[Bug 1685045] Re: stop using libnss_resolve.so for name resolution

Dimitri John Ledkov launchpad at surgut.co.uk
Fri Apr 21 10:11:10 UTC 2017


I am annoyed at stub resolvers, precisely because of containers.

A lot of things parse /etc/resolv.conf, and when that only has a stub
resolver, it may still be copied into containers with a different network
namespace and thus be unable to do any DNS resolution.

The lack of private dbus resolved socket is unfortunate.

IMHO everyone should use the two nss modules (including containers) and
/etc/resolv.conf should actually be a symlink to the resolved-maintained
private resolv.conf.

Or we need to teach container technologies to copy
/run/systemd/resolve/resolv.conf instead of /etc/resolv.conf into
containers / chroots / etc.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1685045

Title:
  stop using libnss_resolve.so for name resolution

Status in systemd package in Ubuntu:
  Triaged

Bug description:
  Once we have systemd-resolved's stub DNS resolver on a solid footing
  everywhere (LP: #1682499; LP: #1647031), we should stop using
  libnss_resolve.so for name resolution and *only* use the DNS stub
  resolver via libnss_dns.so.

  The reason is that libnss_resolve.so is non-standard, depends on more
  moving parts (dbus+added NSS module), and consistently masks bugs in
  the stub DNS resolver or its configuration that are only discovered
  when someone tries to use software that does not use the NSS
  configuration of the host (including, but not limited to, chroots;
  containers; software written in languages that don't use libc).

  Since systemd-resolved *must* continue to provide a robust stub DNS
  resolver for the foreseeable future, having the dbus service in use
  /as well/ is unwelcome complexity that causes bugs to manifest far
  from the point of introduction.

  Since the systemd-resolved service is currently only enabled if the
  libnss-resolve package is installed, this enablement logic would need
  to be migrated into the base systemd package.

  I believe we should consider making this change even in SRU due to the
  pernicious effects of the current behavior.  However, that will
  require some thought to come up with a reasonable SRU test case with
  low risk of regression.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1685045/+subscriptions
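The failure mode discussed in the thread (a copied /etc/resolv.conf that names only the 127.0.0.53 stub, which is unreachable from another network namespace) can be detected before a container tool copies the file. The following is an added example, not code from the bug report or from systemd; the two sample files are constructed stand-ins for the host's /etc/resolv.conf and /run/systemd/resolve/resolv.conf.

```shell
#!/bin/sh
# Added example: choose which resolv.conf a container/chroot tool should copy.
# A file whose nameserver entries are all loopback addresses (systemd-resolved's
# stub listens on 127.0.0.53) does not work in a different network namespace,
# so fall back to the upstream list that resolved maintains.

# Exit 0 if every "nameserver" line on stdin is a loopback address
# (127.0.0.0/8 or ::1); exit 1 otherwise, or if no nameserver is present.
only_loopback_nameservers() {
    awk '
        $1 == "nameserver" {
            n++
            if ($2 !~ /^127\./ && $2 != "::1") { other = 1 }
        }
        END { if (n > 0 && !other) exit 0; exit 1 }
    '
}

# Print the path to copy into the guest.
# $1: the host /etc/resolv.conf; $2: resolved's upstream list
# (/run/systemd/resolve/resolv.conf on a systemd-resolved host).
pick_resolv_conf() {
    if only_loopback_nameservers < "$1" && [ -r "$2" ]; then
        echo "$2"
    else
        echo "$1"
    fi
}

# Constructed sample files standing in for the real host paths.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'nameserver 127.0.0.53\noptions edns0\n' > "$tmp/stub.conf"
printf 'nameserver 192.0.2.1\nnameserver 192.0.2.2\nsearch example.net\n' \
    > "$tmp/upstream.conf"
printf 'nameserver 192.0.2.1\n' > "$tmp/plain.conf"

# Stub-only file: copy the upstream list instead.
pick_resolv_conf "$tmp/stub.conf" "$tmp/upstream.conf"
# File already naming a real server: copy it as-is.
pick_resolv_conf "$tmp/plain.conf" "$tmp/upstream.conf"
```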