Summary of Thursday's call between GNOME and NM devels and Default DNS resolver change owners
Dan Williams
dcbw at redhat.com
Fri Jul 17 18:18:51 UTC 2015
On Fri, 2015-07-17 at 13:22 -0400, Chuck Anderson wrote:
> Looks great! I've been using this daily on Fedora 21 and I have to
> say it mostly works well EXCEPT for the captive portal detection stuff
> which is just horrendously bad, so I'm happy to see a new design that
> may work a lot better.
What doesn't work in your experience with the captive portal stuff?
Just wondering so we can improve it. This plan doesn't necessarily make
anything about *detecting* a portal better, just the flow after one has
been detected.
Dan
> Will the below be substantially implemented and testable
> by the July 28 Change CheckPoint: Completion deadline (testable)?
> That is only 10 days away...
>
> It would be great if the Change page could be updated with these plans
> and the current status, how to test, etc.
>
> Thanks!
>
> On Fri, Jul 17, 2015 at 05:40:56PM +0200, Tomas Hozza wrote:
> > Hello all.
> >
> > I would like to share the outcome of the discussion between GNOME and NM developers
> > and the "Default DNS resolver" [1] Change for F23.
> >
> > The full summary can be found here [2] and recording here [3] is anyone is interested.
> >
> >
> > Integration points:
> > - Captive portal detection
> > - Captive portal handling
> > - User interaction
> >
> >
> > Points we agreed on:
> > * Captive portal detecion
> > * NM side
> > * NM will be the only daemon doing Captive portal detection
> > * NM moves connectivity check before NM_DEVICE_STATE_ACTIVATED, emits signal before network is "up"
> > * If portal has been detected, NM blocks NM_DEVICE_STATE_ACTIVATED for a specific device until there is no more portal
> > * NM regularly does the Captive portal detection (connectivity check) to determine if the login using GNOME was already done
> > * Once the login was done and Internet connectivity is detected, NM triggers some event in nm-dispatcher (or something like that)
> > * GNOME side
> > * GNOME Shell does not do detection itself, but relies on the NM (as already done)
> > * GNOME is watching the change of "connectivity state" property in NM
> > * dnssec-trigger side
> > * Does not do any detection
> > * does not do any user interaction
> > * Only relies on events triggered by NM and acts based on the connectivity status
> >
> > * Captive portal handling (login)
> > * GNOME side
> > * If Captive portal is detected, then browser window is launched
> > * The browser window ls launched with LD_PRELOAD (https://github.com/hadess/resolvconf-override) as resolv.conf override
> > * GNOME should fetch the connection-provided DNS servers using NM API (existing) and use those for LD_PRELOAD solution
> > * dnssec-trigger side
> > * does not do any user interaction
> > * Only relies on events triggered by NM and acts based on the connectivity status
> >
> > * User interface / user interaction
> > * Fedora Workstation product
> > * GNOME shell
> > * informs the user about the Captive portal
> > * launches the window
> > * dnssec-trigger
> > * the applet will be split into separate package and not installed by default (already done)
> > * if all falbacks fail, it switches automatically to "Insecure" mode (no DNSSEC validation) without user interaction
> > * automatic switch to insecure mode will be possible to turn off using configuration file for expert users
> > * a notification can be emited about switching to insecure mode (so far by default OFF)
> > * Other desktops / Spins
> > * dnssec-trigger applet
> > * should handle the UI that is usually handled by GNOME Shell (if there is not any specific Spin implementation to do that, i.e. if GNOME is not in use)
> > * Captive portal detection will be still done in NM
> >
> > * under discussion:
> > * notification can be turned OFF by default, but configurable in config file for expert users - unfortunatelly this will not create pressure on admins to fix the networks
> > * alternative: display a message which will say that local network is broken and that admin should be woken up:
> > * 'Your network is seriously broken. Go and kick your network admin NOW!
> > * This broken network will stop working from Fedora 24 on because it does not support DNSSEC. (Tell this to your admin!)'
> >
> >
> > [1] https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver
> > [2] https://www.piratepad.ca/p/default-dns-resolver-f23
> > [3] https://bluejeans.com/s/8pTY/
> >
> >
> > Regards,
> > --
> > Tomas Hozza
> > Software Engineer - EMEA ENG Developer Experience
> >
> > PGP: 1D9F3C2D
> > Red Hat Inc. http://cz.redhat.com
More information about the devel
mailing list