Control: reassign -1 libnss-myhostname Control: affects -1 cloud.debian.org Control: retitle -1 incorrect nsswitch.conf entry for nss-myhostname
On Sat, Jun 01, 2024 at 11:13:32PM +0000, Michael Salivar wrote: > * What led up to the situation? > > This was not previously an issue some months back as I deployed previous labs > with the same scripts, but affected Bookworm deployments on 2024-06-01 in > Azure. > > I found that /etc/hosts IPv4 loopback not configured with real hostname. > This results in sudo taking approximately 20 seconds to prompt for password, > or run command in the case of passwordless. > > * What exactly did you do (or not do) that was effective (or > ineffective)? > > I changed the IPv4 loopback in /etc/hosts to include the real hostname like > so: > > 127.0.0.1 localhost realhostname > > Sudo now works as expected It's not /etc/hosts, and in fact we haven't changed the content of /etc/hosts in the cloud images. However, we did switch from installing nss-resolve to nss-hostname ([1], [2]), which has uncovered a bug in the systemd packaging. The hosts entry in /etc/nsswitch.conf in current cloud images looks like: hosts: files dns myhostname What this means is that, when trying to map between hostnames and addresses, glibc will first consult /etc/hosts (which is why your change to /etc/hosts seems to resolve the problem), then DNS, and then nss-myhostname, which synthesizes responses for certain queries. The problem is that DNS is being consulted unnecessarily, and if DNS resolution is slow or unresponsive for any reason, that will be reflected in the response. Per the nss-myhostname(8) documentation [3], "It is recommended to place "myhostname" after "file" and before "dns". This resolves well-known hostnames like "localhost" and the machine hostnames locally." However, the nss-myhostname package in bookworm does not adhere to this recommendation, instead adding the myhostname entry to the *end* of the module list. This has recently been fixed in the systemd packages for sid/trixie. [4] I'm going to reassign this to the systemd maintainers for now to see if they're willing to backport (or accept a merge request to backport) this fix to bookworm for an upcoming point release. If they aren't willing to do that (the blast radius for such a change is wide and they may not be comfortable introducing it in a stable release), then we can consider making the change in the cloud images. That's less desirable because it introduces a change to a conffile, which will introduce issues on upgrades, but we will see. noah 1. https://salsa.debian.org/cloud-team/debian-cloud-images/-/commit/2d881ea09c53e91635d23f64dbf0b6ad9d9ceaec 2. https://salsa.debian.org/cloud-team/debian-cloud-images/-/commit/577f9c17cdc0f74a98d6ca2908201522864580a5 3. https://manpages.debian.org/bookworm/libnss-myhostname/nss-myhostname.8.en.html 4. https://salsa.debian.org/systemd-team/systemd/-/merge_requests/162
