* Contents of /etc/hosts
From: John Darrington @ 2016-10-05 18:31 UTC (permalink / raw)
To: guix-devel
Further to discussions on #guix earlier this week ...
Some of us are concerned about what we currently have in /etc/hosts viz:
127.0.0.1 localhost gambrinus
::1 localhost gambrinus
(my machine is called "gambrinus")
This is a problem because it means that "hostname -f" returns the wrong thing.
Further, the man page for hostname (from the net-tools package) says:
The recommended method of setting the FQDN is to make the hostname be
an alias for the fully qualified name using /etc/hosts, DNS, or NIS. For
example, if the hostname was "ursula", one might have a line in /etc/hosts
which reads:
127.0.1.1 ursula.example.com ursula
However I would recommend 127.0.0.2 instead of 127.0.1.1 because RFC 3330
mentions that 127.0.0.0/8 is reserved for loopback, but the rest of
127.0.0.0/16 subject to allocation.
Many systems also have a file called /etc/hostname and according to the hostname man page:
/etc/hostname Historically this file was supposed to only contain the
hostname and not the full canonical FQDN. Nowadays most software is able
to cope with a full FQDN here. This file is read at boot time by the system
initialization scripts to set the hostname.
Guix of course uses /etc/config.scm so we don't need /etc/hostname but there
might be some rogue programs which rely on it so perhaps we should have one.
When setting the name via the net-utils "hostname" utility,
HOST_NAME_MAX is the maximum length which can be passed to sethostname.
On Linux, this limit is 64
So security conscious programs (notably kerberos) will refuse to operate if
the forward and reverse DNS do not agree.
Some DHCP servers are configured to return the domain name which they
expect the host to use.
RFC 1034 and RFC 1123 stipulate that labels may contain the characters [a-zA-Z0-9-] and
may not start with -
In services/base.scm we have:
(define host-name-service-type
  (shepherd-service-type
   'host-name
   (lambda (name)
     (shepherd-service
      (documentation "Initialize the machine's host name.")
      (provision '(host-name))
      (start #~(lambda _
                 (sethostname #$name)))
      (respawn? #f)))))
This will fail if the host name in /etc/config.scm is too long, or has invalid characters.
So we should check it in system reconfigure.
So ... my recommendations:
1. We change /etc/hosts to read
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost
127.0.0.2 gambrinus
2. We put some checks in guix system to ensure that the host-name field does not
exceed 63 bytes (not characters) and that it conforms to the format of RFC1034
Any objections if I commit a patch to gnu/system.scm ??
J'
--
Avoid eavesdropping. Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3
fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.
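The length and label check proposed in point 2, written out as an added example in Guile (my own code, not from the Guix tree; the procedure names and the %max-host-name-bytes constant are hypothetical). It counts UTF-8 bytes rather than characters, as the message asks, and checks each dot-separated label against the RFC 1034 section 3.5 syntax with the RFC 1123 relaxation that a label may begin with a digit:

```scheme
;;; -*- coding: utf-8 -*-
(use-modules (rnrs bytevectors)
             (srfi srfi-1))

;; HOST_NAME_MAX is 64 on Linux and counts the trailing NUL, so 63 bytes
;; is the longest name that sethostname will accept.
(define %max-host-name-bytes 63)

(define (host-name-byte-length name)
  "Length of NAME in bytes of its UTF-8 encoding, not in characters."
  (bytevector-length (string->utf8 name)))

(define (ascii-alnum? c)
  "ASCII letters and digits only; deliberately not locale-dependent."
  (or (and (char<=? #\a c) (char<=? c #\z))
      (and (char<=? #\A c) (char<=? c #\Z))
      (and (char<=? #\0 c) (char<=? c #\9))))

(define (valid-label? label)
  "RFC 1034 section 3.5 label syntax with the RFC 1123 relaxation that a
label may start with a digit: 1-63 octets of [A-Za-z0-9-], no leading or
trailing hyphen."
  (let ((n (string-length label)))
    (and (<= 1 n 63)
         (ascii-alnum? (string-ref label 0))
         (ascii-alnum? (string-ref label (- n 1)))
         (string-every (lambda (c) (or (ascii-alnum? c) (char=? c #\-)))
                       label))))

(define (host-name-problem name)
  "Return #f if NAME is an acceptable host-name field, otherwise a string
saying why not.  (Hypothetical helper, not part of Guix.)"
  (cond ((string-null? name)
         "host name is empty")
        ((> (host-name-byte-length name) %max-host-name-bytes)
         (format #f "host name is ~a bytes long; the limit is ~a"
                 (host-name-byte-length name) %max-host-name-bytes))
        ((find (lambda (label) (not (valid-label? label)))
               (string-split name #\.))
         => (lambda (bad)
              (format #f "label ~s violates RFC 1034/1123 syntax" bad)))
        (else #f)))

;; Demo over the thread's own names plus the byte-versus-character edge
;; case: 63 characters that encode to 64 bytes are still rejected.
(for-each
 (lambda (name)
   (format #t "~s -> ~a~%" name (or (host-name-problem name) "ok")))
 (list "gambrinus"
       "ursula.example.com"
       "-bad-start"
       "under_score"
       (make-string 63 #\a)
       (make-string 64 #\a)
       (string-append (make-string 62 #\a) "ü")))
```

A reconfigure-time check would call host-name-problem on the host-name field and raise an error with the returned string instead of letting sethostname fail at boot.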
* Re: Contents of /etc/hosts
From: Ludovic Courtès @ 2016-10-05 20:17 UTC (permalink / raw)
To: John Darrington; +Cc: guix-devel
Hi!
John Darrington <john@darrington.wattle.id.au> skribis:
> So ... my recommendations:
>
> 1. We change /etc/hosts to read
>
>
> 127.0.0.1 localhost.localdomain localhost
> ::1 localhost.localdomain localhost
>
> 127.0.0.2 gambrinus
It’s not very useful to have “localhost.localdomain”, is it? Also,
shouldn’t we keep the same address for both names?
Like:
127.0.0.1 localhost
::1 localhost
127.0.0.1 gambrinus
::1 gambrinus
Or am I missing something?
> 2. We put some checks in guix system to ensure that the host-name field does not
> exceed 63 bytes (not characters) and that it conforms to the format of RFC1034
Sure, makes sense.
> Any objections if I commit a patch to gnu/system.scm ??
Send it first. :-)
Thanks,
Ludo’.
* Re: Contents of /etc/hosts
From: John Darrington @ 2016-10-06 0:57 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
On Wed, Oct 05, 2016 at 10:17:14PM +0200, Ludovic Courtès wrote:
> Hi!
> John Darrington <john@darrington.wattle.id.au> skribis:
> > So ... my recommendations:
> >
> > 1. We change /etc/hosts to read
> >
> > 127.0.0.1 localhost.localdomain localhost
> > ::1 localhost.localdomain localhost
> >
> > 127.0.0.2 gambrinus
> It’s not very useful to have “localhost.localdomain”, is it?
Try doing this: Put just a single line in your /etc/hosts:
127.0.0.1 localhost
then run "hostname -d"
You will get the answer "(none)"
I'm sure that will break some applications!
Now so long as there is also a canonical hostname in /etc/hosts this won't be
a problem. But what about on my machine running bind? Here all hostnames are
in the bind database and not in /etc/hosts (except for localhost).
> Also, shouldn’t we keep the same address for both names?
> Like:
> 127.0.0.1 localhost
> ::1 localhost
> 127.0.0.1 gambrinus
> ::1 gambrinus
> Or am I missing something?
Hmm. I have never seen it done this way elsewhere, and I really wonder how some
services will react if they discover that 127.0.0.1 is not called "localhost"?
Or that one address is known by two names. I think it possible they might
assume a security breach and refuse to work. Kerberos is very fussy about such
things.
J'
* Re: Contents of /etc/hosts
From: Hartmut Goebel @ 2016-10-06 9:24 UTC (permalink / raw)
To: guix-devel
On 05.10.2016 at 20:31, John Darrington wrote:
> (shepherd-service-type
>  'host-name
>  (lambda (name)
>    (shepherd-service
I suggest adding a comment here whether this is the bare hostname or the
FQDN.
> 127.0.0.2 gambrinus
Now what happens if you "ping gambrinus"?
--
Kind regards
Hartmut Goebel
Dipl.-Informatiker (univ), CISSP, CSSLP, ISO 27001 Lead Implementer
Information Security Management, Security Governance, Secure Software
Development
Goebel Consult, Landshut
http://www.goebel-consult.de
Blog: http://www.goebel-consult.de/blog/feiertagsarbeit-bei-teletrust
Kolumne:
http://www.cissp-gefluester.de/2011-02-fleisige-datensammler-fur-lukratives-geschaeftsmodell-gesucht
* Re: Contents of /etc/hosts
From: Hartmut Goebel @ 2016-10-06 10:07 UTC (permalink / raw)
To: guix-devel
On 06.10.2016 at 02:57, John Darrington wrote:
> 127.0.0.1 localhost
> ::1 localhost
> 127.0.0.1 gambrinus
> ::1 gambrinus
>
> Or am I missing something?
>
> Hmm. I have never seen it done this way elsewhere, and I really wonder how some
> services will react if they discover that 127.0.0.1 is not called "localhost"?
> Or that one address is known by two names. I think it possible they might
> assume a security breach and refuse to work.
This should not be a problem. One could always add several entries for
the same IP-address. And "getent hosts 127.0.0.1" will return the first
entry in /etc/hosts AFAICT.
I started digging through the man pages, but did not finish. It's a deep
maybe recursive mess of documentation where nothing is said about Maybe
we need to refer to the gethostbyname(2) and gethostbyname(3)
documentation, which both are listed in "man hostname".
* gethostbyname(2) [1], uses uname[2], which returns whatever has been
set with sethostname (AFAICT) and always returns a single string.
* gethostbyname(3) [3] returns a structure capable of holding a name,
several aliases, and several addresses.
Nevertheless my conclusion is that any program should be able to handle
any ip-address and hostname and must not rely on any assumption
regarding these. (Except perhaps to assume "localhost" is defined.)
[1] http://man7.org/linux/man-pages/man2/gethostname.2.html
[2] http://man7.org/linux/man-pages/man2/uname.2.html
[3] http://man7.org/linux/man-pages/man3/gethostbyname.3.html
[4] http://man7.org/linux/man-pages/man5/hosts.5.html
> Kerberos is very fussy about such things.
Yes, it is, forward and backward resolution must match. But this can be
done with the hostname's non-loopback IP-address being in front of the
loopback entry. AFAIK
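To make the behaviours claimed in the last two messages concrete ("hostname -f" returning "localhost" with the current layout, "hostname -d" answering "(none)", and "getent hosts 127.0.0.1" showing only the first line), here is an added Guile model of the glibc files backend (my own code, not Guix's or glibc's). The three hosts tables are constructed from the layouts discussed above; the procedure names are hypothetical.

```scheme
(use-modules (srfi srfi-1))

;; Constructed /etc/hosts models: each entry is (address canonical alias ...).
;; What the thread says Guix currently writes for a machine called "gambrinus":
(define %current-hosts
  '(("127.0.0.1" "localhost" "gambrinus")
    ("::1" "localhost" "gambrinus")))

;; The form recommended by the net-tools hostname(1) man page quoted above:
(define %man-page-hosts
  '(("127.0.0.1" "localhost")
    ("127.0.1.1" "ursula.example.com" "ursula")))

;; Ludovic's suggestion: the same address under two names on separate lines.
(define %two-name-hosts
  '(("127.0.0.1" "localhost") ("::1" "localhost")
    ("127.0.0.1" "gambrinus") ("::1" "gambrinus")))

(define (lookup-by-name hosts name)
  "Model the glibc 'files' backend for a name lookup: the first line that
lists NAME wins, and that line's first name is the canonical name (h_name)."
  (find (lambda (entry) (member name (cdr entry))) hosts))

(define (fqdn hosts host-name)
  "What 'hostname -f' reports: the canonical name of the line matching the
kernel host name, or #f when the lookup fails (the real tool then exits
with an error)."
  (let ((entry (lookup-by-name hosts host-name)))
    (and entry (cadr entry))))

(define (domain hosts host-name)
  "What 'hostname -d' reports: everything after the first dot of the FQDN,
or \"(none)\" when there is no dot."
  (let ((name (fqdn hosts host-name)))
    (cond ((not name) "(none)")
          ((string-index name #\.)
           => (lambda (dot) (substring name (+ dot 1))))
          (else "(none)"))))

(define (names-for-address hosts address)
  "What 'getent hosts ADDRESS' prints: only the first line with that address."
  (let ((entry (find (lambda (e) (string=? (car e) address)) hosts)))
    (and entry (cdr entry))))

;; Demo: "current" gives -f localhost (the wrong thing); "man-page" gives
;; ursula.example.com / example.com; "two-name" gives a bare gambrinus and
;; getent hosts 127.0.0.1 lists only localhost.
(for-each
 (lambda (label hosts host-name)
   (format #t "~a: -f ~a, -d ~a, getent 127.0.0.1 ~a~%"
           label (fqdn hosts host-name) (domain hosts host-name)
           (names-for-address hosts "127.0.0.1")))
 '("current" "man-page" "two-name")
 (list %current-hosts %man-page-hosts %two-name-hosts)
 '("gambrinus" "ursula" "gambrinus"))
```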
* Re: Contents of /etc/hosts
From: John Darrington @ 2016-10-08 14:08 UTC (permalink / raw)
To: Hartmut Goebel; +Cc: guix-devel
On Thu, Oct 06, 2016 at 11:24:57AM +0200, Hartmut Goebel wrote:
> On 05.10.2016 at 20:31, John Darrington wrote:
> > (shepherd-service-type
> >  'host-name
> >  (lambda (name)
> >    (shepherd-service
> I suggest adding a comment here whether this is the bare hostname or the
> FQDN.
> > 127.0.0.2 gambrinus
> Now what happens if you "ping gambrinus"?
ICMP packets will be sent to the local host.
J'
* Re: Contents of /etc/hosts
From: John Darrington @ 2016-10-08 14:19 UTC (permalink / raw)
To: Hartmut Goebel; +Cc: guix-devel
On Thu, Oct 06, 2016 at 12:07:37PM +0200, Hartmut Goebel wrote:
> On 06.10.2016 at 02:57, John Darrington wrote:
> > 127.0.0.1 localhost
> > ::1 localhost
> > 127.0.0.1 gambrinus
> > ::1 gambrinus
> >
> > Or am I missing something?
> >
> > Hmm. I have never seen it done this way elsewhere, and I really wonder how some
> > services will react if they discover that 127.0.0.1 is not called "localhost"?
> > Or that one address is known by two names. I think it possible they might
> > assume a security breach and refuse to work.
> This should not be a problem. One could always add several entries for
> the same IP-address. And "getent hosts 127.0.0.1" will return the first
> entry in /etc/hosts AFAICT.
> I started digging through the man pages, but did not finish. It's a deep
> maybe recursive mess of documentation where nothing is said about Maybe
> we need to refer to the gethostbyname(2) and gethostbyname(3)
> documentation, which both are listed in "man hostname".
Indeed it is a mess. And be careful: there are several versions of the "hostname" program
in circulation. One of them explicitly says that
127.0.1.1 canonical-name.example.com canonical-name
is the recommended way to set the canonical name and FQDN.
> * gethostbyname(2) [1], uses uname[2], which returns whatever has been
> set with sethostname (AFAICT) and always returns a single string.
That is also my understanding.
> * gethostbyname(3) [3] returns a structure capable of holding a name,
> several aliases, and several addresses.
Yes.
> Nevertheless my conclusion is that any program should be able to handle
> any ip-address and hostname and must not rely on any assumption
> regarding these. (Except perhaps to assume "localhost" is defined.)
Well behaved programs should not make such assumptions. But I don't think
we should assume that all programs behave well.
Anyway I think we need to change what we currently have because it breaks
"hostname -f" (and possibly other things too)
J'
* Re: Contents of /etc/hosts
From: Hartmut Goebel @ 2016-10-09 9:12 UTC (permalink / raw)
To: John Darrington; +Cc: guix-devel
On 08.10.2016 at 16:08, John Darrington wrote:
> > 127.0.0.2 gambrinus
> Now what happens if you "ping gambrinus"?
>
> ICMP packets will be sent to the local host.
Me fool. Of course it does: the loopback interface has netmask /8
(defined in RFC 990 https://tools.ietf.org/html/rfc990).
But for IPv6 the loopback interface has ::1/128, thus ::2 would not get
there.
So if we follow your proposal adding "127.0.0.2 gambrinus" to /etc/hosts,
we could not consistently do this for IPv6.
--
Regards
Hartmut Goebel
| Hartmut Goebel | h.goebel@crazy-compilers.com |
| www.crazy-compilers.com | compilers which you thought are impossible |
* Re: Contents of /etc/hosts
From: John Darrington @ 2016-10-09 9:56 UTC (permalink / raw)
To: Hartmut Goebel; +Cc: guix-devel
On Sun, Oct 09, 2016 at 11:12:58AM +0200, Hartmut Goebel wrote:
> On 08.10.2016 at 16:08, John Darrington wrote:
> > > 127.0.0.2 gambrinus
> > Now what happens if you "ping gambrinus"?
> >
> > ICMP packets will be sent to the local host.
> Me fool. Of course it does: the loopback interface has netmask /8
> (defined in RFC 990 https://tools.ietf.org/html/rfc990).
> But for IPv6 the loopback interface has ::1/128, thus ::2 would not get
> there.
> So if we follow your proposal adding "127.0.0.2 gambrinus" to /etc/hosts,
> we could not consistently do this for IPv6.
IPv6 is something I'm not really familiar with. Presumably there is an
equivalent way to do this in IPv6 ?
J'
* Re: Contents of /etc/hosts
From: Hartmut Goebel @ 2016-10-09 10:53 UTC (permalink / raw)
To: John Darrington; +Cc: guix-devel
On 09.10.2016 at 11:56, John Darrington wrote:
> > But for IPv6 the loopback interface has ::1/128, thus ::2 would not get
> > there.
> >
> > So if we follow your proposal adding "127.0.0.2 gambrinus" to /etc/hosts,
> > we could not consistently do this for IPv6.
>
> IPv6 is something I'm not really familiar with. Presumably there is an
> equivalent way to do this in IPv6 ?
I don't think we can use something like "::2 gambrinus" for IPv6. I did
not find documentation for this when I did a short Internet search, but:
* According to some sources, the loopback interface address is ::1/128,
which would be the same as 127.0.0.1/32. Thus this loopback is a kind of
point-to-point interface in IPv6, whereas in IPv4 it "accepts" a /8
network.
* "/sbin/ip -6 route" says:
unreachable ::/96 dev lo metric 1024 error -113 pref medium
So when sending a packet to ::2 this will simply be discarded.
* Re: Contents of /etc/hosts
From: Ludovic Courtès @ 2016-10-11 20:25 UTC (permalink / raw)
To: John Darrington; +Cc: guix-devel
Hello!
John Darrington <john@darrington.wattle.id.au> skribis:
> On Wed, Oct 05, 2016 at 10:17:14PM +0200, Ludovic Courtès wrote:
> > Hi!
> >
> > John Darrington <john@darrington.wattle.id.au> skribis:
> >
> > > So ... my recommendations:
> > >
> > > 1. We change /etc/hosts to read
> > >
> > > 127.0.0.1 localhost.localdomain localhost
> > > ::1 localhost.localdomain localhost
> > >
> > > 127.0.0.2 gambrinus
> >
> > It’s not very useful to have “localhost.localdomain”, is it?
>
> Try doing this: Put just a single line in your /etc/hosts:
> 127.0.0.1 localhost
> then run "hostname -d"
>
> You will get the answer "(none)"
Right.
But “localhost.localdomain” is kinda pointless no? I’ve checked a few
systems and I’ve never seen that. Typical desktop GNU/Linux installs
don’t have an FQDN and “hostname -d” doesn’t return one; that’s fine.
I think the current default is OK, but we should allow people to specify
an FQDN when there’s a meaningful one.
Thoughts?
Ludo’.