Child pages
  • Using NWAM to configure network interfaces
Skip to end of metadata
Go to start of metadata


Network Auto-Magic (NWAM) is a new approach to managing network interfaces that was introduced with OpenSolaris. NWAM introduced network profiles to be able to change network settings on the fly and also a harmonized approach to service discovery (MDNS) configuration. One important reason to redesign networking was the increasing importance of wireless networking and the need to cope with its dynamic nature.

NWAM generally feels unfamiliar to long time users and thus is one of the features of OI generally underestimated and disabled as quickly as possible. On the other hand configuring network settings becomes quite easy using its main tools nwamcfg and nwamadm as this topic shows


Generally, all configuration can be done using two tools, nwamcfg to configure network profiles and nwamadm to manage network profiles. On its backend, NWAM relies on nwamd, the NWAM policy engine daemon and netcfgd, its NWAM repository daemon. Additionally, all configuration can be done via a GUI application.

NWAM access control

Todo: Describe how profiles can be used to control access to NWAM.

Access to the command line and GUI tools is controlled via security profiles "Network Autoconf Admin" and "Network Autoconf user", respectively. All NWAM profile handling can be done as root, though.

Setting up a profile

First step usually is to create a new profile to populate. As root user, issue the following command:

# nwamcfg
nwamcfg> create ncp Abroad
nwamcfg:ncp:Abroad> exit

Now, next time you start nwamcfg, you will see a new profile in the list of NCPs:

# nwamcfg
nwamcfg> list
Based on this, the network interface to be managed under the new profile can be set and configured:
# nwamcfg
nwamcfg> select ncp Abroad
create ncu phys e1000g0
Created ncu 'e1000g0'. Walking properties ...
activation-mode (manual) [manual|prioritized]>
enabled (true) [true|false]> 
priority-group> 0
priority-mode [exclusive|shared|all]> exclusive
Most important here is the activation-mode, which states if the profile is to be automatically set based on certain policies or if it is to be manually set using nwamadm. The latter should be most likely the case in a server environment. For the priority-group and -mode, the settings here (0 / exclusive) say that the profile is for wired access and will always be the only active one at a time.

If after listing the changes you are satisfied with the configuration, permanently store them using a commit:

nwamcfg:ncp:Abroad:ncu:e1000g0> list
type link
class phys
parent "Abroad"
activation-mode prioritized
enabled true
priority-group 0
priority-mode exclusive
nwamcfg:ncp:Abroad:ncu:e1000g0> commit
Committed changes

Now that an interface has been assigned to the profile, its IP configuration has to be defined:

nwamcfg:ncp:Abroad:ncu:e1000g0> end
nwamcfg:ncp:Abroad> create ncu ip e1000g0
Created ncu 'e1000g0'. Walking properties ...
enabled (true) [true|false]>
ip-version (ipv4,ipv6) [ipv4|ipv6]> ipv4
ipv4-addrsrc (dhcp) [dhcp|static]> static
nwamcfg:ncp:Abroad:ncu:e1000g0> list
type interface
class ip
parent "Abroad"
enabled true
ip-version ipv4
ipv4-addrsrc static
ipv4-addr ""
ipv4-default-route ""
ipv6-addrsrc dhcp,autoconf

As you can see, the profile features a static IP address and, for simplicity reasons, only provides IPv4 networking. Again, if you're happy with the results, commit them.

nwamcfg:ncp:Abroad:ncu:e1000g0> commit
Committed changes

As it stands, you now have defined a pysical and ip layer attached to a network profile:

nwamcfg:ncp:Abroad:ncu:e1000g0> end
nwamcfg:ncp:Abroad> list
phys e1000g0
ip e1000g0

Activating a profile

To activate the profile, you use nwamadm. First of all, check for the current situation:

# nwamadm list
ncp Abroad disabled
ncp Automatic online
ncu:phys e1000g0 online
ncu:ip e1000g0 online
loc Automatic online
loc NoNet offline
loc User disabled

As you can see, Automatic is the active profile while Abroad is currently disabled. We can change that easily, but be aware that you might lock yourself out if you are connected via SSH when changing the profile!

# nwamadm enable Abroad
Enabling ncp 'Abroad'

To check if the change has worked, you can use nwam again, and also ifconfig should show success:

# nwamadm list
ncp Abroad online
ncu:phys e1000g0 online
ncu:ip e1000g0 online
ncp Automatic disabled
loc Automatic online
loc NoNet offline
loc User disabled

# ifconfig e1000g0
e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 8
inet netmask ffffff00 broadcast
ether 0:c:29:56:46:73


Although it is possible to directly modify profiles using an editor, it is not advisable and will be hardly necessary, anyway. One of the coolest features of NWAM tools is that they can be completely scripted. All steps above could also be put into two lines only:

# nwamcfg "create ncp Abroad;create ncu phys e1000g0;set activation-mode=manual;set enabled=true;set priority-group=0;set priority-mode=exclusive;end;create ncu ip e1000g0;set enabled=true;set ip-version=ipv4;set ipv4-addrsrc=static;set ipv4-addr=;set ipv4-default-route=;commit"

Or, more nicely formatted, commented and stored in a file:

# Profile for use on the road
# Created on 13/01/2013 by S. Mueller-Wilken
create ncp Abroad
# Create physical interface definition for 1st network card
create ncu phys e1000g0
set activation-mode=manual
set enabled=true
set priority-group=0
set priority-mode=exclusive
# Create IP configuration for first network card
create ncu ip e1000g0
set enabled=true
set ip-version=ipv4
set ipv4-addrsrc=static
set ipv4-addr=
set ipv4-default-route=
# Commit the settings

This file can then be read by nwamcfg, directly or, e.g. as part of a zone configuration, using zlogin:

# nwamcfg -f abroad.cfg
Configuration read.

Behind the scenes 

While there is no longer a need to fiddle around in /etc/nwam, the configuration is still completely there, as can be easily verified:

# ls /etc/nwam
loc loc.conf ncp-Abroad.conf ncp-Automatic.conf

All configuration is placed in readable ASCII files so that configuration from a global zone is possible:

# cat /etc/nwam/ncp-Abroad.conf 
link:e1000g0 type=uint64,0;class=uint64,0;parent=string,Abroad;enabled=boolean,true;activation-mode=uint64,4;priority-group=uint64,0;priority-mode=uint64,0;
interface:e1000g0 type=uint64,1;class=uint64,1;parent=string,Abroad;enabled=boolean,true;ipv6-addrsrc=uint64,0,1;ip-version=uint64,4;ipv4-addrsrc=uint64,2;ipv4-default-route=string,;ipv4-addr=string,;



  • No labels


  1. Nice, thank you..

    I am running:

    I had to fix /etc/resolv.conf (which has gone ? during this process) and to enable nwam (was disabled due use of old technique):

    $ pfexec svcadm disable svc:/network/physical:default
    $ pfexec svcadm enable svc:/network/physical:nwam

    Otherwise all worked just perfect,


  2. Hi again,

    can you explain what to do here?

    I was testing another Ethernet switch today, and my /etc/resolv.conf were gone!?

    It took me 10 minutes to figure out what is wrong. I like idea using nwam for static IP, but it is half working... and is annoying.

    If you can put some lights here (before opening ticket) would be fine (since man pages for nwamadm and nwamcfg are missing). Maybe this is better to use (have to investigate): pfexec /usr/bin/nwam-manager-properties


    1. Hi Predrag,

      see my comment below for a few insights on the reasons for resolv.conf to vanish. As for the nwam-manager-properties, it depends on your taste: the tool is just a graphical frontend to nwamcfg and nwamadmin. While they are convenient and neat, they simply don't give much benefit in server management. Either you do that via SSH or ultimatively automate via Chef, Puppet etc.. - but in any case, GUI apps are of not much use in that area.

  3. Hi Predrag,

    sorry, I should have mentioned NWAM configures resolv.conf handling not within network configuration or unit profiles (NCP or NCU) but the location profile (LOC). The default location profile "Automatic" uses DHCP for resolv.conf management and if your DHCP server publishes an empty name server list, this will zap your resolv.conf on every restart. I will add another section as time permits, but here's the immediate cure:

    # nwamcfg "select loc automatic; set nameservices=dns; set dns-nameservice-configsrc=manual; 
    set; set dns-nameservice-servers=; set; commit"

    Do a "list -a" on the location to get a feel for the possible settings. They're quite simple to understand!

    1. hi Stefan,

      thanks for update, and yes, it works ...

      I would add


      to nwamcfg command above. Also, this fixes use of IPv6 (disables it).


      1. Hi Predrag,

        thanks for the comment. I've fixed my command line. Apart from that: how does disabling IPv6 constitute a fix? You could disable IPv6 explicitly using nwamcfg anyway...


        1. Hi Stefan,

          well specifying just ipv4 values... i guess.

          Before i used this, i could see ipv6 output in ifconfig or ipadm commands. Now that is gone at least for interface, loopback is still having it).


          1. Can't you just delete and recreate lo as IPv4 only using ipadm?

            1. Well,

              didn't spent too much time looking for ipadm documentation, so tried:

              $ pfexec ipadm delete-addr lo0/v6
              $ ipadm show-addr
              ADDROBJ           TYPE     STATE        ADDR
              lo0/v4            static   ok 
              e1000g0/_a        static   ok 
              ### but ifconfig -a
              $ lo0: flags=2002000848<LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
                      inet6 ::/128
              $ pfexec ipadm delete-addr lo0/v4
              # ^^^^^^^^^^^^ this has removed it from ipadm show-addr list, but not from ifconfig -a
              $ pfexec ipadm create-addr -T static -a local= lo0/v4
              ipadm: Could not create address: Persistent operation on temporary object

              Then i have removed it from all displays:

              $ pfexec ipadm delete-if lo0

              But when tried to create:

              $ ipadm create-if lo0
              ipadm: Could not create lo0 : Operation failed
              $ pfexec ipadm create-addr -T static -a local= lo0/v4
              ipadm: Could not create address: Operation failed

              So,  what is next?




  4. That is an excellent way to configure the static IP in openindiana which can be set online without reboot.

    But the sentence says that "Or, more nicely formatted, commented and stored in a file": Does it mean that all the commands should be placed in file with extension .sh??

    I think that's really great.

    I also feel that Openindiana, Opensolaris, OpenSXCE, Illmos are truly UNIX variants and much better than Linux and its distros.

    1. Well, as I wrote - store the content in a configuration file (e.g. abroad.cfg) and load it via nwamcfg:

      This file can then be read by nwamcfg, directly or, e.g. as part of a zone configuration, using zlogin:

      # nwamcfg -f abroad.cfg
      Configuration read.
  5. After I changed IP from dhcp to static my non-global zone lost it's static IP.

    Should I reinstall whole zone from scratch?


    I reinstalled my zone, it registered interface and ipconfig displays it well.

    But, nwamd doesn't know about new interface e1000g0:1

    It logs these messages:

    Aug 6 15:57:03 devserv2 nwamd[402]: [ID 335035 daemon.error] 1: nwamd_ncu_handle_if_state_event: addrinfo doesn't exist for
    Aug 6 15:57:03 devserv2 nwamd[402]: [ID 588944 daemon.error] 1: nwamd_ncu_handle_if_state_event: address not managed by nwam removed, nothing to do
    Aug 6 15:57:04 devserv2 nwamd[402]: [ID 335035 daemon.error] 1: nwamd_ncu_handle_if_state_event: addrinfo doesn't exist for

    I tried create ncu phys e1000g0:1 but colon is prohibited for name of ncu.

    I'm stuck here.

    1. Well, to quote Oracle's Solaris 11 documentation (see "Note - NWAM does not work in a shared stack zone." So while you can use it with exclusive stack zones where you have dedicated NICs per zone, you can't with shared ones.

      As you are referrring to e1000g0:1 it seems you're on a shared zone and thus will have to configure networking parameters from the root zone. You can use zonecfg to get a picture of what is in place. Try the following command from your root zone:

      # zonecfg -z devserv2

      Further on, you use the standard zonecfg subcommands to add an interface to the zone and assign an IP address to it.