TL;博士
我有一个奇怪的情况,我可以在某些主机上进行 DNS 查找,但不能在其他主机上进行。这似乎与 resolv.conf 有一个名称服务器条目指向我的名称服务器和另一个可能与 docker 有关,但我不知道如何修复它。
问题
我一直在阅读Stéphane Graber 对 LXD 的精彩介绍,并想尝试一下。因此,我做了:
$ sudo usermod -a -G lxd <myusername>
$ newgrp lxd
$ sudo lxd init
我使用所有默认设置对其进行了配置。然后我输入:
$ lxc image list images:
error: Get https://images.linuxcontainers.org/streams/v1/index.json: lookup images.linuxcontainers.org: no such host
一些测试
我尝试从另一台 PC 上的网络浏览器访问该地址,它运行良好。所以我认为 DNS 设置一定有问题,但是:
$ host images.linuxcontainers.org
images.linuxcontainers.org is an alias for canonical.images.linuxcontainers.org.
canonical.images.linuxcontainers.org has address 91.189.91.21
canonical.images.linuxcontainers.org has address 91.189.88.37
canonical.images.linuxcontainers.org has IPv6 address 2001:67c:1560:8001::21
canonical.images.linuxcontainers.org has IPv6 address 2001:67c:1562::41
所以我尝试了wget:
$ wget https://images.linuxcontainers.org/streams/v1/index.json
--2016-11-10 15:56:22-- https://images.linuxcontainers.org/streams/v1/index.json
Resolving images.linuxcontainers.org (images.linuxcontainers.org)... failed: Name or service not known.
wget: unable to resolve host address "images.linuxcontainers.org"
这让我觉得我的互联网连接有问题,但如果我使用 us.images.linuxcontainers.org(我在网上某处看到提到):
$ wget https://us.images.linuxcontainers.org/streams/v1/index.json
--2016-11-10 15:57:26-- https://us.images.linuxcontainers.org/streams/v1/index.json
Resolving us.images.linuxcontainers.org (us.images.linuxcontainers.org)... 91.189.91.21, 2001:67c:1562::41
Connecting to us.images.linuxcontainers.org (us.images.linuxcontainers.org)|91.189.91.21|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3086 (3.0K) [application/json]
Saving to: "index.json"
index.json 100%[==================================================================================>] 3.01K --.-KB/s in 0s
2016-11-10 15:57:26 (8.36 MB/s) - "index.json" saved [3086/3086]
我还尝试了 canonical.images.linuxcontainers.org,它(根据host上面)是 images.linuxcontainers.org 的别名并且也可以工作,所以它看起来host可以查找 images.linuxcontainers.org,而wget不能lxc,但是 wget 可以访问 canonical.images.linuxcontainers.org 和我尝试过的大多数其他网站。
$ wget https://canonical.images.linuxcontainers.org/streams/v1/index.json
--2016-11-10 16:02:28-- https://canonical.images.linuxcontainers.org/streams/v1/index.json
Resolving canonical.images.linuxcontainers.org (canonical.images.linuxcontainers.org)... 91.189.91.21, 91.189.88.37
Connecting to canonical.images.linuxcontainers.org (canonical.images.linuxcontainers.org)|91.189.91.21|:443... connected.
ERROR: no certificate subject alternative name matches
requested host name "canonical.images.linuxcontainers.org".
To connect to canonical.images.linuxcontainers.org insecurely, use `--no-check-certificate'.
$ wget --no-check-certificate https://canonical.images.linuxcontainers.org/streams/v1/index.json
--2016-11-10 16:02:37-- https://canonical.images.linuxcontainers.org/streams/v1/index.json
Resolving canonical.images.linuxcontainers.org (canonical.images.linuxcontainers.org)... 91.189.88.37, 91.189.91.21
Connecting to canonical.images.linuxcontainers.org (canonical.images.linuxcontainers.org)|91.189.88.37|:443... connected.
WARNING: no certificate subject alternative name matches
requested host name "canonical.images.linuxcontainers.org".
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://uk.images.linuxcontainers.org/streams/v1/index.json [following]
--2016-11-10 16:02:37-- https://uk.images.linuxcontainers.org/streams/v1/index.json
Resolving uk.images.linuxcontainers.org (uk.images.linuxcontainers.org)... 91.189.88.37, 2001:67c:1560:8001::21
Connecting to uk.images.linuxcontainers.org (uk.images.linuxcontainers.org)|91.189.88.37|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3086 (3.0K) [application/json]
Saving to: "index.json.1"
index.json.1 100%[==================================================================================>] 3.01K --.-KB/s in 0s
2016-11-10 16:02:38 (96.5 MB/s) - "index.json.1" saved [3086/3086]
我也尝试过wget -4排除wget -6IPv6 问题,但结果都是一样的。最后我尝试了一些其他的程序,w3m但也没有区别。
我显然错过了一些东西;任何人都可以就为什么我无法lxc下载图像列表提供任何建议吗?
个人电脑
PC 是运行 Ubuntu Server 16.10 的相对较新的安装,在主主机中安装了很少的附加软件包。Docker 已安装并正在运行,但没有容器启动。有趣的是,我最近重新启动到内核 4.8.6 以测试我遇到的另一个问题,使用该内核我可以访问 images.linuxcontainers.org,但 docker 无法启动,所以我想知道这是否与 docker 有关.
配置
/etc/resolv.conf看起来像这样(但由于某种原因我不知道,实际上是一个符号链接/run/resolvconf/resolv.conf):
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.1.254
nameserver 127.0.0.53
search lan
如果我查询第一个列出的名称服务器,我会得到与不附加名称服务器地址相同的结果:
$ host images.linuxcontainers.org 192.168.1.254
images.linuxcontainers.org is an alias for canonical.images.linuxcontainers.org.
canonical.images.linuxcontainers.org has address 91.189.91.21
canonical.images.linuxcontainers.org has address 91.189.88.37
canonical.images.linuxcontainers.org has IPv6 address 2001:67c:1560:8001::21
canonical.images.linuxcontainers.org has IPv6 address 2001:67c:1562::41
如果我确实查询第二个,它会超时而没有到达服务器:
$ host images.linuxcontainers.org 127.0.0.53
;; connection timed out; no servers could be reached
如果我查询第二个但使用它的规范名称然后超时???
$ host canonical.images.linuxcontainers.org 127.0.0.53
Using domain server:
Name: 127.0.0.53
Address: 127.0.0.53#53
Aliases:
canonical.images.linuxcontainers.org has address 91.189.88.37
canonical.images.linuxcontainers.org has address 91.189.91.21
;; connection timed out; no servers could be reached
;; connection timed out; no servers could be reached
编辑1:
/etc/nsswitch.conf看起来像这样:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat
group: compat
shadow: compat
gshadow: files
hosts: files resolve [!UNAVAIL=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
编辑 2
修改后的 nsswitch.conf 现在看起来像这样:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat
group: compat
shadow: compat
gshadow: files
hosts: files resolve dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
编辑 3
/etc/systemd/resolved.conf 的内容:
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See resolved.conf(5) for details
[Resolve]
#DNS=
#FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
#Domains=
#LLMNR=yes
#DNSSEC=no
#Cache=yes
这是第一次看到
resolvehosts关键字,好像不对。你应该有类似的东西或者如果您安装了 mDNS
您可以删除
[NOTFOUND=return]or[!UNAVAIL=return],如果没有可查询的内容,它仍然是默认操作。好吧,经过一番挖掘,我发现有一个新的 NSS 模块
libnss-resolve您最终可能会以某种方式安装它,而不是使用您提到的软件包。没有包依赖它。
但我现在不能说什么,为什么
systemd-resolved不可靠。最好将其报告为systemd.