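#!/bin/ksh
# $Id: hosts,v 1.14 2011/08/19 15:53:19 ksb Exp $
# We're a netlint plugin that checks the validity of /etc/hosts. (petef,ksb)
#****p* netlint/hosts
# NAME
#	hosts
# DESCRIPTION
#	The /etc/hosts file on each node should contain just enough information to
#	boot a node.  All the network interfaces on the node, the special entry for
#	localhost, and maybe any hosts on any locally attached black
#	(non-routable) networks.
#
#	Environment:
#	  CARP		command that reports each complaint (default: echo)
#	  HOSTFSPATH	hosts file to check (default: /etc/hosts)
#	  IP_LIST	space separated IPs of this host; when set, nslookup is skipped
#	  NETLINT_FUNCS	ksh function library sourced by the HOSTS_EXTRA pass (must be set)
#	  SUBNET_LIST	directly attached networks as net/prefix words (may be empty)
#	Options:
#	  -V		print the version and whether HOSTFSPATH exists, then exit
#	Exit status is 0 in every case except a scratch directory that cannot
#	be created (complaints are delivered through CARP, not the exit code).
#***

PROGNAME=$(basename "$0")
: "${CARP:=echo}"
: "${HOSTFSPATH:=/etc/hosts}"
export HOSTFSPATH CARP

if [ _"$1" = _"-V" ]; then
	echo "$PROGNAME: "'$Id: hosts,v 1.14 2011/08/19 15:53:19 ksb Exp $'
	[ -f "$HOSTFSPATH" ] || echo "$PROGNAME: no $HOSTFSPATH found!"
	exit 0
fi

HOST=$(hostname)
# The hostname is interpolated into an egrep pattern below; an unescaped
# dot would match any character, so escape them to match only the literal name.
HOST_RE=$(echo "$HOST" | sed -e 's,\.,\\.,g')
export HOST HOST_RE

#****a* hosts/HOSTS_MISSING
# NAME
#	HOSTS_MISSING
# FORMAT
#	HOSTS_MISSING: path
# DESCRIPTION
#	The complaint is that the hosts file is completely missing on the node.
# IMPACT
#	This is always bad.
# REMEDIATION
#	Install a hosts file or the apropos symbolic link.
#***
# An empty file is treated the same as a missing one (-s).
if [ ! -s "$HOSTFSPATH" ] ; then
	$CARP "HOSTS_MISSING: $HOSTFSPATH"
	exit 0
fi

#****a* hosts/HOSTS_IP
# NAME
#	HOSTS_IP
# FORMAT
#	HOSTS_IP: ip path
# DESCRIPTION
#	The netlint program maps each interface's IP in /etc/hosts to be sure that
#	the system can reverse map all the interfaces back to itself at boot time.
#	This error indicates that some IP addresses bound to a local interface do
#	not map to that host.
#
#	This might be fine for virtual IPs (VIPs) that move between servers, or for
#	a host that is holding another host's IP address for some other reason.
#	These are noted in site policy in ~netlint/lib/reverse/ where there is a
#	file for each host and a list of IPs that can be ignored for that host.
# IMPACT
#	Having a wrong mapping in the hosts file is bad as it can cause the system
#	to duplicate the IP of another host on the network.  Missing a mapping in
#	/etc/hosts can cause a longer than normal boot time, as the host times out
#	on a resolver query before the network is fully lighted.
# REMEDIATION
#	* Update /etc/hosts (a comment line is accepted here as well)
#	* Update site policy
#	* Update the black network zone and rebuild it from the master source.
# SEE ALSO
#	/usr/msrc/etc/hostname for the code to generate the black network address maps.
#***
# Get a list of IPs our hostname resolves to.  An explicit IP_LIST wins;
# otherwise ask nslookup.  The first "Address:" line nslookup prints is
# presumably the resolver itself rather than an answer, hence the '1d'.
if [ -z "$IP_LIST" ] ; then
	IP_LIST=$(nslookup "$HOST" 2>/dev/null |
		egrep "^Addr[es]*:[[:space:]]*" |
		sed -e '1d' -e 's,^Addr[es]*: *,,' -e 'y/,/ /' -e 's,[[:space:]][[:space:]]*, ,')
fi

# One address per line, dots escaped so each becomes a literal egrep
# pattern.  A hosts line must start with that IP followed by our hostname;
# lines commented out with a leading "#+" are accepted as well (the sed
# strips that prefix first).  The escaping is undone before the complaint
# is issued, and 0.0.0.0 is never reported.  $IP_LIST is deliberately
# unquoted so runs of spaces collapse before tr splits the words.
echo $IP_LIST |
	tr ' ' '\012' |
	sed -e 's,\.,\\.,g' |
	xapply -f -S/bin/sh 'sed -e "s/^#+//" $HOSTFSPATH | egrep "^%1[[:space:]][[:space:]]*$HOST_RE([[:space:]].*$|$)" >/dev/null || echo "HOSTS_IP: %1 $HOSTFSPATH"' - |
	sed -e 's,\\\.,.,g' |
	fgrep -v '0.0.0.0' |
	xapply -f -S/bin/sh '$CARP "%1"' -

#****a* hosts/HOSTS_EXTRA
# NAME
#	HOSTS_EXTRA
# FORMAT
#	HOSTS_EXTRA: ip path
# DESCRIPTION
#	The netlint program carps about IP addresses mapped in a hosts file
#	that are not on a directly attached network.  These should all be
#	resolved with a name server, really.
#
# IMPACT
#	Having a wrong mapping in the hosts file is bad as it can cause the system
#	to contact a dead or incorrect host at boot.
# REMEDIATION
#	* Update /etc/hosts to remove the off-net mapping
#	* Update site policy
#	* If a hard coded IP is actually necessary, append ##netlint_ignore to the host line.
# BUGS
#	* We don't handle IPV6 addresses (yet)
#***
# The per-network pass below sources this library; fail here with a clear
# message rather than once per xapply task.
: "${NETLINT_FUNCS:?must name the netlint function library}"

# Private scratch directory.  A predictable name under /tmp could be
# pre-created or symlinked by another local user before we write to it,
# so let mktemp pick an unguessable one and remove the whole directory on exit.
tmpd=$(mktemp -d "${TMPDIR:-/tmp}/nlhl.XXXXXX") || {
	echo "$PROGNAME: cannot create a scratch directory under ${TMPDIR:-/tmp}" >&2
	exit 1
}
trap 'rm -rf "${tmpd:?}"' EXIT
listy=$tmpd/nlhl

# Candidate IPs: the first field of every hosts line that is not blank,
# not a comment, and not tagged ##netlint_ignore.  Tabs and spaces both
# separate fields in a hosts file.
sed -n -e '/##netlint_ignore/d;s/#.*//;s/^[[:space:]]*//;/^$/d' \
	-e 's/^\([0-9.]*\)[[:space:]].*/\1/p' <"$HOSTFSPATH" >"$listy.res"

# One sequential pass (-P1) per attached network, plus loopback which is
# always attached.  %[1/1] and %[1/2] are xapply's dicer: the net and
# prefix halves of a net/prefix word.  AndIt (from NETLINT_FUNCS) is
# presumed to mask the IP with the prefix; IPs that fall on the network
# are dropped and the survivors are written to a per-task (%u) file that
# replaces the candidate list for the next pass.
xapply -P1 -S/bin/ksh "
# %1
. $NETLINT_FUNCS
while read IP ; do
	[ %[1/1] = \`AndIt \$IP %[1/2]\` ] || echo \$IP
done <$listy.res >$listy.%u
mv $listy.%u $listy.res
" $SUBNET_LIST 127.0.0.0/8

# Whatever survived every pass is on no attached network.
if [ -s "$listy.res" ] ; then
	xapply -f -S/bin/sh '$CARP "HOSTS_EXTRA: %1 $HOSTFSPATH"' "$listy.res"
fi
exit 0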