A limitation of Debian's /etc/network/interfaces control file

April 10, 2007

Unless I am missing something, in Debian and Ubuntu there is no way to bring up an interface without having it try to obtain an IP address in some way. The interfaces(5) manpage suggests that 'auto ethN', possibly with 'iface ethN inet manual' should work, but it doesn't seem to go in my testing on Ubuntu.

You might rationally ask what use there is in bringing up an interface without an IP address. It turns out that there's a number of things that such up but unconfigured interfaces are either good for or necessary for (depending on your perspective), including:

  • running tcpdump and similar packet capture programs to do traffic accounting and/or monitoring.
  • bringing up your DSL PPPoE connection, since PPPoE uses the Ethernet purely as a transport.
  • bridging virtual guest machines onto an Ethernet (or VLAN) that the host machine is logically not on (although it clearly has physical access to them).

The Ubuntu machine I ran into this on was our traffic accounting system, and we definitely never want the monitoring interface to be assigned an IP address, or even respond to packets. (If we were being thorough, this means that we should turn off some normal Linux network settings so that the interface never responds to rogue ARPs for the machine's management IP address.)

The workaround we're currently using is to set 'iface ethN inet dhcp'. There's no DHCP server on the monitoring segment that will ever respond to the accounting machine's DHCP request; in fact, I believe that there is basically no untagged traffic flowing over that network segment.

(And yes, if this ever changes we could get a peculiar surprise.)

Sidebar: setting up unconfigured but active interfaces in Fedora

To set up such an interface in Fedora (and probably Red Hat Enterprise), you want the obvious minimal ifcfg-ethN control file:

DEVICE=ethN
ONBOOT=yes

Put this in /etc/sysconfig/network-scripts and you're good to go.


Comments on this page:

From 70.49.25.249 at 2007-04-11 22:00:42:

While granting that it's stupid that Debian and derivatives don't want interfaces without IPs (I expect that's also due to their idea that if you install a server, you must want to immediately start it up), you should probably also disconnect the TX on that interface's ethernet cable. Take off and nuke the site from orbit sort of stuff. - MikeP

By cks at 2007-04-11 23:25:39:

Disconnecting the TX (especially on a gigabit cable) is somewhat more work than we're really enthused about right now, and we'd have to remember that that connection needs a special cable (that otherwise shows as faulty in cable testers and so on). We might feel differently about an IDS or the like, but this is just doing traffic accounting so that we can identify high bandwidth users behind a NAT gateway if outside forces ask us to.

By DanielMartin at 2007-04-15 10:51:00:

Sorry I didn't see this before.

Here's how you do it:

iface netB inet manual
  up /sbin/ifconfig $IFACE up
  down /sbin/ifconfig $IFACE down

manual means "I'm doing everything myself, either later or with the up and down scripts". Everything, including the fundamental low-level bring the interface up step.

By cks at 2007-04-16 13:27:22:

Thanks for the information; it works fine now.

Looking at the manpage in retrospect, this is clearly my failure to read it completely. I had sort of assumed that up and down were run after the interface was brought up (or down), partly from the examples in /etc/network/if-up.d, but since there is both a pre-up and a post-up option, that's clearly a silly assumption.

(And the description of the manual method even says that the interface can be configured manually by means of up and down, once I read it carefully. I think I need a refresher course on Unix manpage reading.)

I still think that Debian makes this harder than it should be, since I maintain that the meaning of an auto ethN with no iface ethN should be clear and unambiguous.

Written on 10 April 2007.
« Why indirect xdm probably doesn't work on your Linux machine
Users don't really benefit from filing bug reports »

Page tools: View Source, View Normal, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Tue Apr 10 15:18:06 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.