Linux日誌中出現大量dhclient mesage淺析

最近檢查發現一臺Linux伺服器，發現其日誌裡面有大量下麵信息，其中部分信息做了脫敏處理。其中一個地址A(192.168.AAA.AAA) 為DNS伺服器地址,地址B(192.168.BBB.BBB)為動態獲取的IP地址。

#脫敏後信息如下所示：

Jul 24 15:14:18 xxxxxx dhclient: DHCPREQUEST on eth0 to 192.168.AAA.AAA port 67 (xid=0x1ff3cda3)

Jul 24 15:14:18 xxxxxx dhclient: DHCPACK from 192.168.AAA.AAA (xid=0x1ff3cda3)

Jul 24 15:14:18 xxxxxx dhclient: bound to 192.168.BBB.BBB -- renewal in 863 seconds.

Jul 24 15:28:41 xxxxxx dhclient: DHCPREQUEST on eth0 to 192.168.AAA.AAA port 67 (xid=0x1ff3cda3)

Jul 24 15:28:41 xxxxxx dhclient: DHCPACK from 192.168.AAA.AAA (xid=0x1ff3cda3)

Jul 24 15:28:41 xxxxxx dhclient: bound to 192.168.BBB.BBB -- renewal in 681 seconds.

Jul 24 15:40:02 xxxxxx dhclient: DHCPREQUEST on eth0 to 192.168.AAA.AAA port 67 (xid=0x1ff3cda3)

Jul 24 15:40:02 xxxxxx dhclient: DHCPACK from 192.168.AAA.AAA (xid=0x1ff3cda3)

Jul 24 15:40:02 xxxxxx dhclient: bound to 192.168.BBB.BBB -- renewal in 763 seconds.

那麼DHCPREQUEST、DHCPACK是什麼東西呢？ 初步判斷很有可能是伺服器動態申請IP（DHCP）的相關性。然後搜索了相關資料驗證一下：

DHCPREQUEST簡介：

DHCP請求（REQUEST） 當客戶PC收到一個IP租約提供時，它必須告訴所有其他的DHCP伺服器它已經接受了一個租約提供。因此，該客戶會發送一個DHCPREQUEST消息，其中包含提供租約的伺服器的IP。當其他DHCP伺服器收到了該消息後，它們會收回所有可能已提供給該客戶的租約。然後它們把曾經給該客戶保留的那個地址重新放回到可用地址池中，這樣，它們就可以為其他電腦分配這個地址。任意數量的DHCP伺服器都可以響應同一個IP租約請求，但是每一個客戶網卡只能接受一個租約提供。

DHCPACK簡介：

當DHCP伺服器收到來自客戶的REQUEST消息後，它就開始了配置過程的最後階段。這個響應階段包括發送一個DHCPACK包給客戶。這個包包含租期和客戶可能請求的其他所有配置信息。這時候，TCP/IP配置過程就完成了。

但是這台伺服器不是設置的靜態IP嗎？ 怎麼會有DHCP的相關日誌呢？ 首先檢查確認地址A(192.168.AAA.AAA)為一個DNS伺服器地址。如下所示：

[root@xxxx log]# more /etc/resolv.conf

; generated by /sbin/dhclient-script

search eel1.esquel.com

nameserver 192.168.AAA.AAA

nameserver 192.168.xxx.xxx

然後查看該伺服器的IP地址。如下所示：

[root@xxxxx log]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:AF:0F:87 
          inet addr:192.168.BBB.BBB  Bcast:192.168.xxx.xxx  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1113647339 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5394185429 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:232836326224 (216.8 GiB)  TX bytes:7577117537336 (6.8 TiB)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:943142413 errors:0 dropped:0 overruns:0 frame:0
          TX packets:943142413 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:37841765933 (35.2 GiB)  TX bytes:37841765933 (35.2 GiB)

檢查發現這個網路綁定了兩個IP地址。如下所示所示（其中192.168.CCC.CCC為靜態IP地址）,最讓人驚奇的是ifconfig中顯示的是動態IP地址，而不是ifcfg-eth0設置的靜態IP地址

[root@xxxxx log]# ip addr show eth0

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

    link/ether 00:0c:29:af:0f:87 brd ff:ff:ff:ff:ff:ff

    inet 192.168.BBB.BBB/24 brd 192.168.152.255 scope global eth0

    inet 192.168.CCC.CC/24 brd 192.168.152.255 scope global secondary eth0

[root@xxx network-scripts]# more ifcfg-eth0 

# Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)

DEVICE=eth0

BOOTPROTO=none

ONBOOT=yes

HWADDR=00:0c:29:af:0f:87

NETMASK=255.255.255.0

IPADDR=192.168.CCC.CCC

GATEWAY=192.168.xxx.xxx

TYPE=Ethernet

USERCTL=no

IPV6INIT=no

PEERDNS=yes

個人猜測是因為Local的系統管理員，不知出於什麼原因給網卡多綁定了一個地址，下麵在測試伺服器，做了一個簡單的測試。如果網路設置動態獲取IP地址，基本上就會有這類信息出現，

Jul 20 13:01:49 DB-Server dhclient: bound to 10.20.57.24 -- renewal in 12333 seconds.

Jul 20 16:27:22 DB-Server dhclient: DHCPREQUEST on eth0 to 192.168.27.210 port 67 (xid=0x293091fd)

Jul 20 16:27:22 DB-Server dhclient: DHCPACK from 192.168.27.210 (xid=0x293091fd)

Jul 20 16:27:22 DB-Server dhclient: bound to 10.20.57.24 -- renewal in 11811 seconds.

Jul 20 19:44:12 DB-Server dhclient: DHCPREQUEST on eth0 to 192.168.27.210 port 67 (xid=0x293091fd)

Jul 20 19:44:13 DB-Server dhclient: DHCPACK from 192.168.27.210 (xid=0x293091fd)

Jul 20 19:44:13 DB-Server dhclient: bound to 10.20.57.24 -- renewal in 13245 seconds.

Jul 20 23:24:58 DB-Server dhclient: DHCPREQUEST on eth0 to 192.168.27.210 port 67 (xid=0x293091fd)

Jul 20 23:24:58 DB-Server dhclient: DHCPACK from 192.168.27.210 (xid=0x293091fd)

Jul 20 23:24:58 DB-Server dhclient: bound to 10.20.57.24 -- renewal in 13115 seconds.

Jul 21 03:03:32 DB-Server dhclient: DHCPREQUEST on eth0 to 192.168.27.210 port 67 (xid=0x293091fd)

Jul 21 03:03:33 DB-Server dhclient: DHCPACK from 192.168.27.210 (xid=0x293091fd)

Jul 21 03:03:33 DB-Server dhclient: bound to 10.20.57.24 -- renewal in 13533 seconds.

測試過程中也發現，如果第一個地址是靜態IP地址，第二個（secondary）地址為動態地址，在message裡面也沒有出現上面的DHCPREQUEST 、DHCPACK日誌信息。但是如果網卡的第一個地址為動態地址就會在message中出現DHCP相關日誌。

[root@DB-Server network-scripts]# ifconfig eth0

eth0      Link encap:Ethernet  HWaddr B0:83:FE:55:32:E5  

          inet addr:10.20.57.24  Bcast:10.255.255.255  Mask:255.0.0.0

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:230 errors:0 dropped:0 overruns:0 frame:0

          TX packets:162 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:22435 (21.9 KiB)  TX bytes:20666 (20.1 KiB)

          Interrupt:233 Base address:0x4000 

[root@DB-Server network-scripts]# more /etc/resolv.conf

; generated by /sbin/dhclient-script

search gfg1.esquel.com

nameserver 192.168.xxx.xxx

nameserver 192.168.xxx.xxx

[root@DB-Server network-sc

[root@DB-Server network-scripts]# ifconfig eth0:1 10.20.57.26 netmask 255.0.0.0

[root@DB-Server network-scripts]# ip addr show eth0

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

    link/ether b0:83:fe:55:32:e5 brd ff:ff:ff:ff:ff:ff

    inet 10.20.57.24/8 brd 10.255.255.255 scope global eth0

    inet 10.20.57.26/8 brd 10.255.255.255 scope global secondary eth0:1

參考資料：

https://zh.wikipedia.org/zh-hans/%E5%8A%A8%E6%80%81%E4%B8%BB%E6%9C%BA%E8%AE%BE%E7%BD%AE%E5%8D%8F%E8%AE%AE