Re: [zones-discuss] netmask warning, misconfiguration
Mike Gerdts writes:
> On Dec 3, 2007 5:43 AM, James Carlson <[EMAIL PROTECTED]> wrote:
> > It doesn't always work very well, which is why I generally recommend
> > against /etc/netmasks. It may have been an ok interface 20 years ago,
> > but with CIDR, it's mostly a defect looking for a place to happen.
>
> If using only a local netmasks file, it works quite well. I much
> prefer to have one authoritative netmasks file per system than having
> system administrators specifying the mask every time "addif ..." is
> added to /etc/hostname.* or a zone is created.

Besides the look-up ambiguity, there are also the chicken-and-egg
problems that occur when users accidentally configure the system to
use NIS or some other directory service for netmask resolution.
Trying to configure an interface using a service that's reachable only
by talking on that interface doesn't work very well unless the
protocol was designed to be used that way -- and NIS was not. In
fact, at least inside Sun, it's a somewhat common way to produce
apparent "hangs" on boot.

> For configuring IP addresses on the typical machine bolted to a rack
> or sitting on a desk, /etc/netmasks is quite manageable, stable, and
> desirable.

I much prefer DHCP or BOOTP for these cases. It's centrally managed,
so you don't have to tweak each machine to have the right information,
and it's standards-based, so you can integrate with other systems.
Don't let the "dynamic" word in the name get in the road; whether the
addresses are dynamic or stable over time is a matter of
administration, not a requirement of the protocol.

But it's your network. Even if I don't like /etc/netmasks, it's a
supported, stable interface, and it's not going anywhere.

--
James Carlson, Solaris Networking <[EMAIL PROTECTED]>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
___
zones-discuss mailing list
zones-discuss@opensolaris.org
Re: [zones-discuss] netmask warning, misconfiguration
On Dec 3, 2007 8:45 AM, James Carlson <[EMAIL PROTECTED]> wrote:
> Besides the look-up ambiguity, there are also the chicken-and-egg
> problems that occur when users accidentally configure the system to
> use NIS or some other directory service for netmask resolution.
> Trying to configure an interface using a service that's reachable only
> by talking on that interface doesn't work very well unless the
> protocol was designed to be used that way -- and NIS was not. In
> fact, at least inside Sun, it's a somewhat common way to produce
> apparent "hangs" on boot.

Getting netmasks from NIS is a bug. /etc/nsswitch.{nis,ldap,etc}
should not suggest that this is a good practice.

> I much prefer DHCP or BOOTP for these cases. It's centrally managed,
> so you don't have to tweak each machine to have the right information,
> and it's standards-based, so you can integrate with other systems.
> Don't let the "dynamic" word in the name get in the road; whether the
> addresses are dynamic or stable over time is a matter of
> administration, not a requirement of the protocol.

Please continue to spread the word about "dynamic" frequently. I
can't tell you how many times I have had to express the same to people
that have a fear of it because they assume that every address
allocated will be from a dynamic address range or that anything that
plugs into the network will automatically get an IP address.

--
Mike Gerdts
http://mgerdts.blogspot.com/
Re: [zones-discuss] netmask warning, misconfiguration
On Dec 3, 2007 5:43 AM, James Carlson <[EMAIL PROTECTED]> wrote:
> It doesn't always work very well, which is why I generally recommend
> against /etc/netmasks. It may have been an ok interface 20 years ago,
> but with CIDR, it's mostly a defect looking for a place to happen.

If using only a local netmasks file, it works quite well. I much
prefer to have one authoritative netmasks file per system than having
system administrators specifying the mask every time "addif ..." is
added to /etc/hostname.* or a zone is created.

It is quite likely that /etc/netmasks is not as desirable in
situations where lots of networks are referenced. For example,
systems with non-trivial firewall (or similar) rules would most likely
benefit from CIDR notation because you may have some rules that apply
to 10.0.0.0/8 with more refined rules for 10.27.45.128/25.
/etc/netmasks would be worthless for that.

For configuring IP addresses on the typical machine bolted to a rack
or sitting on a desk, /etc/netmasks is quite manageable, stable, and
desirable.

--
Mike Gerdts
http://mgerdts.blogspot.com/
Re: [zones-discuss] netmask warning, misconfiguration
Jordan Brown (Sun) writes:
> OTOH, I don't immediately understand how the example can work. It says
> that 128.32.*.* (except for the exclusions) gets a 24-bit netmask, but I
> don't see how that can be unambiguously determined. The example *seems*
> to want to explicitly specify a 28-bit netmask for several ranges and a
> 24-bit netmask for the rest, but how can it distinguish between
> requesting that 128.32.*.* is all 24-bit and requesting that 128.32.0.*
> is all 24-bit? (For that matter, why isn't it specifying that
> 128.001?.*.* is 24-bit?)

It doesn't always work very well, which is why I generally recommend
against /etc/netmasks. It may have been an ok interface 20 years ago,
but with CIDR, it's mostly a defect looking for a place to happen.

--
James Carlson, Solaris Networking <[EMAIL PROTECTED]>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
Re: [zones-discuss] netmask warning, misconfiguration
[EMAIL PROTECTED] wrote:
> What does the "netmasks" entry in /etc/nsswitch.conf say? A common
> issue is that a user changes their local /etc/netmasks file but
> the switch says to use something like "nis".

Bingo! Thanks!

>> (I also tried 172.20.0.0 on the theory that maybe it wanted me to set
>> the netmask for the entire Class B, but no dice.)
>
> Actually, that's exactly what you should be using in your local
> /etc/netmasks entry.

I'm not sure, but reading netmasks(4) I don't think so. Note that it
has an example entry:

    128.32.27.16 255.255.255.240

and says that the system uses the longest prefix found.

OTOH, I don't immediately understand how the example can work. It says
that 128.32.*.* (except for the exclusions) gets a 24-bit netmask, but I
don't see how that can be unambiguously determined. The example *seems*
to want to explicitly specify a 28-bit netmask for several ranges and a
24-bit netmask for the rest, but how can it distinguish between
requesting that 128.32.*.* is all 24-bit and requesting that 128.32.0.*
is all 24-bit? (For that matter, why isn't it specifying that
128.001?.*.* is 24-bit?)

> Although I do suggest that specifying the prefix
> length (such as /24) via zonecfg(1M) is the best solution.

Point-specifying a global value seems like the wrong answer.
Normalization says that you should specify the global value in one
place, not replicated across many. (Less abstractly, that you should
specify the netmask in one place, not individually for each address
that uses it.)
Re: [zones-discuss] netmask warning, misconfiguration
> zoneadm: zone 'int-sagent-1-z1': WARNING: bge0:1: no matching subnet
> found in netmasks(4) for 172.20.46.188; using default of 255.255.0.0.
>
> but my /etc/netmasks (on both the global and local zone) looks good:

What does the "netmasks" entry in /etc/nsswitch.conf say? A common
issue is that a user changes their local /etc/netmasks file but
the switch says to use something like "nis".

> (I also tried 172.20.0.0 on the theory that maybe it wanted me to set
> the netmask for the entire Class B, but no dice.)

Actually, that's exactly what you should be using in your local
/etc/netmasks entry. Although I do suggest that specifying the prefix
length (such as /24) via zonecfg(1M) is the best solution.

dsc
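
Added example, not part of any message in this thread: a shell sketch of the check suggested above, reading the "netmasks" line of an nsswitch.conf-style file and reporting what the local netmasks file would answer for an address. The function names, the sample switch line and the sample file contents are constructed; picking the longest-prefix containing entry follows the thread's reading of netmasks(4) and does not reproduce the resolver's actual lookup order.

```shell
#!/bin/sh
# Added example; the file contents written at the bottom are constructed samples.

# Print the source list for "netmasks" from an nsswitch.conf-style file ($1).
netmasks_sources() {
    awk '{ sub(/#.*/, "") }
         $1 == "netmasks:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Print the longest-prefix "network mask" entry of a netmasks-style file ($1)
# that contains IPv4 address $2; return 1 if no entry does.
# Assumes valid dotted-quad entries with contiguous masks.
best_local_mask() {
    awk -v ip="$2" '
    function masked(o, m) { return o - o % (256 - m) }  # octet AND mask octet
    BEGIN { split(ip, a, "."); best = -1 }
    { sub(/#.*/, "") }
    NF >= 2 && split($1, n, ".") == 4 && split($2, m, ".") == 4 {
        ok = 1; w = 0
        for (i = 1; i <= 4; i++) {
            if (masked(a[i], m[i]) != n[i] + 0) ok = 0
            w = w * 256 + m[i]        # numerically larger mask = longer prefix
        }
        if (ok && w > best) { best = w; hit = $1 " " $2 }
    }
    END { if (best < 0) exit 1; print hit }' "$1"
}

# Report which source answers first and what the local file would say.
# $1 = nsswitch file, $2 = netmasks file, $3 = IPv4 address
check_netmasks() {
    src=$(netmasks_sources "$1")
    loc=$(best_local_mask "$2" "$3") || loc="no local entry"
    case "$src" in
        "")       echo "no-netmasks-line: $loc" ;;
        files)    echo "local-only: $loc" ;;
        files\ *) echo "local-first: $loc" ;;
        *)        echo "remote-first ($src): local file may never be read; $loc" ;;
    esac
}

# Constructed samples: a switch line that puts NIS first, and a local file
# holding both entries tried in the thread.
tmp=$(mktemp -d)
printf 'netmasks: nis [NOTFOUND=return] files\n' > "$tmp/nsswitch.conf"
printf '172.20.0.0 255.255.0.0\n172.20.46.0 255.255.255.0\n' > "$tmp/netmasks"
check_netmasks "$tmp/nsswitch.conf" "$tmp/netmasks" 172.20.46.188
```
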
Re: [zones-discuss] netmask warning, misconfiguration
Antonello Cruz wrote:
> I would definitely run
>
> zonecfg -z int-sagent-1-z1 info
>
> to check what the zone thinks is the netmask.

Doesn't display a netmask.

> I suspect if you haven't defined the '/24' it will pick the default for
> the address class. In this case, '/16' IIRC.
> Sometimes documentation gets old...

Sure seems like a bug.

>>> Did you use, in zonecfg:
>>> zonecfg:int-sagent-1-z1:net> set address=172.20.46.188/24
>>> ?
>>
>> No, no "/24". (I see how that could affect the picture, but it seems
>> like /etc/netmasks should work too, and the message certainly suggests
>> it.)

Actually, I just remembered that I didn't specify the address this way.
I used "set address=int-sagent-1-z1". (I don't like using IP addresses
when I don't absolutely have to.)
Re: [zones-discuss] netmask warning, misconfiguration
I would definitely run

zonecfg -z int-sagent-1-z1 info

to check what the zone thinks is the netmask.

I suspect if you haven't defined the '/24' it will pick the default for
the address class. In this case, '/16' IIRC.
Sometimes documentation gets old...

Antonello

Jordan Brown (Sun) wrote:
> Antonello Cruz wrote:
>>> zoneadm: zone 'int-sagent-1-z1': WARNING: bge0:1: no matching subnet
>>> found in netmasks(4) for 172.20.46.188; using default of 255.255.0.0.
>> How did you set up the IP address for that zone?
>>
>> Did you use, in zonecfg:
>> zonecfg:int-sagent-1-z1:net> set address=172.20.46.188/24
>> ?
>
> No, no "/24". (I see how that could affect the picture, but it seems
> like /etc/netmasks should work too, and the message certainly suggests it.)
Re: [zones-discuss] netmask warning, misconfiguration
Antonello Cruz wrote:
>> zoneadm: zone 'int-sagent-1-z1': WARNING: bge0:1: no matching subnet
>> found in netmasks(4) for 172.20.46.188; using default of 255.255.0.0.
> How did you set up the IP address for that zone?
>
> Did you use, in zonecfg:
> zonecfg:int-sagent-1-z1:net> set address=172.20.46.188/24
> ?

No, no "/24". (I see how that could affect the picture, but it seems
like /etc/netmasks should work too, and the message certainly suggests
it.)
Re: [zones-discuss] netmask warning, misconfiguration
Jordan,

How did you set up the IP address for that zone?

Did you use, in zonecfg:
zonecfg:int-sagent-1-z1:net> set address=172.20.46.188/24
?

Antonello

Jordan Brown (Sun) wrote:
> I get:
>
> zoneadm: zone 'int-sagent-1-z1': WARNING: bge0:1: no matching subnet
> found in netmasks(4) for 172.20.46.188; using default of 255.255.0.0.
>
> but my /etc/netmasks (on both the global and local zone) looks good:
>
> 172.20.46.0 255.255.255.0
>
> (I also tried 172.20.0.0 on the theory that maybe it wanted me to set
> the netmask for the entire Class B, but no dice.)
>
> I see many instances of this message in BugTraq and Google searches, but
> I don't immediately see any resolutions.