From: Maciej Borzecki <maciej.borzecki@rndity.com>
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 2/2] systemd: use nss-resolve by default if resolved is enabled
Date: Wed, 21 Sep 2016 10:19:59 +0200
Message-ID: <f07e3e1e57b5a8b9c9a7b9fe69c47596d28267bc.1474444047.git.maciej.borzecki@rndity.com>
In-Reply-To: <cover.1474444047.git.maciej.borzecki@rndity.com>

Add nss-resolve to NSS hosts resolution service if systemd-resolved is
enabled via PACKAGECONFIG. This enables routing all DNS requests through
systemd-networkd by default.

Apply the following patches:
- 0023-nss-install-nss-modules-into-lib - makes sure that libnss_resolve
  and other nss modules end up in ${rootlibdir}
- 0024-resolved-when-processing-auxiliary-DNSSEC-transactio - backport
  v231 patch that fixes SERVFAIL handling, required for name resolution
  under qemu or in containers.

Signed-off-by: Maciej Borzecki <maciej.borzecki@rndity.com>
---
 .../0023-nss-install-nss-modules-into-lib.patch    | 64 ++++++++++++++++++++++
 ...en-processing-auxiliary-DNSSEC-transactio.patch | 49 +++++++++++++++++
 meta/recipes-core/systemd/systemd_230.bb           | 18 +++++-
 3 files changed, 129 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-core/systemd/systemd/0023-nss-install-nss-modules-into-lib.patch
 create mode 100644 meta/recipes-core/systemd/systemd/0024-resolved-when-processing-auxiliary-DNSSEC-transactio.patch

diff --git a/meta/recipes-core/systemd/systemd/0023-nss-install-nss-modules-into-lib.patch b/meta/recipes-core/systemd/systemd/0023-nss-install-nss-modules-into-lib.patch
new file mode 100644
index 0000000000000000000000000000000000000000..747d848a3e3917a69872cf68d77e26d66506a18e
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0023-nss-install-nss-modules-into-lib.patch
@@ -0,0 +1,64 @@
+From eb76a59139c5ca6355cf1ef9594dab8b73b9b1f5 Mon Sep 17 00:00:00 2001
+Message-Id: <eb76a59139c5ca6355cf1ef9594dab8b73b9b1f5.1474443269.git.maciej.borzecki@rndity.com>
+In-Reply-To: <cover.1474443269.git.maciej.borzecki@rndity.com>
+References: <cover.1474443269.git.maciej.borzecki@rndity.com>
+From: Maciek Borzecki <maciek.borzecki@gmail.com>
+Date: Tue, 20 Sep 2016 21:24:45 +0200
+Subject: [PATCH 1/2] nss: install nss modules into /lib
+
+NSS modules (libnss_*.so.*) need to be installed into
+${rootlibdir} (typically /lib) in order to be used. Previously, the
+modules were installed into ${libdir} (usually ${prefix}/lib), where in
+case of a split /usr, this would typically resolve to /usr/lib.
+
+Signed-off-by: Maciek Borzecki <maciek.borzecki@gmail.com>
+Signed-off-by: Maciej Borzecki <maciej.borzecki@rndity.com>
+
+---
+Upstream-Status: Pending
+
+ Makefile.am | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index dbd3386..0e2dca5 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -151,6 +151,7 @@ nodist_zshcompletion_DATA = $(nodist_zshcompletion_data)
+ endif
+ udevlibexec_PROGRAMS =
+ gperf_gperf_sources =
++rootlib_LTLIBRARIES =
+ 
+ in_files = $(filter %.in,$(EXTRA_DIST))
+ in_in_files = $(filter %.in.in, $(in_files))
+@@ -4931,7 +4932,7 @@ libnss_myhostname_la_LDFLAGS = \
+ libnss_myhostname_la_LIBADD = \
+ 	libsystemd-internal.la
+ 
+-lib_LTLIBRARIES += \
++rootlib_LTLIBRARIES += \
+ 	libnss_myhostname.la
+ endif
+ 
+@@ -5030,7 +5031,7 @@ libnss_mymachines_la_LDFLAGS = \
+ libnss_mymachines_la_LIBADD = \
+ 	libsystemd-internal.la
+ 
+-lib_LTLIBRARIES += \
++rootlib_LTLIBRARIES += \
+ 	libnss_mymachines.la
+ 
+ endif
+@@ -5321,7 +5322,7 @@ libnss_resolve_la_LIBADD = \
+ 	libsystemd-internal.la \
+         -ldl
+ 
+-lib_LTLIBRARIES += \
++rootlib_LTLIBRARIES += \
+ 	libnss_resolve.la
+ 
+ systemd_resolve_SOURCES = \
+-- 
+2.5.0
+
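Review bot: Upstream-Status: Pending on the nested 0023 patch gives no pointer to where it was submitted; add the upstream submission reference (or mark it Inappropriate/Submitted as appropriate) so it can be re-checked when the recipe is upgraded. Also, only libnss_myhostname, libnss_mymachines and libnss_resolve are switched from lib_LTLIBRARIES to rootlib_LTLIBRARIES here, while the recipe hunk later in this patch replaces ${libdir}/libnss_* with ${rootlibdir}/libnss_* in FILES; any NSS module this Makefile.am still installs through lib_LTLIBRARIES would then be left unpackaged, so confirm no other libnss_*.la remains in lib_LTLIBRARIES.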
diff --git a/meta/recipes-core/systemd/systemd/0024-resolved-when-processing-auxiliary-DNSSEC-transactio.patch b/meta/recipes-core/systemd/systemd/0024-resolved-when-processing-auxiliary-DNSSEC-transactio.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6924ce712ca4e8bb3d9e59178515b8bef4e381a5
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0024-resolved-when-processing-auxiliary-DNSSEC-transactio.patch
@@ -0,0 +1,49 @@
+From 44f04e32cb66676446b70895278348910f3666c3 Mon Sep 17 00:00:00 2001
+Message-Id: <44f04e32cb66676446b70895278348910f3666c3.1474443269.git.maciej.borzecki@rndity.com>
+In-Reply-To: <cover.1474443269.git.maciej.borzecki@rndity.com>
+References: <cover.1474443269.git.maciej.borzecki@rndity.com>
+From: Lennart Poettering <lennart@poettering.net>
+Date: Thu, 23 Jun 2016 23:46:56 +0200
+Subject: [PATCH 2/2] resolved: when processing auxiliary DNSSEC transactions,
+ accept those with SERVFAIL
+
+Some upstream DNS servers return SERVFAIL if we ask them for DNSSEC RRs, which
+some forwarding DNS servers pass on to us as SERVFAIL (other though as
+NOERROR...). This is should not be considered a problem, as long as the domain
+in question didn't have DNSSEC enabled. Hence: when making use of auxiliary
+transactions accept those that return SERVFAIL.
+
+Signed-off-by: Maciej Borzecki <maciej.borzecki@rndity.com>
+---
+Upstream-Status: Backport from 231
+
+ src/resolve/resolved-dns-transaction.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
+index a4a6762..aa49e65 100644
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -626,14 +626,15 @@ static int dns_transaction_dnssec_ready(DnsTransaction *t) {
+                         return 0;
+ 
+                 case DNS_TRANSACTION_RCODE_FAILURE:
+-                        if (dt->answer_rcode != DNS_RCODE_NXDOMAIN) {
++                        if (!IN_SET(dt->answer_rcode, DNS_RCODE_NXDOMAIN, DNS_RCODE_SERVFAIL)) {
+                                 log_debug("Auxiliary DNSSEC RR query failed with rcode=%s.", dns_rcode_to_string(dt->answer_rcode));
+                                 goto fail;
+                         }
+ 
+-                        /* Fall-through: NXDOMAIN is good enough for us. This is because some DNS servers erronously
+-                         * return NXDOMAIN for empty non-terminals (Akamai...), and we need to handle that nicely, when
+-                         * asking for parent SOA or similar RRs to make unsigned proofs. */
++                        /* Fall-through: NXDOMAIN/SERVFAIL is good enough for us. This is because some DNS servers
++                         * erronously return NXDOMAIN/SERVFAIL for empty non-terminals (Akamai...) or missing DS
++                         * records (Facebook), and we need to handle that nicely, when asking for parent SOA or similar
++                         * RRs to make unsigned proofs. */
+ 
+                 case DNS_TRANSACTION_SUCCESS:
+                         /* All good. */
+-- 
+2.5.0
+
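Review bot: The wrapper's Upstream-Status line says "Backport from 231" without naming the upstream commit; put the id from the From: line (44f04e32cb66676446b70895278348910f3666c3) on the Upstream-Status line so it is obvious when the recipe moves to a version that already contains it. It is also worth stating in the OE commit message that this is a behaviour change in resolved's DNSSEC handling, not just a build fix: auxiliary transactions (the parent SOA/DS lookups used for unsigned proofs) that answer SERVFAIL are now accepted the same way NXDOMAIN already was, which is the upstream v231 behaviour the hunk copies.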
diff --git a/meta/recipes-core/systemd/systemd_230.bb b/meta/recipes-core/systemd/systemd_230.bb
index 1276316a0cddeefecb34cf9422c94c3ed12f5381..4a78ff2e867c6b2484443612114c87c75b56a50e 100644
--- a/meta/recipes-core/systemd/systemd_230.bb
+++ b/meta/recipes-core/systemd/systemd_230.bb
@@ -36,7 +36,9 @@ SRC_URI += " \
            file://0021-include-missing.h-for-getting-secure_getenv-definiti.patch \
            file://0022-socket-util-don-t-fail-if-libc-doesn-t-support-IDN.patch \
            file://udev-re-enable-mount-propagation-for-udevd.patch \
-"
+           file://0023-nss-install-nss-modules-into-lib.patch \
+           file://0024-resolved-when-processing-auxiliary-DNSSEC-transactio.patch \
+           "
 SRC_URI_append_libc-uclibc = "\
            file://0002-units-Prefer-getty-to-agetty-in-console-setup-system.patch \
 "
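Review bot: The closing quote of the SRC_URI block moves from column 0 (`-"`) to an indented `+           "`, which is an unrelated whitespace change; keep the original `"` line as it was so the hunk only adds the two file:// entries. Note that 0023 relocates libnss_myhostname and libnss_mymachines as well as libnss_resolve, so applying both patches unconditionally rather than gating them on the resolved PACKAGECONFIG is correct; saying so in the commit message would save the next reader the question.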
@@ -452,7 +454,7 @@ FILES_${PN} = " ${base_bindir}/* \
                 ${rootlibexecdir}/systemd/* \
                 ${systemd_unitdir}/* \
                 ${base_libdir}/security/*.so \
-                ${libdir}/libnss_* \
+                ${rootlibdir}/libnss_* \
                 /cgroup \
                 ${bindir}/systemd* \
                 ${bindir}/busctl \
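Review bot: ${rootlibdir} is not a standard bitbake variable, so the new FILES glob only matches if this recipe defines it and passes the same directory to configure as --with-rootlibdir (0023 installs the modules into whatever rootlibdir the build uses); the hunk shows only the FILES side, so confirm both. On a merged-/usr layout where ${rootlibdir} resolves to the same directory as ${libdir} the old and new globs are equivalent, so nothing regresses there.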
@@ -562,12 +564,24 @@ pkg_postinst_${PN} () {
 	sed -e '/^hosts:/s/\s*\<myhostname\>//' \
 		-e 's/\(^hosts:.*\)\(\<files\>\)\(.*\)\(\<dns\>\)\(.*\)/\1\2 myhostname \3\4\5/' \
 		-i $D${sysconfdir}/nsswitch.conf
+
+	if ${@bb.utils.contains('PACKAGECONFIG', 'resolved', 'true', 'false', d)}; then
+			# replace dns with resolve
+			sed -e 's/^hosts:\(.*\)dns\(.*\)/hosts:\1 resolve \2/' \
+					-i $D${sysconfdir}/nsswitch.conf
+	fi
 }
 
 pkg_prerm_${PN} () {
 	sed -e '/^hosts:/s/\s*\<myhostname\>//' \
 		-e '/^hosts:/s/\s*myhostname//' \
 		-i $D${sysconfdir}/nsswitch.conf
+
+	if ${@bb.utils.contains('PACKAGECONFIG', 'resolved', 'true', 'false', d)}; then
+			# restore dns
+			sed -e 's/^hosts:\(.*\)resolve\(.*\)/hosts:\1 dns \2/' \
+					-i $D${sysconfdir}/nsswitch.conf
+	fi
 }
 
 pkg_postinst_udev-hwdb () {
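Review bot: The two new sed expressions match `dns` and `resolve` as bare substrings, unlike the existing expressions a few lines above that use `\<myhostname\>` and `\<dns\>` word boundaries; with `s/^hosts:\(.*\)dns\(.*\)/hosts:\1 resolve \2/` the greedy `\(.*\)` selects the last occurrence, so a hosts line such as `hosts: files dns mdns4_minimal` would have the `dns` inside `mdns4_minimal` rewritten instead. Use `\<dns\>` and `\<resolve\>` as the surrounding code does. The substitution also removes `dns` outright instead of keeping it after `resolve`, so with resolved stopped or not yet started there is no fallback resolver on the hosts line; keeping `dns` after `resolve` (with a `[!UNAVAIL=return]` action if resolved should win when it is up) avoids that. Minor: the replacement leaves double spaces around `resolve`, and the continuation lines are indented three tabs where the rest of the function uses two.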
-- 
2.5.0
