diff options
| author | Florian Klink <flokli@flokli.de> | 2021-07-17 19:41:45 +0200 |
|---|---|---|
| committer | Florian Klink <flokli@flokli.de> | 2021-07-17 23:55:35 +0200 |
| commit | c1536f5c78ead2fdcb0ec11824d673638fa6a5f4 (patch) | |
| tree | d3b81c2f2ce04c82955b708be690981460123425 | |
| parent | b59c06dc92f8d03660eb4155754d93a6c34cda83 (diff) | |
| download | nixpkgs-c1536f5c78ead2fdcb0ec11824d673638fa6a5f4.tar nixpkgs-c1536f5c78ead2fdcb0ec11824d673638fa6a5f4.tar.gz nixpkgs-c1536f5c78ead2fdcb0ec11824d673638fa6a5f4.tar.bz2 nixpkgs-c1536f5c78ead2fdcb0ec11824d673638fa6a5f4.tar.lz nixpkgs-c1536f5c78ead2fdcb0ec11824d673638fa6a5f4.tar.xz nixpkgs-c1536f5c78ead2fdcb0ec11824d673638fa6a5f4.tar.zst nixpkgs-c1536f5c78ead2fdcb0ec11824d673638fa6a5f4.zip | |
nixos/systemd: fix NSS database ordering
- The order of NSS (host) modules has been brought in line with upstream
recommendations:
- The `myhostname` module is placed before the `resolve` (optional) and `dns`
entries, but after `file` (to allow overriding via `/etc/hosts` /
`networking.extraHosts`, and prevent ISPs with catchall-DNS resolvers from
hijacking `.localhost` domains)
- The `mymachines` module, which provides hostname resolution for local
containers (registered with `systemd-machined`) is placed to the front, to
make sure its mappings are preferred over other resolvers.
- If systemd-networkd is enabled, the `resolve` module is placed before
`files` and `myhostname`, as it provides the same logic internally, with
caching.
- The `mdns(_minimal)` module has been updated to the new priorities.
If you use your own NSS host modules, make sure to update your priorities
according to these rules:
- NSS modules which should be queried before `resolved` DNS resolution should
use mkBefore.
- NSS modules which should be queried after `resolved`, `files` and
`myhostname`, but before `dns` should use the default priority
- NSS modules which should come after `dns` should use mkAfter.
| -rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2111.section.xml | 71 | ||||
| -rw-r--r-- | nixos/doc/manual/release-notes/rl-2111.section.md | 24 | ||||
| -rw-r--r-- | nixos/modules/config/nsswitch.nix | 4 | ||||
| -rw-r--r-- | nixos/modules/services/networking/avahi-daemon.nix | 4 | ||||
| -rw-r--r-- | nixos/modules/system/boot/resolved.nix | 3 | ||||
| -rw-r--r-- | nixos/modules/system/boot/systemd.nix | 5 |
6 files changed, 103 insertions, 8 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml index fcaac9e8bec..e923a289442 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml @@ -562,6 +562,77 @@ be removed in 22.05. </para> </listitem> + <listitem> + <para> + The order of NSS (host) modules has been brought in line with + upstream recommendations: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + The <literal>myhostname</literal> module is placed before + the <literal>resolve</literal> (optional) and + <literal>dns</literal> entries, but after + <literal>file</literal> (to allow overriding via + <literal>/etc/hosts</literal> / + <literal>networking.extraHosts</literal>, and prevent ISPs + with catchall-DNS resolvers from hijacking + <literal>.localhost</literal> domains) + </para> + </listitem> + <listitem> + <para> + The <literal>mymachines</literal> module, which provides + hostname resolution for local containers (registered with + <literal>systemd-machined</literal>) is placed to the + front, to make sure its mappings are preferred over other + resolvers. + </para> + </listitem> + <listitem> + <para> + If systemd-networkd is enabled, the + <literal>resolve</literal> module is placed before + <literal>files</literal> and + <literal>myhostname</literal>, as it provides the same + logic internally, with caching. + </para> + </listitem> + <listitem> + <para> + The <literal>mdns(_minimal)</literal> module has been + updated to the new priorities. + </para> + </listitem> + </itemizedlist> + <para> + If you use your own NSS host modules, make sure to update your + priorities according to these rules: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + NSS modules which should be queried before + <literal>resolved</literal> DNS resolution should use + mkBefore. + </para> + </listitem> + <listitem> + <para> + NSS modules which should be queried after + <literal>resolved</literal>, <literal>files</literal> and + <literal>myhostname</literal>, but before + <literal>dns</literal> should use the default priority + </para> + </listitem> + <listitem> + <para> + NSS modules which should come after <literal>dns</literal> + should use mkAfter. + </para> + </listitem> + </itemizedlist> + </listitem> </itemizedlist> </section> </section> diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md index 030f1d21818..4409ad7b436 100644 --- a/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/nixos/doc/manual/release-notes/rl-2111.section.md @@ -139,3 +139,27 @@ In addition to numerous new and upgraded packages, this release has the followin - The wordpress module provides a new interface which allows to use different webservers with the new option [`services.wordpress.webserver`](options.html#opt-services.wordpress.webserver). Currently `httpd` and `nginx` are supported. The definitions of wordpress sites should now be set in [`services.wordpress.sites`](options.html#opt-services.wordpress.sites). Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05. + +- The order of NSS (host) modules has been brought in line with upstream + recommendations: + + - The `myhostname` module is placed before the `resolve` (optional) and `dns` + entries, but after `file` (to allow overriding via `/etc/hosts` / + `networking.extraHosts`, and prevent ISPs with catchall-DNS resolvers from + hijacking `.localhost` domains) + - The `mymachines` module, which provides hostname resolution for local + containers (registered with `systemd-machined`) is placed to the front, to + make sure its mappings are preferred over other resolvers. + - If systemd-networkd is enabled, the `resolve` module is placed before + `files` and `myhostname`, as it provides the same logic internally, with + caching. + - The `mdns(_minimal)` module has been updated to the new priorities. + + If you use your own NSS host modules, make sure to update your priorities + according to these rules: + + - NSS modules which should be queried before `resolved` DNS resolution should + use mkBefore. + - NSS modules which should be queried after `resolved`, `files` and + `myhostname`, but before `dns` should use the default priority + - NSS modules which should come after `dns` should use mkAfter. diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix index d19d35a4890..91a36cef10e 100644 --- a/nixos/modules/config/nsswitch.nix +++ b/nixos/modules/config/nsswitch.nix @@ -124,8 +124,8 @@ with lib; group = mkBefore [ "files" ]; shadow = mkBefore [ "files" ]; hosts = mkMerge [ - (mkBefore [ "files" ]) - (mkAfter [ "dns" ]) + (mkOrder 998 [ "files" ]) + (mkOrder 1499 [ "dns" ]) ]; services = mkBefore [ "files" ]; }; diff --git a/nixos/modules/services/networking/avahi-daemon.nix b/nixos/modules/services/networking/avahi-daemon.nix index 0b7d5575c11..020a817f259 100644 --- a/nixos/modules/services/networking/avahi-daemon.nix +++ b/nixos/modules/services/networking/avahi-daemon.nix @@ -240,8 +240,8 @@ in system.nssModules = optional cfg.nssmdns pkgs.nssmdns; system.nssDatabases.hosts = optionals cfg.nssmdns (mkMerge [ - (mkOrder 900 [ "mdns_minimal [NOTFOUND=return]" ]) # must be before resolve - (mkOrder 1501 [ "mdns" ]) # 1501 to ensure it's after dns + (mkBefore [ "mdns_minimal [NOTFOUND=return]" ]) # before resolve + (mkAfter [ "mdns" ]) # after dns ]); environment.systemPackages = [ pkgs.avahi ]; diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix index 84bc9b78076..a6fc07da0ab 100644 --- a/nixos/modules/system/boot/resolved.nix +++ b/nixos/modules/system/boot/resolved.nix @@ -140,7 +140,8 @@ in # add resolve to nss hosts database if enabled and nscd enabled # system.nssModules is configured in nixos/modules/system/boot/systemd.nix - system.nssDatabases.hosts = optional config.services.nscd.enable "resolve [!UNAVAIL=return]"; + # added with order 501 to allow modules to go before with mkBefore + system.nssDatabases.hosts = (mkOrder 501 ["resolve [!UNAVAIL=return]"]); systemd.additionalUpstreamSystemUnits = [ "systemd-resolved.service" diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index abd8ab29cae..58064e5de86 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -925,9 +925,8 @@ in system.nssModules = [ systemd.out ]; system.nssDatabases = { hosts = (mkMerge [ - [ "mymachines" ] - (mkOrder 1600 [ "myhostname" ] # 1600 to ensure it's always the last - ) + (mkOrder 400 ["mymachines"]) # 400 to ensure it comes before resolve (which is mkBefore'd) + (mkOrder 999 ["myhostname"]) # after files (which is 998), but before regular nss modules ]); passwd = (mkMerge [ (mkAfter [ "systemd" ]) |