我有一台用于 HPC 的服务器,它是 RedHat。它似乎有一个奇怪的错误。我试过:
$ curl https://www.aliyun.com/ -vv
Couldn't resolve host 'www.aliyun.com'
我也尝试过这些:
wget https://www.aliyun.com/git clone https://github.com/my_username/my_repotelnet www.aliyun.com 80nc www.aliyun.com 80, ETC...
他们都给出了类似的错误getaddrinfo: Name or service not known.。如果我直接使用IP地址,一切正常。 (例wget https://140.205.34.3/ --no-check-certificate:)不过,我可以成功ping www.aliyun.com。
我已经尝试过了curl http://localhost/,效果很好(localhost 是 中指定的域/etc/hosts)。
罪魁祸首可能是谁?您有类似的经历并提供帮助吗?
/etc/resolv.conf附在这里:
nameserver 11.11.4.1
nameserver 202.114.0.242
nameserver 8.8.8.8
nameserver 202.112.20.131
uname -a结果:
Linux node111 2.6.32-220.el6.x86_64 #1 SMP Wed Nov 9 08:03:13 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
lsb_release -a结果:
LSB Version: :core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: RedHatEnterpriseServer
Description: Red Hat Enterprise Linux Server release 6.2 (Santiago)
Release: 6.2
Codename: Santiago
ip -a结果:(启用 InfiniBand)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:e0:81:e1:15:8d brd ff:ff:ff:ff:ff:ff
inet 11.11.0.111/16 brd 11.11.255.255 scope global eth0
inet6 fe80::2e0:81ff:fee1:158d/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:e0:81:e1:15:8e brd ff:ff:ff:ff:ff:ff
4: ib0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2044 qdisc pfifo_fast state UP qlen 256
link/infiniband 80:00:00:48:fe:80:00:00:00:00:00:00:46:d2:c9:20:00:00:38:b1 brd 00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff
inet 10.10.0.111/16 brd 10.10.255.255 scope global ib0
inet6 fe80::46d2:c920:0:38b1/64 scope link
valid_lft forever preferred_lft forever
5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether 52:54:00:7f:dc:4b brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
6: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 500
link/ether 52:54:00:7f:dc:4b brd ff:ff:ff:ff:ff:ff
笔记:我没有机器的 root 权限。
内容/etc/nsswitch.conf:
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
编辑#1
$ getent hosts www.microsoft.com
218.58.101.49 e13678.ca.s.tl88.net www.microsoft.com www.microsoft.com-c-3.edgekey.net www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
$ getent hosts www.aliyun.com
2400:3200:1300::3e v6wagbridge.aliyun.com.gds.alibabadns.com www.aliyun.com www-jp-de-intl-adns.aliyun.com www-jp-de-intl-adns.aliyun.com.gds.alibabadns.com v6wagbridge.aliyun.com
编辑#2
getent hosts www.aliyun.com效果很好,但getaddrinfo报告name or service not known。 (测试于这个简单的 C 程序)
编辑#3
我已经尝试过了dig,似乎 DNS 服务器11.11.4.1不适用于全球互联网。这是我发现的。
$ dig @11.11.4.1 www.aliyun.com
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6 <<>> @11.11.4.1 www.aliyun.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37272
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.aliyun.com. IN A
;; Query time: 1 msec
;; SERVER: 11.11.4.1#53(11.11.4.1)
;; WHEN: Mon Aug 20 14:48:37 2018
;; MSG SIZE rcvd: 32
$ dig @1.1.1.1 www.aliyun.com
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6 <<>> @1.1.1.1 www.aliyun.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64269
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.aliyun.com. IN A
;; ANSWER SECTION:
www.aliyun.com. 113 IN CNAME www-jp-de-intl-adns.aliyun.com.
www-jp-de-intl-adns.aliyun.com. 293 IN CNAME www-jp-de-intl-adns.aliyun.com.gds.alibabadns.com.
www-jp-de-intl-adns.aliyun.com.gds.alibabadns.com. 113 IN CNAME xjp.wagbridge.aliyun.aliyun.com.
xjp.wagbridge.aliyun.aliyun.com. 89 IN CNAME xjp-adns.aliyun.com.
xjp-adns.aliyun.com. 89 IN CNAME xjp-adns.aliyun.com.gds.alibabadns.com.
xjp-adns.aliyun.com.gds.alibabadns.com. 89 IN A 47.88.251.164
;; Query time: 223 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Aug 20 14:48:39 2018
;; MSG SIZE rcvd: 256
答案1
这让很多人感到困惑,但该ping命令有自己与/etc/resolv.conf文件的集成,而您提到的其他工具则利用名称服务器切换工具。如果您运行strace <cmd>并分析与命令交互的库的输出,您可以看到这一点。
例如,这里是ping:
$ strace ping -c 3 www.aliyun.com |& grep -E "ns|resolv"
open("/lib64/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
这是curl:
$ strace curl -v www.aliyun.com |& grep -E "ns|resolv"
open("/lib64/libnss3.so", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libnssutil3.so", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libnspr4.so", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("47.88.251.161")}, 16) = -1 EINPROGRESS (Operation now in progress)
getpeername(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("47.88.251.161")}, [16]) = 0
getsockname(3, {sa_family=AF_INET, sin_port=htons(55876), sin_addr=inet_addr("10.0.2.15")}, [16]) = 0
您可能想知道,但是等等,它们都显示对 的调用libresolv,那么问题是什么?curl甚至知道呼叫的原因libresolv是因为它被指示这样做。为什么?因为这个文件:
$ grep host /etc/nsswitch.conf
#hosts: db files nisplus nis dns
hosts: files dns myhostname
该文件中的引用hosts:告诉那些调用 NSS(名称服务器交换机)的工具,它们应该files首先咨询,然后dns再调用。
引用files意味着使用该/etc/hosts文件,dns选项意味着咨询/etc/resolv.confDNS 名称服务器并在那里查找主机名。
你的问题
因此,您的问题很可能是由于您的/etc/nsswitch.conf文件缺少dns我上面所示的条目。
哪些可执行文件使用 NSS?
您可以使用它来查看可执行文件readelf,它显示可执行文件需要哪些共享库。
$ type -f curl
curl is /bin/curl
$ readelf -d /bin/curl | grep -i shared
0x0000000000000001 (NEEDED) Shared library: [libcurl.so.4]
0x0000000000000001 (NEEDED) Shared library: [libssl3.so]
0x0000000000000001 (NEEDED) Shared library: [libsmime3.so]
0x0000000000000001 (NEEDED) Shared library: [libnss3.so]
0x0000000000000001 (NEEDED) Shared library: [libnssutil3.so]
0x0000000000000001 (NEEDED) Shared library: [libplds4.so]
0x0000000000000001 (NEEDED) Shared library: [libplc4.so]
0x0000000000000001 (NEEDED) Shared library: [libnspr4.so]
0x0000000000000001 (NEEDED) Shared library: [libpthread.so.0]
0x0000000000000001 (NEEDED) Shared library: [libdl.so.2]
0x0000000000000001 (NEEDED) Shared library: [libz.so.1]
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
$ type -f ping
ping is /bin/ping
$ readelf -d /bin/ping | grep -i shared
0x0000000000000001 (NEEDED) Shared library: [libcap.so.2]
0x0000000000000001 (NEEDED) Shared library: [libidn.so.11]
0x0000000000000001 (NEEDED) Shared library: [libcrypto.so.10]
0x0000000000000001 (NEEDED) Shared library: [libresolv.so.2]
0x0000000000000001 (NEEDED) Shared library: [libm.so.6]
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
类似的方法可以用于ldd:
$ ldd /bin/ping|grep -E "ns|resolv"
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fd144d40000)
$ ldd /bin/curl|grep -E "ns|resolv"
libnss3.so => /lib64/libnss3.so (0x00007f9795413000)
libnssutil3.so => /lib64/libnssutil3.so (0x00007f97951e4000)
libnspr4.so => /lib64/libnspr4.so (0x00007f9794b9d000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f9792067000)
DNS 似乎正在运行
如果您能够运行这些命令并且它们有效:
$ getent hosts www.google.com
216.58.193.164 www.google.com
$ getent hosts www.aliyun.com
47.88.198.17 xjp-adns.aliyun.com.gds.alibabadns.com www.aliyun.com
然后尝试使用opennssl看看是否可以连接到这些服务:
$ true | openssl s_client -connect www.aliyun.com:443
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
depth=0 C = CN, ST = ZheJiang, L = HangZhou, O = "Alibaba (China) Technology Co., Ltd.", CN = *.aliyun.com
0 s:/C=CN/ST=ZheJiang/L=HangZhou/O=Alibaba (China) Technology Co., Ltd./CN=*.aliyun.com
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
subject=/C=CN/ST=ZheJiang/L=HangZhou/O=Alibaba (China) Technology Co., Ltd./CN=*.aliyun.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2