network interface configuration

[MalteJ]

When running as pid 1, auraed has to care about network interface configuration.
By using netlink and the Linux kernel we can configure static IPv4 and IPv6 addresses and SLAAC IPv6.
To support DHCP provided IPv4 and IPv6 addresses, we need to integrate a DHCP client.

Also, we have to think about how to expose the runtime API. Currently auraed creates a Unix socket. This socket is not accessible from outside of the machine. Can we change this to an IP based socket? Or make it configurable?

[krisnova]

There is a lot of detail here. For now we can just start simple and expose the lo loopback interface.

I will start to work on a deeper architecture document in my free time, however we can also start to iterate here in this issue if that is easier.

By using netlink and the Linux kernel we can configure static IPv4 and IPv6 addresses and SLAAC IPv6.

Do we have any options other than netlink here?

We should make Auraed run as IPv6 by default.

Also, we have to think about how to expose the runtime API.

This will be our first subsystem of the project. I am unsure what we want to call this however for right now I am leaning towards "net" or "nic" or "netdev".

For an example of the work that goes into an aurae subsystem see my PR in https://github.com/aurae-runtime/api/pull/1

Currently auraed creates a Unix socket. This socket is not accessible from outside of the machine. Can we change this to an IP based socket? Or make it configurable?

I do not want pid 1 listening on the network by default.

I do however want pid 1 to have a reliable way of scheduling services that expose a 2nd gRPC server instance over a specific network device after it has been configured.

I am pretty adamant that the primary daemon on the system should only ever listen on a unix domain socket - however I would love to be proven wrong 🤓

What does everyone else think?

[MalteJ]

Netlink is the way to go to configure network devices. There's also a nice Rust crate: https://crates.io/crates/rtnetlink
It's just that DHCP is no part of netlink. So we'd need to add it on top.

When auraed starts within a VM and is to be controlled from its hypervisor, we should simply be able to use fe80::2 as the inner aurae's IP address. The outer aurae could use fe80::1.

Without thinking too much about it, I would have exposed the pid 1's grpc API via the network. In our environment we assume this network to be secure (DMZ).

[MalteJ]

In fact I assume the attacker comes from the inside. They hack an application, escalate privileges and own the inner system.