1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
|
<?xml version="1.0"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % local.common.attrib "xmlns:xi CDATA #FIXED 'http://www.w3.org/2003/XInclude'">
]>
<chapter id="ref-migrating">
<title>Migrating from NetworkManager 0.8 to NetworkManager 0.9</title>
<para>
NetworkManager 0.9 is a new major version of NetworkManager that breaks
both API and ABI compared to previous versions. These changes are
intended to make communication with NetworkManager much simpler, especially
for network control and configuration programs. Thankfully, most changes
are not difficult to implement, and the advantages of the simpler
architecture of NetworkManager 0.9 greatly outweight the effort of
updating client programs.
</para>
<section>
<title>Architecture and D-Bus API Changes in 0.9</title>
<para>
This section details the architectural and D-Bus API changes in
NetworkManager 0.9.
</para>
<section>
<title>Elimination of the User Settings Service</title>
<para>
Previously there were two "settings services", or D-Bus services that
provided and saved network configuration information. NetworkManager
owned the "system" settings service, and one user-level applet owned the
"user" settings service. Now, the "user" settings service has been
eliminated, so clients only have to track one D-Bus service to read and
update network configuration. The functionality of the old user settings
service has been replaced with a "permissions" key on each connection
object to preserve the ability to restrict which users can use the
connection, and with a "secret agent" D-Bus API for user-session-level
secure storage of network secrets and passwords.
</para>
<para>
Elimination of the user settings service provides the following advantages
for clients of NetworkManager:
<itemizedlist>
<listitem>Simpler discovery of network configuration and change tracking</listitem>
<listitem>Simpler storage of user-level network secrets by control applets</listitem>
<listitem>Correct operation of fast-user switching and multi-seat configurations</listitem>
<listitem>More granular network connection permissions for system administrators</listitem>
<listitem>Connections are now system-wide by default (unless restricted by the user or system administrator)</listitem>
<listitem>Easier deployment of user-specific connections (ie, VPNs)</listitem>
</itemizedlist>
</para>
<para>
With this change, D-Bus methods that previously took a "service name"
argument (like
<literal>org.freedesktop.NetworkManager.ActivateConnection</literal>) and
objects with service name properties (like ActiveConnection objects) no
longer have those arguments or properties.
</para>
<para>
<emphasis role="strong">Action:</emphasis> if you develop a network control
applet that talks to NetworkManager and used to provide a user settings
service, you can eliminate that code and rely on NetworkManager for all
storage of network configuration. Your applet should now implement the
Secret Agent D-Bus API (see below) to store user-specific secrets, and
add legacy user-specific configuration to NetworkManager when run. More
information about both these changes follows.
</para>
</section>
<section>
<title>User Secret Agents</title>
<para>
Even with the elimination of the user settings service, in some cases it
is still desirable to store secrets in the user's session and not in
system-wide storage (and thus available to all users). To allow this
functionality the concept of agents has been introduced. Using the new
<ulink url="spec.html#org.freedesktop.NetworkManager.AgentManager">
<literal>org.freedesktop.NetworkManager.AgentManager</literal></ulink>
D-Bus interface provided by NetworkManager, user applications can register
themselves as "secret agents", ie programs capable of saving and providing
secrets to NetworkManager. The agent should export the
<ulink url="spec.html#org.freedesktop.NetworkManager.SecretAgent">
<literal>org.freedesktop.NetworkManager.SecretAgent</literal></ulink>
D-Bus interface, but should NOT claim a bus name on the system or session
bus. Instead, NetworkManager talks to the agent directly over the D-Bus
connection which the agent used to register itself.
</para>
<para>
Each agent must send a unique identifier to NetworkManager when it
registers. This identifier must follow certain rules (see the NM D-Bus
API documentation for more details) but looks essentially the same as
a D-Bus service name. Only one agent using a given identifier may be
registered at the same time. The agent is automatically unregistered
if it disconnects from D-Bus or exits.
</para>
<para>
When NetworkManager requires secrets during the attempt to connect to a
network, and no secrets are available from the internal settings service,
NetworkManager queries each registered agent for secrets. Agents that
are in "active" user sessions (as determined by ConsoleKit) are preferred
over inactive ones. Only agents belonging to users who have permission
to view and modify the connection are queried. For more information on
connection permissions, see below.
</para>
When secrets are requested, the agent is also sent a set of flags that
modify the behavior of the request. By default, the agent should never
attempt to query the user for secrets, but should simply return any
available saved secrets. Other flags allow the agent to explicitly
request new secrets from the user.
<para>
<emphasis role="strong">Action:</emphasis> the parts of a previous user
settings service that handled secrets may be easily repurposed as the bulk
of the implementation of a secret agent. The agent is sent all available
connection settings, and from those should be able to retrieve or save
any saved user secrets, or to request new secrets from the user.
</para>
</section>
<section>
<title>Settings Service Interface Changes</title>
<para>
With the elimination of the user settings service, the old
<literal>org.freedesktop.NetworkManagerUserSettings</literal> and
<literal>org.freedesktop.NetworkManagerSystemSettings</literal> D-Bus
service names are no longer used. Instead NetworkManager provides the
settings service using its own D-Bus service name,
<literal>org.freedesktop.NetworkManager</literal>. The object path of
the settings service remains unchanged.
</para>
<para>
Additionally, the D-Bus interface of the settings service has changed
to <ulink url="spec.html#org.freedesktop.NetworkManager.Settings">
<literal>org.freedesktop.NetworkManager.Settings</literal></ulink> from
the old interface name of
<literal>org.freedesktop.NetworkManagerSettings</literal>, and the old
<literal>org.freedesktop.NetworkManagerSettings.System</literal>
interface has been merged into the new
<ulink url="spec.html#org.freedesktop.NetworkManager.Settings">
<literal>org.freedesktop.NetworkManager.Settings</literal></ulink> interface
as the split no longer made sense. This includes the
<literal>SaveHostname</literal> method and the <literal>Hostname</literal>
and <literal>CanModify</literal> properties.
</para>
<para>
<emphasis role="strong">Action:</emphasis> change the service name that
your application uses to request system network settings to
<literal>org.freedesktop.NetworkManager</literal>, and update the D-Bus
interface that codes uses to talk to the settings service to
<ulink url="spec.html#org.freedesktop.NetworkManager.Settings">
<literal>org.freedesktop.NetworkManager.Settings</literal></ulink>.
Listen for hostname changes using the new interface name as well.
</para>
</section>
<section>
<title>Connection Object Interface Changes</title>
<para>
Consistent with the interface changes to the Settings object, the
Connection object's D-Bus interface has changed to
<ulink url="spec.html#org.freedesktop.NetworkManager.Settings.Connection">
<literal>org.freedesktop.NetworkManager.Settings.Connection</literal></ulink>
from the previous
<literal>org.freedesktop.NetworkManagerSettings.Connection</literal>.
</para>
<para>
Additionally, the
<literal>org.freedesktop.NetworkManager.Settings.Connection.Updated</literal>
signal of the Connection object no longer includes the updated settings
data argument, as that might allow users who are not authorized to
view the connection details to do so. Instead, when a client receives the
Updated signal, it should requery the Connection's settings with the
<literal>org.freedesktop.NetworkManager.Settings.Connection.GetSettings</literal>
method. If the client receives an error as a result of this method call,
it should assume the connection has been deleted.
</para>
<para>
<emphasis role="strong">Action:</emphasis> where code manipulates
Connection objects, update the D-Bus interface that code uses to be
<literal>org.freedesktop.NetworkManager.Settings.Connection</literal>.
Additionally, code that listens for the
<literal>org.freedesktop.NetworkManager.Settings.Connection.Updated</literal>
signal should no longer expect the new settings data as an argument, but
instead should request the new settings data using the
<literal>org.freedesktop.NetworkManager.Settings.Connection.GetSettings</literal>
method.
</para>
</section>
<section>
<title>Permissions Methods Consolidation</title>
<para>
Previously there were two D-Bus method calls to retrieve the list of
operations that a user client could perform, and two signals notifying
callers that they should recheck permissions. Those two calls were:
<itemizedlist>
<listitem>
<literal>org.freedesktop.NetworkManagerSettings.System.GetPermissions</literal>
which returned a bitfield of operations the caller was allowed to
perform related to modify system network settings and the machine
hostname
</listitem>
<listitem>
<literal>org.freedesktop.NetworkManager.GetPermissions</literal> which
returned a dictionary mapping permission names to result strings like
"yes", "auth", or "no", relating to network control permissions like
the ability to enable or disable WiFi.
</listitem>
</itemizedlist>
These two calls have been consolidated into an enhanced
<literal>org.freedesktop.NetworkManager.GetPermissions</literal> call that
uses the same arguments, but includes all permissions, including those which
the settings service used to handle.
</para>
<para>
With this change, the bitfield items from
<literal>org.freedesktop.NetworkManagerSettings.System.GetPermissions</literal>
are now string-based permissions. The mapping is as follows:
<table>
<tgroup cols="2">
<thead>
<row><entry>Old bitfield value</entry><entry>New permission name</entry></row>
</thead>
<tbody>
<row>
<entry><screen>0x1 (connection-modify)</screen></entry>
<entry>
<literal>org.freedesktop.NetworkManager.settings.modify.system</literal>
or <literal>org.freedesktop.NetworkManager.settings.modify.system</literal>
depending on the permissions of the connection.
</entry>
</row>
<row>
<entry><screen>0x2 (wifi-share-protected)</screen></entry>
<entry>
<literal>org.freedesktop.NetworkManager.wifi.share.protected</literal>
</entry>
</row>
<row>
<entry><screen>0x4 (wifi-share-open)</screen></entry>
<entry>
<literal>org.freedesktop.NetworkManager.wifi.share.open</literal>
</entry>
</row>
<row>
<entry><screen>0x8 (hostname-modify)</screen></entry>
<entry>
<literal>org.freedesktop.NetworkManager.settings.modify.hostname</literal>
</entry>
</row>
</tbody>
</tgroup>
</table>
</para>
<para>
<emphasis role="strong">Action:</emphasis> modify handling of existing
code that checks permissions to recognize the new permissions names for
old system settings permissions, and remove code that used to call
<literal>org.freedesktop.NetworkManagerSettings.System.GetPermissions</literal>.
</para>
</section>
<section>
<title>AddConnection Returns Object Path of New Connection</title>
<para>
The <ulink url="spec.html#org.freedesktop.NetworkManager.Settings">
<literal>org.freedesktop.NetworkManager.Settings.AddConnection</literal>
</ulink> method call now returns the object path of the newly added
connection. Previously, if code wanted to manipulate a connection
post-addition, it had to wait for the new connection to be announced via
the NewConnection signal by matching connection UUIDs. Now the object
path is returned and this workaround is no longer required.
</para>
<para>
<emphasis role="strong">Action:</emphasis> update code that adds new
connections to handle the object path returned from AddConnection, and
remove workarounds for finding the new connection via signals.
</para>
</section>
<section>
<title>Support for WiMAX Devices</title>
<para>
NetworkManager now supports Intel WiMAX mobile broadband devices. A
corresponding device type (<literal>NM_DEVICE_TYPE_WIMAX</literal>) and
a new <ulink url="spec.html#org.freedesktop.NetworkManager.Device.WiMax">
<literal>org.freedesktop.NetworkManager.Device.WiMax</literal></ulink>
D-Bus interface have been added. Furthermore, to support connection to
different WiMAX Network Service Providers (NSPs) the
<ulink url="spec.html#org.freedesktop.NetworkManager.Device.WiMax.Nsp">
<literal>org.freedesktop.NetworkManager.Device.WiMax.Nsp</literal></ulink>
interface has been added to access information about each available
WiMAX network.
</para>
<para>
<emphasis role="strong">Action:</emphasis> update code that handles
devices and/or displays status to users to recognize the new device type,
and to display available WiMAX NSPs similar to how WiFi Access Points
are displayed. Also update code that creates new connections to allow
creation of new WiMAX connections.
</para>
</section>
<section>
<title>New Device States</title>
<para>
A few <ulink url="spec.html#type-NM_DEVICE_STATE">new device states</ulink>
have been added, and all device states have been renumbered for flexibility.
The new devices states IP_CHECK, SECONDARIES, and DEACTIVATING.
</para>
<para>
<emphasis role="strong">Action:</emphasis> where code checks device state
or shows UI indication of the device's state, make sure the new device
states are processed correctly, and that code in switch()-type statements
is updated to handle the new states.
</para>
</section>
<section>
<title>Consolidated Modem Devices</title>
<para>
Many new mobile broadband devices support multiple access families, like
Qualcomm Gobi cards (CDMA/EVDO and GSM/UMTS), or multi-mode EVDO/LTE
or UMTS/LTE modems like the Pantech UML290. The previous hard split
between CDMA/EVDO and GSM/UMTS device classes was not flexible enough to
deal with these new multi-mode devices. Thus the previously separate
CDMA and GSM device classes have been combined into a single Modem
device class, which exposes both hardware "ModemCapabilities" and
runtime "CurrentCapabilities" which represent generic access technology
families like CDMA/EVDO, GSM/UMTS, and LTE which the device supports.
ModemCapabilities indicate all the access technology families which the
modem is capable of supporting, while CurrentCapabilities indicate the
immediate access technology families the device supports without reloading
the firmware and thus restarting the device.
</para>
<para>
Along with this change, the
<literal>org.freedesktop.NetworkManager.Device.Serial</literal>
interface has been removed as it's functionality will be incorporated
into the
<ulink url="spec.html#org.freedesktop.NetworkManager.Device.Modem">
<literal>org.freedesktop.NetworkManager.Device.Modem</literal></ulink>
interface in the future.
</para>
<para>
<emphasis role="strong">Action:</emphasis> combine code that checks for
the old CDMA and GSM device types, and instead handle the new Modem device
type. Where behavior must change based on the capabilities of the device,
check the CurrentCapabilities device property to determine whether to
treat the device as CDMA, GSM, or LTE for purposes of configuration and
status.
</para>
</section>
<section>
<title>Secret Property Flags</title>
<para>
In the Connection object's configuration properties, each setting's secret
properties (like WiFi passphrases, or public key passwords, etc) now has
an associated "flags" property that changes how NetworkManager treats the
secret. The "flags" property is a bitfield of one or more of the
following values:
<table>
<tgroup cols="2">
<thead>
<row><entry>Flag Value</entry><entry>Meaning</entry></row>
</thead>
<tbody>
<row>
<entry><screen>0x00 (none)</screen></entry>
<entry>
NetworkManager is responsible for providing and storing this
secret (default)
</entry>
</row>
<row>
<entry><screen>0x01 (agent-owned)</screen></entry>
<entry>
A user secret agent is responsible for providing and storing
this secret; when it is required agents will be asked to
retrieve it
</entry>
</row>
<row>
<entry><screen>0x02 (not saved)</screen></entry>
<entry>
The secret is not saved, and should be requested each time it
is required. Used for OTP/token configurations where the
secret changes periodically, or if the user simply wants to
manually enter the secret each time.
</entry>
</row>
<row>
<entry><screen>0x04 (not required)</screen></entry>
<entry>
In situations where it cannot be automatically determined that
the secret is required (some VPNs and PPP providers dont require
all possible secrets) this flag indicates that the specific
secret is not required.
</entry>
</row>
</tbody>
</tgroup>
</table>
</para>
<para>
<emphasis role="strong">Action:</emphasis> user interface code which
handles entry of connection secrets should be updated to read and set
secret flags. For example, code that creates new VPN connections may want
to set the "agent-owned" flag to ensure that the user's VPN password is
not available to all users. EAP-TLS and VPN interface code might add a
checkbox that toggles the "not saved" bit to indicate that the
password/PIN code should be requested from a hardware token each time it
is required.
</para>
</section>
<section>
<title>Deprecated Methods Removed</title>
<para>
A few methods and signals of the <literal>org.freedesktop.NetworkManager</literal>
interface deprecated in version 0.7 have been removed. All the
replacement methods and signals have existed since version 0.7 and so are
not new to this version of NetworkManager, but some older programs may
be using removed items. The following table lists the removed items and
their replacements:
<table>
<tgroup cols="2">
<thead>
<row><entry>Removed Item</entry><entry>Replacement</entry></row>
</thead>
<tbody>
<row>
<entry><screen>StateChange signal</screen></entry>
<entry>
Use the <literal>StateChanged</literal> signal, which has the
same arguments.
</entry>
</row>
<row>
<entry><screen>sleep() and wake() methods</screen></entry>
<entry>
Use the <literal>Sleep()</literal> method instead, which takes
a boolean argument indicating whether NetworkManager should
go to sleep or wake up.
</entry>
</row>
<row>
<entry><screen>state() method</screen></entry>
<entry>
Use the <literal>State</literal> property instead.
</entry>
</row>
</tbody>
</tgroup>
</table>
</para>
<para>
<emphasis role="strong">Action:</emphasis> update code to use these
replacement methods and properties where it used old deprecated ones
</para>
</section>
</section>
</chapter>
|
