Re: [zones-discuss] netmask warning, misconfiguration

2007-12-03 Thread James Carlson
Jordan Brown (Sun) writes:
 OTOH, I don't immediately understand how the example can work.  It says 
 that 128.32.*.* (except for the exclusions) gets a 24-bit netmask, but I 
 don't see how that can be unambiguously determined.  The example *seems* 
 to want to explicitly specify a 28-bit netmask for several ranges and a 
 24-bit netmask for the rest, but how can it distinguish between 
 requesting that 128.32.*.* is all 24-bit and requesting that 128.32.0.* 
 is all 24-bit?  (For that matter, why isn't it specifying that 
 128.001?.*.* is 24-bit?)

It doesn't always work very well, which is why I generally recommend
against /etc/netmasks.  It may have been an ok interface 20 years ago,
but with CIDR, it's mostly a defect looking for a place to happen.

-- 
James Carlson, Solaris Networking              [EMAIL PROTECTED]
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
___
zones-discuss mailing list
zones-discuss@opensolaris.org


Re: [zones-discuss] netmask warning, misconfiguration

2007-12-03 Thread Mike Gerdts
On Dec 3, 2007 5:43 AM, James Carlson [EMAIL PROTECTED] wrote:
 It doesn't always work very well, which is why I generally recommend
 against /etc/netmasks.  It may have been an ok interface 20 years ago,
 but with CIDR, it's mostly a defect looking for a place to happen.

If using only a local netmasks file, it works quite well.  I much
prefer to have one authoritative netmasks file per system than having
system administrators specifying the mask every time addif ... is
added to /etc/hostname.* or a zone is created.

It is quite likely that /etc/netmasks is not as desirable in
situations where lots of networks are referenced.  For example,
systems with non-trivial firewall (or similar) rules would most likely
benefit from CIDR notation because you may have some rules that apply
to 10.0.0.0/8 with more refined rules for 10.27.45.128/25.
/etc/netmasks would be worthless for that.

For configuring IP addresses on the typical machine bolted to a rack
or sitting on a desk, /etc/netmasks is quite manageable, stable, and
desirable.

-- 
Mike Gerdts
http://mgerdts.blogspot.com/


Re: [zones-discuss] netmask warning, misconfiguration

2007-12-03 Thread Mike Gerdts
On Dec 3, 2007 8:45 AM, James Carlson [EMAIL PROTECTED] wrote:
 Besides the look-up ambiguity, there are also the chicken-and-egg
 problems that occur when users accidentally configure the system to
 use NIS or some other directory service for netmask resolution.
 Trying to configure an interface using a service that's reachable only
 by talking on that interface doesn't work very well unless the
 protocol was designed to be used that way -- and NIS was not.  In
 fact, at least inside Sun, it's a somewhat common way to produce
 apparent hangs on boot.

Getting netmasks from NIS is a bug.  /etc/nsswitch.{nis,ldap,etc}
should not suggest that this is a good practice.

 I much prefer DHCP or BOOTP for these cases.  It's centrally managed,
 so you don't have to tweak each machine to have the right information,
 and it's standards-based, so you can integrate with other systems.
 Don't let the dynamic word in the name get in the road; whether the
 addresses are dynamic or stable over time is a matter of
 administration, not a requirement of the protocol.

Please continue to spread the word about dynamic frequently.  I
can't tell you how many times I have had to express the same to people
that have a fear of it because they assume that every address
allocated will be from a dynamic address range or that anything that
plugs into the network will automatically get an IP address.

-- 
Mike Gerdts
http://mgerdts.blogspot.com/


Re: [zones-discuss] netmask warning, misconfiguration

2007-11-30 Thread Jordan Brown (Sun)
Antonello Cruz wrote:
 I would definitely run
 
 zonecfg -z int-sagent-1-z1 info
 
 to check what the zone thinks is the netmask.

Doesn't display a netmask.

 I suspect if you haven't defined the '/24' it will pick the default for 
 the address class. In this case, '/16' IIRC.
 Sometimes documentation gets old...

Sure seems like a bug.

 Did you use, in zonecfg:
 zonecfg:int-sagent-1-z1:net set address=172.20.46.188/24
 ?

 No, no /24.  (I see how that could affect the picture, but it seems 
 like /etc/netmasks should work too, and the message certainly suggests 
 it.)

Actually, I just remembered that I didn't specify the address this way.
I used set address=int-sagent-1-z1.  (I don't like using IP
addresses when I don't absolutely have to.)



Re: [zones-discuss] netmask warning, misconfiguration

2007-11-30 Thread David . Comay
 zoneadm: zone 'int-sagent-1-z1': WARNING: bge0:1: no matching subnet
 found in netmasks(4) for 172.20.46.188; using default of 255.255.0.0.

 but my /etc/netmasks (on both the global and local zone) looks good:

What does the netmasks entry in /etc/nsswitch.conf say?  A common
issue is that a user changes their local /etc/netmasks file but
the switch says to use something like nis.

 (I also tried 172.20.0.0 on the theory that maybe it wanted me to set 
 the netmask for the entire Class B, but no dice.)

Actually, that's exactly what you should be using in your local
/etc/netmasks entry.  Although I do suggest that specifying the prefix
length (such as /24) via zonecfg(1M) is the best solution.

dsc


Re: [zones-discuss] netmask warning, misconfiguration

2007-11-30 Thread Antonello Cruz
Jordan,

How did you set up the IP address for that zone?

Did you use, in zonecfg:
zonecfg:int-sagent-1-z1:net set address=172.20.46.188/24
?

Antonello

Jordan Brown (Sun) wrote:
 I get:
 
 zoneadm: zone 'int-sagent-1-z1': WARNING: bge0:1: no matching subnet 
 found in netmasks(4) for 172.20.46.188; using default of 255.255.0.0.
 
 but my /etc/netmasks (on both the global and local zone) looks good:
 
 172.20.46.0    255.255.255.0
 
 (I also tried 172.20.0.0 on the theory that maybe it wanted me to set 
 the netmask for the entire Class B, but no dice.)
 
 I see many instances of this message in BugTraq and Google searches, but 
 I don't immediately see any resolutions.


Re: [zones-discuss] netmask warning, misconfiguration

2007-11-30 Thread Jordan Brown (Sun)
Antonello Cruz wrote:
 zoneadm: zone 'int-sagent-1-z1': WARNING: bge0:1: no matching subnet 
 found in netmasks(4) for 172.20.46.188; using default of 255.255.0.0.
 How did you set up the IP address for that zone?
 
 Did you use, in zonecfg:
 zonecfg:int-sagent-1-z1:net set address=172.20.46.188/24
 ?

No, no /24.  (I see how that could affect the picture, but it seems 
like /etc/netmasks should work too, and the message certainly suggests it.)


Re: [zones-discuss] netmask warning, misconfiguration

2007-11-30 Thread Jordan Brown (Sun)
[EMAIL PROTECTED] wrote:
 What does the netmasks entry in /etc/nsswitch.conf say?  A common
 issue is that a user changes their local /etc/netmasks file but
 the switch says to use something like nis.

Bingo!  Thanks!

 (I also tried 172.20.0.0 on the theory that maybe it wanted me to set 
 the netmask for the entire Class B, but no dice.)
 
 Actually, that's exactly what you should be using in your local
 /etc/netmasks entry.

I'm not sure, but reading netmasks(4) I don't think so.  Note that it 
has an example entry:
128.32.27.16 255.255.255.240
and says that the system uses the longest prefix found.

OTOH, I don't immediately understand how the example can work.  It says 
that 128.32.*.* (except for the exclusions) gets a 24-bit netmask, but I 
don't see how that can be unambiguously determined.  The example *seems* 
to want to explicitly specify a 28-bit netmask for several ranges and a 
24-bit netmask for the rest, but how can it distinguish between 
requesting that 128.32.*.* is all 24-bit and requesting that 128.32.0.* 
is all 24-bit?  (For that matter, why isn't it specifying that 
128.001?.*.* is 24-bit?)

 Although I do suggest that specifying the prefix
 length (such as /24) via zonecfg(1M) is the best solution.

Point-specifying a global value seems like the wrong answer. 
Normalization says that you should specify the global value in one 
place, not replicated across many.  (Less abstractly, that you should 
specify the netmask in one place, not individually for each address that 
uses it.)
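To make the two readings in this thread concrete (David's classful-network key and Jordan's longest-prefix reading of netmasks(4)), and the nsswitch.conf cause of the warning, here is an added model of the lookup in Python; it is not Solaris code, the resolution order (longest matching VLSM entry, then the classful network key, then the classful default) is an assumption, and all inputs are constructed.

```python
import ipaddress

# Constructed sample inputs (not copied from any real host): the address from
# the thread, two candidate /etc/netmasks files and two nsswitch.conf lines.
ZONE_ADDR = "172.20.46.188"
NETMASKS_SUBNET = "172.20.46.0 255.255.255.0\n"      # Jordan's entry
NETMASKS_CLASSFUL = "172.20.0.0 255.255.255.0\n"     # David's entry
NSSWITCH_FILES = "netmasks: files\n"
NSSWITCH_NIS = "netmasks: nis\n"                     # the thread's actual bug

def classful_mask(ip):
    """Classful default mask: what the zoneadm warning falls back to
    (172.x.x.x is class B, hence 255.255.0.0)."""
    first = int(ip) >> 24
    bits = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.IPv4Address((0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF)

def parse_netmasks(text):
    """'network mask' pairs as integers; '#' starts a comment."""
    out = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) == 2:
            out.append((int(ipaddress.IPv4Address(f[0])),
                        int(ipaddress.IPv4Address(f[1]))))
    return out

def netmasks_sources(nsswitch_text):
    """Sources nsswitch.conf lists for the netmasks database."""
    for line in nsswitch_text.splitlines():
        key, _, rest = line.partition(":")
        if key.strip() == "netmasks":
            return rest.split()
    return ["files"]

def lookup(addr, netmasks_text, nsswitch_text):
    """Return (mask, used_default). Model (an assumption, not Solaris code):
    longest matching VLSM entry wins, else the classful network key is tried,
    else the classful default is used, which is the case zoneadm warns about.
    With 'netmasks: nis' the local file is never consulted at all."""
    ip = ipaddress.IPv4Address(addr)
    a = int(ip)
    entries = parse_netmasks(netmasks_text) \
        if "files" in netmasks_sources(nsswitch_text) else []
    vlsm = [m for net, m in entries if a & m == net & m]
    if vlsm:
        return ipaddress.IPv4Address(max(vlsm)), False
    cm = int(classful_mask(ip))
    for net, m in entries:
        if net == a & cm:
            return ipaddress.IPv4Address(m), False
    return classful_mask(ip), True
```

Under this model both of the thread's suggested entries resolve the zone address to /24, while the NIS-only switch reproduces the 255.255.0.0 fallback regardless of what the local file says.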


[zones-discuss] netmask warning, misconfiguration

2007-11-29 Thread Jordan Brown (Sun)
I get:

zoneadm: zone 'int-sagent-1-z1': WARNING: bge0:1: no matching subnet 
found in netmasks(4) for 172.20.46.188; using default of 255.255.0.0.

but my /etc/netmasks (on both the global and local zone) looks good:

172.20.46.0    255.255.255.0

(I also tried 172.20.0.0 on the theory that maybe it wanted me to set 
the netmask for the entire Class B, but no dice.)

I see many instances of this message in BugTraq and Google searches, but 
I don't immediately see any resolutions.