Control: fixed -1 256~rc3-3

On Tue, 4 Jun 2024 15:24:19 -0700 Noah Meyerhans <no...@debian.org>
wrote:
> Control: reassign -1 libnss-myhostname
> Control: affects -1 cloud.debian.org
> Control: retitle -1 incorrect nsswitch.conf entry for nss-myhostname
> 
> On Sat, Jun 01, 2024 at 11:13:32PM +0000, Michael Salivar wrote:
> >    * What led up to the situation?
> > 
> > This was not previously an issue some months back as I deployed
> > previous labs with the same scripts, but affected Bookworm deployments
> > on 2024-06-01 in Azure.
> > 
> > I found that the /etc/hosts IPv4 loopback was not configured with the real
> > hostname.  This results in sudo taking approximately 20 seconds to
> > prompt for password, or run command in the case of passwordless.
> > 
> >    * What exactly did you do (or not do) that was effective (or
> >      ineffective)?
> > 
> > I changed the IPv4 loopback in /etc/hosts to include the real
> > hostname like so:
> > 
> > 127.0.0.1 localhost realhostname
> > 
> > Sudo now works as expected
> 
> It's not /etc/hosts, and in fact we haven't changed the content of
> /etc/hosts in the cloud images.  However, we did switch from installing
> nss-resolve to nss-hostname ([1], [2]), which has uncovered a bug in the
> systemd packaging.
> 
> The hosts entry in /etc/nsswitch.conf in current cloud images looks
> like:
> hosts:          files dns myhostname
> 
> What this means is that, when trying to map between hostnames and
> addresses, glibc will first consult /etc/hosts (which is why your change
> to /etc/hosts seems to resolve the problem), then DNS, and then
> nss-myhostname, which synthesizes responses for certain queries.
> 
> The problem is that DNS is being consulted unnecessarily, and if DNS
> resolution is slow or unresponsive for any reason, that will be
> reflected in the response.
> 
> Per the nss-myhostname(8) documentation [3], "It is recommended to place
> "myhostname" after "file" and before "dns". This resolves well-known
> hostnames like "localhost" and the machine hostnames locally." However,
> the nss-myhostname package in bookworm does not adhere to this
> recommendation, instead adding the myhostname entry to the *end* of the
> module list.
> 
> This has recently been fixed in the systemd packages for sid/trixie. [4]
> I'm going to reassign this to the systemd maintainers for now to see if
> they're willing to backport (or accept a merge request to backport) this
> fix to bookworm for an upcoming point release.  If they aren't willing
> to do that (the blast radius for such a change is wide and they may not
> be comfortable introducing it in a stable release), then we can consider
> making the change in the cloud images.  That's less desirable because it
> introduces a change to a conffile, which will introduce issues on
> upgrades, but we will see.

Such a change in a stable release would be very risky, and at the very
least it would need to get buy-in from the release team in advance. If
you want to ask RT if they are ok with it, and then thoroughly test it
and provide a MR, with RT's blessings, then I will merge it and include
it in the next point release.

-- 
Kind regards,
Luca Boccassi

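A check for the nsswitch.conf ordering issue described in the quoted reply, added here as an example and not part of the bug report or of the Debian packaging; the sample file content and the function names are constructed for illustration:

```python
# Check the hosts: line of an nsswitch.conf for the ordering issue in this bug:
# nss-myhostname(8) recommends "myhostname" after "files" and before "dns", so
# that the local hostname is answered without waiting on DNS.

def hosts_tokens(nsswitch_text):
    """Return the tokens after 'hosts:' (modules and [action] specs), comments stripped."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line[len("hosts:"):].split()
    return []

def check_myhostname_order(tokens):
    """Return (ok, reason); [action] specs such as [NOTFOUND=return] are ignored."""
    modules = [t for t in tokens if not t.startswith("[")]
    if "myhostname" not in modules:
        return False, "myhostname is not listed on the hosts: line"
    pos = modules.index("myhostname")
    if "dns" in modules and pos > modules.index("dns"):
        return False, "myhostname comes after dns: lookups of the local hostname wait on DNS"
    if "files" in modules and pos < modules.index("files"):
        return False, "myhostname comes before files: /etc/hosts entries would be shadowed"
    return True, "myhostname sits after files and before dns"

def fixed_hosts_line(tokens):
    """Rebuild the hosts: line with myhostname moved to just before the first dns module."""
    rest = [t for t in tokens if t != "myhostname"]
    if "dns" in rest:
        rest.insert(rest.index("dns"), "myhostname")
    else:
        rest.append("myhostname")
    return "hosts:          " + " ".join(rest)

# Constructed sample mirroring the bookworm cloud-image line quoted in the bug.
BOOKWORM_SAMPLE = """# /etc/nsswitch.conf (constructed excerpt)
passwd:         files systemd
group:          files systemd
hosts:          files dns myhostname
"""

if __name__ == "__main__":
    tokens = hosts_tokens(BOOKWORM_SAMPLE)
    ok, reason = check_myhostname_order(tokens)
    print("current:  ", " ".join(tokens), "->", "OK" if ok else "BAD", "-", reason)
    if not ok:
        print("suggested:", fixed_hosts_line(tokens))
```

Run against the real file with `hosts_tokens(open("/etc/nsswitch.conf").read())` to see whether a host carries the bookworm ordering; the suggested line is only printed, never written back.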