
suse-module-tools's Introduction

suse-module-tools

This package contains a collection of tools and configuration files for handling kernel modules and setting module parameters. The configuration files represent a carefully engineered, recommended default configuration. In certain cases, it may be necessary to modify or revert some of these settings. It's ok to do so, but make sure you know what you're doing if you do.

Please don't edit any of the configuration files shipped in this package. Instead, copy the files from /lib/modprobe.d to /etc/modprobe.d, preserving the file name, and edit the copy under /etc/modprobe.d. Likewise for /lib/depmod.d vs. /etc/depmod.d and /usr/lib/modules-load.d vs. /etc/modules-load.d.

To completely mask the directives in a configuration file, it's recommended to create a symlink to /dev/null with the same name as the file to be masked in the respective directory under /etc. E.g. to mask /lib/modprobe.d/20-foo.conf, run

ln -s /dev/null /etc/modprobe.d/20-foo.conf

Blacklisted file systems

In the Linux kernel, file system types are implemented as kernel modules. While many of these file systems are well maintained, some of the older and less frequently used ones are not. This poses a security risk, because maliciously crafted file system images might open security holes when mounted either automatically or by an inadvertent user.

These file systems are therefore blacklisted by default under openSUSE and SUSE Enterprise Linux. This means that the on-demand loading of file system modules at mount time is disabled. Blacklisting is accomplished by placing configuration files called 60-blacklist_fs-$SOME_FS.conf under /lib/modprobe.d. The current list of blacklisted filesystems is:

@FS_BLACKLIST@ # will be filled from spec file during package build

CAVEAT

In the very unlikely case that one of the blacklisted file systems is necessary for your system to boot, make sure you un-blacklist your file system before rebooting.

Un-blacklisting a file system

If a user tries to mount(8) a device with a blacklisted file system, the mount command prints an error message like this:

mount: /mnt/mx: unknown filesystem type 'minix' (hint: possibly blacklisted, see mount(8)).

(mount(8) can't distinguish between a file system for which no kernel module exists at all, and a file system for which a module exists which is blacklisted).

Users who need the blacklisted file systems and therefore want to override the blacklisting can load the blacklisted module directly using modprobe $SOME_FS in a terminal. This will call a script that offers to "un-blacklist" the module for future use.

# modprobe minix
unblacklist: *** NOTE: minix will be loaded even if you answer "n" below. ***
unblacklist: minix is currently blacklisted, do you want to un-blacklist it (y/n)? y
unblacklist: minix un-blacklisted by creating /etc/modprobe.d/60-blacklist_fs-minix.conf

If the user selects y, the module is un-blacklisted by creating a symlink to /dev/null (see above). Future attempts to mount minix file systems will work with no issue, even after reboot, because the kernel's auto-loading mechanism works for this file system again. If the user selects n, the module remains blacklisted. Regardless of the user's answer, the module will be loaded for the time being; i.e. subsequent mount commands for devices with this file system will succeed until the module is unloaded or the system is rebooted.

For security reasons, it's recommended that you only un-blacklist file system modules that you know you'll use on a regular basis, and just enable them temporarily otherwise.
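An added example (not part of the suse-module-tools package): a shell audit that reports, for each shipped 60-blacklist_fs-*.conf file, whether the blacklist is still in effect, has been masked by a /dev/null symlink, or has been replaced by a local copy under /etc/modprobe.d. The function names fs_blacklist_status and fs_blacklist_intact and the three state labels are made up for this illustration; the paths and file naming are the ones described above.

```shell
#!/bin/sh
# Added example: audit which file system blacklist entries are in effect.
# Directory arguments default to the paths named in the README; passing
# other directories lets the check run against a copy or a mounted image.

fs_blacklist_status() {
    libdir=${1:-/lib/modprobe.d}
    etcdir=${2:-/etc/modprobe.d}
    for vendor in "$libdir"/60-blacklist_fs-*.conf; do
        [ -e "$vendor" ] || continue        # glob matched nothing
        name=${vendor##*/}
        fs=${name#60-blacklist_fs-}
        fs=${fs%.conf}
        override=$etcdir/$name
        if [ -L "$override" ] && [ "$(readlink "$override")" = /dev/null ]; then
            state=unblacklisted             # masked by symlink to /dev/null
        elif [ -e "$override" ] || [ -L "$override" ]; then
            state=overridden                # local file replaces the shipped one
        else
            state=blacklisted               # shipped file is in effect
        fi
        printf '%s %s\n' "$fs" "$state"
    done
}

# Returns 1 if any shipped blacklist entry has been masked or replaced,
# 0 if every entry is still in effect (suitable for a compliance check).
fs_blacklist_intact() {
    ! fs_blacklist_status "$@" | grep -qv ' blacklisted$'
}

# Report on the running system (prints nothing if no blacklist files exist).
fs_blacklist_status "$@"
```

An "overridden" entry needs manual review, since the local copy may or may not still contain the blacklist directive.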

Weak modules

This package contains the script weak-modules2, which is necessary to make 3rd party kernel modules installed for one kernel available to KABI-compatible kernels. SUSE ensures KABI compatibility over the lifetime of a service pack in SUSE Enterprise Linux. See the SUSE SolidDriver Program for details.

Capturing log output from weak_modules2

Use the following environment variables:

  • WM2_VERBOSE: value from 0 (default, no logging) to 3 (tracing). The -v/--verbose option increases the log level by one.
  • WM2_DEBUG: 0 (default) or 1. Enables verbose output of certain commands called by weak-modules2. Equivalent to --debug.
  • WM2_LOGFILE: redirect the output to the given file.

Kernel scriptlet files

The scripts in the kernel-scriptlets directory are used internally by kernel packages.

Capturing log output from kernel scripts

  • KERNEL_PACKAGE_SCRIPT_DEBUG: when non-empty, enables some extra output to the kernel log.

Kernel-specific sysctl settings

This package installs the file 50-kernel-uname_r.conf which makes sure that sysctl settings which are recommended for the currently running kernel are applied by systemd-sysctl.service at boot time. These settings are shipped in the file /boot/sysctl.conf-$(uname -r), which is part of the kernel package.

suse-module-tools's People

Contributors

aafeijoo-suse, andreasstieger, brjsp, danimo, fbuihuu, goldwynr, hramrach, jengelh, lnussel, mtomaschewski, mwilck, ptesarik, scarabeusiv, tblume, thkukuk, tiwai, vogtinator, werkov


suse-module-tools's Issues

bridge function on KVM broken

On Leap15.1 in the past 3 days an update broke my KVM bridge arrangement.
I have tracked this down to:

Repository     : Main Update Repository                                                
Name           : suse-module-tools                                                     
Version        : 15.1.18-lp151.2.4.1                                                   
Arch           : x86_64                                                                
Vendor         : openSUSE           

Via rollback to snapshot I returned my system to a working state and individually applied each update in turn. This version ended up breaking networking for all my VMs on that Leap15.1 system.

Reverting to the snapshot just prior to this update restored KVM network function:

Working version of suse-module-tools:

Status         : out-of-date (version 15.1.13-lp151.1.1 installed) 

I tried to find the OBS entry for this package but received 503 maintenance:
https://software.opensuse.org/package/suse-module-tools

Bridge network setup used for KVM is configured via Network Manager:

nmcli con show
NAME               UUID                                  TYPE      DEVICE 
bridge-br0         ac4cc651-5bcd-4bcd-b302-4f3cb370393b  bridge    br0    
bridge-slave-p4p2  1da5ea09-ab13-4cf6-9d23-a57ebbee7abf  ethernet  p4p2   
vnet0              b54bbb49-52dc-4ef2-ac10-6abefeaa91b7  tun       vnet0  
vnet1              dd887ab9-5437-4fc0-bd06-aa0b200b0af3  tun       vnet1  
vnet2              5f6e43b2-f948-4be9-b084-99a60940ef63  tun       vnet2  

with br0 setup via command line:

build:~ # nmcli dev show br0
GENERAL.DEVICE:                         br0
GENERAL.TYPE:                           bridge
GENERAL.HWADDR:                         A4:1F:72:##:##:##
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     bridge-br0
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/1
IP4.ADDRESS[1]:                         192.168.1.117/24
IP4.GATEWAY:                            192.168.1.1
IP4.ROUTE[1]:                           dst = 0.0.0.0/0, nh = 192.168.1.1, mt = 425
IP4.ROUTE[2]:                           dst = 192.168.1.0/24, nh = 0.0.0.0, mt = 425
IP4.DNS[1]:                             192.168.1.1
IP4.DOMAIN[1]:                          lan
IP6.ADDRESS[1]:                         fe80::7ed1:ec96:f7d7:8176/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = ff00::/8, nh = ::, mt = 256, table=255
IP6.ROUTE[2]:                           dst = fe80::/64, nh = ::, mt = 256
IP6.ROUTE[3]:                           dst = fe80::/64, nh = ::, mt = 425

and in the working state/package I have:

build:~ # virsh net-list --all
 Name          State      Autostart   Persistent
--------------------------------------------------
 default       inactive   no          yes
 host-bridge   active     yes         yes

via:

<network>
 <name>host-bridge</name>
 <forward mode="bridge"/>
 <bridge name="br0"/>
</network>

KVM guest instances are started on boot.

All looks to be the same with the non working package version but the guest machines get no connection with their respective NetworkManagers timing out and showing the interface as disconnected.

With the working package I get from dmesg:

[    7.191670] r8169 0000:04:00.0 p4p2: link up
[    7.191678] IPv6: ADDRCONF(NETDEV_CHANGE): p4p2: link becomes ready
[    7.205000] br0: port 1(p4p2) entered blocking state
[    7.205002] br0: port 1(p4p2) entered disabled state
[    7.205087] device p4p2 entered promiscuous mode
[    7.205165] br0: port 1(p4p2) entered blocking state
[    7.205166] br0: port 1(p4p2) entered listening state
[   22.236116] br0: port 1(p4p2) entered learning state
[   37.340106] br0: port 1(p4p2) entered forwarding state
[   37.340108] br0: topology change detected, propagating
[   37.361500] NET: Registered protocol family 17
[   38.126142] tun: Universal TUN/TAP device driver, 1.6
[   38.126534] br0: port 2(vnet0) entered blocking state
[   38.126535] br0: port 2(vnet0) entered disabled state
[   38.126567] device vnet0 entered promiscuous mode
[   38.126625] br0: port 2(vnet0) entered blocking state
[   38.126627] br0: port 2(vnet0) entered listening state
[   38.302882] br0: port 3(vnet1) entered blocking state
[   38.302884] br0: port 3(vnet1) entered disabled state
[   38.302923] device vnet1 entered promiscuous mode
[   38.302974] br0: port 3(vnet1) entered blocking state
[   38.302975] br0: port 3(vnet1) entered listening state
[   38.418570] br0: port 4(vnet2) entered blocking state
[   38.418572] br0: port 4(vnet2) entered disabled state
[   38.418607] device vnet2 entered promiscuous mode
[   38.418657] br0: port 4(vnet2) entered blocking state
[   38.418659] br0: port 4(vnet2) entered listening state
[   53.212099] br0: port 2(vnet0) entered learning state
[   53.468099] br0: port 4(vnet2) entered learning state
[   53.468119] br0: port 3(vnet1) entered learning state
[   68.316104] br0: port 2(vnet0) entered forwarding state
[   68.316106] br0: topology change detected, propagating
[   68.576119] br0: port 4(vnet2) entered forwarding state
[   68.576121] br0: topology change detected, propagating
[   68.576143] br0: port 3(vnet1) entered forwarding state
[   68.576144] br0: topology change detected, propagating

And with the failing package I get:

[    7.357325] r8169 0000:04:00.0 p4p2: link up
[    7.357333] IPv6: ADDRCONF(NETDEV_CHANGE): p4p2: link becomes ready
[    7.369683] br0: port 1(p4p2) entered blocking state
[    7.369685] br0: port 1(p4p2) entered disabled state
[    7.369764] device p4p2 entered promiscuous mode
[    7.369847] br0: port 1(p4p2) entered blocking state
[    7.369848] br0: port 1(p4p2) entered listening state
[   22.492087] br0: port 1(p4p2) entered learning state
[   37.596060] br0: port 1(p4p2) entered forwarding state
[   37.596066] br0: topology change detected, propagating
[   37.616522] NET: Registered protocol family 17
[   38.392030] tun: Universal TUN/TAP device driver, 1.6
[   38.393234] br0: port 2(vnet0) entered blocking state
[   38.393236] br0: port 2(vnet0) entered disabled state
[   38.393272] device vnet0 entered promiscuous mode
[   38.393334] br0: port 2(vnet0) entered blocking state
[   38.393335] br0: port 2(vnet0) entered listening state
[   38.582000] br0: port 3(vnet1) entered blocking state
[   38.582002] br0: port 3(vnet1) entered disabled state
[   38.582039] device vnet1 entered promiscuous mode
[   38.582090] br0: port 3(vnet1) entered blocking state
[   38.582092] br0: port 3(vnet1) entered listening state
[   38.696091] br0: port 4(vnet2) entered blocking state
[   38.696093] br0: port 4(vnet2) entered disabled state
[   38.696131] device vnet2 entered promiscuous mode
[   38.696183] br0: port 4(vnet2) entered blocking state
[   38.696184] br0: port 4(vnet2) entered listening state
[   53.468065] br0: port 2(vnet0) entered learning state
[   53.724065] br0: port 4(vnet2) entered learning state
[   53.724090] br0: port 3(vnet1) entered learning state
[   68.572074] br0: port 2(vnet0) entered forwarding state
[   68.572076] br0: topology change detected, propagating
[   68.828074] br0: port 3(vnet1) entered forwarding state
[   68.828075] br0: topology change detected, propagating
[   68.828094] br0: port 4(vnet2) entered forwarding state
[   68.828095] br0: topology change detected, propagating

Is there a missing post install step maybe?

I couldn't find what might be causing this failure in KVM networking with this setup hence my reverting to a prior working snapshot and installing each pending package in turn and rebooting. This was the last package I tried given its changelog indicating bridge changes.

I do have some additional repositories on this system but they are mainly Python3 / buildbot Kiwi related and do have some outstanding packages held back related to these but again this worked before this package and works again when reverting to pre zypper snapshot of just this package being installed.

Apologies if this report is misplaced, or down to something I have yet to uncover.
