Configuring network in RHEL7

News Red Hat Certification Program Understanding and using essential tools Access a shell prompt and issue commands with correct syntax Finding Help Managing local users and groups LDAP Authentication NIS authentication  
Working with archives and compressed files Text files processing Using redirection and pipes Use grep and extended regular expressions to analyze text files Finding files and directories; mass operations on files Connecting to the server via ssh, using multiple consoles and screen command Introduction to Unix permissions model VIM: Basic and intermediate set of command for sysadmins Working with hard and soft links
OSI Model IP Addresses Classes and subnett The TCP/IP Model Configuring network in RHEL7          
Managing files in RHEL       Tips Sysadmin Horror Stories Unix History with some Emphasis on Scripting Humor Etc

As a Linux server administrator, you need to manage network interfaces assigning IP addresses to them.  The IP addresses can be assigned in two ways:

Static IP Addressing

To configure the static  IP addressing you need to specify an IP address, a subnet mask, and a default gateway.

On you home network you router is you default gateway and often have the first IP address in in the network ID.

Some recommendations fro creating home network or some test network in the cloud

These principles have become unofficial standards for network techs, and following them simplify troubleshooting  and allow others faster understand your network setup.

Now you can give each of the computers an IP address, subnet mask, and default gateway.

If you’ve entered an IP address and your ping is not successful, first check your IP settings. Odds are good you made a typo. Otherwise, check your connections, driver, and so forth. Static addressing has been around for a long time and is still heavily used for more critical systems on your network. Static addressing poses one big problem, however: making any changes to the network is a serious pain. Most systems today use a far easier and more flexible method to get their IP information: dynamic IP addressing.

Special IP Addresses

There are two special IP addresses you need to know about.

Names of the Ethernet interfaces

For a long time, network cards in Linux have had default names eth0, eth1, and eth2. This naming was assigned based on the order of detection of the network card. So, eth0 was the first network card that got detected, eth1 the second, and so on.

This approach works well for servers and was used in RHEL 4 till RHEL 6 (although in RHEL 6 network manager was also an option).  In RHEL 7 we have obligatory additional component -- an intermediary called Network Manager, which was initially designed for laptop linux installation and now got into server space by stealth. 

For laptops you typically need to take care of  the "on the  fly" change of the type of connection. When laptop is moved from office to home or from cubical, or office the conference room, the  type of connection can change. For example, people usually use wired connection at office (via laptop docking station) and WiFi at conference room and home. All those things are not needs for server.

There was a political struggle in Red Hat  in which "Linux on desktop" faction won and now server admins need to learn and used more complex setup which essentially was designed for the laptops and involves the component, we mentioned above -- the Network manager.

Another  complication in RHEL 7 is that the default names for network cards are now based on firmware, device topology, and device types. This leads to bizarre network card names. which are impossible to memorize and creates some problems for scripts, Now names are dependent on the vendor of equipment and type of adapter.

The name now consists of the following parts:

Apart from this default device naming, network cards can be named based on the BIOS device name as well. In this naming, names such as em1 (embedded network card 1) or p4p1 (which is PCI slot 4, port 1) can be used.

Those name are generated by the  biosdevname package, developed by Dell and which screw up things even further the RHEL idea to introduce new scheme of naming interfaces.  First of all it is applicable to blades, in which all interfaces are hidden and any potential help in indentifying to which slot cable was connected by the name of the interface is completely lost. But in its infinite wisdom  the  biosdevname package is activated on  blades in RHEL7 and you need to deactivate it after the installation unless you use Kickstart.

And impose two different naming convention makes even less sense and is a clear sign  of the loss of architectural integrity.

If this "RHEL7-style" name cannot be generated, traditional names such as eth0 are used. You can also forcefully assign old eth-type names by supplying parameters biosdevname=0 and net.ifnames=0 to GRUB2 bootloader.

In most case in RHEL7  after installation of the OS you need to deal with the this new Ethernet interface scheme and names such as ens2.  From the  name we can guess that this is a hotplug slot Ethernet device, with its unique index number 2.

Generally those "games with device names" look counterproductive and complicate writing scripts for Linux.

Adding additional RPMs

By default not all necessary RPMs are installed in CentOS. Some of them should probably added immediately after the installation (anaconda in RHEl 7 is a joke and does not allow specify individual packages unless you use Kickstart

The following can probably be added  to create a more comfortable work environment, especially is you worked with previous version of RHEL:

yum install bash-completion # packages below use bash completion, so it is useful to add it
yum install net-tools # provides "legacy" ifconfig, netstat, route, arp and  several other commands
yum install traceroute.x86_64 #  traceroute
yum install tcpdump # tcpdump -- sometimes needed but keeing it on the production server is not recommanded as represents some security risk 
                    # so it should be de-installed after you finish installation

Setting up Network Configuration

To set the network configuration for a new server you need to know the following five parameters:

The first thing we must do is find out the name of our Ethernet interface that is connected to network. You need also set it "up".

But which interface is connected might be a problem if you have 4,  or more interfaces like most servers have.  A static IP address cannot be configured without the correct interface name. One way is to see the output of the command

nmcli d

in your terminal for quick identification of Ethernet cards installed in your machine. The output of this command  can show which interface is connected and which is not. You can try the command old ifconfig command: connected interface should get some packets while disconnected do not. 

The command ip a will show which interfaces are up and which are not. The other is to use tcpdump utility and see what packets each interface gets

On small networks you select IP yourself.  In large corporations there is usually some centralized IP allocation service, which will provide you with IP that you should use for the particular server as well as subnet mask, default router and DNS server you should use.

You need to check with  ping if the Ip is already occupied in any case. That's a useful precaution

 In you home network (192.168.0.0/24) router often has the address  192.168.0.1  or  192.168.0.254 (the first or the last address in this subnet). Sometime a different subnet is used  like 192.168.5.0/24. In this case router can be 192.168.5.1  or  192.168.5.254

Using new to RHEL7 ip command

While utility ip was available in RHEL6, RHEL 7 makes it the new standard way of configuring networking, although the old ifconfig utility is deprecated but still available if you install the proper package (in CentOS7 it should be installed vi net-tools package, which installs ifconfig, netstat, route, arp and  several other commands; In RHEL7 I think it is installed by default).

The ip utility has different set of options/parameters in  comparison with ifconfig. Which now  need to be memorized, as again this is "a new brave world" of RHEL7, quite different from the world of RHEL4-RHEL6.  Some typical invocations:

For Sysadmins who worked in RHEL6 this is usually pretty foreign utility and you need a cheatsheet to use it productively.  Among them:

So RHEL7 migrated away for earlier RHEL version in which the ifconfig utility was and is still used for validating network configuration.  and netstat for displaying routing table. They still can be used (and probably are preferred option  is you need to manage simultaneously both RHEL5, RHEL6 and RHEL7.)  But  as RHEL6 end of life is 2020 you also need to learn new, unique for RHEL7 utilities, which represent another "new way of doing things", a new brave world, if you wish ;-)

TIP:

To show current network settings, you can use the ip addr show command (which can be abbreviated as ip a s or even as ip a). The ip command does not always require you to type the complete option. The command shows the following items about its current status:

If you are just interested in the link state of the network interfaces, you can use the ip link show command. This command (of which you can see the output in Listing 8.2) repeats the link state information of the ip addr show command.

[0]d620@ROOT:~ # ip addr show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp9s0:  mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:1c:23:06:cb:e7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.23/24 brd 192.168.5.255 scope global noprefixroute dynamic enp9s0
       valid_lft 70434sec preferred_lft 70434sec
    inet6 fe80::4dcf:908b:d93f:808d/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: wlp12s0:  mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether ba:36:3f:be:e5:5f brd ff:ff:ff:ff:ff:ff
4: docker0:  mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:3e:20:c0:d0 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever

In case the ip link show command the output looks like:

d620@ROOT:~ # ip link show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp9s0:  mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:1c:23:06:cb:e7 brd ff:ff:ff:ff:ff:ff
3: wlp12s0:  mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether ba:36:3f:be:e5:5f brd ff:ff:ff:ff:ff:ff
4: docker0:  mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
    link/ether 02:42:3e:20:c0:d0 brd ff:ff:ff:ff:ff:ff

shows the current link state as down, you can temporarily bring it up again by using ip link set, which is followed by dev devicename and up (for example, ip link set dev eno16777736 up).

We now know that  ip addr add  command allow us to set an IP address on a network interface. Bit settings provided by the ip command are  not persistent. If you want to make your configuration persistent in RHEL7 you need to NetworkManager. It has two configuration utilities:  nmtui or nmcli.

Configuring Network Configuration using NetworkManager

Networking on RHEL 7 is managed by the NetworkManager service. You can use the systemctl status NetworkManager command to verify its current status. When NetworkManager comes up, it reads the network card configuration scripts, which are in /etc/sysconfig/network-scripts and have a name that starts with ifcfg and is followed by the name of the network card.

Two terms are used in describing the configuration of Ethernet interface:

You can create multiple connections for a single device. This can make sense on mobile computers, to make a difference between settings that are used while connected to the home network and settings that are needed to the corporate network. Switching between connections on devices is something that is common on end-user computers, and not so common on servers, except web servers.

To manage the network connections you need to use iether the nmtui or the nmcli command.

Tip

Configuring the Network with nmtui

If you assign ip address, netmask and the default route via ip command those setting will not survive the reboot. To make those assignment permanent in RHL7 you typically use utility  nmtui which provides user interface to Network Manager.

The nmtui interface consists of three menu options:

If you have access to GUI you can use nm-connection-editor instead of nmtui. Not all setting are available via GUI but basic settings are. It does, however, offer all you need to manage address configuration on a network connection. Start it by using the nm-connection-editor command, or by using the applet in the GNOME graphical interface.

Network Configuration Files

The result of setting parameter is your network interface(s) via mntui is the "per-interface" configuration file in the directory /etc/sysconfig/network-scripts. The name of this generated configuration files has prefix ifcfg- which is followed by the name of the network interface.

[0]d620@ROOT:/etc/sysconfig/network-scripts # cat ifcfg-enp9s0
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=enp9s0
UUID=034c881a-b017-48d6-9398-9b02ee66e4e2
DEVICE=enp9s0
ONBOOT=no
USERS=root

TIPS:

Excluding Network Manager from management of the particular Enernet inteface and using  /etc/sysconfig/network-scripts/  file directly

In RHEL 7 you usually use network manager to assign those addresses, and we will discuss it later. This is the preferable method, but you also can do it directly by editing the file with settings in  /etc/sysconfig/network-scripts directory.  One problem with the established method  is that by default Network Manager overwrites /etc/resolv.conf file (the file with DNS settings) and this is highly undesirable behaviour which you block only by editing specific configuration files. 

See How do I prevent Network Manager from controlling an interface CDRouter Support

Network Manager has a command line tool that can be used to see which interfaces it is controlling. Pull up a terminal window and type the following command:
nmcli dev status

This displays a table that lists all network interfaces along with their STATE. If Network Manager is not controlling an interface, its STATE will be listed as unmanaged. Any other value indicates the interface is under Network Manager control.

#Network Manager settings are controlled by a configuration file: #/etc/NetworkManager/NetworkManager.conf. We will use this #file to tell Network Manager to stop controlling a particular interface.

ifcfg method

With CentOS, one way to tell Network Manager to stop controlling an interface is by editing the individual ifcfg-* files. First, make sure the /etc/NetworkManager/NetworkManager.conf file has the following lines.

[main]
plugins=ifcfg-rh

This plugin tells Network Manager to look at the CentOS ifcfg-* files. Now for each interface you’d like Network Manager to ignore, edit the individual /etc/sysconfig/network-scripts/ifcfg-* interface files, adding the following lines:

NM_CONTROLLED=no
HWADDR=00:11:22:33:44:55

If present, set the HWADDR value to be the actual MAC address of this interface.

keyfile method

Another way to tell Network Manager to stop controlling an interface is by adding the following lines to the /etc/NetworkManager/NetworkManager.conf file:

[main]
plugins=keyfile

[keyfile]
unmanaged-devices=mac:00:11:22:33:44:55;mac:66:77:88:99:00:aa

List the MAC address of each interface you want Network Manager to ignore, separated with a semicolon. Make sure that MAC addresses listed here are LOWER CASE.

Newer versions of NetworkManager can also use a more generic alternate KEYFILE method that does not involve actual MAC addresses and instead uses interface names. This syntax replaces the [keyfile] section above with the following:

[keyfile]
unmanaged-devices=interface-name:eth*,except:interface-name:eth0;interface-name:wlan*

udev rules method

A third way to tell Network Manager to stop controlling an interface is to add a udev rule. Create the file /etc/udev/rules.d/00-nta1000-net.rules and add the following content:

#
# Interfaces that shouldn't be managed by NetworkManager
#
ACTION=="add", SUBSYSTEM=="net", KERNEL=="eth1", ENV{NM_UNMANAGED}="1"
ACTION=="add", SUBSYSTEM=="net", KERNEL=="eth2", ENV{NM_UNMANAGED}="1"
ACTION=="add", SUBSYSTEM=="net", KERNEL=="eth3", ENV{NM_UNMANAGED}="1"

You can list the interfaces (by name) that you want Network Manager to avoid.

You should reboot for these changes to take effect.

Manually stop Network Manager

If Network Manager is not needed during testing, it can be shut off completely.

systemctl stop NetworkManager
systemctl start NetworkManager

The above commands will stop/start NetworkManager, but will not affect whether it is automatically started when the machine boots. To disable/enable NetworkManager automatically when the system boots, again use the systemctl command (as root):

systemctl disable NetworkManager
systemctl enable NetworkManager

Remove Network Manager from the system

If Network Manager will not be needed at all, it can be removed from the system completely.

yum remove NetworkManager

Restart Networking

You may need to restart networking to make changes take effect.

systemctl restart network

Within the directory /etc/sysconfig/network-scripts/ you should find the file ifcfg-INTERFACENAME (Where INTERFACENAME is the name of your interface). In my instance, the file is ifcfg-enp9s03.  The  default configuration is DHCP configuration and can look something lke:

[0]d620@ROOT:/etc/sysconfig/network-scripts # cat ifcfg-enp9s0
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=enp9s0
UUID=034c881a-b017-48d6-9398-9b02ee66e4e2
DEVICE=enp9s0
ONBOOT=no
USERS=root

We need to modify that file in order to not only change the protocol from dhcp to static, but to add the specific IP address. So when you open up that file, you'll want to change:

BOOTPROTO=dhcp

To:

BOOTPROTO=static

Now you'll need to add the entries to set not only the IP address, but the netmask, gateway, and DNS addresses. At the bottom of that file, add the following:

IPADDR=192.168.0.2
NETMASK=255.255.255.0
GATEWAY=192.168.0.254
NM_CONTROLLED=no
HWADDR=00:11:22:33:44:55

Verifying Created Ethernet configuration

Validating Routing

One important aspect of networking is routing. On every network that needs to communicate to nodes on other networks, routing is a requirement. Every network has, at least, a default router (also called the default gateway) that is set, and you can see which router is used as the default router by using the command ip route show Routers use network IDs to determine network traffic. Built into this router is a routing table, the actual instructions that tell the router what to do with incoming packets and where to send them.

You should always perform one quick check to verify that your router is set correctly: the default router at all times must be on the same network as the local IP address that your network card is using.  The first line shows the default router:

[130] d620@ROOT:~ # ip route show
default via 192.168.5.1 dev enp9s0 proto dhcp metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.5.0/24 dev enp9s0 proto kernel scope link src 192.168.5.23 metric 100

Checking the Availability of Ports and Services

Network problems can be related to the local IP and router settings but can also be related to network ports that are not available on your server or on a remote server. To verify availability of ports on your server, you can use the netstat command, or the newer ss command, which provides the same functionality.

By typing ss -ls you will get summary of used ports

Total: 203 (kernel 264)
TCP:   5 (estab 1, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 0

Transport Total     IP        IPv6
*         264       -         -
RAW       1         0         1
UDP       3         2         1
TCP       5         3         2
INET      9         5         4
FRAG      0         0         0

By typing ss -tul, you’ll  see all listening TCP and UDP ports on the local system:

[0]d620@ROOT:~ #ss -tul
Netid State      Recv-Q Send-Q                                             Local Address:Port                                                              Peer Address:Port
udp   UNCONN     0      0                                                              *:bootpc                                                                       *:*
udp   UNCONN     0      0                                                      127.0.0.1:323                                                                          *:*
udp   UNCONN     0      0                                                            ::1:323                                                                         :::*
tcp   LISTEN     0      128                                                            *:ssh                                                                          *:*
tcp   LISTEN     0      100                                                    127.0.0.1:smtp                                                                         *:*
tcp   LISTEN     0      128                                                           :::ssh                                                                         :::*
tcp   LISTEN     0      100                                                          ::1:smtp                                                                :::*                                                         192.168.5.14:58008

Notice where the port is listening on. Some ports are only listening on the IPv4 loopback address 127.0.0.1 or the IPv6 loopback address ::1, which means that they are locally accessible only. Other ports are listening on *, which stands for all IPv4 addresses, or on :::*, which represents all ports on all IPv6 addresses.

Configuring the Network with nmcli

This utility is used mainly in scripts.

nmcli without paramaters shows all connections. This shows active and inactive connections. You can easily see the difference because inactive connections are not currently assigned to a device:

[0]d620@ROOT:~ # nmcli
enp9s0: connected to dhcp
        "Broadcom and subsidiaries NetXtreme BCM5752"
        ethernet (tg3), 00:1C:23:06:CB:E7, hw, mtu 1500
        ip4 default
        inet4 192.168.5.23/24
        route4 0.0.0.0/0
        route4 192.168.5.0/24
        inet6 fe80::4dcf:908b:d93f:808d/64
        route6 fe80::/64
        route6 ff00::/8

docker0: connected to docker0
        "docker0"
        bridge, 02:42:3E:20:C0:D0, sw, mtu 1500
        inet4 172.17.0.1/16
        route4 172.17.0.0/16

wlp12s0: unavailable
        "Intel PRO/Wireless 3945ABG"
        wifi (iwl3945), BA:36:3F:BE:E5:5F, hw, mtu 1500

lo: unmanaged
        "lo"
        loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536

DNS configuration:
        servers: 4.2.2.3 4.2.2.2
        domains: SSG5-ISDN-WLAN
        interface: enp9s0

Use "nmcli device show" to get complete information about known devices and
"nmcli connection show" to get an overview on active connection profiles.

Consult nmcli(1) and nmcli-examples(5) manual pages for complete usage details.

After finding the name of the connection, you can use nmcli con show followed by the name of the connection to see all properties of the connection. Notice that this... command shows many properties. Here is and example of the output of this command.

[127] d620@ROOT:~ # nmcli con show
NAME     UUID                                  TYPE      DEVICE
dhcp     ac522294-9aa2-4729-be22-f0f6ee6451af  ethernet  enp9s0
docker0  39461b65-4dc9-4e1e-8ec4-a8a1d2b6e725  bridge    docker0
enp9s0   034c881a-b017-48d6-9398-9b02ee66e4e2  ethernet  --

To find out what exactly these settings are doing, read man 5 nm-settings.

You can also use nmcli to show status of all devices

nmcli dev status
[0]d620@ROOT:~ # nmcli dev status
DEVICE   TYPE      STATE        CONNECTION
enp9s0   ethernet  connected    dhcp
docker0  bridge    connected    docker0
wlp12s0  wifi      unavailable  --

As well as settings for the particular device, for example enp9s

[2] d620@ROOT:~ # nmcli dev show enp9s0
GENERAL.DEVICE:                        enp9s0
GENERAL.TYPE:                          ethernet
GENERAL.HWADDR:                        00:1C:23:06:CB:E7
GENERAL.MTU:                           1500
GENERAL.STATE:                         100 (connected)
GENERAL.CONNECTION:                    dhcp
GENERAL.CON-PATH:                      /org/freedesktop/NetworkManager/ActiveConnection/1
WIRED-PROPERTIES.CARRIER:              on
IP4.ADDRESS[1]:                        192.168.5.23/24
IP4.GATEWAY:                           192.168.5.1
IP4.ROUTE[1]:                          dst = 0.0.0.0/0, nh = 192.168.5.1, mt = 100
IP4.ROUTE[2]:                          dst = 192.168.5.0/24, nh = 0.0.0.0, mt = 100
IP4.DNS[1]:                            4.2.2.3
IP4.DNS[2]:                            4.2.2.2
IP4.DOMAIN[1]:                         SSG5-ISDN-WLAN
IP6.ADDRESS[1]:                        fe80::4dcf:908b:d93f:808d/64
IP6.GATEWAY:                           --
IP6.ROUTE[1]:                          dst = fe80::/64, nh = ::, mt = 100
IP6.ROUTE[2]:                          dst = ff00::/8, nh = ::, mt = 256, table=255

Setting Static IP in scripts using nmcli

TIPS:

You created network connections using nmcli con add. You can also change current connection properties by using nmcli con mod. Here is an example of a simple script to configure a network interface:

# Make sure that the static connection does not connect automatically 
nmcli con mod "static" connection.autoconnect no.
# Add a DNS server to the static connection
nmcli con mod "static" ipv4.dns 10.0.0.10. 
# To add a second item for the same parameters, use a + sign.
nmcli con mod "static" +ipv4.dns 8.8.8.8.
# Using nmcli con mod, you can also change parameters such as the existing IP address. 
nmcli con mod "static" ipv4.addresses "10.0.0.20/24" 10.0.0.100/24.
# Add a second IP address you use the + sign again: 
nmcli con mod "static" +ipv4.addresses 10.20.30.40/16.
# After changing connection properties, you need to activate them. 
nmcli con up "static".

Recommended Links

Google matched content

Softpanorama Recommended

Top articles

Sites