1NM-CLOUD-SETUP(8) Automatic Network Configuratio NM-CLOUD-SETUP(8)
2
3
4
6 nm-cloud-setup - Overview of Automatic Network Configuration in Cloud
7
9 When running a virtual machine in a public cloud environment, it is
10 desirable to automatically configure the network of that VM. In simple
11 setups, the VM only has one network interface and the public cloud
12 supports automatic configuration via DHCP, DHCP6 or IPv6 autoconf.
13 However, the virtual machine might have multiple network interfaces, or
14 multiple IP addresses and IP subnets on one interface which cannot be
15 configured via DHCP. Also, the administrator may reconfigure the
16 network while the machine is running. NetworkManager's nm-cloud-setup
17 is a tool that automatically picks up such configuration in cloud
18 environments and updates the network configuration of the host.
19
20 Multiple cloud providers are supported. See the section called
21 “SUPPORTED CLOUD PROVIDERS”.
22
24 The goal of nm-cloud-setup is to be configuration-less and work
25 automatically. All you need is to opt-in to the desired cloud providers
26 (see the section called “ENVIRONMENT VARIABLES”) and run
27 /usr/libexec/nm-cloud-setup.
28
29 Usually this is done by enabling the nm-cloud-setup.service systemd
30 service and let it run periodically. For that there is both a
31 nm-cloud-setup.timer systemd timer and a NetworkManager dispatcher
32 script.
33
35 nm-cloud-setup configures the network by fetching the configuration
36 from the well-known meta data server of the cloud provider. That means,
37 it already needs the network configured to the point where it can reach
38 the meta data server. Commonly that means, that a simple connection
39 profile is activated that possibly uses DHCP to get the primary IP
40 address. NetworkManager will create such a profile for ethernet devices
41 automatically if it is not configured otherwise via "no-auto-default"
42 setting in NetworkManager.conf. One possible alternative may be to
43 create such an initial profile with nmcli device connect "$DEVICE" or
44 nmcli connection add type ethernet ....
45
46 By setting the user-data org.freedesktop.nm-cloud-setup.skip=yes on the
47 profile, nm-cloud-setup will skip the device.
48
49 nm-cloud-setup modifies the run time configuration akin to nmcli device
50 modify. With this approach, the configuration is not persisted and only
51 preserved until the device disconnects.
52
53 /usr/libexec/nm-cloud-setup
54 The binary /usr/libexec/nm-cloud-setup does most of the work. It
55 supports no command line arguments but can be configured via
56 environment variables. See the section called “ENVIRONMENT VARIABLES”
57 for the supported environment variables.
58
59 By default, all cloud providers are disabled unless you opt-in by
60 enabling one or several providers. If cloud providers are enabled, the
61 program tries to fetch the host's configuration from a meta data server
62 of the cloud via HTTP. If configuration could be not fetched, no cloud
63 provider are detected and the program quits. If host configuration is
64 obtained, the corresponding cloud provider is successfully detected.
65 Then the network of the host will be configured.
66
67 It is intended to re-run nm-cloud-setup every time when the
68 configuration (maybe) changes. The tool is idempotent, so it should be
69 OK to also run it more often than necessary. You could run
70 /usr/libexec/nm-cloud-setup directly. However it may be preferable to
71 restart the nm-cloud-setup systemd service instead or use the timer or
72 dispatcher script to run it periodically (see below).
73
74 nm-cloud-setup.service systemd unit
75 Usually /usr/libexec/nm-cloud-setup is not run directly, but only by
76 systemctl restart nm-cloud-setup.service. This ensures that the tool
77 only runs once at any time. It also allows to integrate with the
78 nm-cloud-setup systemd timer, and to enable/disable the service via
79 systemd.
80
81 As you need to set environment variable to configure nm-cloud-setup
82 binary, you can do so via systemd override files. Try systemctl edit
83 nm-cloud-setup.service.
84
85 nm-cloud-setup.timer systemd timer
86 /usr/libexec/nm-cloud-setup is intended to run whenever an update is
87 necessary. For example, during boot when when changing the network
88 configuration of the virtual machine via the cloud provider.
89
90 One way to do this, is by enabling the nm-cloud-setup.timer systemd
91 timer with systemctl enable --now nm-cloud-setup.timer.
92
93 /usr/lib/NetworkManager/dispatcher.d/90-nm-cloud-setup.sh
94 There is also a NetworkManager dispatcher script that will run for
95 example when an interface is activated by NetworkManager. Together with
96 the nm-cloud-setup.timer systemd timer this script is to automatically
97 pick up changes to the network.
98
99 The dispatcher script will do nothing, unless the systemd service is
100 enabled. To use the dispatcher script you should therefor run systemctl
101 enable nm-cloud-setup.service once.
102
104 The following environment variables are used to configure
105 /usr/libexec/nm-cloud-setup. You may want to configure them with a
106 drop-in for the systemd service. For example by calling systemctl edit
107 nm-cloud-setup.service and configuring [Service] Environment=, as
108 described in systemd.exec(5) manual.
109
110 • NM_CLOUD_SETUP_LOG: control the logging verbosity. Set it to one of
111 TRACE, DEBUG, INFO, WARN, ERR or OFF. The program will print
112 message on stdout and the default level is WARN.
113
114 • NM_CLOUD_SETUP_AZURE: boolean, whether Microsoft Azure support is
115 enabled. Defaults to no.
116
117 • NM_CLOUD_SETUP_EC2: boolean, whether Amazon EC2 (AWS) support is
118 enabled. Defaults to no.
119
120 • NM_CLOUD_SETUP_GCP: boolean, whether Google GCP support is enabled.
121 Defaults to no.
122
123 • NM_CLOUD_SETUP_ALIYUN: boolean, whether Alibaba Cloud (Aliyun)
124 support is enabled. Defaults to no.
125
127 As detailed before, nm-cloud-setup needs to be explicitly enabled. As
128 it runs as a systemd service and timer, that basically means to enable
129 and configure those. This can be done by dropping the correct files and
130 symlinks to disk.
131
132 The following example enables nm-cloud-setup for Amazon EC2 cloud:
133
134 dnf install -y NetworkManager-cloud-setup
135
136 mkdir -p /etc/systemd/system/nm-cloud-setup.service.d
137 cat > /etc/systemd/system/nm-cloud-setup.service.d/10-enable-ec2.conf << EOF
138 [Service]
139 Environment=NM_CLOUD_SETUP_EC2=yes
140 EOF
141
142 # systemctl enable nm-cloud-setup.service
143 mkdir -p /etc/systemd/system/NetworkManager.service.wants/
144 ln -s /usr/lib/systemd/system/nm-cloud-setup.service /etc/systemd/system/NetworkManager.service.wants/nm-cloud-setup.service
145
146 # systemctl enable nm-cloud-setup.timer
147 mkdir -p /etc/systemd/system/timers.target.wants/
148 ln -s /etc/systemd/system/timers.target.wants/nm-cloud-setup.timer /usr/lib/systemd/system/nm-cloud-setup.timer
149
150 # systemctl daemon-reload
151
152
153
155 Amazon EC2 (AWS)
156 For AWS, the tools tries to fetch configuration from
157 http://169.254.169.254/. Currently, it only configures IPv4 and does
158 nothing about IPv6. It will do the following.
159
160 • First fetch http://169.254.169.254/latest/meta-data/ to determine
161 whether the expected API is present. This determines whether EC2
162 environment is detected and whether to proceed to configure the
163 host using EC2 meta data.
164
165 • Fetch
166 http://169.254.169.254/2018-09-24/meta-data/network/interfaces/macs/
167 to get the list of available interface. Interfaces are identified
168 by their MAC address.
169
170 • Then for each interface fetch
171 http://169.254.169.254/2018-09-24/meta-data/network/interfaces/macs/$MAC/subnet-ipv4-cidr-block
172 and
173 http://169.254.169.254/2018-09-24/meta-data/network/interfaces/macs/$MAC/local-ipv4s.
174 Thereby we get a list of local IPv4 addresses and one CIDR subnet
175 block.
176
177 • Then nm-cloud-setup iterates over all interfaces for which it could
178 fetch IP configuration. If no ethernet device for the respective
179 MAC address is found, it is skipped. Also, if the device is
180 currently not activated in NetworkManager or if the currently
181 activated profile has a user-data
182 org.freedesktop.nm-cloud-setup.skip=yes, it is skipped.
183
184 If only one interface and one address is configured, then the tool
185 does nothing and leaves the automatic configuration that was
186 obtained via DHCP.
187
188 Otherwise, the tool will change the runtime configuration of the
189 device.
190
191 • Add static IPv4 addresses for all the configured addresses from
192 local-ipv4s with prefix length according to
193 subnet-ipv4-cidr-block. For example, we might have here 2 IP
194 addresses like "172.16.5.3/24,172.16.5.4/24".
195
196 • Choose a route table 30400 + the index of the interface and add
197 a default route 0.0.0.0/0. The gateway is the first IP address
198 in the CIDR subnet block. For example, we might get a route
199 "0.0.0.0/0 172.16.5.1 10 table=30400".
200
201 Also choose a route table 30200 + the interface index. This
202 contains a direct routes to the subnets of this interface.
203
204 • Finally, add a policy routing rule for each address. For
205 example "priority 30200 from 172.16.5.3/32 table 30200,
206 priority 30200 from 172.16.5.4/32 table 30200". and "priority
207 30400 from 172.16.5.3/32 table 30400, priority 30400 from
208 172.16.5.4/32 table 30400" The 30200+ rules select the table to
209 reach the subnet directly, while the 30400+ rules use the
210 default route. Also add a rule "priority 30350 table main
211 suppress_prefixlength 0". This has a priority between the two
212 previous rules and causes a lookup of routes in the main table
213 while ignoring the default route. The purpose of this is so
214 that other specific routes in the main table are honored over
215 the default route in table 30400+.
216
217 With above example, this roughly corresponds for interface eth0 to
218 nmcli device modify "eth0" ipv4.addresses
219 "172.16.5.3/24,172.16.5.4/24" ipv4.routes "172.16.5.0/24 0.0.0.0 10
220 table=30200, 0.0.0.0/0 172.16.5.1 10 table=30400"
221 ipv4.routing-rules "priority 30200 from 172.16.5.3/32 table 30200,
222 priority 30200 from 172.16.5.4/32 table 30200, priority 20350 table
223 main suppress_prefixlength 0, priority 30400 from 172.16.5.3/32
224 table 30400, priority 30400 from 172.16.5.4/32 table 30400". Note
225 that this replaces the previous addresses, routes and rules with
226 the new information. But also note that this only changes the run
227 time configuration of the device. The connection profile on disk is
228 not affected.
229
230 Google Cloud Platform (GCP)
231 For GCP, the meta data is fetched from URIs starting with
232 http://metadata.google.internal/computeMetadata/v1/ with a HTTP header
233 "Metadata-Flavor: Google". Currently, the tool only configures IPv4 and
234 does nothing about IPv6. It will do the following.
235
236 • First fetch
237 http://metadata.google.internal/computeMetadata/v1/instance/id to
238 detect whether the tool runs on Google Cloud Platform. Only if the
239 platform is detected, it will continue fetching the configuration.
240
241 • Fetch
242 http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/
243 to get the list of available interface indexes. These indexes can
244 be used for further lookups.
245
246 • Then, for each interface fetch
247 http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IFACE_INDEX/mac
248 to get the corresponding MAC address of the found interfaces. The
249 MAC address is used to identify the device later on.
250
251 • Then, for each interface with a MAC address fetch
252 http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IFACE_INDEX/forwarded-ips/
253 and then all the found IP addresses at
254 http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$IFACE_INDEX/forwarded-ips/$FIPS_INDEX.
255
256 • At this point, we have a list of all interfaces (by MAC address)
257 and their configured IPv4 addresses.
258
259 For each device, we lookup the currently applied connection in
260 NetworkManager. That implies, that the device is currently
261 activated in NetworkManager. If no such device was in
262 NetworkManager, or if the profile has user-data
263 org.freedesktop.nm-cloud-setup.skip=yes, we skip the device. Now
264 for each found IP address we add a static route "$FIPS_ADDR/32
265 0.0.0.0 100 type=local" and reapply the change.
266
267 The effect is not unlike calling nmcli device modify "$DEVICE"
268 ipv4.routes "$FIPS_ADDR/32 0.0.0.0 100 type=local [,...]" for all
269 relevant devices and all found addresses.
270
271 Microsoft Azure
272 For Azure, the meta data is fetched from URIs starting with
273 http://169.254.169.254/metadata/instance with a URL parameter
274 "?format=text&api-version=2017-04-02" and a HTTP header
275 "Metadata:true". Currently, the tool only configures IPv4 and does
276 nothing about IPv6. It will do the following.
277
278 • First fetch
279 http://169.254.169.254/metadata/instance?format=text&api-version=2017-04-02
280 to detect whether the tool runs on Azure Cloud. Only if the
281 platform is detected, it will continue fetching the configuration.
282
283 • Fetch
284 http://169.254.169.254/metadata/instance/network/interface/?format=text&api-version=2017-04-02
285 to get the list of available interface indexes. These indexes can
286 be used for further lookups.
287
288 • Then, for each interface fetch
289 http://169.254.169.254/metadata/instance/network/interface/$IFACE_INDEX/macAddress?format=text&api-version=2017-04-02
290 to get the corresponding MAC address of the found interfaces. The
291 MAC address is used to identify the device later on.
292
293 • Then, for each interface with a MAC address fetch
294 http://169.254.169.254/metadata/instance/network/interface/$IFACE_INDEX/ipv4/ipAddress/?format=text&api-version=2017-04-02
295 to get the list of (indexes of) IP addresses on that interface.
296
297 • Then, for each IP address index fetch the address at
298 http://169.254.169.254/metadata/instance/network/interface/$IFACE_INDEX/ipv4/ipAddress/$ADDR_INDEX/privateIpAddress?format=text&api-version=2017-04-02.
299 Also fetch the size of the subnet and prefix for the interface from
300 http://169.254.169.254/metadata/instance/network/interface/$IFACE_INDEX/ipv4/subnet/0/address/?format=text&api-version=2017-04-02.
301 and
302 http://169.254.169.254/metadata/instance/network/interface/$IFACE_INDEX/ipv4/subnet/0/prefix/?format=text&api-version=2017-04-02.
303
304 • At this point, we have a list of all interfaces (by MAC address)
305 and their configured IPv4 addresses.
306
307 Then the tool configures the system like doing for AWS environment.
308 That is, using source based policy routing with the tables/rules
309 30200/30400.
310
311 Alibaba Cloud (Aliyun)
312 For Aliyun, the tools tries to fetch configuration from
313 http://100.100.100.200/. Currently, it only configures IPv4 and does
314 nothing about IPv6. It will do the following.
315
316 • First fetch http://100.100.100.200/2016-01-01/meta-data/ to
317 determine whether the expected API is present. This determines
318 whether Aliyun environment is detected and whether to proceed to
319 configure the host using Aliyun meta data.
320
321 • Fetch
322 http://100.100.100.200/2016-01-01/meta-data/network/interfaces/macs/
323 to get the list of available interface. Interfaces are identified
324 by their MAC address.
325
326 • Then for each interface fetch
327 http://100.100.100.200/2016-01-01/meta-data/network/interfaces/macs/$MAC/vpc-cidr-block,
328 http://100.100.100.200/2016-01-01/meta-data/network/interfaces/macs/$MAC/private-ipv4s,
329 http://100.100.100.200/2016-01-01/meta-data/network/interfaces/macs/$MAC/netmask
330 and
331 http://100.100.100.200/2016-01-01/meta-data/network/interfaces/macs/$MAC/gateway.
332 Thereby we get a list of private IPv4 addresses, one CIDR subnet
333 block and private IPv4 addresses prefix.
334
335 • Then nm-cloud-setup iterates over all interfaces for which it could
336 fetch IP configuration. If no ethernet device for the respective
337 MAC address is found, it is skipped. Also, if the device is
338 currently not activated in NetworkManager or if the currently
339 activated profile has a user-data
340 org.freedesktop.nm-cloud-setup.skip=yes, it is skipped. Also, there
341 is only one interface and one IP address, the tool does nothing.
342
343 Then the tool configures the system like doing for AWS environment.
344 That is, using source based policy routing with the tables/rules
345 30200/30400. One difference to AWS is that the gateway is also
346 fetched via metadata instead of using the first IP address in the
347 subnet.
348
350 NetworkManager(8) nmcli(1)
351
352
353
354NetworkManager 1.32.12 NM-CLOUD-SETUP(8)