nixos/virtualisation: increase priority for libvirt NSS modules

When `services.resolved` is enabled, then `resolve [!UNAVAIL=return]`
is added to `system.nssDatabases.hosts` with priority 501,
which prevents lower-priority NSS modules from running
unless systemd-resolved is not available.

Quoting from `man nss-resolve`:

> To activate the NSS module, add "resolve [!UNAVAIL=return]" to the line
> starting with "hosts:" in /etc/nsswitch.conf. Specifically, it is
> recommended to place "resolve" early in /etc/nsswitch.conf's "hosts:"
> line. It should be before the "files" entry, since systemd-resolved
> supports /etc/hosts internally, but with caching. To the contrary, it
> should be after "mymachines", to give hostnames given to local VMs and
> containers precedence over names received over DNS. Finally, we
> recommend placing "dns" somewhere after "resolve", to fall back to
> nss-dns if systemd-resolved.service is not available.

Note that the man page (just) recommends "early" and means with this
"before the 'files' and 'dns' entries". It does not insist on being
first or excluding other modules.

For this reason, libvirt NSS modules should run before the `resolve`
module. They should come right next to `mymachines` because both are
conceptually very similar -- they resolve local VMs/containers.

Since the data source of the libvirt NSS modules are local
plain text files (see source code of the libvirt NSS module),
no performance impact is expected from this raise of priorities.

Other NSS modules in NixOS also explicitly set their priority, which is
why this change increases consistency.

Fixes #322022
Michael Franzl 2024-06-25 20:22:14 +02:00
parent efdfa300ee
commit cae086d605
GPG Key ID: F2FA572344C60B07
2 changed files with 5 additions and 4 deletions


@ -489,7 +489,7 @@ in
system.nssModules = [ cfg.package.out ];
system.nssDatabases = {
hosts = (mkMerge [
(mkOrder 400 ["mymachines"]) # 400 to ensure it comes before resolve (which is mkBefore'd)
(mkOrder 400 ["mymachines"]) # 400 to ensure it comes before resolve (which is 501)
(mkOrder 999 ["myhostname"]) # after files (which is 998), but before regular nss modules
]);
passwd = (mkMerge [
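Review bot: the updated comment on the `mymachines` line now hard-codes the numeric order of `resolve` (501), which is defined in another module and was previously described only as "mkBefore'd"; the comment will silently go stale if that module's priority is ever tuned. Consider pointing at where the 501 comes from (e.g. "501, see the resolved module") so a future change to either side is easy to cross-check, since this hunk otherwise changes no behaviour.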


@ -545,9 +545,10 @@ in
};
system.nssModules = optional (cfg.nss.enable or cfg.nss.enableGuest) cfg.package;
system.nssDatabases.hosts = builtins.concatLists [
(optional cfg.nss.enable "libvirt")
(optional cfg.nss.enableGuest "libvirt_guest")
system.nssDatabases.hosts = mkMerge [
# ensure that the NSS modules come between mymachines (which is 400) and resolve (which is 501)
(mkIf cfg.nss.enable (mkOrder 430 [ "libvirt" ]))
(mkIf cfg.nss.enableGuest (mkOrder 432 [ "libvirt_guest" ]))
];
};
}
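Review bot: this is a user-visible change in name resolution precedence that deserves a release-notes entry: before, `libvirt` and `libvirt_guest` were appended at the default order (after `files`, 998), and with `mkOrder 430`/`432` they now resolve ahead of `/etc/hosts`, so a guest name that collides with a static hosts entry will answer differently than it did. Two smaller points: the comment again hard-codes the 400 and 501 values owned by other modules, so a short pointer to their definitions would help keep the three sites in sync; and the choice of 430 and 432 (rather than one order for both) is not explained, so a note that `libvirt` is intended to win over `libvirt_guest` when both are enabled would make the intent explicit. The `mkIf ... (mkOrder ...)` nesting itself is fine and is what the module system expects.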