From c1536f5c78ead2fdcb0ec11824d673638fa6a5f4 Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Sat, 17 Jul 2021 19:41:45 +0200
Subject: nixos/systemd: fix NSS database ordering
- The order of NSS (host) modules has been brought in line with upstream recommendations:
- The `myhostname` module is placed before the `resolve` (optional) and `dns` entries, but after `file` (to allow overriding via `/etc/hosts` / `networking.extraHosts`, and prevent ISPs with catchall-DNS resolvers from hijacking `.localhost` domains)
- The `mymachines` module, which provides hostname resolution for local containers (registered with `systemd-machined`) is placed to the front, to make sure its mappings are preferred over other resolvers.
- If systemd-networkd is enabled, the `resolve` module is placed before `files` and `myhostname`, as it provides the same logic internally, with caching.
- The `mdns(_minimal)` module has been updated to the new priorities.
If you use your own NSS host modules, make sure to update your priorities according to these rules:
- NSS modules which should be queried before `resolved` DNS resolution should use mkBefore.
- NSS modules which should be queried after `resolved`, `files` and `myhostname`, but before `dns` should use the default priority
- NSS modules which should come after `dns` should use mkAfter.
---
 .../from_md/release-notes/rl-2111.section.xml | 71 ++++++++++++++++++++++
 nixos/doc/manual/release-notes/rl-2111.section.md | 24 ++++++++
 nixos/modules/config/nsswitch.nix | 4 +-
 nixos/modules/services/networking/avahi-daemon.nix | 4 +-
 nixos/modules/system/boot/resolved.nix | 3 +-
 nixos/modules/system/boot/systemd.nix | 5 +-
 6 files changed, 103 insertions(+), 8 deletions(-)
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
index fcaac9e8bec..e923a289442 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -562,6 +562,77 @@ be removed in 22.05. + + + The order of NSS (host) modules has been brought in line with + upstream recommendations: + + + + + The myhostname module is placed before + the resolve (optional) and + dns entries, but after + file (to allow overriding via + /etc/hosts / + networking.extraHosts, and prevent ISPs + with catchall-DNS resolvers from hijacking + .localhost domains) + + + + + The mymachines module, which provides + hostname resolution for local containers (registered with + systemd-machined) is placed to the + front, to make sure its mappings are preferred over other + resolvers. + + + + + If systemd-networkd is enabled, the + resolve module is placed before + files and + myhostname, as it provides the same + logic internally, with caching. + + + + + The mdns(_minimal) module has been + updated to the new priorities. + + + + + If you use your own NSS host modules, make sure to update your + priorities according to these rules: + + + + + NSS modules which should be queried before + resolved DNS resolution should use + mkBefore. + + + + + NSS modules which should be queried after + resolved, files and + myhostname, but before + dns should use the default priority + + + + + NSS modules which should come after dns + should use mkAfter. + + + +
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md
index 030f1d21818..4409ad7b436 100644
--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -139,3 +139,27 @@ In addition to numerous new and upgraded packages, this release has the followin
 - The wordpress module provides a new interface which allows to use different webservers with the new option [`services.wordpress.webserver`](options.html#opt-services.wordpress.webserver). Currently `httpd` and `nginx` are supported. The definitions of wordpress sites should now be set in [`services.wordpress.sites`](options.html#opt-services.wordpress.sites). Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05.
+
+- The order of NSS (host) modules has been brought in line with upstream
+ recommendations:
+
+ - The `myhostname` module is placed before the `resolve` (optional) and `dns`
+ entries, but after `file` (to allow overriding via `/etc/hosts` /
+ `networking.extraHosts`, and prevent ISPs with catchall-DNS resolvers from
+ hijacking `.localhost` domains)
+ - The `mymachines` module, which provides hostname resolution for local
+ containers (registered with `systemd-machined`) is placed to the front, to
+ make sure its mappings are preferred over other resolvers.
+ - If systemd-networkd is enabled, the `resolve` module is placed before
+ `files` and `myhostname`, as it provides the same logic internally, with
+ caching.
+ - The `mdns(_minimal)` module has been updated to the new priorities.
+
+ If you use your own NSS host modules, make sure to update your priorities
+ according to these rules:
+
+ - NSS modules which should be queried before `resolved` DNS resolution should
+ use mkBefore.
+ - NSS modules which should be queried after `resolved`, `files` and
+ `myhostname`, but before `dns` should use the default priority
+ - NSS modules which should come after `dns` should use mkAfter.
diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix
index d19d35a4890..91a36cef10e 100644
--- a/nixos/modules/config/nsswitch.nix
+++ b/nixos/modules/config/nsswitch.nix
@@ -124,8 +124,8 @@ with lib;
 group = mkBefore [ "files" ];
 shadow = mkBefore [ "files" ];
 hosts = mkMerge [
- (mkBefore [ "files" ])
- (mkAfter [ "dns" ])
+ (mkOrder 998 [ "files" ])
+ (mkOrder 1499 [ "dns" ])
 ];
 services = mkBefore [ "files" ];
 };
diff --git a/nixos/modules/services/networking/avahi-daemon.nix b/nixos/modules/services/networking/avahi-daemon.nix
index 0b7d5575c11..020a817f259 100644
--- a/nixos/modules/services/networking/avahi-daemon.nix
+++ b/nixos/modules/services/networking/avahi-daemon.nix
@@ -240,8 +240,8 @@ in
 system.nssModules = optional cfg.nssmdns pkgs.nssmdns;
 system.nssDatabases.hosts = optionals cfg.nssmdns (mkMerge [
- (mkOrder 900 [ "mdns_minimal [NOTFOUND=return]" ]) # must be before resolve
- (mkOrder 1501 [ "mdns" ]) # 1501 to ensure it's after dns
+ (mkBefore [ "mdns_minimal [NOTFOUND=return]" ]) # before resolve
+ (mkAfter [ "mdns" ]) # after dns
 ]);
 environment.systemPackages = [ pkgs.avahi ];
diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix
index 84bc9b78076..a6fc07da0ab 100644
--- a/nixos/modules/system/boot/resolved.nix
+++ b/nixos/modules/system/boot/resolved.nix
@@ -140,7 +140,8 @@ in
 # add resolve to nss hosts database if enabled and nscd enabled
 # system.nssModules is configured in nixos/modules/system/boot/systemd.nix
- system.nssDatabases.hosts = optional config.services.nscd.enable "resolve [!UNAVAIL=return]";
+ # added with order 501 to allow modules to go before with mkBefore
+ system.nssDatabases.hosts = (mkOrder 501 ["resolve [!UNAVAIL=return]"]);
 systemd.additionalUpstreamSystemUnits = [
 "systemd-resolved.service"
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index abd8ab29cae..58064e5de86 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
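Review bot: Moving `files` from `mkBefore` to `mkOrder 998` means every entry another module adds with plain `mkBefore` (order 500) now sorts ahead of `/etc/hosts`, the reverse of the previous layout, and the release note only promises the files-first rule for `myhostname`; the avahi-daemon.nix hunk in this commit is where that bites, because `mdns_minimal [NOTFOUND=return]` at 500 now precedes `files`, so a `.local` name for which mdns_minimal reports NOTFOUND ends the lookup before `/etc/hosts` is consulted, and a local hosts entry can no longer pin a `.local` name ahead of whatever answers on the link. If that is the intended trade-off it deserves a comment next to the numbers, e.g. `# 998/1499 sit just inside the mkBefore (500) / mkAfter (1500) slots: mkBefore entries land before files, mkAfter entries after dns`. Otherwise `files` would need an order below 500, which conflicts with placing `resolve` (501 in resolved.nix) ahead of it as the commit intends. The enclosing `system.nssDatabases` attribute set starts and ends outside the hunk.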
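Review bot: The comment kept above the new assignment in resolved.nix, `# add resolve to nss hosts database if enabled and nscd enabled`, no longer matches the code: the `optional config.services.nscd.enable` guard is gone on the new side, so `resolve [!UNAVAIL=return]` is now emitted whether or not nscd is enabled, and the commit message does not mention that change. If the guard was dropped on purpose, say so in the comment, e.g. `# added regardless of services.nscd.enable; !UNAVAIL=return keeps lookups going if nss-resolve is not loadable`, since on the old guard's premise the entry is then inert but harmless rather than an error. If it was not on purpose, `system.nssDatabases.hosts = mkOrder 501 (optionals config.services.nscd.enable ["resolve [!UNAVAIL=return]"]);` keeps both the guard and the new priority. The attribute set this line sits in begins and ends outside the hunk.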
@@ -925,9 +925,8 @@ in
 system.nssModules = [ systemd.out ];
 system.nssDatabases = {
 hosts = (mkMerge [
- [ "mymachines" ]
- (mkOrder 1600 [ "myhostname" ] # 1600 to ensure it's always the last
- )
+ (mkOrder 400 ["mymachines"]) # 400 to ensure it comes before resolve (which is mkBefore'd)
+ (mkOrder 999 ["myhostname"]) # after files (which is 998), but before regular nss modules
 ]);
 passwd = (mkMerge [
 (mkAfter [ "systemd" ])
--
cgit 1.4.1
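Review bot: The `mymachines` comment claims resolve `is mkBefore'd`, but resolved.nix in this same commit registers it with `mkOrder 501`, one step after mkBefore's 500 precisely so that mkBefore'd modules precede it; `# 400: ahead of mkBefore'd user entries (500) and of resolve (501)` states the actual contract and stops the next reader from checking the wrong number. `["mymachines"]` and `["myhostname"]` also drop the inner spaces every other list in this set uses (`[ "systemd" ]`, `[ systemd.out ]`). Putting `mymachines` at the very front means a name registered with systemd-machined overrides `/etc/hosts` and every other source, which the commit message describes as intended but which is the one place the files-first rule applied to `myhostname` is not followed, so a short comment saying that container names deliberately win over hosts entries would help. The `system.nssDatabases` set continues past the hunk with `passwd = …`.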