systemd/man/nss-systemd.xml

<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="nss-systemd" conditional='ENABLE_NSS_SYSTEMD'>

  <refentryinfo>
    <title>nss-systemd</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>nss-systemd</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>nss-systemd</refname>
    <refname>libnss_systemd.so.2</refname>
    <refpurpose>UNIX user and group name resolution for user/group lookup via Varlink</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>libnss_systemd.so.2</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>nss-systemd</command> is a plug-in module for the GNU Name Service Switch (NSS)
    functionality of the GNU C Library (<command>glibc</command>), providing UNIX user and group name
    resolution for services implementing the <ulink url="https://systemd.io/USER_GROUP_API">User/Group Record
    Lookup API via Varlink</ulink>, such as the system and service manager
    <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> (for its
    <varname>DynamicUser=</varname> feature, see
    <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
    details),
    <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, or <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>

    <para>This module also ensures that the root and nobody users and groups (i.e. the users/groups with the UIDs/GIDs
    0 and 65534) remain resolvable at all times, even if they aren't listed in <filename>/etc/passwd</filename> or
    <filename>/etc/group</filename>, or if these files are missing.</para>

    <para>This module preferably utilizes
    <citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    for resolving users and groups, but also works without the service running.</para>

    <para>To activate the NSS module, add <literal>systemd</literal> to the lines starting with
    <literal>passwd:</literal> and <literal>group:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>

    <para>It is recommended to place <literal>systemd</literal> after the <literal>files</literal> or
    <literal>compat</literal> entry of the <filename>/etc/nsswitch.conf</filename> lines so that
    <filename>/etc/passwd</filename> and <filename>/etc/group</filename> based mappings take precedence.</para>
  </refsect1>

  <refsect1>
    <title>Configuration in <filename>/etc/nsswitch.conf</filename></title>

    <para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables
    <command>nss-systemd</command> correctly:</para>

    <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
    <programlisting>passwd:         compat <command>systemd</command>
group:          compat [SUCCESS=merge] <command>systemd</command>
shadow:         compat

hosts:          mymachines resolve [!UNAVAIL=return] files myhostname dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis</programlisting>

  </refsect1>

  <refsect1>
    <title>Example: Mappings provided by <filename>systemd-machined.service</filename></title>

    <para>The container <literal>rawhide</literal> is spawned using
    <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>:
    </para>

    <programlisting># systemd-nspawn -M rawhide --boot --network-veth --private-users=pick
Spawning container rawhide on /var/lib/machines/rawhide.
Selected user namespace base 20119552 and range 65536.
...

$ machinectl --max-addresses=3
MACHINE CLASS     SERVICE        OS     VERSION ADDRESSES
rawhide container systemd-nspawn fedora 30      169.254.40.164 fe80::94aa:3aff:fe7b:d4b9

$ getent passwd vu-rawhide-0 vu-rawhide-81
vu-rawhide-0:*:20119552:65534:vu-rawhide-0:/:/usr/sbin/nologin
vu-rawhide-81:*:20119633:65534:vu-rawhide-81:/:/usr/sbin/nologin

$ getent group vg-rawhide-0 vg-rawhide-81
vg-rawhide-0:*:20119552:
vg-rawhide-81:*:20119633:

$ ps -o user:15,pid,tty,command -e|grep '^vu-rawhide'
vu-rawhide-0      692 ?        /usr/lib/systemd/systemd
vu-rawhide-0      731 ?        /usr/lib/systemd/systemd-journald
vu-rawhide-192    734 ?        /usr/lib/systemd/systemd-networkd
vu-rawhide-193    738 ?        /usr/lib/systemd/systemd-resolved
vu-rawhide-0      742 ?        /usr/lib/systemd/systemd-logind
vu-rawhide-81     744 ?        /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
vu-rawhide-0      746 ?        /usr/sbin/sshd -D ...
vu-rawhide-0      752 ?        /usr/lib/systemd/systemd --user
vu-rawhide-0      753 ?        (sd-pam)
vu-rawhide-0     1628 ?        login -- zbyszek
vu-rawhide-1000  1630 ?        /usr/lib/systemd/systemd --user
vu-rawhide-1000  1631 ?        (sd-pam)
vu-rawhide-1000  1637 pts/8    -zsh
</programlisting>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>getent</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>
nss: add new "nss-systemd" NSS module for mapping dynamic users With this NSS module all dynamic service users will be resolvable via NSS like any real user. 2016-07-14 20:19:49 +03:00			`<?xml version='1.0'?> <!---nxml--->`
man: use same header for all files The "include" files had type "book" for some raeason. I don't think this is meaningful. Let's just use the same everywhere. $ perl -i -0pe 's^..DOCTYPE (book\|refentry) PUBLIC "-//OASIS//DTD DocBook XML V4.[25]//EN"\s+"http^<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"\n "http^gms' man/*.xml 2019-03-14 16:40:58 +03:00			`<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"`
nss: add new "nss-systemd" NSS module for mapping dynamic users With this NSS module all dynamic service users will be resolvable via NSS like any real user. 2016-07-14 20:19:49 +03:00			`"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">`
license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 07:23:58 +03:00			`<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->`
nss: add new "nss-systemd" NSS module for mapping dynamic users With this NSS module all dynamic service users will be resolvable via NSS like any real user. 2016-07-14 20:19:49 +03:00
make nss-systemd support conditional (#6155) This allows the nss-systemd module to be disabled on minimal installations. 2017-06-24 20:30:26 +03:00			`<refentry id="nss-systemd" conditional='ENABLE_NSS_SYSTEMD'>`
nss: add new "nss-systemd" NSS module for mapping dynamic users With this NSS module all dynamic service users will be resolvable via NSS like any real user. 2016-07-14 20:19:49 +03:00
			`<refentryinfo>`
			`<title>nss-systemd</title>`
			`<productname>systemd</productname>`
			`</refentryinfo>`

			`<refmeta>`
			`<refentrytitle>nss-systemd</refentrytitle>`
			`<manvolnum>8</manvolnum>`
			`</refmeta>`

			`<refnamediv>`
			`<refname>nss-systemd</refname>`
			`<refname>libnss_systemd.so.2</refname>`
tree-wide: fixes for assorted grammar and spelling issues Fixes #16363. Also includes some changes where I generalized the pattern. 2020-07-06 11:49:59 +03:00			`<refpurpose>UNIX user and group name resolution for user/group lookup via Varlink</refpurpose>`
nss: add new "nss-systemd" NSS module for mapping dynamic users With this NSS module all dynamic service users will be resolvable via NSS like any real user. 2016-07-14 20:19:49 +03:00			`</refnamediv>`

			`<refsynopsisdiv>`
			`<para><filename>libnss_systemd.so.2</filename></para>`
			`</refsynopsisdiv>`

			`<refsect1>`
			`<title>Description</title>`

man: document the new nss-systemd behaviour (This also changes the suggested /etc/nsswitch.conf line to use for hooking up nss-system to use glibc's [SUCCESS=merge] feature so that we can properly merge group membership lists). 2019-11-19 18:51:27 +03:00			`<para><command>nss-systemd</command> is a plug-in module for the GNU Name Service Switch (NSS)`
			`functionality of the GNU C Library (<command>glibc</command>), providing UNIX user and group name`
			`resolution for services implementing the <ulink url="https://systemd.io/USER_GROUP_API">User/Group Record`
			`Lookup API via Varlink</ulink>, such as the system and service manager`
			`<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> (for its`
			`<varname>DynamicUser=</varname> feature, see`
			`<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for`
man: document new varlink service 2020-07-07 22:29:21 +03:00			`details),`
			`<citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, or <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>`
nss: add new "nss-systemd" NSS module for mapping dynamic users With this NSS module all dynamic service users will be resolvable via NSS like any real user. 2016-07-14 20:19:49 +03:00
nss-systemd: resolve root/nobody statically Let's extend nss-systemd to also synthesize user/group entries for the UIDs/GIDs 0 and 65534 which have special kernel meaning. Given that nss-systemd is listed in /etc/nsswitch.conf only very late any explicit listing in /etc/passwd or /etc/group takes precedence. This functionality is useful in minimal container-like setups that lack /etc/passwd files (or only have incompletely populated ones). 2016-07-27 14:14:01 +03:00			`<para>This module also ensures that the root and nobody users and groups (i.e. the users/groups with the UIDs/GIDs`
			`0 and 65534) remain resolvable at all times, even if they aren't listed in <filename>/etc/passwd</filename> or`
			`<filename>/etc/group</filename>, or if these files are missing.</para>`

man: document the new nss-systemd behaviour (This also changes the suggested /etc/nsswitch.conf line to use for hooking up nss-system to use glibc's [SUCCESS=merge] feature so that we can properly merge group membership lists). 2019-11-19 18:51:27 +03:00			`<para>This module preferably utilizes`
			`<citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>`
			`for resolving users and groups, but also works without the service running.</para>`

nss: add new "nss-systemd" NSS module for mapping dynamic users With this NSS module all dynamic service users will be resolvable via NSS like any real user. 2016-07-14 20:19:49 +03:00			`<para>To activate the NSS module, add <literal>systemd</literal> to the lines starting with`
			`<literal>passwd:</literal> and <literal>group:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>`

			`<para>It is recommended to place <literal>systemd</literal> after the <literal>files</literal> or`
			`<literal>compat</literal> entry of the <filename>/etc/nsswitch.conf</filename> lines so that`
			`<filename>/etc/passwd</filename> and <filename>/etc/group</filename> based mappings take precedence.</para>`
			`</refsect1>`

			`<refsect1>`
man: document new varlink service 2020-07-07 22:29:21 +03:00			`<title>Configuration in <filename>/etc/nsswitch.conf</filename></title>`
nss: add new "nss-systemd" NSS module for mapping dynamic users With this NSS module all dynamic service users will be resolvable via NSS like any real user. 2016-07-14 20:19:49 +03:00
			`<para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables`
			`<command>nss-systemd</command> correctly:</para>`

man,factory: update factory config for nsswitch.conf to match the man pages Also add a note in the man pages to remind people to adjust the factory config and other man pages at the same time. 2018-11-27 19:02:20 +03:00			`<!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->`
nss-mymachines: drop support for UID/GID resolving Now that we make the user/group name resolving available via userdb and thus nss-systemd, we do not need the UID/GID resolving support in nss-mymachines anymore. Let's drop it hence. We keep the module around, since besides UID/GID resolving it also does hostname resolving, which we care about. (One of those days we should replace that by some Varlink logic between nss-resolve/systemd-resolved.service too) The hooks are kept in the NSS module, but they do not resolve anything anymore, in order to keep compat at a maximum. 2020-07-07 22:58:12 +03:00			`<programlisting>passwd: compat <command>systemd</command>`
			`group: compat [SUCCESS=merge] <command>systemd</command>`
nss: add new "nss-systemd" NSS module for mapping dynamic users With this NSS module all dynamic service users will be resolvable via NSS like any real user. 2016-07-14 20:19:49 +03:00			`shadow: compat`

man: move 'files' module in NSS 'hosts:' line before myhostname I am pretty sure /etc/hosts (i.e. an explicitly configured, local, trusted database) should be useful for overriding the automatic myhostname logic. resolved's internal logic handles it that way and hence we should suggest it in the NSS fallback line, too. Let's also bring the factory file back into sync with what the docs say. And update the prose a bit too, to actually match what we recommend. 2020-08-17 10:10:32 +03:00			`hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns`
nss: add new "nss-systemd" NSS module for mapping dynamic users With this NSS module all dynamic service users will be resolvable via NSS like any real user. 2016-07-14 20:19:49 +03:00			`networks: files`

			`protocols: db files`
			`services: db files`
			`ethers: db files`
			`rpc: db files`

			`netgroup: nis</programlisting>`

			`</refsect1>`

man: document new varlink service 2020-07-07 22:29:21 +03:00			`<refsect1>`
			`<title>Example: Mappings provided by <filename>systemd-machined.service</filename></title>`

			`<para>The container <literal>rawhide</literal> is spawned using`
			`<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>:`
			`</para>`

			`<programlisting># systemd-nspawn -M rawhide --boot --network-veth --private-users=pick`
			`Spawning container rawhide on /var/lib/machines/rawhide.`
			`Selected user namespace base 20119552 and range 65536.`
			`...`

			`$ machinectl --max-addresses=3`
			`MACHINE CLASS SERVICE OS VERSION ADDRESSES`
			`rawhide container systemd-nspawn fedora 30 169.254.40.164 fe80::94aa:3aff:fe7b:d4b9`

			`$ getent passwd vu-rawhide-0 vu-rawhide-81`
			`vu-rawhide-0:*:20119552:65534:vu-rawhide-0:/:/usr/sbin/nologin`
			`vu-rawhide-81:*:20119633:65534:vu-rawhide-81:/:/usr/sbin/nologin`

			`$ getent group vg-rawhide-0 vg-rawhide-81`
			`vg-rawhide-0:*:20119552:`
			`vg-rawhide-81:*:20119633:`

			`$ ps -o user:15,pid,tty,command -e\|grep '^vu-rawhide'`
			`vu-rawhide-0 692 ? /usr/lib/systemd/systemd`
			`vu-rawhide-0 731 ? /usr/lib/systemd/systemd-journald`
			`vu-rawhide-192 734 ? /usr/lib/systemd/systemd-networkd`
			`vu-rawhide-193 738 ? /usr/lib/systemd/systemd-resolved`
			`vu-rawhide-0 742 ? /usr/lib/systemd/systemd-logind`
			`vu-rawhide-81 744 ? /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only`
			`vu-rawhide-0 746 ? /usr/sbin/sshd -D ...`
			`vu-rawhide-0 752 ? /usr/lib/systemd/systemd --user`
			`vu-rawhide-0 753 ? (sd-pam)`
			`vu-rawhide-0 1628 ? login -- zbyszek`
			`vu-rawhide-1000 1630 ? /usr/lib/systemd/systemd --user`
			`vu-rawhide-1000 1631 ? (sd-pam)`
			`vu-rawhide-1000 1637 pts/8 -zsh`
			`</programlisting>`
			`</refsect1>`

nss: add new "nss-systemd" NSS module for mapping dynamic users With this NSS module all dynamic service users will be resolvable via NSS like any real user. 2016-07-14 20:19:49 +03:00			`<refsect1>`
			`<title>See Also</title>`
			`<para>`
			`<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,`
			`<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,`
			`<citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry>,`
			`<citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>,`
			`<citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry>,`
man: document new varlink service 2020-07-07 22:29:21 +03:00			`<citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,`
			`<citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,`
			`<citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,`
nss: add new "nss-systemd" NSS module for mapping dynamic users With this NSS module all dynamic service users will be resolvable via NSS like any real user. 2016-07-14 20:19:49 +03:00			`<citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,`
			`<citerefentry project='man-pages'><refentrytitle>getent</refentrytitle><manvolnum>1</manvolnum></citerefentry>`
			`</para>`
			`</refsect1>`

			`</refentry>`