ipadm error could be more helpful (when problem is permissions)
I have been recently having problems with networking under OmniOS; I'm finding the learning curve for Solarish, coming from Linux, to be quite significant, but running illumos as a guest OS in both Qemu and Virtualbox has compounded this and made diagnosing problems quite a slow process for me, in particular, with the plethora of network options available.
`dladm show-phys` had revealed that (some of) my NICs were in an unknown state, and I eventually found instructions revealing the process of creating an interface and assigning it addressed with `ipadm create-if` and `ipadm create-addr`. However, many of the `ipadm` commands I ran returned the error:
`ipadm: Could not create e1000g0 : Could not open DLPI link`
as declared here and defined here", when in fact, it seems to have been a simple permissions error - at the least, most recently, I forgot to prefix the commands with `sudo`, but this went over my head completely as the message looks much more complicated. Similarly, for creating an address, we have
`could not communicate with dhcpagent`
when I simply run the command as non-root. This, to me, implies more of a potential problem with the DHCP agent than just not havng the right perms.
Coming from a linux background, I'm used to most often having a pretty obvious error message regarding permissions if I need to be root to do something, and so far it seems illumos follows a similar policy (in fact, I've found the syntax of commands and error messages to be much better and easier to remember and follow), with most commands I've run complaining about lacking sufficient permissions if that's the case. Therefore,
What I would expect:¶
- Either the string constant defined in `libipadm.c` to be changed to add something like "(correct permissions?)" or "(run as root?)", etc. at the end of it, as a reminder
- or for libipadm to differentiate between reasons for failing to open the link, ; it could either output a generic permissions error to stderr, or perhaps a ": permission denied" suffix to the specific error.
I was originally going to submit a potential fix and PR for this, am happy to do so, but thought it best left open to some debate first, and all I would have done initially would have been the first option above, i.e. change the strings, I wouldn't want to mess with anything else just yet.
Thanks very much
Updated by Andy Fiddaman 2 months ago
Thanks for reporting, you are right, this can and should definitely be improved!
ipadm is calling the
dlpi_open() function and getting back the response code DL_SYSERR. Since DL_SYSERR != DLPI_SUCCESS, it returns the generic failure message that you are seeing.
What it can do in that case is look at
errno and, if it is
EACCESS, return a different error code that maps to a different message. All of these things are in a private interface so can be changed without worrying about compatibility with third party software etc.
That's the approach that I'd take rather than adding a questioning suffix to every dlpi_open failure message.
Is this something you'd like to work on and take through the review and RTI (request-to-integrate) process? (illumos does not use pull requests). If so I can help you do that and if not I'd be happy to do the work myself.
Updated by Ben Southall 2 months ago
I agree, I hadn't really followed the code through, I just thought I would add the lines as I'd already found them; as it's simple to detect a permission problem then definitely best to add a branch for this eventuality.
I would actually very much appreciate the chance to have a go myself and go through the motions (with your help), especially with an easy first fix, so thank you for offering. Only thing is I've been particularly busy the last couple of weeks and promised myself I would start finishing off a few projects before starting new ones! Am I alright to give it a go in a few weeks' time? I would want a bit of time anyway to spin up a new installation and get a dev environment setup, make sure I can compile the kernel as it is all the way through first, and also read the docs (TM) a bit more, so if you're happy, do you want to e.g. assign it to me and I'll get back in touch in the coming while when I have either some code or some questions?