As I am spiralling into Linux server administration, there’s certainly a lot to learn. Certainly a lot leaves me wanting BSD, but since that’s not an option, … here we go.

NetworkManager

NetworkManager on Linux (or on CentOS specifically) manages the network. Whatever content (blog posts, knowledge base articles) I found usually suggests that you uninstall it first. A common problem is that people are unable to manage /etc/resolv.conf, because the changes they make to that file get overwritten again.

Internals

The NetworkManager gets everything it needs from a few configuration files.

These are located in: /etc/sysconfig/network-scripts/

They’re easy enough to manage with automation (Ansible, Chef, Salt), and here’s how you get a grip on DNS.

As an example, the host I’m dealing with has an eth0 device. Its configuration is located in that directory, in an ifcfg-eth0 file, with the following contents:

TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
NAME="eth0"
UUID="63b28d0a-41f0-4e3a-bf30-c05c98772dbb"
DEVICE="eth0"
ONBOOT="yes"
IPADDR="172.21.0.12"
PREFIX="24"
GATEWAY="172.21.0.1"
IPV6_PRIVACY="no"
ZONE=public
DNS1="172.21.0.1"

Most of this speaks for itself, but there are a few titbits in here.

Managing DNS and resolv.conf

In order to (statically) manage the nameservers used by this host, I put the following into the file:

DNS1="172.21.0.1"

If I needed multiple DNS servers (e.g. for fallback):

DNS1="172.21.0.1"
DNS2="172.21.0.2"
DNS3="172.21.0.3"

In order to apply this, you can use a hammer and reboot — or use your best friend (sarcasm) systemd:

$ systemctl restart NetworkManager

Done!

Introducing firewalld

firewalld is another interesting component. It breaks your firewall down into zones, services and sources (and a few other things). It’s not half bad, even though pf is still superior. Its biggest advantage is that it hides iptables from me (mostly). And it allows me to define rules in structured XML, which is still easier to read and assert on than the output of iptables -nL.

To put my eth0 device into the public zone, for example, put this into ifcfg-eth0:

ZONE=public

This also implies that I can’t put this device into another zone at the same time; that would conflict. But this makes sense. We can of course change this and put devices into different zones. I believe public may be an implicit default.
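Since both the DNSn= lines and the ZONE= line live in the same ifcfg file, a small check script can pull them out and compare the nameservers against what is actually in /etc/resolv.conf, so the "my resolv.conf got overwritten" situation from above shows up as a failed check instead of a surprise. This is an added example, not code from the post; the ifcfg and resolv.conf contents are constructed inline, and the function names are my own.

```shell
#!/bin/sh
# Added example: extract DNSn= and ZONE= from an ifcfg-style file and verify that
# resolv.conf lists exactly those nameservers. Sample contents are constructed.

# Constructed ifcfg-eth0, modelled on the one in the post. DNS3 is unquoted and
# listed out of order on purpose, since both forms occur in real files.
IFCFG_SAMPLE='TYPE="Ethernet"
BOOTPROTO="none"
NAME="eth0"
DEVICE="eth0"
ZONE=public
DNS1="172.21.0.1"
DNS3=172.21.0.3
DNS2="172.21.0.2"'

# Constructed resolv.conf that only knows about DNS1, e.g. after it was rewritten.
RESOLV_SAMPLE='# Generated by NetworkManager
search example.test
nameserver 172.21.0.1'

# ifcfg_dns CONTENT: print the DNS1..DNSn values, one per line, in numeric order.
# Values may or may not be double-quoted, so the quotes are optional in the pattern.
ifcfg_dns() {
    printf '%s\n' "$1" \
        | sed -n 's/^DNS\([0-9][0-9]*\)="\{0,1\}\([^"]*\)"\{0,1\}$/\1 \2/p' \
        | sort -n | cut -d' ' -f2
}

# ifcfg_zone CONTENT: print the firewalld zone the interface is assigned to, if any.
ifcfg_zone() {
    printf '%s\n' "$1" | sed -n 's/^ZONE="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p'
}

# resolv_nameservers CONTENT: print the nameserver entries in resolv.conf order.
resolv_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# check_dns IFCFG_CONTENT RESOLV_CONTENT: succeed only if resolv.conf lists the
# ifcfg nameservers exactly, in order; otherwise report both lists and fail.
check_dns() {
    want=$(ifcfg_dns "$1")
    have=$(resolv_nameservers "$2")
    [ "$want" = "$have" ] && return 0
    echo "resolv.conf out of sync with ifcfg DNS settings" >&2
    echo "expected: $(printf '%s' "$want" | tr '\n' ' ')" >&2
    echo "found:    $(printf '%s' "$have" | tr '\n' ' ')" >&2
    return 1
}

echo "eth0 zone: $(ifcfg_zone "$IFCFG_SAMPLE")"
if check_dns "$IFCFG_SAMPLE" "$RESOLV_SAMPLE"; then echo "DNS in sync"; else echo "DNS drift detected"; fi
```

On a live host you would pass `"$(cat /etc/sysconfig/network-scripts/ifcfg-eth0)"` and `"$(cat /etc/resolv.conf)"` instead of the samples; a non-zero exit from check_dns is the signal that something rewrote resolv.conf behind your back.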

FIN

Thanks for reading!