On 06/12/2018 13:36, Lennart Poettering wrote:
> nss-systemd should be in nsswitch.conf by default. It's required for systemd's DynamicUser=1 option to work correctly, and that's core service functionality. Hence, given that systemd is Fedora's PID 1, nss-systemd should also be in nsswitch.conf unconditionally (in the 'passwd' and 'group' lines). A system where nss-systemd is not enabled is simply broken right now.
>
> nss-myhostname should be in nsswitch.conf by default too. It's very minimal, and just makes sure the local hostname remains resolvable all the time. By enabling this, installers and image generators don't have to patch /etc/hosts anymore like they traditionally did, in fact they can remove it altogether and just leave resolution of the local hostname to the module, and it will magically follow whatever is currently set via sethostname(). This module should be in the 'hosts' line.

Based on my experimentation with an F29 live image last week both nss-systemd and nss-myhostname are in the default configuration.

> Then there is nss-mymachines. It's primarily useful if systemd-machined or systemd-nspawn is used. Given that those are now part of the 'systemd-container' RPM it would be OK to also add nss-mymachines to nsswitch.conf only when the RPM is installed, if there's a concept for that. That said, in order to simplify things, and given that systemd is a very core part of the OS I'd personally just put it statically in nsswitch.conf too by default. After all a missing NSS module listed in nsswitch.conf is just skipped, hence this should not matter. This module should be in the 'passwd', 'group' and 'hosts' lines.
>
> Finally, there's nss-resolve. It's the client side to systemd-resolved. It's the client side to systemd-resolved's DNS/mDNS/LLMNR/DoT/DNSSEC stack. systemd-resolved is not default in Fedora right now. Quite frankly I think it should be, but that's another political discussion (and I am not sure I am ready to have it right now). The module is benign though: if resolved is not running it doesn't do anything. It only does its thing if resolved is running. Thus I'd also suggest to just enable it by default, and simplify things because then people can use resolved just by doing "systemctl enable systemd-resolved" and don't need to do anything else. This module should be in the 'hosts' line.

Equally, neither nss-mymachines nor nss-resolve appear to be in the default configuration on an F29 image.

Tom

-- 
Tom Hughes (tom@xxxxxxxxxx)
http://compton.nu/
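
The module placement proposed in the quoted message can be checked against a given nsswitch.conf. The following is an added example, not code from either poster or from systemd: the function names are hypothetical, the sample file is constructed, and it assumes the usual convention that a module nss-NAME is listed in nsswitch.conf as NAME.

```python
import re

# Module placement as proposed in the quoted message
# (NSS service name -> databases it should be listed under).
EXPECTED = {
    "systemd": ("passwd", "group"),
    "myhostname": ("hosts",),
    "mymachines": ("passwd", "group", "hosts"),
    "resolve": ("hosts",),
}

def parse_nsswitch(text):
    """Return {database: [service, ...]}, dropping comments and [STATUS=action] items."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        sources = re.sub(r"\[[^\]]*\]", " ", sources)  # e.g. [NOTFOUND=return]
        databases[name.strip()] = sources.split()
    return databases

def missing_modules(text, expected=EXPECTED):
    """Return sorted (module, database) pairs the proposal lists but the file lacks."""
    databases = parse_nsswitch(text)
    return sorted(
        (module, db)
        for module, dbs in expected.items()
        for db in dbs
        if module not in databases.get(db, [])
    )

# Constructed sample, not copied from any real image: systemd and myhostname
# are present, mymachines and resolve are absent.
SAMPLE = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     sss files systemd
group:      sss files systemd   # trailing comment
hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostname
services:   files sss
"""

if __name__ == "__main__":
    for module, db in missing_modules(SAMPLE):
        print(f"{db}: '{module}' is not listed")
```

To audit a real system, pass the contents of /etc/nsswitch.conf to missing_modules() instead of SAMPLE.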