From 9053aaad4255a1d01a50f8e44784cd7eebe8f95c Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 23 Feb 2016 18:24:03 +0100
Subject: man: change recommended order of NSS modules in /etc/nsswitch.conf

So far we recommended placing "nss-mymachines" after "nss-resolve" in the order of preference in /etc/nsswitch.conf. This change reverses this order.

Rationale: single-label names are resolved via LLMNR by resolved, which has to time out if no peer by that name exists. By placing "nss-mymachines" first (which always responds immediately) we avoid running into this timeout for most containers. Both modules should return the same data if LLMNR is used by the container anyway.

While we are at it, improve the man pages of the three NSS modules in other ways a bit.
---
 man/nss-resolve.xml | 45 +++++++++++++++++++--------------------------
 1 file changed, 19 insertions(+), 26 deletions(-)

(limited to 'man/nss-resolve.xml')

diff --git a/man/nss-resolve.xml b/man/nss-resolve.xml
index 8b0928145f..d9e56453e8 100644
--- a/man/nss-resolve.xml
+++ b/man/nss-resolve.xml
@@ -56,37 +56,36 @@ Description - nss-resolve is a plugin module for the - GNU Name Service Switch (NSS) functionality of the GNU C Library - (glibc) enabling it to resolve host names via - the - systemd-resolved8 - local network name resolution service. - - To activate the NSS module, resolve - has to be added to the line starting with - hosts: in - /etc/nsswitch.conf. - - It is recommended to place resolve early - in the nsswitch.conf line (but after the - files entry), replacing the - dns entry if it exists, to ensure DNS queries - are always routed via + nss-resolve is a plug-in module for the GNU Name Service Switch (NSS) functionality of the + GNU C Library (glibc) enabling it to resolve host names via the + systemd-resolved8 local network + name resolution service. It replaces the nss-dns plug-in module that traditionally resolves + hostnames via DNS. + + To activate the NSS module, add resolve to the line starting with + hosts: in /etc/nsswitch.conf. + + It is recommended to place resolve early in /etc/nsswitch.conf' + hosts: line (but after the files or mymachines entries), + replacing the dns entry if it exists, to ensure DNS queries are always routed via systemd-resolved8. + + Note that nss-resolve will chain-load nss-dns if + systemd-resolved.service is not running, ensuring that basic DNS resolution continues to work + if the service is down. Example - Here is an example /etc/nsswitch.conf - file that enables resolve correctly: + Here is an example /etc/nsswitch.conf file that enables nss-resolve + correctly: passwd: compat mymachines group: compat mymachines shadow: compat -hosts: files resolve mymachines myhostname +hosts: files mymachines resolve myhostname networks: files protocols: db files @@ -96,12 +95,6 @@ rpc: db files netgroup: nis - Note that nss-resolve will chain-load - nss-dns if - systemd-resolved.service is not running, - ensuring that basic DNS resolution continues to work if the - service is down. - -- cgit v1.2.1
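Review bot: In the first hunk (@@ -56,37 +56,36 @@), the added recommendation to place resolve "after the files or mymachines entries" and the new example line "hosts: files mymachines resolve myhostname" leave the precedence consequence undocumented: with this order a single-label name that matches a local container is answered by mymachines and the lookup never reaches systemd-resolved. The commit message argues the two sources "should return the same data", but the man page text does not say so, and an administrator reading only the page cannot tell which source wins for such names. Suggest adding one sentence to the recommendation paragraph stating that mymachines takes precedence over resolve for container names and why (it avoids the LLMNR timeout). Separately, "/etc/nsswitch.conf' hosts: line" in the same paragraph has a dangling apostrophe; "the hosts: line of /etc/nsswitch.conf" reads cleanly.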
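Review bot: In the second hunk (@@ -96,12 +95,6 @@), the chain-load note removed from below the example (and re-added in the Description by the first hunk) still does not say whether the fallback to nss-dns requires a dns entry in the hosts: line. The Description now tells readers to replace the dns entry, and the example line contains none, so a reader may keep dns in place "just in case" and end up with queries that bypass systemd-resolved. Suggest extending the moved note to state that the fallback happens inside nss-resolve and that no dns entry is needed for it.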