Default variable details

Some of debops.ifupdown default variables have more extensive configuration than simple strings or lists, here you can find documentation and examples for them.

ifupdown__interfaces
ifupdown__custom_files

ifupdown__interfaces 

The ifupdown__*_interfaces variables are YAML dictionaries which define what network interfaces are configured on a host. All dictionaries are recursively combined together in the order they appear in the defaults/main.yml file.

Each entry in the ifupdown__*_interfaces dictionaries is a YAML dictionary. The key of a given entry is either a network interface name (for example eth0, br0, etc.) or a "label" that holds the preferences for a network interface denoted by the iface parameter. Configuration parameters in labeled sections will be merged with the real network interface preferences.

You can also use YAML lists of dictionaries, however you cannot combine both dictionaries and lists in the same ifupdown__*_interfaces variable. YAML dictionaries specified in a list need to have the iface parameter that specifies the interface name, otherwise they will be skipped.

Each network interface will have its configuration in a separate file in /etc/network/interfaces.d/ directory on the managed hosts (both IPv4 and IPv6 configuration is in the same file).

Network interface types

Each network interface has a particular type (ethernet, bridge, VLAN, etc.). The type can be specified by the type parameter. If this parameter is not defined, the role will try to select the correct type based on the interface name prefix:

en* or eth*: The Ethernet network interfaces, marked as the ether type. If not configured specifically, this interface type will automatically enable an IPv4 DHCP configuration and IPv6 SLAAC configuration. The network interface will be configured to be brought up by the hotplug subsystem.
br*: The network bridge interface, marked as the bridge type. If not configured specifically, the role will configure an anonymous bridge without any network interfaces connected, which will be started automatically at boot. The firewall will be configured to allow network traffic through the bridge, without IPv4 NAT.
vlan* or name with a dot (.): The VLAN interface, marked as the vlan type.
bond*: The bonding interface, marked as the bonding type.
sl*: The Serial Line Internet Protocol interface, marked as the slip type.
wl*: The Wireless LAN interface, marked as the wlan type.
ww*: The Wireless WAN interface, marked as the wwan type.
tap*, tun*, mesh*, sit*: The network tunnel interface, marked as the tunnel type.
6to4: The IPv6 to IPv4 transition mechanism interface, marked as the 6to4 type. If not configured specifically, this interface will be configured as 6to4 tunnel with local IPv6 address based on the default network interface IPv4 address.
mapping: The interface configuration is selected dynamically by a specified script. See interfaces(5) for more details.

Each network interface can have multiple parameters. Some parameters are specific to a particular interface type.

General interface parameters

iface

Name of the network interface to configure. If not specified, the network interface will be taken from the YAML dictionary key which holds the parameters.

Example Ethernet interface configuration without and with iface parameter, and a version specified as a list:

ifupdown__interfaces:
  'eth0':
    type: 'ether'

ifupdown__group_interfaces:
  'external':
    iface: 'eth0'
    type: 'ether'

ifupdown__host_interfaces:
  - iface: 'eth0'
    type: 'ether'

The iface parameter can be templated by Jinja, unlike the dictionary key.

type

Optional. Specify the interface type. If this parameter is not defined, role will try and guess the type based on the interface name (see Network interface types). The interface type affects the order in which interfaces are brought up/down and use/requirement of special parameters for certain types.

Type	Weight	Notes
`mapping`	00	interface configured dynamically via scripts
`bonding`	10	virtual bonded interface
`ether`	20	Ethernet (physical or virtual) interface
`slip`	30	Serial Line Internet Protocol interface
`wlan`	30	Wireless Local Area Network interface (WiFi)
`wwan`	30	Wireless Wide Area Network interface (mobile networks, GSM)
`vlan`	40	VLAN interface, requires another interface to be attached to
`bridge`	60	network bridge
`6to4`	80	IPv6 in IPv4 tunnel
`tunnel`	80	virtual network tunnel

If the detected interface type is vlan, the role will check what parent interface is a given VLAN attached to and change the configuration to reorder the vlan interface after all of the parent interfaces, so that network interfaces are processed in the working order. This will only happen if weight_class parameter is not specified. If the interface is overridden, the weight parameter will be set to 5 to ensure proper interface order.

weight_class

Optional. Override the specified type for a given interface so that the weight of another type will be used instead.

weight

Optional. Positive or negative number (for example 2 or -2) which will be added to the base weight defined by the interface type. This can be used to affect the network interface order.

state

Optional. If not specified or present, the given interface configuration file will be created. If absent, the interface configuration will be removed. If ignore, the interface configuration won't be modified in any way – this is useful if you want to make sure that some network interfaces are ignored by the role.

If you use the dynamic interface layout, you might need to explicitly set the br0 and br1 bridge state to present because this interface layout will try to remove them by default.

auto

Optional, boolean. If True, the network interface will be brought up by the networking service at boot time, which might be not what you actually want in the newer, systemd-based hosts. By default it will be set to False. See also allow parameter.

allow

Optional, boolean, string or YAML list. If set to False, this option is disabled. If True, the hotplug subsystem can bring this interface up or down when the hotplug event is detected. You can also specify a list of specific conditions at which the interface is brought up, currently recognized conditions are:

auto: bring the interface up at boot time by the networking service. This might not be what you want on newer systems.
boot: bring the interface up at boot time by iface@.service systemd unit. This will put any processes related to a given interface in their separate cgroup, which allows for better control over the network interface. This is a custom implementation of the auto mechanism managed by this Ansible role.
hotplug: bring the interface up/down at hotplug events. This condition is required to be present for the ifup@.service systemd unit to work properly.

If this parameter is not specified, the role will use the boot value for network interfaces other than physical Ethernet interfaces, which will use the hotplug value by default.

IPv4 and IPv6 configuration parameters

inet: Optional. IPv4 configuration method used by a given interface. There are many configuration methods described in the interfaces(5) manual page, most commonly used are: manual, dhcp, static. If you set this parameter to False, the IPv4 configuration will be disabled.
inet6: Optional. IPv6 configuration method used by a given interface. There are many configuration methods described in the interfaces(5) manual page, most commonly used are: auto, manual, dhcp, static, v4tunnel, 6to4. If you set this parameter to False, the IPv6 configuration will be disabled.
address or addresses: Optional. A string or an YAML list of IPv4 and/or IPv6 addresses to set on a given network interface, in the form of ipaddress/prefix or CIDR. Remember that you need to specify the host IP address and not the network; the 192.0.2.1/24 is the correct notation, and 192.0.2.0/24 is incorrect.
gateway or gateways: Optional. Specify the IPv4 or IPv6 address of the network gateway to which outgoing packets will be directed. If it's a list of addresses, first valid address for a network type will be used as the gateway.

DNS nameserver and search parameters

dns_nameservers: Optional. String or list of IP addresses of the nameservers to configure in /etc/resolv.conf. Remember that only 3 nameservers are allowed at any time. They will be added to the IPv4 section of the network interface configuration unless IPv4 is disabled, in which case they will be configured in IPv6 section.
dns_search: Optional. String or list of domains which should be searched in the DNS if a hostname without a domain is specified. They will be added to the /etc/resolv.conf. This list will be added to the IPv4 section of the network interface configuration unless IPv4 is disabled, in which case they will be configured in IPv6 section.

Bonding parameters

slaves: Optional. String or YAML list of network interfaces to bond together.
bond_*: Optional. If an interface is a bonding, any parameters that have bond_ prefix will be added to that interface configuration. See the documentation included in the ifenslave package for possible configuration options.

Bridge parameters

bridge_*: Optional. If an interface is a bridge, any parameters that have bridge_ prefix will be added to that interface configuration. See the bridge-utils-interfaces(5) manual for more details about possible bridge configuration options.

VLAN parameters

vlan_device or vlan_raw_device: Name of the network interface on which a VLAN will be configured. If the interface name contains a dot (for example eth0.10), the role will try to detect the network interface automatically.

6to4 tunnel parameters

local: Optional. Specify the public IPv4 address which will be used to create the IPv6 6to4 tunnel.

Mapping parameters

script: Absolute path to a script which will be used to select a specific interface configuration for a mapping dynamically. See interfaces(5) manual for more details.

DHCP parameters

dhcp_ignore

Optional. String or list of variable names used by the dhclient-script(8) script to configure the interface. The specified variables representing DHCP options will be unset by the configuration script; this can be used to selectively ignore DHCP options on a given network interface.

See The filter-dhcp-options hook documentation for more details.

Custom interface options

comment: Optional. String or a YAML text block with a comment that will be added to a given interface configuration file.
comment4: Optional. String or a YAML text block with a comment that will be added to a given interface configuration file near the IPv4 section.
comment6: Optional. String or a YAML text block with a comment that will be added to a given interface configuration file near the IPv6 section.
options: Optional. String or a YAML text block with custom options for the network interface. It will be added after the IPv4 section, unless IPv4 support is disabled in which case it will be added after IPv6 section. If this parameter is specified, autogenerated configuration for specific interface types will be disabled.
options4: Optional. String or a YAML text block with custom options added to the IPv4 section of the network interface configuration. If this parameter is present, autogenerated configuration for specific interface types will be disabled.
options6: Optional. String or a YAML text block with custom options added to the IPv6 section of the network interface configuration. If this parameter is present, autogenerated configuration for specific interface types will be disabled.
add_options: Optional. String or a YAML text block with custom options for the network interface. It will be added after the IPv4 section, unless IPv4 support is disabled in which case it will be added after IPv6 section. You can use this parameter to add options to the autogenerated configuration, which will be still included.
add_options4: Optional. String or a YAML text block with custom options added to the IPv4 section of the network interface configuration. You can use this parameter to add options to the autogenerated configuration, which will be still included.
add_options6: Optional. String or a YAML text block with custom options added to the IPv6 section of the network interface configuration. You can use this parameter to add options to the autogenerated configuration, which will be still included.
debug: Optional, boolean. If True, the role will add commented out debug information to the generated interface configuration file. It can be used to check what the role thinks the interface configuration should be like.

Firewall parameters

forward: Optional, boolean. If absent and an interface is a bridge, or present and True, the role will generate configuration for the debops.ferm and the debops.sysctl roles to enable packet forwarding for a given interface.
forward_ipv6: Optional, boolean. Only makes sense with the forward parameter present. By default the role will enable forwarding on IPv6 networks, you can use this parameter to disable it by setting it to False.
forward_ipv4: Optional, boolean. Only makes sense with the forward parameter present. By default the role will enable forwarding on IPv4 networks, you can use this parameter to disable it by setting it to False.
accept_ra: Optional, by default not defined. If 0, the SLAAC Router Advertisements on IPv6 networks will be ignored by this interface. If 1, this interface will accept the SLAAC Router Advertisements when forwarding is disabled, ignore when forwarding is enabled. If 2, SLAAC Router Advertisements received on this interface will be accepted even when forwarding is enabled.
forward_interface_ferm_rule_enabled: Optional, boolean. Should a Firewall rule be configured which matches new connection attempts entering the interface? If disabled using False, the default Firewall policy will apply. Defaults to True.
forward_interface_ferm_rule: Optional, string. Default action or any custom ferm configuration. Defaults to ACCEPT.
forward_outerface_ferm_rule_enabled: Optional, boolean. Should a Firewall rule be configured which matches new connection attempts exiting the interface? If disabled using False, the default Firewall policy will apply. Defaults to True.
forward_outerface_ferm_rule: Optional, string. Default action or any custom ferm configuration. Defaults to ACCEPT.
nat: Optional, boolean. If present and True, the firewall configuration for a given interface (usually a bridge) will include the IPv4 NAT rules. The default gateway IPv4 address will be used in the Source NAT configuration.
nat_masquerade: Optional, boolean. If present and True, the role will use the MASQUERADE rule in the firewall configuration instead of the SNAT rule. This is useful when the host has no fixed default IP address, for example on a laptop. Defaults to ifupdown__default_nat_masquerade.
nat_snat_address: Optional. Specify the SNAT IPv4 address to use for the NAT on a given bridge. If not specified, the role will use the host's default IPv4 address as the SNAT IP address.
nat_snat_interface: Optional. If specified, the IPv4 address on a given network interface will be used to generate the SNAT firewall rules.

Configuration examples

The examples below are based on the Debian Network Configuration and Debian IPv6 configuration pages to make comparison between /etc/network/interfaces configuration and debops.ifupdown configuration easier. Examples are verbose to reflect the examples from the wiki page, but some of the parameters can be omitted to let the role autogenerate them.

Keep in mind that the auto parameter, included in the examples for completeness, usually should be avoided in the newer OS releases (Jessie+, Trusty+) on systemd-based hosts. This is done so that the additional processes related to a given network interfaces are put in their own ifup@.service cgroup instead of being grouped together under the networking.service cgroup.

Use DHCP and SLAAC to automatically configure the network interface:

ifupdown__interfaces:
  'eth0':
    auto: True
    allow: 'hotplug'
    inet: 'dhcp'
    inet6: 'auto'

Configure the network interface manually using static IPv4 and IPv6 configuration:

ifupdown__interfaces:
  'static-eth0':
    iface: 'eth0'
    auto: True
    inet: 'static'
    inet6: 'static'
    addresses: [ '192.0.2.7/24', '2001:db8::c0ca:1eaf/64' ]
    gateways:  [ '192.0.2.254', '2001:db8::1ead:ed:beef' ]

Configure an interface without an IP address:

ifupdown__interfaces:

  'eth0':
    inet: 'manual'
    options: |
      pre-up ifconfig $IFACE up
      post-down ifconfig $IFACE down

 'eth0.99':
   inet: 'manual'
   options: |
     post-up ifconfig $IFACE up
     pre-down ifconfig $IFACE down

Configure DNS nameservers and search domains with an autogenerated default interface:

ifupdown__interfaces:
  'external':
    iface: '{{ ifupdown__external_interface }}'
    inet: 'dhcp'
    dns_nameservers: [ '12.34.56.78', '12.34.56.79' ]
    dns_search: 'example.com'

Configure static bridge between two Ethernet interfaces:

ifupdown__interfaces:

  'eth0':
    inet: 'manual'
    inet6: False

  'eth1':
    inet: 'manual'
    inet6: False

  'br0':
    inet: 'static'
    address: '10.10.0.15/24'
    gateway: '10.10.0.1'
    bridge_ports: [ 'eth0', 'eth1' ]
    bridge_stp: 'on'

Create a static VLAN interface on an Ethernet interface:

ifupdown__interfaces:
  'eth0.222':
    auto: True
    inet: 'static'
    address: '10.10.10.1/24'
    vlan_raw_device: 'eth0'

Connect a bridge to a VLAN on an Ethernet interface:

ifupdown__interfaces:

  'eth0':
    auto: True
    inet: 'static'
    inet6: False
    address: '192.168.1.1/24'

  'eth0.110':
    inet: 'manual'
    vlan_device: 'eth0'

  'br0':
    auto: True
    inet: 'static'
    address: '192.168.110.1/24'
    bridge_ports: 'eth0.110'
    bridge_stp: 'on'
    bridge_maxwait: '10'

Create a bonded interface using two Ethernet interfaces and attached VLANs:

ifupdown__interfaces:

  'bond0':
    auto: True
    inet: 'manual'
    slaves: [ 'eth1', 'eth0' ]
    options: |
      up ifconfig bond0 0.0.0.0 up

  'vlan10':
    auto: True
    inet: 'static'
    address: '10.10.10.12/16'
    gateway: '10.10.0.1'
    vlan_raw_device: 'bond0'
    dns_nameservers: '10.10.0.2'
    dns_search: 'hup.hu'

  'vlan20':
    auto: True
    inet: 'static'
    address: '10.20.10.12/16'
    vlan_raw_device: 'bond0'

  'vlan30':
    auto: True
    inet: 'static'
    address: '10.30.10.12/16'
    vlan_raw_device: 'bond0'

Create advanced bonding configuration with MTU and other parameters:

ifupdown__interfaces:

  'bond0':
    auto: True
    inet: 'manual'
    bond_slaves: [ 'eth0', 'eth1' ]
    bond_mode: '4'
    bond_miimon: '100'
    bond_downdelay: '200'
    bond_updelay: '200'
    bond_lacp_rate: '1'
    bond_xmit_hash_policy: 'layer2+3'
    options: |
      up ifconfig lacptrunk0 0.0.0.0 up
      post-up ifconfig eth0 mtu 9000 && ifconfig eth1 mtu 9000 && ifconfig bond0 mtu 9000

  'vlan101':
    auto: True
    inet: 'static'
    address: '10.101.60.123/24'
    gateway: '10.155.60.1'
    vlan_device: 'bond0'

  'vlan151':
    auto: True
    inet: 'static'
    address: '192.168.1.1/24'
    vlan_device: 'bond0'

Configure multiple IP addresses on an interface using the "manual approach" method:

ifupdown__interfaces:
  'eth0':
    allow: [ 'auto', 'hotplug' ]
    addresses:
      - '192.168.1.42/24'
      - '192.168.1.43/24'
      - '192.168.1.44/24'
      - '10.10.10.14/24'
    gateway: '192.168.1.1'

Configure a 6to4 tunnel using your public, default IPv4 address (role will autogenerate most of the required configuration):

ifupdown__interfaces:
  '6to4': {}

Configure a restricted bridge network:

ifupdown__interfaces:
  'br2':
    type: 'bridge'
    inet6: 'static'
    inet: 'static'
    nat: True
    forward_interface_ferm_rule: 'outerface (br0 br2) ACCEPT'
    forward_outerface_ferm_rule_enabled: False
    addresses:
      - '2001:db8::23/64'
      - '192.0.2.23/24'

Hosts attached to the br2 bridge are allowed to talk to each other. Additionally, the hosts can initiate connections to the outside world thought br0. No connections can be initiated from the outside world to the hosts behind br2. SNAT is used for IPv4. For IPv6 it is expected that the prefix is routed to the host so that the host can forward packets to br2.

ifupdown__custom_files 

The ifupdown__*_custom_files list variables can be used to place custom scripts or other configuration files on the remote hosts needed for network configuration (for example mapping scripts). Each list element is a YAML dictionary with specific parameters:

dest or path: Required. Absolute path to the destination file on remote host.
src: Optional. Path to the source file on the Ansible Controller which will be copied to the remote host. Shouldn't be used with the content parameter.
content: Optional. An YAML text block with the file contents which should be put in the specified destination file on the remote host. Shouldn't be used with the src parameter.
owner: Optional. Specify the UNIX user account which will be an owner of the file. If not specified, root will be the owner.
group: Optional. Specify the UNIX group which will be the primary group of the file. If not specified, root will be the primary group.
mode: Optional. Specify the file mode which should be set for a given file. If not specified, 0644 mode will be set.
force: Optional, boolean. If not specified or True, the role will ensure that the file contents are up to date on each run. If False, existing files won't be changed if they are different.

Examples

Create an interface mapping script:

ifupdown__custom_files:
  - dest: '/usr/local/lib/ifupdown-map-wlan.sh'
    owner: 'root'
    group: 'root'
    mode: '0755'
    content: |
      #!/bin/sh
      # Script contents ...
      exit 0