stop using libnss_resolve.so for name resolution

Bug #1685045 reported by Steve Langasek on 2017-04-21
This bug affects 1 person

Affects: systemd (Ubuntu)
Importance: High
Assigned to: Unassigned

Bug Description

Once we have systemd-resolved's stub DNS resolver on a solid footing everywhere (LP: #1682499; LP: #1647031), we should stop using libnss_resolve.so for name resolution and *only* use the DNS stub resolver via libnss_dns.so.

The reason is that libnss_resolve.so is non-standard, depends on more moving parts (dbus+added NSS module), and consistently masks bugs in the stub DNS resolver or its configuration that are only discovered when someone tries to use software that does not use the NSS configuration of the host (including, but not limited to, chroots; containers; software written in languages that don't use libc).

Since systemd-resolved *must* continue to provide a robust stub DNS resolver for the foreseeable future, having the dbus service in use /as well/ is unwelcome complexity that causes bugs to manifest far from the point of introduction.

Since the systemd-resolved service is currently only enabled if the libnss-resolve package is installed, this enablement logic would need to be migrated into the base systemd package.

I believe we should consider making this change even in SRU due to the pernicious effects of the current behavior. However, that will require some thought to come up with a reasonable SRU test case with low risk of regression.

Steve Langasek (vorlon) wrote :

Even if we don't make this change across the board in SRU, we should look at changing Ubuntu Core 16 to use only the stub resolver. This might even turn out to be the root cause of bug #1659195.

Changed in systemd (Ubuntu):
importance: Undecided → High
status: New → Triaged
Dimitri John Ledkov (xnox) wrote :

I am annoyed at stub resolvers, precisely because of containers.

A lot of things parse /etc/resolv.conf and when that only has the stub resolver, it may still be copied into containers with a different network namespace and thus enabled to do any DNS resolutions.

The lack of private dbus resolved socket is unfortunate.

IMHO everyone should use the two nss modules (including containers) and /etc/resolv.conf should actually be a symlink to the resolved maintained private resolv.conf.

Or we need to teach container technologies to copy /run/systemd/resolve/resolv.conf instead of /etc/resolv.conf into containers / chroots / etc.

Anders Kaseorg (andersk) wrote :

Dimitri: It is not merely difficult, but in fact fundamentally impossible, to make everyone use nss_resolve for DNS resolution. Many programs cannot use nsswitch for DNS at all. This includes anything that needs to look up record types other than A and AAAA (e.g. SRV, TXT, MX, SSHFP, AFSDB), anything that needs an asynchronous API, anything running on a non-primary architecture (e.g. nothing automatically pulls in libnss-resolve:i386 on amd64), and anything that doesn’t use libc.
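
An added check, written for this page and not taken from the bug report, systemd or any commenter: it classifies the two resolution paths the thread contrasts, the libc/NSS one (the hosts: line of nsswitch.conf) and the file one (resolv.conf, read by chroots, containers and non-libc code), and flags the combination in which nss_resolve can hide a broken stub from everything else. It assumes resolved's stub listens on 127.0.0.53 and runs on constructed sample files.

```shell
# Added example (not from the bug report or systemd): compare a host's
# libc/NSS resolution path with its file-based path and flag the setup the
# report says masks stub-resolver bugs.
# Assumption: resolved's stub listens on 127.0.0.53 (its documented default).
STUB_ADDR=127.0.0.53
# nss_path NSSWITCH_FILE: "resolve" if libnss_resolve.so is on the hosts:
# line (lookups go to resolved over D-Bus), "dns" if only libnss_dns.so is,
# "none" if neither.
nss_path() {
    mods=$(sed -n 's/^hosts:[[:space:]]*//p' "$1" | head -n 1)
    case " $mods " in
        *" resolve "*) echo resolve ;;
        *" dns "*)     echo dns ;;
        *)             echo none ;;
    esac
}
# file_path RESOLV_FILE: "stub" if a nameserver line names the stub address,
# "direct" if other nameservers are listed, "none" if there are none.
file_path() {
    ns=$(awk '$1 == "nameserver" { print $2 }' "$1")
    if printf '%s\n' "$ns" | grep -qx "$STUB_ADDR"; then echo stub
    elif [ -n "$ns" ]; then echo direct
    else echo none
    fi
}
# stub_bugs_masked NSSWITCH_FILE RESOLV_FILE: succeeds (0) in the setup the
# report warns about: libc bypasses the stub via nss_resolve while everything
# that reads resolv.conf depends on it, so a broken stub is seen only by the
# latter.
stub_bugs_masked() {
    [ "$(nss_path "$1")" = resolve ] && [ "$(file_path "$2")" = stub ]
}
# Demonstration on constructed files (not taken from any real host).
demo() {
    d=$(mktemp -d)
    printf 'hosts: files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns\n' >"$d/nss-resolve"
    printf 'hosts: files dns\n' >"$d/nss-dns"
    printf 'nameserver 127.0.0.53\nsearch example.test\n' >"$d/resolv-stub"
    printf 'nameserver 192.0.2.53\n' >"$d/resolv-direct"
    for n in nss-resolve nss-dns; do for r in resolv-stub resolv-direct; do
        if stub_bugs_masked "$d/$n" "$d/$r"; then v=masked; else v=ok; fi
        echo "$n + $r: nss=$(nss_path "$d/$n") file=$(file_path "$d/$r") -> $v"
    done; done
    rm -rf "$d"
}
demo
```

Run it against the real /etc/nsswitch.conf and /etc/resolv.conf (or the symlink target under /run/systemd/resolve/) to see which of the four combinations a host is actually in.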

Steve Langasek (vorlon) on 2018-01-26
Changed in systemd (Ubuntu):
status: Triaged → Fix Released