mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-27 09:23:01 +00:00
cae086d605
When `services.resolved` is enabled, then `resolve [!UNAVAIL=return]` is added to `system.nssDatabases.hosts` with priority 501, which prevents lower-priority NSS modules from running unless systemd-resolved is not available. Quoting from `man nss-resolve`: > To activate the NSS module, add "resolve [!UNAVAIL=return]" to the line > starting with "hosts:" in /etc/nsswitch.conf. Specifically, it is > recommended to place "resolve" early in /etc/nsswitch.conf's "hosts:" > line. It should be before the "files" entry, since systemd-resolved > supports /etc/hosts internally, but with caching. To the contrary, it > should be after "mymachines", to give hostnames given to local VMs and > containers precedence over names received over DNS. Finally, we > recommend placing "dns" somewhere after "resolve", to fall back to > nss-dns if systemd-resolved.service is not available. Note that the man page (just) recommends "early" and means with this "before the 'files' and 'dns' entries". It does not insist on being first or excluding other modules. For this reason, libvirt NSS modules should run before the `resolve` module. They should come right next to `mymachines` because both are conceptually very similar -- they resolve local VMs/containers. Since the data source of the libvirt NSS modules are local plain text files (see source code of the libvirt NSS module), no performance impact is expected form this raise of priorities. Other NSS modules in NixOS also explicitly set their priority, which is why this change increases consistency. Fixes #322022 |
||
|---|---|---|
| .. | ||
| config | ||
| hardware | ||
| i18n/input-method | ||
| image | ||
| installer | ||
| misc | ||
| profiles | ||
| programs | ||
| security | ||
| services | ||
| system | ||
| tasks | ||
| testing | ||
| virtualisation | ||
| module-list.nix | ||
| rename.nix | ||