Superpatterns Pat Patterson on the Cloud, Identity and Single Malt Scotch

8 Jun 2006

Solaris 10 /etc/hosts gotcha

Often, when I'm setting up a test system or a demo, I'll use bogus fully qualified domain names (FQDNs), adding entries to /etc/hosts (which is nowadays a symbolic link to /etc/inet/hosts). Today, I was setting up federation; my identity provider (IdP) is at amdemo.example.com and my service provider (SP) is at fmdemo.partner.com. I set up the IdP, appending amdemo.example.com to the line in /etc/hosts that said 192.168.1.31 amdemo and all was well - I could browse to amdemo.example.com and see Access Manager.

On to the SP. I do the same thing, appending fmdemo.partner.com to the line in /etc/hosts that contains fmdemo, browsing to fmdemo.partner.com and... I get some site on the internet. Hmmm. Check /etc/nsswitch.conf - it tells me that it will check files (i.e. /etc/hosts) before DNS. Hmmm. If I comment out the nameserver from /etc/resolv.conf, I can browse to fmdemo.partner.com and see Federation Manager. Strange.

After much man page reading, the answer is... /etc/inet/ipnodes. It turns out that, even if you don't choose IPv6 support, Solaris 10 will read /etc/inet/ipnodes before /etc/hosts and, if there is no ipnodes value, then go to DNS. So, the answer is to copy the relevant line from /etc/hosts to /etc/inet/ipnodes. I do that and, hey presto, I can see Federation Manager at fmdemo.partner.com!

The key here is the comment in /etc/nsswitch.conf that says

# Note that IPv4 addresses are searched in all of the ipnodes databases
# before searching the hosts databases.

So, with these lines in /etc/nsswitch.conf:

hosts:      files dns
ipnodes:    files dns

The search order is: /etc/inet/ipnodes, DNS, /etc/inet/hosts then DNS again.
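The gap this order creates can be checked mechanically: any name that was appended to /etc/hosts but never copied to /etc/inet/ipnodes is looked up in DNS first, so a test FQDN can quietly land on an unrelated internet host. As an added example (not part of the original post), this POSIX shell snippet lists the names present in a hosts-format file but absent from an ipnodes file; the two sample files mirroring the setup above are constructed inline.

```shell
#!/bin/sh
# Added example, not from the original post: report hostnames that are
# present in a hosts file but absent from an ipnodes file. With
# "ipnodes: files dns" consulted ahead of "hosts: files dns", such names
# are answered by DNS before the local table is ever read.
# Usage: hosts_not_in_ipnodes /etc/inet/hosts /etc/inet/ipnodes
LC_ALL=C; export LC_ALL
TMP="${TMPDIR:-/tmp}"

# Print every hostname and alias (one per line) from a hosts-format file,
# ignoring comments, blank lines and the address column.
names_in() {
    sed -e 's/#.*//' "$1" | awk 'NF > 1 { for (i = 2; i <= NF; i++) print $i }'
}

# Print names found in the hosts file ($1) but not in the ipnodes file ($2).
hosts_not_in_ipnodes() {
    names_in "$1" | sort -u > "$TMP/h.$$"
    names_in "$2" | sort -u > "$TMP/i.$$"
    comm -23 "$TMP/h.$$" "$TMP/i.$$"
    rm -f "$TMP/h.$$" "$TMP/i.$$"
}

# Constructed sample files (not real system files): fmdemo.partner.com was
# appended to the hosts table but never copied to ipnodes.
SAMPLE_HOSTS="$TMP/sample_hosts.$$"
SAMPLE_IPNODES="$TMP/sample_ipnodes.$$"
trap 'rm -f "$SAMPLE_HOSTS" "$SAMPLE_IPNODES"' EXIT
cat > "$SAMPLE_HOSTS" <<'EOF'
#
# Internet host table
#
127.0.0.1       localhost
192.168.1.31    amdemo  amdemo.example.com  loghost
192.168.1.32    fmdemo  fmdemo.partner.com
EOF
cat > "$SAMPLE_IPNODES" <<'EOF'
::1             localhost
127.0.0.1       localhost
192.168.1.31    amdemo  amdemo.example.com  loghost
192.168.1.32    fmdemo
EOF

# Each name printed here falls through to DNS instead of the local table.
hosts_not_in_ipnodes "$SAMPLE_HOSTS" "$SAMPLE_IPNODES"
```

Run it against the real /etc/inet/hosts and /etc/inet/ipnodes after editing either file; an empty result means the two tables agree.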

This has actually bitten me before. I'm blogging it this time to increase my chances of actually remembering it.

Comments (7)
  1. or…

    hosts: files dns
    ipnodes: files
    

    Should make it so that you can just maintain your localhost entry in /etc/inet/ipnodes (then forget it exists) while using /etc/hosts and DNS like you always have.

  2. Thanks, Mike. Very cool.

  3. It would be really nice to know if the same behaviour is seen on Linux too… and if so what the workaround could be…
    I seem to have similar issues with the LDAP server in certain instances failing to start up due to an error: “Failed to find route to host”. It looks like the reason is pretty close to yours when you saw errors during your demo setup of federation.

  4. Hi Rohan – no, this is Solaris-specific. Linux puts IPv6 information in /etc/hosts.

    I can’t think of anything to help you with “Failed to find route to host” apart from the regular diagnostics – ping the hostname, ping the ip address, traceroute etc etc etc.

  5. I have found that the old gethostby???? calls ONLY use /etc/inet/hosts and that getaddrinfo ONLY uses /etc/inet/ipnodes

    I make all changes to /etc/inet/ipnodes then

    grep -v ':' /etc/inet/ipnodes > /etc/inet/hosts

  6. Thanks for the post; this was driving me crazy for the better part of a day when I started getting weird NFS ‘permission denied’ errors after editing /etc/inet/hosts. And evidently because of name service caching, I didn’t notice anything was amiss immediately. After a ‘cat ipnodes.old hosts > ipnodes’ and deleting the duplicate lines, everything was hunky-dory. As I don’t use IPv6, I’m wondering if there would be a downside to symlinking ipnodes to hosts? I can’t try it now, maybe I will in the future.

  7. To make this easier on you when setting up a new system, in the /etc dir, you’ll find a file called nsswitch.dns already configured correctly to set the system up as a DNS client. Simply "cp /etc/nsswitch.dns /etc/nsswitch.conf" and Bob’s your Uncle!

    Also, you’ll find that the hosts file is really in /etc/inet. It’s only linked into the /etc dir for BSD compatibility reasons.

    Cheers,
    Steve
