URL: https://github.com/SSSD/sssd/pull/5722 Author: grawity Title: #5722: NSS client: avoid using NETDB_INTERNAL if daemon is not available Action: opened
PR body: """ It seems that returning NETDB_INTERNAL as h_errno will cause glibc's getaddrinfo() to immediately return EAI_SYSTEM *without* falling through to other configured NSS modules.
This means that if /etc/nsswitch.conf has 'sss' listed before 'dns' (for example), hostname resolution will be completely broken whenever SSSD is not running.
(Even hostname lookups done by SSSD itself will fail, as the _SSS_LOOPS environment variable merely forces errno=0 but the getaddrinfo() call as a whole still returns EAI_SYSTEM.)
This commit makes the NSS client return h_errno=NO_RECOVERY, as that's what systemd's nss-resolve and nss-mymachines seem to be doing. """
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5722/head:pr5722
git checkout pr5722
URL: https://github.com/SSSD/sssd/pull/5722 Author: grawity Title: #5722: NSS client: avoid using NETDB_INTERNAL if daemon is not available Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5722 Title: #5722: NSS client: avoid using NETDB_INTERNAL if daemon is not available
grawity commented: """ (Should failures from sss_nss_gethost_readrep() be handled the same way? I'm not sure. They *do* return NSS_STATUS_TRYAGAIN, so it feels like they should be setting h_errno to NO_RECOVERY as well.) """
See the full comment at https://github.com/SSSD/sssd/pull/5722#issuecomment-883935953
URL: https://github.com/SSSD/sssd/pull/5722 Title: #5722: NSS client: avoid using NETDB_INTERNAL if daemon is not available
sumit-bose commented: """ Hi,
thanks for the patch. According to the comment https://sourceware.org/git/?p=glibc.git;a=blob;f=resolv/nss_dns/dns-host.c;h... returning `NO_RECOVERY` if SSSD is not running makes sure that other sources are used as well.
In the `sss_nss_gethost_readrep()` this is different because here `ERANGE` can be returned to indicate that the supplied buffer is too small to carry all results. Here it is expected that glibc immediately returns this information to the caller without looking at other modules and the caller repeats the call with an increased buffer.
I will run some tests with your patch to understand the general glibc behavior better.
bye, Sumit """
See the full comment at https://github.com/SSSD/sssd/pull/5722#issuecomment-891764934
URL: https://github.com/SSSD/sssd/pull/5722 Title: #5722: NSS client: avoid using NETDB_INTERNAL if daemon is not available
alexey-tikhonov commented: """ Hi @sumit-bose , did you have a chance to take a look at this? """
See the full comment at https://github.com/SSSD/sssd/pull/5722#issuecomment-932140451
URL: https://github.com/SSSD/sssd/pull/5722 Title: #5722: NSS client: avoid using NETDB_INTERNAL if daemon is not available
sumit-bose commented: """
> Hi @sumit-bose , did you have a chance to take a look at this?
Hi,
thanks for the reminder. I'm fine with the patch as it is. Imo `NETDB_INTERNAL` should still be used after calling `sss_nss_gethost_readrep()` because the most common issue would be `ERANGE` where the caller should increase the buffer immediately. There is `EBADMSG` as well, which mostly would indicate internal errors, like e.g. not enough data sent by the nss responder. Here I think a hard error would be better instead of a fallback to other configured modules which would hide the issue. So, ACK.
bye, Sumit """
See the full comment at https://github.com/SSSD/sssd/pull/5722#issuecomment-933294156
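The error policy agreed in the thread above, as an added example that is not SSSD's or glibc's code: a simplified C model of a module list where the first module's daemon is down, comparing `NETDB_INTERNAL` (before the patch) with `NO_RECOVERY` (after), while reply errors (`ERANGE`, `EBADMSG`) stay hard. The `enum fail` cases, `module_result()`, `resolve()` and the `NSS_STATUS_UNAVAIL` status for a stopped daemon are assumptions of this sketch; it needs glibc's `<nss.h>`.

```c
#define _DEFAULT_SOURCE 1   /* exposes NETDB_INTERNAL in <netdb.h> */
#include <errno.h>
#include <netdb.h>
#include <nss.h>

/* Constructed failure cases for a hypothetical NSS module. */
enum fail { OK, DAEMON_DOWN, REPLY_ERANGE, REPLY_EBADMSG };
enum outcome { ANSWERED, NOT_FOUND, HARD_ERROR };

/* Module side. down_herr is the h_errno used when the daemon is not
 * running: NETDB_INTERNAL before the patch, NO_RECOVERY after it. */
static enum nss_status module_result(enum fail f, int down_herr,
                                     int *errnop, int *h_errnop)
{
    if (f == OK)
        return NSS_STATUS_SUCCESS;
    if (f == DAEMON_DOWN) {   /* status value is assumed in this sketch */
        *h_errnop = down_herr;
        return NSS_STATUS_UNAVAIL;
    }
    /* Reply errors stay hard: ERANGE asks the caller for a larger
     * buffer, EBADMSG is an internal error that must not be hidden. */
    *errnop = (f == REPLY_ERANGE) ? ERANGE : EBADMSG;
    *h_errnop = NETDB_INTERNAL;
    return NSS_STATUS_TRYAGAIN;
}

/* Caller side: simplified model of the dispatch the thread describes.
 * NETDB_INTERNAL stops the walk (getaddrinfo() reports EAI_SYSTEM);
 * any other h_errno falls through to the next configured module. */
static enum outcome resolve(const enum fail *mods, int n, int down_herr,
                            int *answered_by)
{
    *answered_by = -1;
    for (int i = 0; i < n; i++) {
        int err = 0, herr = 0;
        enum nss_status st = module_result(mods[i], down_herr, &err, &herr);
        if (st == NSS_STATUS_SUCCESS) {
            *answered_by = i;
            return ANSWERED;
        }
        if (herr == NETDB_INTERNAL) {
            errno = err;
            return HARD_ERROR;
        }
    }
    return NOT_FOUND;
}
```

With `mods = { DAEMON_DOWN, OK }` (a stopped first module listed before a working one), the `NETDB_INTERNAL` run ends in `HARD_ERROR` with `errno` 0, and the `NO_RECOVERY` run is answered by module index 1.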
URL: https://github.com/SSSD/sssd/pull/5722 Title: #5722: NSS client: avoid using NETDB_INTERNAL if daemon is not available
Label: +Accepted
URL: https://github.com/SSSD/sssd/pull/5722 Title: #5722: NSS client: avoid using NETDB_INTERNAL if daemon is not available
Label: +Ready to push
URL: https://github.com/SSSD/sssd/pull/5722 Title: #5722: NSS client: avoid using NETDB_INTERNAL if daemon is not available
pbrezina commented: """ Pushed PR: https://github.com/SSSD/sssd/pull/5722
* `master` * 1a1e914b95c6415533f318f32da58a04015fa912 - NSS client: avoid using NETDB_INTERNAL if daemon is not available
"""
See the full comment at https://github.com/SSSD/sssd/pull/5722#issuecomment-935800928
URL: https://github.com/SSSD/sssd/pull/5722 Title: #5722: NSS client: avoid using NETDB_INTERNAL if daemon is not available
Label: +Pushed
URL: https://github.com/SSSD/sssd/pull/5722 Title: #5722: NSS client: avoid using NETDB_INTERNAL if daemon is not available
Label: -Accepted
URL: https://github.com/SSSD/sssd/pull/5722 Title: #5722: NSS client: avoid using NETDB_INTERNAL if daemon is not available
Label: -Ready to push
URL: https://github.com/SSSD/sssd/pull/5722 Author: grawity Title: #5722: NSS client: avoid using NETDB_INTERNAL if daemon is not available Action: closed
sssd-devel@lists.fedorahosted.org