we have a script that needs to take action on a finite list of hosts. but every time we add or remove a host to the /etc/hosts file, we end up having to update this script.
basically, say my hosts file looks like:
192.168.100.1 hostip_1
192.168.100.2 hostip_2
192.168.100.10 hostip_3
192.168.100.20 hostip_5
and my script (bash) does something like:
callmyfunction hostip_1
callmyfunction hostip_2
callmyfunction hostip_3
callmyfunction hostip_5
if i want to add hostip_4 to the list of hosts, i now have to go in and edit my script and add it to the list. while it's a small edit, it is still a step that can be forgotten in the process (especially if someone new to the system comes in).
is there a way i can test to see if 'hostip_1' is a valid hostname within the system (without pinging the host or grepping the /etc/hosts file)? we may use multiple hosts files, and different configurations may have different filenames, so i can't rely on trying to grep a single file. i need the system to do that work for me.
any clues?
first, my statement about things not being in the hosts file is wrong. that is exactly where they are. dumb on my part.
but the answer is:
getent hosts
that will get it to print everything out, and i can do a lookup from there.
As you are populating the /etc/hosts file, I am assuming that you are not using DNS. So below solution wont fit your use case. But it will still get you some pointers.
In a working DNS environment, you can check the host name to its corresponding IP with below command
# host host_name
This is will give the IP address of the host. In case the host name does not exists, then it will give you corresponding host not found message.
You can parse the output of above command and can deduce whether a give host name exists.
might not be in your /etc/hosts file... better search for the name and see if an ip can be found:
(($(dig +noall +answer google.de |wc -c)>0)) && echo exists
this is bash, can be adaptet to pretty much everything.
dig +noall +answer google.de
returns the ips if found. If empty, that name cannot be used in the computer running this code.
If all the targets are on the same subnet (same network), use arping, it will check that hosts are available using ARP.
Related
As stated in the title: What does the #... in the output below mean? I don't think they are hostnames, because I think the #-sign is reserved for mailing. Normally there stands a IP-subnet or simply an IP-address - but nothing is the case here. I also know I can put hostnames in there, but I don't think I could put such #... into the hosts file to restrict the access to only some IPs... Sooo, what is this?
glaforge#enterprise: showmount -e [REMOVED]
Export list for [REMOVED]:
[REMOVED] *
[REMOVED] #somenamea,#somenameb
In the list of exports shown by showmount -e any names with an # are netgroups, not individual hosts.
A netgroup is a list of hosts. They're typically defined in /etc/netgroup on the NFS server (but could also be in NIS, LDAP, etc. depending on how /etc/nsswitch.conf is configured).
Using netgroups to define your exports saves a lot of typing compared to exporting to each host separately. (I find that it reduces the chances of making typos. Or if I do make a typo in one of my exports, I'll find it faster as it'll affect all the machines in the netgroup rather than just one machine.)
Example
On my NFS server I could have the following netgroups defined in /net/netgroup:
nuts (walnut,,) (almond,,) (pistachio,,) (hazelnut,,)
flowers (rose,,) (tulip,,) (iris,,)
Each entry in a netgroup is defined as a tuple of (hostname, user, NIS domain) but NFS only cares about the hostname so just leave the other parts blank. The NIS domain is not the same thing as a DNS domain. If you need to specify a full DNS name, e.g., foo.example.com, put it all in the host part: (foo.example.com,,)
And then my exports file could look like this:
/vol/home #nuts(rw) #flowers(rw)
/vol/web #nuts(rw)
/vol/dns #nuts(ro) almond(rw)
Now the hosts in the flowers netgroup can mount home read-write but can't access web or dns. The host almond has read-write access to everything, but the rest of the machines in the nuts netgroup only have read-only access to dns.
If I were to run showmount -e it would look something like this:
% showmount -e
Export list for example.com:
/vol/home #nuts,#flowers
/vol/web #nuts
/vol/dns #nuts,almond
I'm writing program in x86-64 assembly for linux that will create X11 window using only system calls invoked with syscall instruction. Based on the content of the DISPLAY environment variable I have to create either tcp or unix socket. In linux manual "man 7 X" it is written that :
The hostname part of the display name should be the empty string. For example: :0, :1, and :0.1. The most efficient local transport will be chosen.
However I compiled C code example from https://en.wikibooks.org/wiki/X_Window_Programming/XCB and ran compiled executable in GDB with changed DISPLAY environment variable. When I change DISPLAY environment variable from DISPLAY=:0 to DISPLAY=unix:0 or DISPLAY=unix/:0 or DISPLAY=unix/abc:0 window is still created. Is linux manual wrong and what is real syntax of DISPLAY environment variable?
Short Answer: X11 can run over multiple transport. The comment is related to 'local' connection.
Long Answer:
The quote that you include refers to 'local' connection. The X11 system can run over few tarnsport layers. On my system:
local
The hostname part of the display name should be the empty string. For example: :0, :1, and :0.1. The most effi‐
cient local transport will be chosen.
TCPIP
The hostname part of the display name should be the server machine's hostname or IP address. Full Internet names,
abbreviated names, IPv4 addresses, and IPv6 addresses are all allowed. For example: x.org:0, expo:0, [::1]:0,
198.112.45.11:0, bigmachine:1, and hydra:0.1.
Also, many systems support running over unix sockets, which had (at least in the past) more efficient that TCP connections.
I want to know how does the DIG (Domain Information Groper) command really works when it comes to code and implementation. I mean when we enter a DIG command, which part of the code in FreeBSD or BIND hits first.
Currently, I see that when I hit the DIG command, I see the control going to a file client.c. Inside this file, following function is called:
static void
client_request(isc_task_t *task, isc_event_t *event);
But how does the control reach to this place is still a big mystery for me even after digging a lot into 'named' part of the BIND code.
Further, I see this function being called from two places within this file. I tried to put logs into such places to know if control reaches to this place through those paths, but unfortunately that doesn't happen. It seems "Client_request()" function is somehow being called from outside somewhere that I am not able to figure out.
Is there anybody here who can help me out to resolve this mystery for me ?
Thanks.
Not only for bind but to any other command, within FreeBSD you could use ktrace, it is very verbose but could help you to get a quick overview of how the program is behaving.
For example, in latest FreeBSD's you have drill command instead of dig so if you would like to know what is happening behind scenes when you run the command, you could give a try to:
# ktrace drill freebsd.org
Then to disable tracing:
# ktrace -C
Once tracing is enabled on a process, trace data will be logged until
either the process exits or the trace point is cleared. A traced process
can generate enormous amounts of log data quickly; It is strongly
suggested that users memorize how to disable tracing before attempting to
trace a process.
After running ktrace drill freebsd.org a file ktrace.out should be created the one you could read with kdump, for example:
# kdump -f ktrace.out | less
That will hopefully "reveal the mystery", in your case, just replace drill with dig and then use something like:
# ktrace dig freebsd.org
Thanks to FreeBSD Ports system you can compile your own BIND with debugging enabled. To do so run
cd /usr/ports/dns/bind913/ && make install clean WITH_DEBUG=1
Then you can run it inside debugger (lldb /usr/local/bin/dig), break on the line you are interested in and then look at backtrace to figure out how the control reached there.
I would like to use fireHOL ip lists: http://iplists.firehol.org , ipset and iptables together on my centOS webserver.
I have installed the fireHOL lists and updated the IP lists it generates.
The IP lists it creates are saved in: /etc/firehol/ipsets (https://github.com/firehol/blocklist-ipsets/wiki/Downloading-IP-Lists#where-are-the-ipsets)
I have installed ipset.
I already have iptables installed and working (controlled via CSF/LFD).
How do I tie together the IP lists, ipset and iptables so that the lists are blocked via iptables (https://github.com/firehol/blocklist-ipsets/wiki/Downloading-IP-Lists#updating-the-ipsets-in-kernel)?
Thanks for any help.
I don't know how to do it with CSF/LFD, but if you use FireHOL, you would need something like the following for each ipset.
Let's assume you are interested for ipset dshield.
In your firehol.conf, at its top you should add this:
ipset4 create dshield hash:net
ipset4 addfile dshield ipsets/dshield.netset
blacklist4 input inface ${wan} log "BLACKLIST dshield" ipset:dshield
Of course, the above is a fragment. You will need to configure firehol.conf properly.
Then, update-ipsets will update dshield in kernel automatically when it is updated.
So the general idea:
create the ipset with the name of the IP list you are interested
initialize it with the contents of the file generated by update-ipsets
create a blacklist that uses the ipset you created
update-ipsets will automatically update the ipset in kernel
firehol takes care of 1,2,3 and update-ipsets of the 4th.
Check this: https://github.com/firehol/firehol/wiki/Working-with-IPSETs
Alternatively:
You can do 1 and 2 by running ipset commands on your console.
You can do 3 using your firewall (it has to support ipsets) or by running iptables commands on your console.
If you don't know what to do, the simplest way is to use firehol. Check its docs (http://firehol.org/guides/firehol-welcome/).
On Ubuntu 12.04 I am tring to get the subtree of management values with the following command:
snmpwalk -v 2c -c public localhost
with the last line of the output being
iso.3.6.1.2.1.25.1.7.0 = No more variables left in this MIB View (It is past the end of the MIB tree)
Is this an error? A warning? Does the subtree end there?
There's a bit more going on here than you might suspect. I encounter this on every new Ubuntu box that I build, and I do consider it a problem (not an error, but a problem--more on this down further).
Here's the technically-correct explanation (why this is not an "error"):
"No more variables left in this MIB View" is not particularly an error; rather, it is a statement about your request. The request started at something simple, say ".1.3" and continued to ask for the "next" lexicographic OID. It got "next" OIDs until that last one, at which point the agent has informed you that there's nothing more to see; don't bother asking.
Now, here's why I consider it a problem (in the context of this question):
The point of installing "snmpd" and running it is to gather meaningful information about the box; typically, this information is performance-oriented. For example, the three general things that I need to know about are network-interface information (IF-MIB::ifHCInOctets and IF-MIB::ifHCOutOctets), disk information (UCD-SNMP-MIB::dskUsed and UCD-SNMP-MIB::dskTotal), and CPU information (UCD-SNMP-MIB::ssCpuRawIdle, UCD-SNMP-MIB::ssCpuRawWait, and so on).
The default Ubuntu "snmpd" configuration specifically denies just about everything useful with this configuration (limiting access to just enough information to tell you that the box is a Linux box):
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
rocommunity public default -V systemonly
This configuration locks the box down, which may be "safe" if it will be on an insecure network with little SNMP administration knowledge available.
However, the first thing that I do is remove the "-V systemonly" portion of the "rocommunity" setting; this will allow all available SNMP information to be accessed (read-only) via the community string of "public".
If you do that, then you'll probably see what you're expecting, which is pages and pages of SNMP information that you can use to gauge the performance of your box.
I know this thread is probably very old the I fix this is to use:
rocommunity public
and that should fix the problem.
Briefly, this is not an error, actually, when you "walk up" all OIDs on your agent, it will shows your this line>
Sometimes, it won't show you this line, because the last OID is not on your agent(you have already walk up all OIDs on your agent, but not walk up all OIDs).
$ snmpwalk -v 2c -c public localhost NET-SNMP-EXTEND-MIB::nsExtendObjects
NET-SNMP-EXTEND-MIB::nsExtendObjects = No more variables left in this MIB View (It is past the end of the MIB tree)
Also you can get this error while you can trying to see executed scripts I fix that problem to add
view all included .1 80
line to snmpd.conf than restart service
Than you will see your output going to change for both input