Merge pull request #15437 from keszybz/man-nss-resolve

Move "files" and "dns" later in the recommended hosts: lines
2024-10-27 10:25:37 +03:00 · 2020-04-16 16:11:24 +02:00 · 2020-04-16 16:11:24 +02:00 · 0f6d7be844
commit 0f6d7be844
parent 9ba4029f8f f2a20e9966
4 changed files with 23 additions and 15 deletions
--- a/man/nss-myhostname.xml
+++ b/man/nss-myhostname.xml
@ -67,9 +67,13 @@
    <para>To activate the NSS modules, add <literal>myhostname</literal> to the line starting with
    <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>

-    <para>It is recommended to place <literal>myhostname</literal> last in the <filename>nsswitch.conf</filename>'
-    <literal>hosts:</literal> line to make sure that this mapping is only used as fallback, and that any DNS or
-    <filename>/etc/hosts</filename> based mapping takes precedence.</para>
+    <para>It is recommended to place <literal>myhostname</literal> either between <literal>resolve</literal>
+    and "traditional" modules like <literal>files</literal> and <literal>dns</literal>, or after them. In the
+    first version, well-known names like <literal>localhost</literal> and the machine hostname are given
+    higher priority than the external configuration. This is recommended when the external DNS servers and
+    network are not absolutely trusted. In the second version, external configuration is given higher
+    priority and <command>nss-myhostname</command> only provides a fallback mechanism. This might be suitable
+    in closely controlled networks, for example on a company LAN.</para>
  </refsect1>

  <refsect1>
@ -83,7 +87,10 @@
 group:          compat mymachines systemd
 shadow:         compat

-hosts:          files mymachines resolve [!UNAVAIL=return] dns <command>myhostname</command>
+# Either (untrusted network):
+hosts:          mymachines resolve [!UNAVAIL=return] <command>myhostname</command> files dns
+# Or (only trusted networks):
+hosts:          mymachines resolve [!UNAVAIL=return] files dns <command>myhostname</command>
 networks:       files

 protocols:      db files
--- a/man/nss-mymachines.xml
+++ b/man/nss-mymachines.xml
@ -69,7 +69,7 @@
 group:          compat <command>mymachines</command> systemd
 shadow:         compat

-hosts:          files <command>mymachines</command> resolve [!UNAVAIL=return] dns myhostname
+hosts:          <command>mymachines</command> resolve [!UNAVAIL=return] myhostname files dns
 networks:       files

 protocols:      db files
--- a/man/nss-resolve.xml
+++ b/man/nss-resolve.xml
@ -34,14 +34,15 @@
    name resolution service. It replaces the <command>nss-dns</command> plug-in module that traditionally resolves
    hostnames via DNS.</para>

-    <para>To activate the NSS module, add <literal>resolve</literal> to the line starting with
-    <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>. Specifically, it is recommended to place
-    <literal>resolve</literal> early in <filename>/etc/nsswitch.conf</filename>'s <literal>hosts:</literal> line (but
-    after the <literal>files</literal> or <literal>mymachines</literal> entries), right before the
-    <literal>dns</literal> entry if it exists, followed by <literal>[!UNAVAIL=return]</literal>, to ensure DNS queries
-    are always routed via
-    <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> if it is
-    running, but are routed to <command>nss-dns</command> if this service is not available.</para>
+    <para>To activate the NSS module, add <literal>resolve [!UNAVAIL=return]</literal> to the line starting
+    with <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>. Specifically, it is
+    recommended to place <literal>resolve</literal> early in <filename>/etc/nsswitch.conf</filename>'s
+    <literal>hosts:</literal> line. It should be before the <literal>files</literal> entry, since
+    <filename>systemd-resolved</filename> supports <filename>/etc/hosts</filename> internally, but with
+    caching. To the contrary, it should be after <literal>mymachines</literal>, to give hostnames given to
+    local VMs and containers precedence over names received over DNS. Finally, we recommend placing
+    <literal>dns</literal> somewhere after <literal>resolve</literal>, to fall back to
+    <command>nss-dns</command> if <filename>systemd-resolved.service</filename> is not available.</para>

    <para>Note that <command>systemd-resolved</command> will synthesize DNS resource
    records in a few cases, for example for <literal>localhost</literal> and the
@ -66,7 +67,7 @@
 group:          compat mymachines systemd
 shadow:         compat

-hosts:          files mymachines <command>resolve [!UNAVAIL=return]</command> dns myhostname
+hosts:          mymachines <command>resolve [!UNAVAIL=return]</command> myhostname files dns
 networks:       files

 protocols:      db files
--- a/man/nss-systemd.xml
+++ b/man/nss-systemd.xml
@ -65,7 +65,7 @@
 group:          compat [SUCCESS=merge] mymachines [SUCCESS=merge] <command>systemd</command>
 shadow:         compat

-hosts:          files mymachines resolve [!UNAVAIL=return] dns myhostname
+hosts:          mymachines resolve [!UNAVAIL=return] myhostname files dns
 networks:       files

 protocols:      db files