systemd/man/nss-systemd.xml

<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">

<!--
  SPDX-License-Identifier: LGPL-2.1+
-->

<refentry id="nss-systemd" conditional='ENABLE_NSS_SYSTEMD'>

  <refentryinfo>
    <title>nss-systemd</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>nss-systemd</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>nss-systemd</refname>
    <refname>libnss_systemd.so.2</refname>
    <refpurpose>Provide UNIX user and group name resolution for dynamic users and groups.</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>libnss_systemd.so.2</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>nss-systemd</command> is a plug-in module for the GNU Name Service Switch (NSS) functionality of the
    GNU C Library (<command>glibc</command>), providing UNIX user and group name resolution for dynamic users and
    groups allocated through the <varname>DynamicUser=</varname> option in systemd unit files. See
    <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for details on
    this option.</para>

    <para>This module also ensures that the root and nobody users and groups (i.e. the users/groups with the UIDs/GIDs
    0 and 65534) remain resolvable at all times, even if they aren't listed in <filename>/etc/passwd</filename> or
    <filename>/etc/group</filename>, or if these files are missing.</para>

    <para>To activate the NSS module, add <literal>systemd</literal> to the lines starting with
    <literal>passwd:</literal> and <literal>group:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>

    <para>It is recommended to place <literal>systemd</literal> after the <literal>files</literal> or
    <literal>compat</literal> entry of the <filename>/etc/nsswitch.conf</filename> lines so that
    <filename>/etc/passwd</filename> and <filename>/etc/group</filename> based mappings take precedence.</para>
  </refsect1>

  <refsect1>
    <title>Example</title>

    <para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables
    <command>nss-systemd</command> correctly:</para>

    <programlisting>passwd:         compat mymachines <command>systemd</command>
group:          compat mymachines <command>systemd</command>
shadow:         compat

hosts:          files mymachines resolve [!UNAVAIL=return] dns myhostname
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis</programlisting>

  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>getent</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>
nss: add new "nss-systemd" NSS module for mapping dynamic users With this NSS module all dynamic service users will be resolvable via NSS like any real user. 2016-07-14 20:19:49 +03:00			`<?xml version='1.0'?> <!---nxml--->`
			`<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"`
			`"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">`

			`<!--`
Add SPDX license identifiers to man pages 2017-11-18 19:22:32 +03:00			`SPDX-License-Identifier: LGPL-2.1+`
nss: add new "nss-systemd" NSS module for mapping dynamic users With this NSS module all dynamic service users will be resolvable via NSS like any real user. 2016-07-14 20:19:49 +03:00			`-->`

make nss-systemd support conditional (#6155) This allows the nss-systemd module to be disabled on minimal installations. 2017-06-24 20:30:26 +03:00			`<refentry id="nss-systemd" conditional='ENABLE_NSS_SYSTEMD'>`
nss: add new "nss-systemd" NSS module for mapping dynamic users With this NSS module all dynamic service users will be resolvable via NSS like any real user. 2016-07-14 20:19:49 +03:00
			`<refentryinfo>`
			`<title>nss-systemd</title>`
			`<productname>systemd</productname>`
			`</refentryinfo>`

			`<refmeta>`
			`<refentrytitle>nss-systemd</refentrytitle>`
			`<manvolnum>8</manvolnum>`
			`</refmeta>`

			`<refnamediv>`
			`<refname>nss-systemd</refname>`
			`<refname>libnss_systemd.so.2</refname>`
			`<refpurpose>Provide UNIX user and group name resolution for dynamic users and groups.</refpurpose>`
			`</refnamediv>`

			`<refsynopsisdiv>`
			`<para><filename>libnss_systemd.so.2</filename></para>`
			`</refsynopsisdiv>`

			`<refsect1>`
			`<title>Description</title>`

			`<para><command>nss-systemd</command> is a plug-in module for the GNU Name Service Switch (NSS) functionality of the`
			`GNU C Library (<command>glibc</command>), providing UNIX user and group name resolution for dynamic users and`
			`groups allocated through the <varname>DynamicUser=</varname> option in systemd unit files. See`
			`<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for details on`
			`this option.</para>`

nss-systemd: resolve root/nobody statically Let's extend nss-systemd to also synthesize user/group entries for the UIDs/GIDs 0 and 65534 which have special kernel meaning. Given that nss-systemd is listed in /etc/nsswitch.conf only very late any explicit listing in /etc/passwd or /etc/group takes precedence. This functionality is useful in minimal container-like setups that lack /etc/passwd files (or only have incompletely populated ones). 2016-07-27 14:14:01 +03:00			`<para>This module also ensures that the root and nobody users and groups (i.e. the users/groups with the UIDs/GIDs`
			`0 and 65534) remain resolvable at all times, even if they aren't listed in <filename>/etc/passwd</filename> or`
			`<filename>/etc/group</filename>, or if these files are missing.</para>`

nss: add new "nss-systemd" NSS module for mapping dynamic users With this NSS module all dynamic service users will be resolvable via NSS like any real user. 2016-07-14 20:19:49 +03:00			`<para>To activate the NSS module, add <literal>systemd</literal> to the lines starting with`
			`<literal>passwd:</literal> and <literal>group:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>`

			`<para>It is recommended to place <literal>systemd</literal> after the <literal>files</literal> or`
			`<literal>compat</literal> entry of the <filename>/etc/nsswitch.conf</filename> lines so that`
			`<filename>/etc/passwd</filename> and <filename>/etc/group</filename> based mappings take precedence.</para>`
			`</refsect1>`

			`<refsect1>`
			`<title>Example</title>`

			`<para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables`
			`<command>nss-systemd</command> correctly:</para>`

			`<programlisting>passwd: compat mymachines <command>systemd</command>`
			`group: compat mymachines <command>systemd</command>`
			`shadow: compat`

man: sync up the suggested nsswitch.conf configuration for our four NSS modules This unifies the suggested nsswitch.conf configuration for our four NSS modules to this: hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname Note that this restores "myhostname" to the suggested configuration of nss-resolve for the time being, undoing 4484e1792b64b01614f04b7bde97bf019f601bf9. "myhostname" should probably be dropped eventually, but when we do this we should do it in full, and not only drop it from the suggested nsswitch.conf for one of the modules, but also drop it in source and stop referring to it altogether. Note that nss-resolve doesn't replace nss-myhostname in full: the former only works if D-Bus/resolved is available for resolving the local hostname, the latter works in all cases even if D-Bus or resolved are not in operation, hence there's some value in keeping the line as it is right now. Note that neither dns nor myhostname are considered at all with the above configuration unless the resolve module actually returns UNAVAIL. Thus, even though handling of local hostname resolving is implemented twice this way it is only executed once for each lookup. 2016-10-24 19:58:03 +03:00			`hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname`
nss: add new "nss-systemd" NSS module for mapping dynamic users With this NSS module all dynamic service users will be resolvable via NSS like any real user. 2016-07-14 20:19:49 +03:00			`networks: files`

			`protocols: db files`
			`services: db files`
			`ethers: db files`
			`rpc: db files`

			`netgroup: nis</programlisting>`

			`</refsect1>`

			`<refsect1>`
			`<title>See Also</title>`
			`<para>`
			`<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,`
			`<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,`
			`<citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry>,`
			`<citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>,`
			`<citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry>,`
			`<citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,`
			`<citerefentry project='man-pages'><refentrytitle>getent</refentrytitle><manvolnum>1</manvolnum></citerefentry>`
			`</para>`
			`</refsect1>`

			`</refentry>`