Lackhead.org

I recently ran into an issue that, while it had a simple solution, stumped me for a while. I don’t know if said stumpitude came from my waning mental faculties or what. In any case, it took me longer than expected to track down the answer, and since there weren’t too many pages that I found out on the net that addressed this, I thought I’d at least get this down somewhere.

The issue came up on my main application server, which runs my web server, email server, and is a DNS master for one of my domains. I recently set up a virtual web server under apache, and since it was doing SSL I needed it to run using its own IP address so that I could use an IP-address based virtual server configuration. Since the machine is running Ubuntu 7.04 (a Debian variant), the ethernet interfaces are set up in /etc/network/interfaces. Here is what that file looked like before adding the alias:

# The loopback network interface

auto lo

iface lo inet loopback

# The primary network interface

auto eth0

iface eth0 inet static

        address 10.0.0.25

        netmask 255.255.255.0

        network 10.0.0.0

        broadcast 10.0.0.255

        gateway 10.0.0.1

Easy enough to add an alias; I just copied/pasted in another stanza, identical to the eth0 stanza only with the alias set up so that it was set up as eth0:0:

# The secondary network interface

auto eth0:0

iface eth0:0 inet static

        address 10.0.0.50

        netmask 255.255.255.0

        network 10.0.0.0

        broadcast 10.0.0.255

        gateway 10.0.0.1

A quick ifup eth0:0 and now I was up and running with my one ethernet interface answering to two IP addresses, one which was my original/main IP addr (10.0.0.25) and a new one that I could use for my new virtual web server (10.0.0.50).

But I ran into a snag- I found out later that my DNS updates were no longer being pushed out to my secondary servers. Why? Well, being a good administrator I set up bind on my secondary DNS servers to only accept zone updates from the master server, via a stanza like this in named.conf:

// be secondary for lackhead.org

zone “foobar.com” in  {

       type slave;

       notify no;

       file “db.foobar.com”;

       masters { 10.0.0.25; };

};

Looking at the named logs, I saw that the zone updates being pushed out by my master name server were coming from 10.0.0.50, the new IP alias I had just set up. In face, looking at the box, I saw that all outgoing traffic that originated from my server box was coming from this new IP alias I had set up, instead of what I thought of as the primary interface, eth0.

After a bit of digging, I found my error. If you notice up above when I created eth0:0 in the /etc/network/interfaces file, I just copied/pasted the stanza, and then just updated the IP address, and changed the interface name from eth0 to eth0:0. One effect of this was that the IP alias also had a line that specified the gateway. The result of this was that when Ubuntu was bringing up the interfaces, it essentially did a ip route add default gw …. command, which meant that a default route was added to the routing table for each interface. This is what my routing table looked like:

(508) root@myhost:/var/log:# netstat -nr

Kernel IP routing table

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface

10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0

0.0.0.0         10.0.0.1     0.0.0.0         UG        0 0          0 eth0

0.0.0.0         10.0.0.1     0.0.0.0         UG        0 0          0 eth0

(509) root@myhost:/var/log:#

Note the duplicate entry for 0.0.0.0. This, I think, is where I got confused and/or misled, because netstat doesn’t seem to report sub interfaces, so while I say that I had two default routes, they both pointed to eth0, not eth0:0, and so in my mind I read this as all traffic should be going out eth0. Honestly, I consider this a bug, and perhaps I’ll submit one to Ubuntu for it.

In any case, I did eventually figure out what was going on, and removed the gateway line from the eth0:0 stanza, did a quick ifdown eth0:0 ; ifup eth0:0 and viola, not only did the duplicate entry in the routing table not show up, but I got the behavior I had expected; all outgoing traffic from my box now originated from eth0, but any traffic coming into the IP address bound to eth0:0 was responded to out of eth0:0.

Yay! Lesson to be learned- be wary of perils of cut and paste.

-c

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.