DNS works for host, but not for wget

TL;DR

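I have a strange situation where I can do DNS lookups for some hosts but not for others. It seems to be related to resolv.conf, which has one nameserver entry pointing to my nameserver and another that may be related to docker, but I don't know how to fix it.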

The problem

I have been reading Stéphane Graber's excellent introduction to LXD and wanted to try it out. So I did:

    $ sudo usermod -a -G lxd
    $ newgrp lxd
    $ sudo lxd init

I configured it with all the default settings. Then I typed:

    $ lxc image list images:
    error: Get https://images.linuxcontainers.org/streams/v1/index.json: lookup images.linuxcontainers.org: no such host

Some tests

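I tried accessing that address from a web browser on another PC and it worked fine. So I thought there must be something wrong with the DNS settings, but: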

    $ host images.linuxcontainers.org
    images.linuxcontainers.org is an alias for canonical.images.linuxcontainers.org.
    canonical.images.linuxcontainers.org has address 91.189.91.21
    canonical.images.linuxcontainers.org has address 91.189.88.37
    canonical.images.linuxcontainers.org has IPv6 address 2001:67c:1560:8001::21
    canonical.images.linuxcontainers.org has IPv6 address 2001:67c:1562::41

So I tried wget:

    $ wget https://images.linuxcontainers.org/streams/v1/index.json
    --2016-11-10 15:56:22-- https://images.linuxcontainers.org/streams/v1/index.json
    Resolving images.linuxcontainers.org (images.linuxcontainers.org)... failed: Name or service not known.
    wget: unable to resolve host address "images.linuxcontainers.org"

This made me think there was a problem with my network connection, but if I use us.images.linuxcontainers.org (which I saw mentioned somewhere online):

    $ wget https://us.images.linuxcontainers.org/streams/v1/index.json
    --2016-11-10 15:57:26-- https://us.images.linuxcontainers.org/streams/v1/index.json
    Resolving us.images.linuxcontainers.org (us.images.linuxcontainers.org)... 91.189.91.21, 2001:67c:1562::41
    Connecting to us.images.linuxcontainers.org (us.images.linuxcontainers.org)|91.189.91.21|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 3086 (3.0K) [application/json]
    Saving to: "index.json"
    index.json 100%[==================================================================================>] 3.01K --.-KB/s in 0s
    2016-11-10 15:57:26 (8.36 MB/s) - "index.json" saved [3086/3086]

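I also tried canonical.images.linuxcontainers.org, which (according to host above) is what images.linuxcontainers.org is an alias for, and that worked too. So it seems that host can look up images.linuxcontainers.org while wget and lxc cannot, but wget can access canonical.images.linuxcontainers.org and most other sites I have tried.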

    $ wget https://canonical.images.linuxcontainers.org/streams/v1/index.json
    --2016-11-10 16:02:28-- https://canonical.images.linuxcontainers.org/streams/v1/index.json
    Resolving canonical.images.linuxcontainers.org (canonical.images.linuxcontainers.org)... 91.189.91.21, 91.189.88.37
    Connecting to canonical.images.linuxcontainers.org (canonical.images.linuxcontainers.org)|91.189.91.21|:443... connected.
    ERROR: no certificate subject alternative name matches requested host name "canonical.images.linuxcontainers.org".
    To connect to canonical.images.linuxcontainers.org insecurely, use `--no-check-certificate'.
    $ wget --no-check-certificate https://canonical.images.linuxcontainers.org/streams/v1/index.json
    --2016-11-10 16:02:37-- https://canonical.images.linuxcontainers.org/streams/v1/index.json
    Resolving canonical.images.linuxcontainers.org (canonical.images.linuxcontainers.org)... 91.189.88.37, 91.189.91.21
    Connecting to canonical.images.linuxcontainers.org (canonical.images.linuxcontainers.org)|91.189.88.37|:443... connected.
    WARNING: no certificate subject alternative name matches requested host name "canonical.images.linuxcontainers.org".
    HTTP request sent, awaiting response... 301 Moved Permanently
    Location: https://uk.images.linuxcontainers.org/streams/v1/index.json [following]
    --2016-11-10 16:02:37-- https://uk.images.linuxcontainers.org/streams/v1/index.json
    Resolving uk.images.linuxcontainers.org (uk.images.linuxcontainers.org)... 91.189.88.37, 2001:67c:1560:8001::21
    Connecting to uk.images.linuxcontainers.org (uk.images.linuxcontainers.org)|91.189.88.37|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 3086 (3.0K) [application/json]
    Saving to: "index.json.1"
    index.json.1 100%[==================================================================================>] 3.01K --.-KB/s in 0s
    2016-11-10 16:02:38 (96.5 MB/s) - "index.json.1" saved [3086/3086]

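I also tried wget -4 and wget -6 to rule out IPv6 problems, but the results were the same either way. Finally, I tried some other programs such as w3m, but that made no difference either.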

I am obviously missing something; can anyone offer any advice as to why I can't get lxc to download the image list?

The PC

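The PC is a relatively fresh install running Ubuntu Server 16.10, with very few additional packages installed on the host. Docker is installed and running, but no containers are started. Interestingly, I recently rebooted into kernel 4.8.6 to test another problem I was having, and with that kernel I could access images.linuxcontainers.org, but docker failed to start, so I wonder whether this is related to docker.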

Configuration

/etc/resolv.conf looks like this (although, for some reason I don't know, it is actually a symlink to /run/resolvconf/resolv.conf):

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 192.168.1.254
    nameserver 127.0.0.53
    search lan

If I query the first listed nameserver, I get the same result as if I had not appended a nameserver address:

    $ host images.linuxcontainers.org 192.168.1.254
    images.linuxcontainers.org is an alias for canonical.images.linuxcontainers.org.
    canonical.images.linuxcontainers.org has address 91.189.91.21
    canonical.images.linuxcontainers.org has address 91.189.88.37
    canonical.images.linuxcontainers.org has IPv6 address 2001:67c:1560:8001::21
    canonical.images.linuxcontainers.org has IPv6 address 2001:67c:1562::41

If I query the second one, it times out without reaching the server:

    $ host images.linuxcontainers.org 127.0.0.53
    ;; connection timed out; no servers could be reached

If I query the second one but use the canonical name, it works and then times out???

    $ host canonical.images.linuxcontainers.org 127.0.0.53
    Using domain server:
    Name: 127.0.0.53
    Address: 127.0.0.53#53
    Aliases:
    canonical.images.linuxcontainers.org has address 91.189.88.37
    canonical.images.linuxcontainers.org has address 91.189.91.21
    ;; connection timed out; no servers could be reached
    ;; connection timed out; no servers could be reached

Edit 1:

/etc/nsswitch.conf looks like this:

    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.
    passwd: compat
    group: compat
    shadow: compat
    gshadow: files
    hosts: files resolve [!UNAVAIL=return] dns
    networks: files
    protocols: db files
    services: db files
    ethers: db files
    rpc: db files
    netgroup: nis

Edit 2

The modified nsswitch.conf now looks like this:

    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.
    passwd: compat
    group: compat
    shadow: compat
    gshadow: files
    hosts: files resolve dns
    networks: files
    protocols: db files
    services: db files
    ethers: db files
    rpc: db files
    netgroup: nis

Edit 3

Contents of /etc/systemd/resolved.conf:

    # This file is part of systemd.
    #
    # systemd is free software; you can redistribute it and/or modify it
    # under the terms of the GNU Lesser General Public License as published by
    # the Free Software Foundation; either version 2.1 of the License, or
    # (at your option) any later version.
    #
    # Entries in this file show the compile time defaults.
    # You can change settings by editing this file.
    # Defaults can be restored by simply deleting this file.
    #
    # See resolved.conf(5) for details
    [Resolve]
    #DNS=
    #FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
    #Domains=
    #LLMNR=yes
    #DNSSEC=no
    #Cache=yes

  • This is the first time I have seen the resolve keyword for hosts, and it looks wrong. You should have something like

     hosts: files dns [NOTFOUND=return] 

    or, if you have mDNS installed

     hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4 

    You can remove [NOTFOUND=return] and [!UNAVAIL=return]; it is still the default action if there is nothing left to query.

  • OK, after some digging, I found there is an NSS module that is new to me

    libnss-resolve

     nss module to resolve names via systemd-resolved
     nss-resolve is a plugin for the GNU Name Service Switch (NSS) functionality of the GNU C Library (glibc) providing DNS and LLMNR resolution to programs via the systemd-resolved daemon (provided in the systemd package).
     Installing this package automatically adds resolve to /etc/nsswitch.conf.

    You may have ended up with it installed somehow, not via the packages you mentioned. No package depends on it.

     ~$ apt-cache rdepends libnss-resolve
     libnss-resolve
     Reverse Depends:

    But for now I can't say anything about why systemd-resolved is unreliable. It would be best to report it as a bug in systemd.
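
The `hosts:` lines discussed above are what glibc consults for programs such as wget, whereas `host` sends its queries straight to a DNS server. As an added example (not part of the original question or answers), the Python code below simulates how glibc walks such a line; the per-module outcomes `FLAKY` and `DOWN` are constructed scenarios, not measurements from the asker's machine.

```python
# Added example: simulate how glibc NSS walks a "hosts:" line (no real lookups).
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")


def parse_hosts_line(line):
    """Return [(module, {status: action}), ...] for one nsswitch.conf line."""
    chain = []
    for token in re.findall(r"\[[^\]]*\]|\S+", line.partition(":")[2]):
        if not token.startswith("["):
            # glibc defaults: SUCCESS=return, every other status=continue
            chain.append((token, {s: "return" if s == "SUCCESS" else "continue"
                                  for s in STATUSES}))
            continue
        if not chain:
            raise ValueError("action list before any module")
        for item in token[1:-1].split():
            status, _, action = item.upper().partition("=")
            negate = status.startswith("!")
            status = status.lstrip("!")
            if status not in STATUSES or action not in ("RETURN", "CONTINUE"):
                raise ValueError(f"unsupported criterion: {item}")
            for s in STATUSES:  # "!X=act" applies act to every status but X
                if (s == status) != negate:
                    chain[-1][1][s] = action.lower()
    return chain


def walk(line, outcomes):
    """Return (modules consulted, final status); unknown modules are UNAVAIL."""
    consulted, status = [], "UNAVAIL"
    for module, actions in parse_hosts_line(line):
        status = outcomes.get(module, "UNAVAIL")
        consulted.append(module)
        if actions[status] == "return":
            break
    return consulted, status


EDIT1 = "hosts: files resolve [!UNAVAIL=return] dns"  # line from Edit 1
EDIT2 = "hosts: files resolve dns"                    # line from Edit 2
# Constructed: resolve reports "not found" although plain DNS would succeed.
FLAKY = {"files": "NOTFOUND", "resolve": "NOTFOUND", "dns": "SUCCESS"}
# Constructed: systemd-resolved is not running, so resolve is unavailable.
DOWN = {"files": "NOTFOUND", "resolve": "UNAVAIL", "dns": "SUCCESS"}

if __name__ == "__main__":
    for line in (EDIT1, EDIT2):
        print(line, "flaky:", walk(line, FLAKY), "down:", walk(line, DOWN))
```

With the Edit 1 line, a NOTFOUND from resolve ends the lookup before dns is tried; with the Edit 2 line, dns is still consulted.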