Bug#1072380: cloud.debian.org: Azure deployment misconfigures /etc/hosts resulting in slow sudo
Luca Boccassi
bluca at debian.org
Tue Jun 4 23:53:17 BST 2024
Control: fixed -1 256~rc3-3
On Tue, 4 Jun 2024 15:24:19 -0700 Noah Meyerhans <noahm at debian.org> wrote:
> Control: reassign -1 libnss-myhostname
> Control: affects -1 cloud.debian.org
> Control: retitle -1 incorrect nsswitch.conf entry for nss-myhostname
>
> On Sat, Jun 01, 2024 at 11:13:32PM +0000, Michael Salivar wrote:
> > * What led up to the situation?
> >
> > This was not previously an issue some months back as I deployed
> > previous labs with the same scripts, but it affected Bookworm deployments
> > on 2024-06-01 in Azure.
> >
> > I found that the /etc/hosts IPv4 loopback entry was not configured with the
> > real hostname. This results in sudo taking approximately 20 seconds to
> > prompt for a password, or to run the command in the passwordless case.
> >
> > * What exactly did you do (or not do) that was effective (or
> > ineffective)?
> >
> > I changed the IPv4 loopback entry in /etc/hosts to include the real
> > hostname like so:
> >
> > 127.0.0.1 localhost realhostname
> >
> > Sudo now works as expected.
>
> It's not /etc/hosts, and in fact we haven't changed the content of
> /etc/hosts in the cloud images. However, we did switch from installing
> nss-resolve to nss-hostname ([1], [2]), which has uncovered a bug in the
> systemd packaging.
>
> The hosts entry in /etc/nsswitch.conf in current cloud images looks
> like:
>
> hosts: files dns myhostname
>
> What this means is that, when trying to map between hostnames and
> addresses, glibc will first consult /etc/hosts (which is why your change
> to /etc/hosts seems to resolve the problem), then DNS, and then
> nss-myhostname, which synthesizes responses for certain queries.
>
> The problem is that DNS is being consulted unnecessarily, and if DNS
> resolution is slow or unresponsive for any reason, that will be
> reflected in the response.
>
> Per the nss-myhostname(8) documentation [3], "It is recommended to place
> "myhostname" after "file" and before "dns". This resolves well-known
> hostnames like "localhost" and the machine hostnames locally." However,
> the nss-myhostname package in bookworm does not adhere to this
> recommendation, instead adding the myhostname entry to the *end* of the
> module list.
>
> This has recently been fixed in the systemd packages for sid/trixie. [4]
> I'm going to reassign this to the systemd maintainers for now to see if
> they're willing to backport (or accept a merge request to backport) this
> fix to bookworm for an upcoming point release. If they aren't willing
> to do that (the blast radius for such a change is wide and they may not
> be comfortable introducing it in a stable release), then we can consider
> making the change in the cloud images. That's less desirable because it
> introduces a change to a conffile, which will introduce issues on
> upgrades, but we will see.
Such a change in a stable release would be very risky, and at the very
least it would need to get buy-in from the release team in advance. If
you want to ask RT if they are ok with it, and then thoroughly test it
and provide a MR, with RT's blessings, then I will merge it and include
it in the next point release.
--
Kind regards,
Luca Boccassi
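The thread turns on the order of modules on the `hosts:` line of /etc/nsswitch.conf: with `files dns myhostname`, a lookup of the machine's own hostname that is absent from /etc/hosts goes out to DNS before nss-myhostname gets a chance to answer it locally, and sudo waits on that DNS round trip. The POSIX shell snippet below is an added example, not part of the bug report or of the systemd packaging: it parses the `hosts:` line of a given nsswitch.conf, flags the ordering described above (dns listed before myhostname), and emits the line with myhostname moved directly after files, as the nss-myhostname(8) text quoted in the thread recommends. The sample configuration contents are constructed for the demonstration; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the systemd package): check the
# module order on the "hosts:" line of an nsswitch.conf and print a corrected
# line. Function names and sample file contents are constructed here.

# Print the whitespace-separated module names on the hosts: line of file $1,
# with the "hosts:" key and any trailing comment removed.
nss_hosts_modules() {
    sed -n 's/^[[:space:]]*hosts:[[:space:]]*//p' "$1" | sed 's/#.*//'
}

# Exit status: 0 if myhostname is listed before dns (or dns is absent),
#              1 if dns precedes myhostname (the ordering that makes sudo wait on DNS),
#              2 if myhostname is not listed at all.
nss_hosts_order_ok() {
    mods=$(nss_hosts_modules "$1")
    seen_dns=0
    for m in $mods; do
        case "$m" in
            dns) seen_dns=1 ;;
            myhostname)
                if [ "$seen_dns" -eq 0 ]; then return 0; fi
                return 1 ;;
        esac
    done
    return 2
}

# Print a hosts: line with myhostname placed directly after files and all
# other modules kept in their original relative order.
nss_hosts_fixed_line() {
    mods=$(nss_hosts_modules "$1")
    out=""
    for m in $mods; do
        case "$m" in
            myhostname) ;;                          # dropped here, re-inserted after files
            files) out="$out files myhostname" ;;
            *) out="$out $m" ;;
        esac
    done
    printf 'hosts:%s\n' "$out"
}

# Demonstration on a constructed nsswitch.conf matching the cloud-image
# ordering quoted in the thread.
demo_dir=$(mktemp -d)
printf 'passwd:         files\nhosts:          files dns myhostname\n' > "$demo_dir/nsswitch.conf"
if nss_hosts_order_ok "$demo_dir/nsswitch.conf"; then
    echo "hosts: module order is fine"
else
    echo "hosts: dns is consulted before myhostname; recommended line:"
    nss_hosts_fixed_line "$demo_dir/nsswitch.conf"
fi
rm -rf "$demo_dir"
```

Run it against a real file with `nss_hosts_order_ok /etc/nsswitch.conf`; the check only reads the file and never edits it, so applying the printed line remains a deliberate conffile change of the kind the thread discusses. On a live system, timing `getent hosts "$(hostname)"` before and after such a change shows whether the lookup is still leaving the host.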