Red Hat Enterprise Linux 7 and CentOS 7 provide their default network service through NetworkManager, a daemon that dynamically controls and configures the network. It keeps the current network devices and connections in a working state and also supports the traditional ifcfg-style configuration files.

NetworkManager can handle the following connection types: Ethernet, VLANs, bridges, bonds, teams, Wi-Fi, mobile broadband (such as mobile 3G) and IP-over-InfiniBand. For these network types NetworkManager can configure interface aliases, IP addresses, static routes, DNS, VPN connections and many other special-purpose parameters.

NetworkManager is controlled from the command line with nmcli, the network management command-line tool on CentOS / RHEL 7. Users who habitually reach for ifconfig should stop doing so on CentOS 7; nmcli is considerably more powerful, and correspondingly more complex.

network-manager (which includes the nmcli and nm-tool utilities) is smarter and more convenient than driving wpa_supplicant directly. Its configuration lives in /etc/NetworkManager/NetworkManager.conf; if a particular interface should not be managed by network-manager, that can be specified in this file.

Installation

sudo apt-get install network-manager

Usage

Command syntax:

nmcli [ OPTIONS ] OBJECT { COMMAND | help }

OBJECT and COMMAND can be given in full or abbreviated, down to a single letter; using the first three letters is recommended. The OBJECTs used most in daily work are connection and device, and the two need to be distinguished briefly.

A device is a network interface, i.e. the physical device:

device - show and manage network interfaces
nmcli device help

A connection is a connection profile, i.e. the logical configuration:

connection - start, stop, and manage network connections
nmcli connection help

Connections

1. Show all connections, including inactive ones

nmcli con show

2. Show only active connections

nmcli con show --active

3. Show the configuration of one connection

nmcli con show "System eth0"

4. Show device status

nmcli dev status

5. Show the properties of a network interface

nmcli dev show eno16777736

6. Create a new connection named default whose IP is obtained automatically via DHCP

nmcli con add con-name default type Ethernet ifname eth0

7. Delete the connection

nmcli con del default

8. Create a new connection named static with a fixed IP that does not connect automatically

nmcli con add con-name static ifname eth0 autoconnect no type Ethernet ip4 172.25.X.10/24 gw4 172.25.X.254

con add - add a new connection
con-name - connection name
type - device type
ifname - interface name
autoconnect no - do not bring the connection up automatically at boot
When the command completes, a configuration file is generated under /etc/sysconfig/network-scripts/, but the interface has not been bound to it, so the configuration is not yet in effect.

9. Activate the static connection profile

nmcli con up static

10. Activate the default connection profile

nmcli con up default

11. Delete a connection profile

nmcli con delete home

12. Modify connection settings

nmcli con mod "static" connection.autoconnect no
nmcli con mod "static" ipv4.dns 172.25.X.254
nmcli con mod "static" +ipv4.dns 8.8.8.8
nmcli con mod "static" -ipv4.dns 8.8.8.8
nmcli con mod "static" ipv4.addresses "172.25.X.10/24 172.25.X.254"
nmcli con mod "static" +ipv4.addresses 10.10.10.10/16

+ : append a further value to the property
- : remove a value from the property
no + or - : replace the property's value

Device configuration is stored in text files:

/etc/sysconfig/network-scripts/ifcfg-<name>

The help document lists the complete set of options:

/usr/share/doc/initscripts-*/sysconfig.txt

13. After modifying a connection profile, reload the configuration

nmcli con reload
nmcli con down "system eth0"    # the connection can still be auto-activated again
nmcli con up "system eth0"
nmcli dev dis eth0              # disconnects the interface and prevents it from being auto-activated

Wi-Fi

1. Get Wi-Fi status

nmcli radio wifi

2. Turn Wi-Fi on or off

nmcli radio wifi <on|off>

3. List available access points (APs) to connect to

nmcli device wifi list

4. Refresh the previous list

nmcli device wifi rescan

5. Create a new connection to an open AP

nmcli device wifi connect <SSID|BSSID>

6. Create a new connection to a password-protected AP

nmcli device wifi connect <SSID|BSSID> password <password>

7. Create a WPA2 Enterprise connection

nmcli connection add \
type wifi con-name "MySSID" ifname wlp3s0 ssid "MySSID" -- \
wifi-sec.key-mgmt wpa-eap 802-1x.eap tls 802-1x.identity "USERNAME" \
802-1x.ca-cert ~/ca.pem 802-1x.client-cert ~/cert.pem \
802-1x.private-key-password "..." 802-1x.private-key ~/key.pem

Substitute your own Wi-Fi device name for wlp3s0, and so forth.
It will then be listed under nmcli connection, and can be brought up using nmcli connection up MySSID.

8. Authenticating with a username and password
If you use username/password authentication (likely via RADIUS), the command below adds such a connection (use the correct 802-1x.eap option for your network; the ttls example below does not require a certificate to be defined). Then use --ask the first time you connect, to save the password into the connection file.

nmcli connection add \
type wifi con-name "MySSID" ifname wlp3s0 ssid "MySSID" -- \
wifi-sec.key-mgmt wpa-eap 802-1x.eap ttls \
802-1x.phase2-auth mschapv2 802-1x.identity "USERNAME"

If using the username/password option, add --ask after nmcli the first time you bring the connection up, so that the password is saved without leaving it in your command history. Otherwise nmcli gives an error message saying as much when you try to bring it up. With --ask you will probably be prompted about additional wireless settings; answer no unless you need a static IP, in which case answer yes for that option and enter the correct information. Afterwards you should not need --ask again unless your password changes.

or:

# nmcli con edit CONNECTION_NAME
nmcli> set ipv4.method auto
nmcli> set 802-1x.eap peap
nmcli> set 802-1x.identity USERNAME
nmcli> set 802-1x.phase2-auth mschapv2
nmcli> save
nmcli> quit

Then edit /etc/NetworkManager/system-connections/CONNECTION_NAME (with vim, for example) so that it holds your password:

[connection]
id=CONNECTION_NAME

[802-1x]
password=YOUR_8021X_PASSWORD

Restart NetworkManager to pick up the changes:

systemctl restart NetworkManager

You may need to bring the interface down and up to test the new changes:

nmcli con down CONNECTION_NAME
nmcli con up CONNECTION_NAME
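
Two things in the preceding steps deserve a check once the connection works. The keyfile now holds a credential in clear text, and NetworkManager's keyfile plugin expects such files to be owned by root with mode 0600. The ttls/peap profiles above were added without 802-1x.ca-cert, and without a CA certificate the supplicant has no way to verify that the RADIUS server it is talking to is the real one. The audit below is an added example written for this page (not the post's or NetworkManager's own code): it reads a keyfile with a small awk-based INI lookup, flags group/other permission bits and flags an [802-1x] section that sets eap without ca-cert. It assumes a POSIX shell with ls, awk and mktemp; the keyfile it creates is a constructed sample that copies the layout shown above.

```shell
#!/bin/sh
# Added example, not from the original post: audit a NetworkManager keyfile
# (e.g. /etc/NetworkManager/system-connections/CONNECTION_NAME) after an
# 802.1X password has been written into it. Assumes a POSIX shell with ls,
# awk and mktemp; the sample keyfile is constructed, not a real connection.

# keyfile_get FILE SECTION KEY -> prints the value of KEY in [SECTION], empty if absent
keyfile_get() {
    awk -v sect="$2" -v key="$3" '
        /^\[.*\]$/ { in_sect = ($0 == "[" sect "]"); next }
        in_sect && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$1"
}

# keyfile_mode_ok FILE -> status 0 when group and other have no permission bits
# (columns 5-10 of "ls -ld" are the group and other rwx fields). Ownership by
# root is the other requirement from the keyfile manual; it is not checked here
# so the sample can run unprivileged.
keyfile_mode_ok() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# keyfile_8021x_ok FILE -> status 0 when no EAP method is configured, or a CA
# certificate is set so the RADIUS server certificate will be verified
keyfile_8021x_ok() {
    eap=$(keyfile_get "$1" 802-1x eap)
    [ -z "$eap" ] && return 0
    [ -n "$(keyfile_get "$1" 802-1x ca-cert)" ]
}

# audit_keyfile FILE -> prints each finding; status 0 only when both checks pass
audit_keyfile() {
    rc=0
    keyfile_mode_ok "$1" || { echo "$1: readable by group/other (expected mode 0600)"; rc=1; }
    keyfile_8021x_ok "$1" || { echo "$1: 802-1x.eap set without ca-cert, server certificate not verified"; rc=1; }
    return $rc
}

# Constructed sample (not a real connection): the layout from the "edit the
# keyfile to hold your password" step, with the TTLS profile and no ca-cert.
# The loose mode is deliberate so the audit has something to report.
make_sample_keyfile() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[connection]
id=CONNECTION_NAME
type=wifi

[802-1x]
eap=ttls;
identity=USERNAME
phase2-auth=mschapv2
password=YOUR_8021X_PASSWORD
EOF
    chmod 644 "$f"
    echo "$f"
}

# Usage: sh audit-keyfile.sh /etc/NetworkManager/system-connections/*
if [ $# -gt 0 ]; then
    rc=0
    for f in "$@"; do audit_keyfile "$f" || rc=1; done
    exit $rc
fi
```

Run it over /etc/NetworkManager/system-connections/ as root and it exits non-zero with one line per finding. Fixing the second finding means adding 802-1x.ca-cert (with the CA that issued the RADIUS server's certificate) to the profile, either at `nmcli connection add` time as in step 7 or with `set 802-1x.ca-cert` inside `nmcli con edit`.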

9. Exploring nmcli on your own
In general, the space of possible nmcli settings can be explored by adding the words asdf.asdf asdf to the end of the command line, which produces an error message listing the words that can replace the first asdf. Choose one, and the next error message lists the possible sub-settings for the second asdf. Choose one of those, and you will see the possible values:

$ nmcli connection add ... asdf.asdf asdf
Error: invalid or not allowed setting 'asdf': 'asdf' not among [connection, 802-11-wireless (wifi), 802-11-wireless-security (wifi-sec), 802-1x, ipv4, ipv6].
$ nmcli connection add ... wifi-sec.asdf asdf
Error: invalid property 'asdf': 'asdf' not among [key-mgmt, wep-tx-keyidx, auth-alg, proto, pairwise, group, leap-username, wep-key0, wep-key1, wep-key2, wep-key3, wep-key-flags, wep-key-type, psk, psk-flags, leap-password, leap-password-flags].
$ nmcli connection add ... wifi-sec.proto asdf
Error: failed to modify wifi-sec.proto: 'asdf' not among [wpa, rsn].

By iterating through all of the sub-settings, I was able to piece together the successful command line shown above. The one surprise was that the password must precede the private key path — if you put the password later, it has no effect!