On Tue, Nov 15, 2005 at 05:47:03PM +0100, Dennis Roos wrote:
> On Tue, 2005-11-15 at 17:00 +0300, Dmitry Koterov wrote:
> > Hello.
> > 
> > Shortly: when I use BIND (or PowerDNS) inside vserver listening
> > ALL addresses (0.0.0.0), nslookup to server 127.0.0.1 shows error
> > message "reply from unexpected source: 213.248.62.106#53,
> > expected 127.0.0.1#53"

> Which is true, as your nameserver (powerdns or bind) is assigned
> your vserver interface as primary interface and answers are sent with
> that source.

hmm, let me rephrase this: in a guest (with current networking)
the localhost ip 127.0.0.1 is remapped to the first assigned 
guest IP (which is very likely 213.248.62.106 in your case)

> > Long description. I have installed linux-vserver (named "zulu")
> > on kernel 2.6.12.5 and set up one real IP for it -
> > 213.248.62.106:
> > 
> > [EMAIL PROTECTED] /]# ifconfig
> > eth0      Link encap:Ethernet  HWaddr 00:30:48:75:13:D2
> >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >           RX packets:39623139 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:18575687 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:1000
> >           RX bytes:50148146621 (46.7 GiB)  TX bytes:1249870165 (1.1 GiB)
> >           Base address:0x3000 Memory:dd300000-dd320000
> > 
> > eth0:zulu Link encap:Ethernet  HWaddr 00:30:48:75:13:D2
> >           inet addr:213.248.62.106  Bcast:213.248.62.255  Mask:255.255.255.0
> >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >           Base address:0x3000 Memory:dd300000-dd320000
> > 
> > First question: why doesn't ifconfig show "lo" interface?
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> lo is not assigned to your context and therefore not shown.

there is no IP assigned which would 'refer' to lo, so as
lo is not carrying any visible IP it is not shown
(you can make all interfaces visible by disabling the 
hide_netif flag)

> > Then, I installed named (BIND), compiled it with
> > --disable-linux-caps before. BIND listens on all IP addresses
> > inside vserver:
> > 
> > [EMAIL PROTECTED] /]# netstat -na
> > Active Internet connections (servers and established)
> > Proto Recv-Q Send-Q Local Address               Foreign Address             State
> > tcp        0      0 213.248.62.106:53           0.0.0.0:*                   LISTEN
> > udp        0      0 213.248.62.106:53           0.0.0.0:*
> > ...
> This shows only listening on your vserver ip address. And answering to
> the world ;)

binds to 0.0.0.0 are 'mapped' to the guest IP if there 
is only one IP assigned ...

> > Then I try nslookup:
> > 
> > [EMAIL PROTECTED] /]# nslookup
> > > server 127.0.0.1
> > Default server: 127.0.0.1
> > Address: 127.0.0.1#53
> > > hostmag.ru.
> > ;; reply from unexpected source: 213.248.62.106#53, expected 127.0.0.1#53
> > ;; reply from unexpected source: 213.248.62.106#53, expected 127.0.0.1#53
> FWIR: The first interface brought up in the context is 'assigned' the
> functionality of lo0.

close, but no banana :)

> For a more detailed explanation you have to rely on the
> developers/experts answer(s)... I'm just a simple end user ;)

here it is: linux-networking does not depend/operate on
interfaces but on IPs, so the guests are not 'limited' to
interfaces but a subset of the host IPs ...
(in your case very likely a single one, 213.248.62.106)

now, your DNS is configured to 'expect' the reply from
the 127.0.0.1 IP (which was probably used to issue the
original request) but the remapping made it come from
the one and only IP, which is kind of unexpected for the
requestor ...


> > Second question: what's wrong? Why BIND tries to answer from
> > vserver IP address, but NOT from localhost which I used?
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> localhost is just a name, so I guess you're referring to the loopback
> ip address which defaults to 127.0.0.1
> 
> As I explained above, 127.0.0.1 is not assigned to your guest context
> and so is not used as reply address by your nameserver

exactly, it is _remapped_ as described above to the one
guest IP ...

> > I have also tried PowerDNS instead of BIND - absolutely same
> > effect.
> As to be expected.
> 
> > I do not want to write 213.248.62.106 in my resolv.conf, because
> > this IP may be changed one fine day, or vserver will be moved to
> > another machine.

> It always needs an ip address, so why not rewrite /etc/resolv.conf
> from pre-start or post-start and use the ip address assigned at time
> as nameserver.

> > Seems networking stack isolation in linux-vserver is not finished
> > yet?

> I don't know the answer to this one, but it seems that it is doing
> its job quite nicely ;)

we intentionally avoided further IP stack isolation,
because naturally this adds overhead we want to avoid 

nevertheless, we are working on an alternative solution
(code name NGNET) which will provide complete network
virtualization for those who really need it ...

HTH,
Herbert

Dennis: thanks for the answers ...

> -- 
> Regards,
> Dennis Roos
> 
> Network Engineer @ InTouch N.V.
> Middenweg 76
> 1097 BS Amsterdam
> Tel: +31 (0)20 6752060
> Fax: +31 (0)20 6758429
> 
> -=[Assumption is the mother of all f*ckups]=-
> 
> 
> _______________________________________________
> Vserver mailing list
> [email protected]
> http://list.linux-vserver.org/mailman/listinfo/vserver
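Dennis's suggestion above (rewrite /etc/resolv.conf from a pre-start or post-start hook with whatever IP the guest was given) as an added shell example; this is not code from the thread or from the linux-vserver project, and the hook body, the function names and the sample ifconfig dump are my own constructions.

```shell
#!/bin/sh
# Added example, not part of the original thread: a hook-style helper that
# finds the guest's first assigned IP and writes it as the nameserver, so
# resolv.conf follows the guest when its IP changes or it moves hosts.

# Constructed sample, modelled on the ifconfig output quoted in the thread.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:30:48:75:13:D2
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:zulu Link encap:Ethernet  HWaddr 00:30:48:75:13:D2
          inet addr:213.248.62.106  Bcast:213.248.62.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
'

# first_guest_ip: print the first IPv4 address in ifconfig-style output.
# 127.0.0.0/8 is skipped so that lo (visible when hide_netif is disabled)
# is never picked; in the guest 127.0.0.1 is remapped anyway, so a reply
# would not come from it.
first_guest_ip() {
    printf '%s\n' "$1" |
        sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' |
        grep -v '^127\.' |
        head -n 1
}

# resolv_conf_for: render the resolv.conf content for one nameserver IP.
resolv_conf_for() {
    printf 'nameserver %s\n' "$1"
}

# write_resolv_conf IFCONFIG_OUTPUT TARGET_FILE: the hook body. Refuses to
# write when no IP was found, so a misdetected guest is left with its old
# resolv.conf rather than an empty one.
write_resolv_conf() {
    ip=$(first_guest_ip "$1")
    [ -n "$ip" ] || { echo "no guest IP found, resolv.conf untouched" >&2; return 1; }
    resolv_conf_for "$ip" > "$2"
}

# Stand-alone demo: writes to a temporary file, not to /etc/resolv.conf.
# In a real hook you would feed it "$(ifconfig)" and /etc/resolv.conf.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_resolv_conf "$SAMPLE_IFCONFIG" "$tmp" && cat "$tmp"
    rm -f "$tmp"
fi
```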