[Freedombox-pkg-team] Bug#877935: Bug#877935: freedombox-setup: Consider switch from libnss-gw-name to systemd-resolved and libnss-resolve

Sunil Mohan Adapa sunil at medhas.org
Mon Oct 16 04:13:06 UTC 2017


On Saturday 07 October 2017 07:55 PM, James Valleroy wrote:
[...]
> There is an RFA (#805266) for libnss-gw-name. The current maintainer
> mentions that systemd-resolved and libnss-resolve provide the same
> functionality as libnss-gw-name. We should consider whether to switch
> to these alternatives.

systemd-resolved's name resolution is quite well suited for FreedomBox's
purposes and we are better off using it.  The DNSSEC plan is not as great
as the unbound+NetworkManager combination.  It works nicely with
NetworkManager, which we are using to configure network connections.  I
don't know how well it would sit with our plan of using bind as an
authoritative server.

Here are things I found:

- Use systemd-resolved.  This is already happening because vmdebootstrap
enables both systemd-networkd and systemd-resolved unless
--no-systemd-networkd is specified (which we are not doing).  Having the
daemon running is good for clients that talk the native systemd-resolved
protocol for making DNS queries.  This means that some of the recent images
that we have built should already be running systemd-resolved by default.
However, we need to worry about people upgrading from an older version
of FreedomBox.

- systemd-resolved does not clash ports with the bind9 that we have.  The
former listens on 127.0.0.53%lo:53 and the latter on 127.0.0.1:53 and :::53,
and apparently that is not a clash.  I verified both to be working fine no
matter which one starts first.

- Make /etc/resolv.conf a symlink to /run/systemd/resolved/resolv.conf.
/etc/resolv.conf is useful for programs that use this file directly to
make their DNS queries.  Again vmdebootstrap does this for us during
image build.  This means that some of the recent images that we have
built should already be using systemd-resolved via /etc/resolv.conf.
Again we need to think about people upgrading from an older version of FreedomBox.

- Make NetworkManager use systemd-resolved.  This is necessary because
when a connection is brought up and an upstream DHCP server provides a
list of DNS servers, these must be used instead of whatever
systemd-resolved is using.  Likewise, they must be removed when a
connection is down.  In order to make this integration happen, we don't
have to do anything and things are already integrated.  When the NetworkManager
configuration of 'dns=' is not specified, and if /etc/resolv.conf is
symlinked to use systemd-resolved, then NetworkManager automatically
uses systemd-resolved.  This means DNS servers from upstream DHCP
servers are added to and removed from systemd-resolved by NetworkManager.

- Use libnss-resolve.  We can add this as a dependency and remove
libnss-gw-name.  This will edit /etc/nsswitch.conf such that glibc
based programs send DNS queries to systemd-resolved before even
considering /etc/resolv.conf.  This also gives proper DNSSEC if enabled.  When
systemd-resolved is not running, this does not cause a problem as
nsswitch is configured to fall back to the usual mechanism in such a
scenario.  libnss-resolve seems to enable systemd-resolved and make the
necessary changes to /etc/nsswitch.conf.

- Deal with the problem of systemd-resolved not running in the chroot and
causing freedom-maker image build failures.  vmdebootstrap incorrectly
turns off predictable network names and systemd-resolved when
--no-systemd-networkd is passed.  Joseph and I are still facing this
issue; the related bug has been closed as non-reproducible.  A workaround
could be that we copy the host /etc/resolv.conf to the chroot /etc/resolv.conf
temporarily and restore the symlink to /run/systemd/resolved/resolv.conf
when we are done.

Thanks,

-- 
Sunil
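Added example, not part of Sunil's mail and not code from FreedomBox or freedom-maker: POSIX shell helpers that check the layout the bullets above describe (the /etc/resolv.conf symlink, the nsswitch.conf hosts order that libnss-resolve sets up, and whether two port-53 listeners actually overlap) and implement the chroot workaround from the last bullet. All paths are parameters so the checks can run against a constructed directory tree; the function names, the "address port" listener-list format, the `.orig` backup name and the demo are my own assumptions, and the clash check assumes an IPv6 wildcard (::) does not cover IPv4 addresses (a daemon that sets IPV6_V6ONLY), which is what makes 127.0.0.53%lo:53 beside 127.0.0.1:53 and :::53 come out as no clash, matching the observation in the mail.

```shell
#!/bin/sh
# Added example (not from the original mail or from freedom-maker).
# Helpers to check the resolver layout discussed in the thread and to apply
# the chroot resolv.conf workaround.  Paths are parameters so the checks can
# be run against a constructed directory tree rather than the live system.

RESOLVED_STUB=/run/systemd/resolved/resolv.conf   # stub that systemd-resolved maintains

# resolv_conf_uses_resolved ROOT
# True when ROOT/etc/resolv.conf is a symlink to the systemd-resolved stub.
resolv_conf_uses_resolved() {
    f="$1/etc/resolv.conf"
    [ -L "$f" ] && [ "$(readlink "$f")" = "$RESOLVED_STUB" ]
}

# nsswitch_prefers_resolve FILE
# True when the hosts: line lists "resolve" ahead of "dns", i.e. glibc asks
# systemd-resolved first and only falls back to /etc/resolv.conf when the
# daemon is unavailable (the layout libnss-resolve installs).
nsswitch_prefers_resolve() {
    awk '
        /^[[:space:]]*hosts:/ && !seen {
            seen = 1
            for (i = 2; i <= NF; i++) {
                if ($i == "resolve" && !r) r = i
                if ($i == "dns"     && !d) d = i
            }
            ok = (r && (!d || r < d))
        }
        END { exit !(seen && ok) }
    ' "$1"
}

# dns_listeners_clash FILE
# FILE holds one "address port" pair per line (gathered from ss/netstat by
# the caller; constructed input in the demo).  Exit 0 when two port-53
# listeners overlap: identical addresses, or a wildcard (0.0.0.0 / ::) of the
# same address family.  Assumption: :: covers IPv6 only (IPV6_V6ONLY set).
dns_listeners_clash() {
    awk '
        function fam(a) { return index(a, ":") ? 6 : 4 }
        $2 == 53 {
            a = $1; sub(/%.*/, "", a)            # drop a scope id such as %lo
            n++; addr[n] = a; f[n] = fam(a)
        }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++) {
                    if (f[i] != f[j]) continue
                    if (addr[i] == addr[j]) exit 0
                    if (addr[i] == "0.0.0.0" || addr[i] == "::" ||
                        addr[j] == "0.0.0.0" || addr[j] == "::") exit 0
                }
            exit 1
        }
    ' "$1"
}

# with_host_resolv_conf HOSTCONF ROOT CMD...
# Workaround for systemd-resolved not running inside the build chroot: park
# ROOT/etc/resolv.conf (normally the symlink), copy HOSTCONF in its place,
# run CMD, then put the original back whatever CMD's exit status was.
with_host_resolv_conf() {
    host_conf="$1"; root="$2"; shift 2
    target="$root/etc/resolv.conf"
    backup="$target.orig"                        # backup name is an assumption
    if [ -e "$target" ] || [ -L "$target" ]; then
        mv "$target" "$backup"
    fi
    cp "$host_conf" "$target"
    if "$@"; then status=0; else status=$?; fi
    rm -f "$target"
    if [ -e "$backup" ] || [ -L "$backup" ]; then
        mv "$backup" "$target"
    fi
    return $status
}

# Stand-alone demo on a constructed tree: sh thisfile --demo
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/root/etc"
    ln -s "$RESOLVED_STUB" "$d/root/etc/resolv.conf"
    printf 'hosts: files resolve [!UNAVAIL=return] dns\n' > "$d/nsswitch.conf"
    printf '127.0.0.53%%lo 53\n127.0.0.1 53\n:: 53\n' > "$d/listeners"
    resolv_conf_uses_resolved "$d/root" && echo "resolv.conf -> resolved stub"
    nsswitch_prefers_resolve "$d/nsswitch.conf" && echo "nsswitch asks resolve before dns"
    dns_listeners_clash "$d/listeners" || echo "no port 53 clash among listeners"
    rm -rf "$d"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

The listener check deliberately treats only exact duplicates and same-family wildcards as a clash; if bind9 were reconfigured to listen on 0.0.0.0:53 the check would flag the overlap with 127.0.0.53:53, which is the case worth catching before an upgrade.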
