* [PATCH 0/2] systemd: use nss-resolve when systemd-resoveld is enable
@ 2016-09-21  8:19 Maciej Borzecki
  2016-09-21  8:19 ` [PATCH 1/2] systemd: fix indentation Maciej Borzecki
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Maciej Borzecki @ 2016-09-21  8:19 UTC (permalink / raw)
  To: openembedded-core

A patch series that enables use of nss-resolve (systemd's NSS service module) if
systemd-networkd is enabled via PACKAGECONFIG.

The first patch is a trivial formatting change.

The second patch does the following:

- replace dns with resolve in /etc/nsswitch.conf if systemd-resolved is enabled

- applies a patch fixing the location of libnss_* services provided by systemd
  (the patch has been submitted upstream for inclusion in v232)

- applies a patch that fixes SERVFAIL handling, this restores the ability to
  properly resolve names under qemu (backport from v231)

Maciej Borzecki (2):
  systemd: fix indentation
  systemd: use nss-resolve by default if resolved is enabled

 .../0023-nss-install-nss-modules-into-lib.patch    | 64 ++++++++++++++++++++++
 ...en-processing-auxiliary-DNSSEC-transactio.patch | 49 +++++++++++++++++
 meta/recipes-core/systemd/systemd_230.bb           | 22 ++++++--
 3 files changed, 131 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-core/systemd/systemd/0023-nss-install-nss-modules-into-lib.patch
 create mode 100644 meta/recipes-core/systemd/systemd/0024-resolved-when-processing-auxiliary-DNSSEC-transactio.patch

-- 
2.5.0




* [PATCH 1/2] systemd: fix indentation
  2016-09-21  8:19 [PATCH 0/2] systemd: use nss-resolve when systemd-resoveld is enable Maciej Borzecki
@ 2016-09-21  8:19 ` Maciej Borzecki
  2016-09-21  8:19 ` [PATCH 2/2] systemd: use nss-resolve by default if resolved is enabled Maciej Borzecki
  2016-09-21 17:27 ` [PATCH 0/2] systemd: use nss-resolve when systemd-resoveld is enable Khem Raj
  2 siblings, 0 replies; 4+ messages in thread
From: Maciej Borzecki @ 2016-09-21  8:19 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Maciej Borzecki <maciej.borzecki@rndity.com>
---
 meta/recipes-core/systemd/systemd_230.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-core/systemd/systemd_230.bb b/meta/recipes-core/systemd/systemd_230.bb
index 6e6ef76cfa2322fc0b833e4f38a4cdf7483a8782..1276316a0cddeefecb34cf9422c94c3ed12f5381 100644
--- a/meta/recipes-core/systemd/systemd_230.bb
+++ b/meta/recipes-core/systemd/systemd_230.bb
@@ -211,8 +211,8 @@ do_install() {
 
 	chown root:systemd-journal ${D}/${localstatedir}/log/journal
 
-        # Delete journal README, as log can be symlinked inside volatile.
-        rm -f ${D}/${localstatedir}/log/README
+	# Delete journal README, as log can be symlinked inside volatile.
+	rm -f ${D}/${localstatedir}/log/README
 
 	install -d ${D}${systemd_unitdir}/system/graphical.target.wants
 	install -d ${D}${systemd_unitdir}/system/multi-user.target.wants
-- 
2.5.0




* [PATCH 2/2] systemd: use nss-resolve by default if resolved is enabled
  2016-09-21  8:19 [PATCH 0/2] systemd: use nss-resolve when systemd-resoveld is enable Maciej Borzecki
  2016-09-21  8:19 ` [PATCH 1/2] systemd: fix indentation Maciej Borzecki
@ 2016-09-21  8:19 ` Maciej Borzecki
  2016-09-21 17:27 ` [PATCH 0/2] systemd: use nss-resolve when systemd-resoveld is enable Khem Raj
  2 siblings, 0 replies; 4+ messages in thread
From: Maciej Borzecki @ 2016-09-21  8:19 UTC (permalink / raw)
  To: openembedded-core

Add nss-resolve to NSS hosts resolution service if systemd-resolved is
enabled via PACKAGECONFIG. This enables routing all DNS requests through
systemd-networkd by default.

Apply the following patches:
- 0023-nss-install-nss-modules-into-lib - makes sure that libnss_resolve
  and other nss modules end up in ${rootlibdir}
- 0024-resolved-when-processing-auxiliary-DNSSEC-transactio - backport
  v231 patch that fixes SERVFAIL handling, required for name resolution
  under qemu or in containers.

Signed-off-by: Maciej Borzecki <maciej.borzecki@rndity.com>
---
 .../0023-nss-install-nss-modules-into-lib.patch    | 64 ++++++++++++++++++++++
 ...en-processing-auxiliary-DNSSEC-transactio.patch | 49 +++++++++++++++++
 meta/recipes-core/systemd/systemd_230.bb           | 18 +++++-
 3 files changed, 129 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-core/systemd/systemd/0023-nss-install-nss-modules-into-lib.patch
 create mode 100644 meta/recipes-core/systemd/systemd/0024-resolved-when-processing-auxiliary-DNSSEC-transactio.patch

diff --git a/meta/recipes-core/systemd/systemd/0023-nss-install-nss-modules-into-lib.patch b/meta/recipes-core/systemd/systemd/0023-nss-install-nss-modules-into-lib.patch
new file mode 100644
index 0000000000000000000000000000000000000000..747d848a3e3917a69872cf68d77e26d66506a18e
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0023-nss-install-nss-modules-into-lib.patch
@@ -0,0 +1,64 @@
+From eb76a59139c5ca6355cf1ef9594dab8b73b9b1f5 Mon Sep 17 00:00:00 2001
+Message-Id: <eb76a59139c5ca6355cf1ef9594dab8b73b9b1f5.1474443269.git.maciej.borzecki@rndity.com>
+In-Reply-To: <cover.1474443269.git.maciej.borzecki@rndity.com>
+References: <cover.1474443269.git.maciej.borzecki@rndity.com>
+From: Maciek Borzecki <maciek.borzecki@gmail.com>
+Date: Tue, 20 Sep 2016 21:24:45 +0200
+Subject: [PATCH 1/2] nss: install nss modules into /lib
+
+NSS modules (libnss_*.so.*) need to be installed into
+${rootlibdir} (typically /lib) in order to be used. Previously, the
+modules were installed into ${libdir} (usually ${prefix}/lib), where in
+case of a split /usr, this would typically resolve to /usr/lib.
+
+Signed-off-by: Maciek Borzecki <maciek.borzecki@gmail.com>
+Signed-off-by: Maciej Borzecki <maciej.borzecki@rndity.com>
+
+---
+Upstream-Status: Pending
+
+ Makefile.am | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index dbd3386..0e2dca5 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -151,6 +151,7 @@ nodist_zshcompletion_DATA = $(nodist_zshcompletion_data)
+ endif
+ udevlibexec_PROGRAMS =
+ gperf_gperf_sources =
++rootlib_LTLIBRARIES =
+ 
+ in_files = $(filter %.in,$(EXTRA_DIST))
+ in_in_files = $(filter %.in.in, $(in_files))
+@@ -4931,7 +4932,7 @@ libnss_myhostname_la_LDFLAGS = \
+ libnss_myhostname_la_LIBADD = \
+ 	libsystemd-internal.la
+ 
+-lib_LTLIBRARIES += \
++rootlib_LTLIBRARIES += \
+ 	libnss_myhostname.la
+ endif
+ 
+@@ -5030,7 +5031,7 @@ libnss_mymachines_la_LDFLAGS = \
+ libnss_mymachines_la_LIBADD = \
+ 	libsystemd-internal.la
+ 
+-lib_LTLIBRARIES += \
++rootlib_LTLIBRARIES += \
+ 	libnss_mymachines.la
+ 
+ endif
+@@ -5321,7 +5322,7 @@ libnss_resolve_la_LIBADD = \
+ 	libsystemd-internal.la \
+         -ldl
+ 
+-lib_LTLIBRARIES += \
++rootlib_LTLIBRARIES += \
+ 	libnss_resolve.la
+ 
+ systemd_resolve_SOURCES = \
+-- 
+2.5.0
+
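Review bot: The header of this new patch file says "Upstream-Status: Pending", while the cover letter states the change "has been submitted upstream for inclusion in v232"; if it has been sent, "Upstream-Status: Submitted" with a pointer to the submission would let whoever does the next systemd upgrade decide quickly whether the patch can be dropped. The tag also sits below the "---" separator, which is the part git am discards, so placing it above the Signed-off-by lines keeps it attached to the commit if the patch is ever re-applied through git. In the embedded Makefile.am changes, the three switches from lib_LTLIBRARIES to rootlib_LTLIBRARIES are consistent with each other and with the added empty "rootlib_LTLIBRARIES =" initialisation.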
diff --git a/meta/recipes-core/systemd/systemd/0024-resolved-when-processing-auxiliary-DNSSEC-transactio.patch b/meta/recipes-core/systemd/systemd/0024-resolved-when-processing-auxiliary-DNSSEC-transactio.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6924ce712ca4e8bb3d9e59178515b8bef4e381a5
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0024-resolved-when-processing-auxiliary-DNSSEC-transactio.patch
@@ -0,0 +1,49 @@
+From 44f04e32cb66676446b70895278348910f3666c3 Mon Sep 17 00:00:00 2001
+Message-Id: <44f04e32cb66676446b70895278348910f3666c3.1474443269.git.maciej.borzecki@rndity.com>
+In-Reply-To: <cover.1474443269.git.maciej.borzecki@rndity.com>
+References: <cover.1474443269.git.maciej.borzecki@rndity.com>
+From: Lennart Poettering <lennart@poettering.net>
+Date: Thu, 23 Jun 2016 23:46:56 +0200
+Subject: [PATCH 2/2] resolved: when processing auxiliary DNSSEC transactions,
+ accept those with SERVFAIL
+
+Some upstream DNS servers return SERVFAIL if we ask them for DNSSEC RRs, which
+some forwarding DNS servers pass on to us as SERVFAIL (other though as
+NOERROR...). This is should not be considered a problem, as long as the domain
+in question didn't have DNSSEC enabled. Hence: when making use of auxiliary
+transactions accept those that return SERVFAIL.
+
+Signed-off-by: Maciej Borzecki <maciej.borzecki@rndity.com>
+---
+Upstream-Status: Backport from 231
+
+ src/resolve/resolved-dns-transaction.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
+index a4a6762..aa49e65 100644
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -626,14 +626,15 @@ static int dns_transaction_dnssec_ready(DnsTransaction *t) {
+                         return 0;
+ 
+                 case DNS_TRANSACTION_RCODE_FAILURE:
+-                        if (dt->answer_rcode != DNS_RCODE_NXDOMAIN) {
++                        if (!IN_SET(dt->answer_rcode, DNS_RCODE_NXDOMAIN, DNS_RCODE_SERVFAIL)) {
+                                 log_debug("Auxiliary DNSSEC RR query failed with rcode=%s.", dns_rcode_to_string(dt->answer_rcode));
+                                 goto fail;
+                         }
+ 
+-                        /* Fall-through: NXDOMAIN is good enough for us. This is because some DNS servers erronously
+-                         * return NXDOMAIN for empty non-terminals (Akamai...), and we need to handle that nicely, when
+-                         * asking for parent SOA or similar RRs to make unsigned proofs. */
++                        /* Fall-through: NXDOMAIN/SERVFAIL is good enough for us. This is because some DNS servers
++                         * erronously return NXDOMAIN/SERVFAIL for empty non-terminals (Akamai...) or missing DS
++                         * records (Facebook), and we need to handle that nicely, when asking for parent SOA or similar
++                         * RRs to make unsigned proofs. */
+ 
+                 case DNS_TRANSACTION_SUCCESS:
+                         /* All good. */
+-- 
+2.5.0
+
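Review bot: In the DNS_TRANSACTION_RCODE_FAILURE case the new IN_SET test lets an auxiliary DNSSEC query that returned SERVFAIL fall through to the success path on the rcode alone, whereas the commit text says this is only harmless "as long as the domain in question didn't have DNSSEC enabled"; that condition is not checked anywhere in the visible lines, so it is worth confirming (and saying in the recipe commit message) that the later validation step still rejects answers for signed zones before this relaxation ships in images that rely on DNSSEC. Separately, "Upstream-Status: Backport from 231" would be easier to audit with the upstream commit id next to it, since the hash in the From line of a re-exported patch is not necessarily the upstream one.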
diff --git a/meta/recipes-core/systemd/systemd_230.bb b/meta/recipes-core/systemd/systemd_230.bb
index 1276316a0cddeefecb34cf9422c94c3ed12f5381..4a78ff2e867c6b2484443612114c87c75b56a50e 100644
--- a/meta/recipes-core/systemd/systemd_230.bb
+++ b/meta/recipes-core/systemd/systemd_230.bb
@@ -36,7 +36,9 @@ SRC_URI += " \
            file://0021-include-missing.h-for-getting-secure_getenv-definiti.patch \
            file://0022-socket-util-don-t-fail-if-libc-doesn-t-support-IDN.patch \
            file://udev-re-enable-mount-propagation-for-udevd.patch \
-"
+           file://0023-nss-install-nss-modules-into-lib.patch \
+           file://0024-resolved-when-processing-auxiliary-DNSSEC-transactio.patch \
+           "
 SRC_URI_append_libc-uclibc = "\
            file://0002-units-Prefer-getty-to-agetty-in-console-setup-system.patch \
 "
@@ -452,7 +454,7 @@ FILES_${PN} = " ${base_bindir}/* \
                 ${rootlibexecdir}/systemd/* \
                 ${systemd_unitdir}/* \
                 ${base_libdir}/security/*.so \
-                ${libdir}/libnss_* \
+                ${rootlibdir}/libnss_* \
                 /cgroup \
                 ${bindir}/systemd* \
                 ${bindir}/busctl \
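Review bot: The FILES_${PN} entry now collects ${rootlibdir}/libnss_*, but the PAM modules on the line directly above are still collected with ${base_libdir}/security/*.so; unless the recipe guarantees that rootlibdir and base_libdir name the same directory, one of the two globs can miss its files and leave shared objects installed but unpackaged. Using ${base_libdir} here as well, or a sentence in the commit message saying where rootlibdir is set, would make that easy to verify.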
@@ -562,12 +564,24 @@ pkg_postinst_${PN} () {
 	sed -e '/^hosts:/s/\s*\<myhostname\>//' \
 		-e 's/\(^hosts:.*\)\(\<files\>\)\(.*\)\(\<dns\>\)\(.*\)/\1\2 myhostname \3\4\5/' \
 		-i $D${sysconfdir}/nsswitch.conf
+
+	if ${@bb.utils.contains('PACKAGECONFIG', 'resolved', 'true', 'false', d)}; then
+			# replace dns with resolve
+			sed -e 's/^hosts:\(.*\)dns\(.*\)/hosts:\1 resolve \2/' \
+					-i $D${sysconfdir}/nsswitch.conf
+	fi
 }
 
 pkg_prerm_${PN} () {
 	sed -e '/^hosts:/s/\s*\<myhostname\>//' \
 		-e '/^hosts:/s/\s*myhostname//' \
 		-i $D${sysconfdir}/nsswitch.conf
+
+	if ${@bb.utils.contains('PACKAGECONFIG', 'resolved', 'true', 'false', d)}; then
+			# restore dns
+			sed -e 's/^hosts:\(.*\)resolve\(.*\)/hosts:\1 dns \2/' \
+					-i $D${sysconfdir}/nsswitch.conf
+	fi
 }
 
 pkg_postinst_udev-hwdb () {
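Review bot: The new sed expressions in pkg_postinst and pkg_prerm match a bare "dns" and a bare "resolve", without the word-boundary anchors that the myhostname expressions just above them use; because \(.*\) is greedy, the last occurrence on the hosts: line is the one rewritten, so a later module whose name contains dns, such as mdns4, would be edited instead of the dns entry. Suggest anchoring both patterns on word boundaries and dropping the literal spaces around the replacement, which otherwise add whitespace on every install and remove cycle. Please also confirm that host lookups still work when systemd-resolved is not running, or keep dns after resolve as a fallback rather than replacing it; as written, the prerm step turns any resolve entry into dns, including one an administrator added by hand. The three-tab indentation inside the two if blocks differs from the single-tab body used by the rest of these functions.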
-- 
2.5.0




* Re: [PATCH 0/2] systemd: use nss-resolve when systemd-resoveld is enable
  2016-09-21  8:19 [PATCH 0/2] systemd: use nss-resolve when systemd-resoveld is enable Maciej Borzecki
  2016-09-21  8:19 ` [PATCH 1/2] systemd: fix indentation Maciej Borzecki
  2016-09-21  8:19 ` [PATCH 2/2] systemd: use nss-resolve by default if resolved is enabled Maciej Borzecki
@ 2016-09-21 17:27 ` Khem Raj
  2 siblings, 0 replies; 4+ messages in thread
From: Khem Raj @ 2016-09-21 17:27 UTC (permalink / raw)
  To: Maciej Borzecki; +Cc: Patches and discussions about the oe-core layer

On Wed, Sep 21, 2016 at 1:19 AM, Maciej Borzecki
<maciej.borzecki@rndity.com> wrote:
> A patch series that enables use of nss-resolve (systemd's NSS service module) if
> systemd-networkd is enabled via PACKAGECONFIG.
>
> The first patch is a trivial formatting change.
>
> The second patch does the following:
>
> - replace dns with resolve in /etc/nsswitch.conf if systemd-resolved is enabled
>
> - applies a patch fixing the location of libnss_* services provided by systemd
>   (the patch has been submitted upstream for inclusion in v232)
>
> - applies a patch that fixes SERVFAIL handling, this restores the ability to
>   properly resolve names under qemu (backport from v231)
>
> Maciej Borzecki (2):
>   systemd: fix indentation
>   systemd: use nss-resolve by default if resolved is enabled
>


These changes look fine to me.

>  .../0023-nss-install-nss-modules-into-lib.patch    | 64 ++++++++++++++++++++++
>  ...en-processing-auxiliary-DNSSEC-transactio.patch | 49 +++++++++++++++++
>  meta/recipes-core/systemd/systemd_230.bb           | 22 ++++++--
>  3 files changed, 131 insertions(+), 4 deletions(-)
>  create mode 100644 meta/recipes-core/systemd/systemd/0023-nss-install-nss-modules-into-lib.patch
>  create mode 100644 meta/recipes-core/systemd/systemd/0024-resolved-when-processing-auxiliary-DNSSEC-transactio.patch
>
> --
> 2.5.0
>


