
firejail: changing Ethernet network adapter name is breaking Firefox profile


piorunz

Jan 17, 2022, 5:50:06 PM
Hello,

I run Firefox via firejail. I let Firefox use only one network adapter,
because that cuts off Firefox from my LAN. I run several profiles of
Firefox on my machine. Only one of them has access to LAN for security
reasons.

This is my example shortcut in KDE menu:
firejail --net=enp5s0 --netfilter=/etc/firejail/nolocal.net firefox -P
default-esr

Problem is, every now and then, Ethernet adapter name changes, from
enp5s0 to enp6s0 for example. Shortcut stops working! I have to manually
edit all shortcuts, and change enp5s0 to enp6s0 in each one.

How to fix this?


--
With kindest regards, Piotr.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄⠀⠀⠀⠀

Darac Marjal

Jan 17, 2022, 6:00:08 PM

On 17/01/2022 22:43, piorunz wrote:
> Hello,
>
> I run Firefox via firejail. I let Firefox use only one network adapter,
> because that cuts off Firefox from my LAN. I run several profiles of
> Firefox on my machine. Only one of them has access to LAN for security
> reasons.
>
> This is my example shortcut in KDE menu:
> firejail --net=enp5s0 --netfilter=/etc/firejail/nolocal.net firefox -P
> default-esr
>
> Problem is, every now and then, Ethernet adapter name changes, from
> enp5s0 to enp6s0 for example. Shortcut stops working! I have to manually
> edit all shortcuts, and change enp5s0 to enp6s0 in each one.

If you have multiple Network Adapters, connected to different networks,
why not give them more sensible names?

Using
https://wiki.debian.org/NetworkInterfaceNames#CUSTOM_SCHEMES_USING_.LINK_FILES
you can assign names such as "lan", "wan", "internal", "wifi" etc.  That
way, you just need to do "firejail --net=wan
--netfilter=/etc/firejail/nolocal.net firefox -P default-esr".

piorunz

Jan 17, 2022, 8:30:05 PM
On 17/01/2022 22:50, Darac Marjal wrote:

> If you have multiple Network Adapters, connected to different networks,
> why not give them more sensible names?
>
> Using
> https://wiki.debian.org/NetworkInterfaceNames#CUSTOM_SCHEMES_USING_.LINK_FILES
> you can assign names such as "lan", "wan", "internal", "wifi" etc.  That
> way, you just need to do "firejail --net=wan
> --netfilter=/etc/firejail/nolocal.net firefox -P default-esr".

Amazing, that worked! Thanks!

Andrei POPESCU

Jan 22, 2022, 2:30:05 AM
On Lu, 17 ian 22, 22:43:49, piorunz wrote:
>
> Problem is, every now and then, Ethernet adapter name changes, from
> enp5s0 to enp6s0 for example.

Those names are supposed to be stable.

Are you doing any changes to the hardware when that happens?


Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser

lou

Jan 22, 2022, 2:50:33 AM
I've installed bullseye on a USB disk.

Can I copy it to the hard disk (sda2), make the necessary changes in
/etc/fstab, and

then update grub on the USB disk to boot sda2?

Thanks!

Andrei POPESCU

Jan 22, 2022, 3:30:07 AM
Something like that should be possible, yes.

For more visibility you might want to re-send your question in a new
mail to this list instead of a reply with changed Subject.

https://www.urbandictionary.com/define.php?term=Thread%20Hijacking

(yes, your e-mail shows up as "attached" to the original thread, see
https://lists.debian.org/debian-user/2022/01/thrd2.html)

To provide useful hints you should provide exact details about the USB
disk and the hard disk you want to move the installation to (ideally
output of 'fdisk -l'), as well as the computer(s) involved, in
particular whether they are booting via BIOS or UEFI, what other
operating systems are installed (if any) and what other disk drives are
installed (if any).

David

Jan 22, 2022, 3:30:12 AM
Hi, in general this kind of thing is quite possible, and I would
encourage you to try, and you will learn by doing that.

However, there are a few potential problems that you need to
be careful to avoid.

First, it's best to try this first on a secondary system that you do
not rely on for any other important tasks. That way you can
experiment without fear of making mistakes.

Related, the most important consideration for me would be that,
if the usb disk is providing the root file system for a currently
running operating system, then I would not attempt to copy
that file system to another drive.

Because that file system is being used for many things during
the copy, and therefore it might be changing during the copy
process, and so the copy process might not capture all of the
changes. If that occurs, then the copy will differ from the original
and might not work correctly.

I would only ever copy any drive when it is not in use, to
be sure that the copy is an exact replica of the original, and
that the original did not change during the copy process.
In the case of your question, that means at least 2 systems
must be available, one to be copied and another one to do
the copying.

Another thing to consider is that the copy process must
preserve any special attributes of the filesystem, which are likely
to be essential to correct functioning of a root file system.
So to achieve that might require the copy to be done using
a special method.

Many years ago when I first tried this kind of thing, I used
to make all my root filesystem partitions have exactly the
same byte count so that I could use 'dd' to guarantee a
bit identical copy.

But that is fiddly and inconvenient. For many years I have
used
'rsync -haxv -HAXS -W --delete ...'
and I have not had any problems that I have noticed,
although it is complicated, see for example:
https://unix.stackexchange.com/questions/118840/preserving-extended-attributes-with-cp-rsync
and I have no expectation that such an 'rsync' command
will copy any attributes set using 'chattr'.

to...@tuxteam.de

Jan 22, 2022, 4:10:06 AM
On Sat, Jan 22, 2022 at 08:28:34AM +0100, Andrei POPESCU wrote:
> On Lu, 17 ian 22, 22:43:49, piorunz wrote:
> >
> > Problem is, every now and then, Ethernet adapter name changes, from
> > enp5s0 to enp6s0 for example.
>
> Those names are supposed to be stable.

Hahaha :)

Actually, they're supposed to be /predictable/.

Now assume the following situation: you've got just one USB port (Apple,
I'm looking at you). Your Ethernet adapter is a dongle hanging off it.
You now realize you need some USB storage to do your backups (you make
backups, don't you?). You go to the shop, buy a USB hub, stick it into
your port, and stick your Ethernet adapter into it, so now you have some
more free USB thingies.

*Poof*, your Ethernet device name changes, since, by default [1] it's
named after the path in the USB device tree leading to your device.
Don't forget to stick your Ethernet dongle into the same port
afterwards. Else... *poof*.

So... predictable, yes. Stable... is in the eye of the beholder.

Me? I've decided that the whole schema is far too Rube Goldbergesque for
my needs. I have "net.ifnames=0" in my Linux boot commandline (via
/etc/default/grub) and made sure nothing messes with things after boot.

The day this humble laptop has more than one Ethernet (or wlan) adapter,
I'll cope with it.

Cheers

[1] https://www.man7.org/linux/man-pages/man7/systemd.net-naming-scheme.7.html#NAMING
(search for "Table 2" there: gah, why don't people provide anchors

--
t

lou

Jan 22, 2022, 5:00:06 AM
Thanks, Andrei and David!

I've tried, it doesn't work, I give up.

If installing by copy is complicated, I won't do it that way.

Instead, I'll just install as usual.

piorunz

Jan 22, 2022, 6:40:06 AM
On 22/01/2022 07:28, Andrei POPESCU wrote:
> On Lu, 17 ian 22, 22:43:49, piorunz wrote:
>>
>> Problem is, every now and then, Ethernet adapter name changes, from
>> enp5s0 to enp6s0 for example.
>
> Those names are supposed to be stable.
>
> Are you doing any changes to the hardware when that happens?
>
>
> Kind regards,
> Andrei

No, I just reboot or turn off & on again my computer.

piorunz

Jan 22, 2022, 6:40:07 AM
On 22/01/2022 09:00, to...@tuxteam.de wrote:
> Hahaha :)
>
> Actually, they're supposed to be /predictable/.
>
> Now assume the following situation: you've got just one USB port (Apple,
> I'm looking at you). Your Ethernet adapter is a dongle hanging off it.
> You now realize you need some USB storage to do your backups (you make
> backups, don't you?). You go to the shop, buy a USB hub, stick it into
> your port, and stick your Ethernet adapter into it, so now you have some
> more free USB thingies.

*Nothing* like this happens in my case. I just turn off & on again my
computer.

This is my ethernet card:
06:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd.
RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 15)

It's built in to my ASUS motherboard.

Stanislav Vlasov

Jan 22, 2022, 7:00:05 AM
Yes, I do this:
1) make necessary partitions and fs and mount them -- man parted,
man mkfs, maybe man pvcreate, man vgcreate, man lvcreate, man mount
2) copy files with xattrs, selabels, capabilities to new place (/boot
to new boot partition, / to new root partition, etc) -- man cp or man
rsync
3) change fstab on new system -- man vi or man nano
4) mount / and after that /boot (if exists) into /mnt and /mnt/boot respectively
5) mount --bind /dev /mnt/dev; mount --bind /sys /mnt/sys; mount
--bind /proc /mnt/proc
6) grub-install /dev/disk # /dev/disk is a device with new /boot part
7) umount all from /mnt

About 15 years ago similar process was used to deploy several hundreds
of new workstations from prepared tar of master image - simply boot
from livecd and unpack system to prepared mountpoint.

If you ask such questions - get some practice on virtual machine
before install on real computer.

--
Stanislav

Cindy Sue Causey

Jan 22, 2022, 7:10:05 AM
There's also "update-initramfs -u" that can be run in between
/etc/fstab and one's boot manager (LILO, GRUB, etc). That's when my
best successes grab hold.

That may be false hope on my part, but I've always figured it poked
around and verified that everything matched up properly for booting.
With any luck, it might warn about something that's missing if one
keeps encountering an unbootable system....

Or not.... :)

Cindy :)
--
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA
* runs with birdseed *

David Wright

Jan 22, 2022, 11:00:05 AM
On Sat 22 Jan 2022 at 11:32:17 (+0000), piorunz wrote:
> On 22/01/2022 07:28, Andrei POPESCU wrote:
> > On Lu, 17 ian 22, 22:43:49, piorunz wrote:
> > >
> > > Problem is, every now and then, Ethernet adapter name changes, from
> > > enp5s0 to enp6s0 for example.
> >
> > Those names are supposed to be stable.
> >
> > Are you doing any changes to the hardware when that happens?
>
> No, I just reboot or turn off & on again my computer.

Presumably that has to be caused by the hardware or the firmware,
which sounds decidedly flaky, and something the OS can do nothing
about, except work around it.

As for that, I would have thought that's pretty easy: you just set
an environment variable with the name of the interface in it, and use
firejail --net="$Mywiredifname" …

All my systems define that very variable, not because I have issues
with the OS's choice, but so that I can use the same script to scp
through the IPv6 link address to whatever machine is on the other
end of the wire (yes, I know, it's a cheat).

Cheers,
David.

David Wright

Jan 22, 2022, 11:00:06 AM
On Sat 22 Jan 2022 at 10:00:34 (+0100), to...@tuxteam.de wrote:
> On Sat, Jan 22, 2022 at 08:28:34AM +0100, Andrei POPESCU wrote:
> > On Lu, 17 ian 22, 22:43:49, piorunz wrote:
> > >
> > > Problem is, every now and then, Ethernet adapter name changes, from
> > > enp5s0 to enp6s0 for example.
> >
> > Those names are supposed to be stable.
>
> Hahaha :)
>
> Actually, they're supposed to be /predictable/.
>
> Now assume the following situation: you've got just one USB port (Apple,
> I'm looking at you). Your Ethernet adapter is a dongle hanging off it.
> You now realize you need some USB storage to do your backups (you make
> backups, don't you?). You go to the shop, buy a USB hub, stick it into
> your port, and stick your Ethernet adapter into it, so now you have some
> more free USB thingies.
>
> *Poof*, your Ethernet device name changes, since, by default [1] it's
> named after the path in the USB device tree leading to your device.
> Don't forget to stick your Ethernet dongle into the same port
> afterwards. Else... *poof*.
>
> So... predictable, yes. Stable... is in the eye of the beholder.

> [1] https://www.man7.org/linux/man-pages/man7/systemd.net-naming-scheme.7.html#NAMING
> (search for "Table 2" there: gah, why don't people provide anchors

That doesn't tally with my experience. Two paragraphs before Table 2 is:

ID_NET_NAME_MAC=prefixxAABBCCDDEEFF
This name consists of the prefix, letter x, and 12
hexadecimal digits of the MAC address. It is available if the
device has a fixed MAC address. Because this name is based on
an attribute of the card itself, it remains "stable" when the
device is moved (even between machines), but will change when
the hardware is replaced.

which describes what I observe here.

> Me? I've decided that the whole schema is far too Rube Goldbergesque for
> my needs. I have "net.ifnames=0" in my Linux boot commandline (via
> /etc/default/grub) and made sure nothing messes with things after boot.
>
> The day this humble laptop has more than one Ethernet (or wlan) adapter,
> I'll cope with it.

It's not as if you're given no choice in the matter.

Cheers,
David.

to...@tuxteam.de

Jan 22, 2022, 11:30:06 AM
On Sat, Jan 22, 2022 at 09:53:00AM -0600, David Wright wrote:

[...]

> That doesn't tally with my experience. Two paragraphs before Table 2 is:
>
> ID_NET_NAME_MAC=prefixxAABBCCDDEEFF

[...]

> which describes what I observe here.

MAC is definitely a better choice in this (USB) context. Although, I could
come up with some funny "war stories" on that, too :-)

> > Me? I've decided that the whole schema is far too Rube Goldbergesque [...]

> It's not as if you're given no choice in the matter.

Luckily, luckily :-)

Cheers
--
t

Greg Wooledge

Jan 22, 2022, 11:50:06 AM
On Sat, Jan 22, 2022 at 10:00:34AM +0100, to...@tuxteam.de wrote:
> On Sat, Jan 22, 2022 at 08:28:34AM +0100, Andrei POPESCU wrote:
> > On Lu, 17 ian 22, 22:43:49, piorunz wrote:
> > >
> > > Problem is, every now and then, Ethernet adapter name changes, from
> > > enp5s0 to enp6s0 for example.
> >
> > Those names are supposed to be stable.
>
> Hahaha :)
>
> Actually, they're supposed to be /predictable/.

In reality, they are neither. What piorunz is reporting is not uncommon.
Any change to the system hardware, or even to the motherboard's firmware,
can cause PCI devices to be renumbered. This causes "predictable"
network interface names to change, unpredictably.

Some people work around this by reverting to the old "eth0" style names,
and for machines with exactly one ethernet interface, this works well.

For machines with more than one ethernet interface, of course, it doesn't.
On such machines, the best course of action seems to be setting up
systemd.link(5) files to give your interfaces whatever names you want
them to have, based on their MAC addresses. (In essence, replicating
what udev used to do by default, but which was deprecated in buster.)
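
[Added example, not part of any poster's message.] The two workarounds
discussed in this thread, sketched as shell functions: a systemd.link(5) file
keyed on the card's MAC address, and looking the interface name up at launch
time instead of hard-coding it. The MAC address, the file name 10-wan.link and
the function names are assumptions; the name "wan" and the firejail command
line are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. The MAC addresses in the usage lines
# are constructed samples and 10-wan.link is a hypothetical file name.

# Print MAC ($1) as lower-case, colon-separated hex; fail if it is not a MAC.
normalize_mac() {
    m=$(printf '%s' "$1" | tr 'A-F-' 'a-f:')
    h='[0-9a-f][0-9a-f]'
    case "$m" in
        $h:$h:$h:$h:$h:$h) printf '%s\n' "$m" ;;
        *) return 1 ;;
    esac
}

# Print a systemd.link(5) file that gives the card with MAC $1 the name $2.
# Kernel interface names are at most 15 bytes; only a conservative character
# set is accepted so the name is safe to reuse in firejail --net=NAME.
link_file() {
    mac=$(normalize_mac "$1") || return 1
    case "$2" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#2}" -le 15 ] || return 1
    printf '[Match]\nMACAddress=%s\n\n[Link]\nName=%s\n' "$mac" "$2"
}

# Print the current kernel name of the interface whose MAC is $1, read from a
# sysfs-style tree ($2, default /sys/class/net). Fails when nothing matches
# (status 1) or when several interfaces share the MAC (status 2).
ifname_by_mac() {
    mac=$(normalize_mac "$1") || return 1
    root=${2:-/sys/class/net}
    found=''
    for f in "$root"/*/address; do
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = "$mac" ] || continue
        [ -z "$found" ] || return 2
        found=$(basename "$(dirname "$f")")
    done
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Start the sandboxed profile from the thread on that interface. If the lookup
# fails, nothing is started: the browser never runs outside the restriction.
run_jailed_firefox() {
    ifname=$(ifname_by_mac "$1" "$2") || {
        echo "no unique interface for MAC $1; not starting firefox" >&2
        return 1
    }
    firejail --net="$ifname" --netfilter=/etc/firejail/nolocal.net \
        firefox -P default-esr
}

# Usage (first line as root; udev applies .link files when the device
# appears, so reboot afterwards):
#   link_file 00:11:22:33:44:55 wan > /etc/systemd/network/10-wan.link
#   run_jailed_firefox 00:11:22:33:44:55
```

With the .link file in place the shortcut can use --net=wan directly; the
lookup function is the alternative for machines where renaming is not wanted.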

David Christensen

Jan 22, 2022, 12:50:06 PM
I have a SOHO network with about a dozen IoT, iOS, Android, Windows,
macOS, Debian GNU/ Linux, and FreeBSD machines.


Copying/ imaging/ cloning Debian (and FreeBSD) operating system
instances from one device to another is possible. There are multiple
choices.


A simple case is to image the entire device. Boot the Debian Installer
(d-i) (or a live Linux distribution) and use dd(1) to copy the entire
USB drive to the entire HDD:

# dd bs=1M if=/dev/disk/by-id/usb-... of=/dev/disk/by-id/ata-...


When done, shut down the computer, disconnect the USB drive, boot the
computer, enter the CMOS setup utility, adjust the settings, save the
settings, exit Setup, and boot the HDD.


Of course, the number of sectors on the target device must be equal to
or larger than the number of allocated sectors on the source device.
And, if the device uses GPT partitioning, you must deal with the backup
partition table at the end.


Also note that if the USB disk was partitioned with the MBR scheme, the
d-i may have written an entry to /etc/crypttab or /etc/fstab for swap
that uses a /dev/sd?? partition node. (Boot and/or root should be based
upon UUID). Using /dev/sd* nodes is brittle and can break if you add,
remove, or rearrange drives. My fix is to replace the swap partition
/dev/sd?? value with a /dev/disk/by-partuuid/... value.


While doing the work by hand from a d-i rescue console or a live Linux
distribution terminal is possible, it is error prone. I have written
scripts to automate most of the steps. Alternatively, there are
purpose-built tools for cloning drives. Clonezilla is one FOSS example:

https://clonezilla.org/


David

Andrei POPESCU

Jan 22, 2022, 5:50:05 PM
On Sb, 22 ian 22, 09:40:39, David Christensen wrote:
>
> A simple case is to image the entire device. Boot the Debian Installer
> (d-i) (or a live Linux distribution) and use dd(1) to copy the entire USB
> drive to the entire HDD:
>
> # dd bs=1M if=/dev/disk/by-id/usb-... of=/dev/disk/by-id/ata-...
>
>
> When done, shut down the computer, disconnect the USB drive, boot the
> computer, enter the CMOS setup utility, adjust the settings, save the
> settings, exit Setup, and boot the HDD.
>
>
> Of course, the number of sectors on the target device must be equal to or
> larger than the number of allocated sectors on the source device. And, if
> the device uses GPT partitioning, you must deal with the backup partition
> table at the end.

It seems one can avoid such issues simply by cloning only the file
system instead.

At least e2image (with the -a switch) seems to be able to do that, other
file systems might have their own tools for that.

Andrei POPESCU

Jan 22, 2022, 6:00:08 PM
On Sb, 22 ian 22, 09:52:45, David Wright wrote:
> On Sat 22 Jan 2022 at 11:32:17 (+0000), piorunz wrote:
> > On 22/01/2022 07:28, Andrei POPESCU wrote:
> > > On Lu, 17 ian 22, 22:43:49, piorunz wrote:
> > > >
> > > > Problem is, every now and then, Ethernet adapter name changes, from
> > > > enp5s0 to enp6s0 for example.
> > >
> > > Those names are supposed to be stable.
> > >
> > > Are you doing any changes to the hardware when that happens?
> >
> > No, I just reboot or turn off & on again my computer.
>
> Presumably that has to be caused by the hardware or the firmware,
> which sounds decidedly flaky, and something the OS can do nothing
> about, except work around it.

A BIOS / UEFI Firmware update might fix it.

Andrei POPESCU

Jan 22, 2022, 6:00:09 PM
On Sb, 22 ian 22, 10:00:34, to...@tuxteam.de wrote:
>
> *Poof*, your Ethernet device name changes, since, by default [1] it's
> named after the path in the USB device tree leading to your device.
> Don't forget to stick your Ethernet dongle into the same port
> afterwards. Else... *poof*.

I thought USB dongles are supposed to be using the MAC based naming
scheme by default.

Tixy

Jan 23, 2022, 2:10:05 AM
On Sat, 2022-01-22 at 23:53 +0100, Andrei POPESCU wrote:
> On Sb, 22 ian 22, 10:00:34, to...@tuxteam.de wrote:
> >
> > *Poof*, your Ethernet device name changes, since, by default [1] it's
> > named after the path in the USB device tree leading to your device.
> > Don't forget to stick your Ethernet dongle into the same port
> > afterwards. Else... *poof*.
>
> I thought USB dongles are supposed to be using the MAC based naming
> scheme by default.

Out of curiosity, just in draw for a USB ether dongle, it looks like
the serial number is used...

[ 281.313111] usb 2-9: Manufacturer: Realtek
[ 281.313115] usb 2-9: SerialNumber: 0023563C4747
[ 281.350604] usbcore: registered new interface driver r8152
[ 281.362262] usbcore: registered new interface driver cdc_ether
[...]
[ 281.533462] r8152 2-9:1.0 eth0: v1.11.11
[ 281.550872] r8152 2-9:1.0 enx0023563c4747: renamed from eth0

--
Tixy