Bug#846944: Installing libnss-resolve before libnss-mdns breaks mDNS name resolution

Michael Biebl biebl at debian.org
Thu Dec 8 14:20:34 GMT 2016


On 04.12.2016 at 15:36, Alexander Kurtz wrote:
> Package: libnss-resolve
> Version: 232-6
> Severity: serious
> Justification: Breaks another package
> 
> Hi!
> 
> A freshly installed Debian Stretch system will have a
> /etc/nsswitch.conf like this (see libc-bin's postinst and/or
> /usr/share/libc-bin/nsswitch.conf):
> 
> 	# /etc/nsswitch.conf
> 	#
> 	# Example configuration of GNU Name Service Switch functionality.
> 	# If you have the `glibc-doc-reference' and `info' packages installed, try:
> 	# `info libc "Name Service Switch"' for information about this file.
> 
> 	passwd:         compat
> 	group:          compat
> 	shadow:         compat
> 	gshadow:        files
> 
> 	hosts:          files dns
> 	networks:       files
> 
> 	protocols:      db files
> 	services:       db files
> 	ethers:         db files
> 	rpc:            db files
> 
> 	netgroup:       nis
> 
> Installing libnss-resolve makes these changes:
> 
> 	--- nsswitch.conf	2016-12-04 15:16:42.701978711 +0100
> 	+++ /etc/nsswitch.conf	2016-12-04 15:16:51.965961200
> +0100
> 	@@ -9,7 +9,7 @@
> 	 shadow:         compat
> 	 gshadow:        files
> 	 
> 	-hosts:          files dns
> 	+hosts:          files resolve [!UNAVAIL=return] dns
> 	 networks:       files
> 	 
> 	 protocols:      db files
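Review bot: The `[!UNAVAIL=return]` action on the added `hosts:` line stops the lookup at `resolve` for every status except UNAVAIL, so any module that another package later inserts between `resolve` and `dns` is never consulted while resolved is running. Either document that ordering requirement for other NSS packages, or make the insertion place `resolve` after the modules that have to answer first.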
> 
> If the user then installs for example the "gnome" meta package, 
> libnss-mdns and libnss-myhostname will be installed as well because of
> these dependencies/recommendations: 
> 
> 	gnome -> avahi-daemon -> libnss-mdns
> 	gnome -> gnome-core -> gnome-control-center -> libnss-myhostname
> 
> This results in the following hosts line:
> 
> 	hosts:          files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] dns myhostname
> 
> However, because of the "[!UNAVAIL=return]" introduced with [0],
> nothing after "resolve" will actually be tried. This is mostly
> harmless, since "resolve" provides a superset of "dns" and
> "myhostname", but it breaks mDNS as resolved currently does not resolve
> mDNS names like "foo.local".
> 
> Please note, that
> 
>  a) This bug depends on the order of package installations. Installing 
>     libnss-resolve *AFTER* everything else will avoid the problem.

Installing libnss-mdns, then libnss-resolve leads to

hosts:          files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns

Installing libnss-resolve, then libnss-mdns leads to

hosts:          files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] dns


So maybe the "obvious" fix is to change libnss-mdns to always insert itself
before dns *and* resolve? On the other hand, it's quite ugly that mdns needs to
be taught to cope with this new nss module.

Martin, Simon, what's your take on this?
With multiple packages mangling nsswitch.conf, this feels like it's becoming very brittle
and maybe we need a proper API like pam-auth-update.

Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
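
The two orderings compared in this message, walked through the NSS action rules (an added example, not part of the original mail or of any Debian package). The function names are hypothetical and the per-module statuses for a `foo.local` query are constructed, with `resolve` assumed to answer NOTFOUND.

```python
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")

def parse_hosts(line):
    """Parse a 'hosts:' line into [(module, {status: action})]."""
    chain = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", line.split(":", 1)[1]):
        if not tok.startswith("["):
            # glibc default: stop on SUCCESS, otherwise try the next module.
            actions = dict.fromkeys(STATUSES, "continue")
            actions["SUCCESS"] = "return"
            chain.append((tok, actions))
            continue
        for item in tok[1:-1].split():
            cond, action = item.upper().split("=")
            # "!STATUS" applies the action to every status except STATUS.
            hit = [s for s in STATUSES if s != cond[1:]] if cond[0] == "!" else [cond]
            for status in hit:
                chain[-1][1][status] = action.lower()
    return chain

def lookup(chain, status_of):
    """Walk the chain; return (module, status) where the lookup stops."""
    module, status = None, "UNAVAIL"
    for module, actions in chain:
        status = status_of.get(module, "UNAVAIL")
        if actions[status] == "return":
            break
    return module, status

def shadowed(chain):
    """Modules reached only when an earlier module reports UNAVAIL."""
    for i, (_, actions) in enumerate(chain):
        if all(actions[s] == "return" for s in STATUSES if s != "UNAVAIL"):
            return [m for m, _ in chain[i + 1:]]
    return []

# The two hosts lines quoted in the message.
MDNS_FIRST = "hosts: files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns"
RESOLVE_FIRST = "hosts: files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] dns"
# Constructed statuses for a "foo.local" query (assumption: resolve says NOTFOUND).
FOO_LOCAL = {"files": "NOTFOUND", "resolve": "NOTFOUND",
             "mdns4_minimal": "SUCCESS", "dns": "NOTFOUND"}

if __name__ == "__main__":
    for line in (MDNS_FIRST, RESOLVE_FIRST):
        chain = parse_hosts(line)
        print(line, "->", lookup(chain, FOO_LOCAL), "shadowed:", shadowed(chain))
```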
