'\" t .TH "NSS\-MYMACHINES" "8" "" "systemd 241" "nss-mymachines" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" nss-mymachines, libnss_mymachines.so.2 \- Provide hostname resolution for local container instances\&. .SH "SYNOPSIS" .PP libnss_mymachines\&.so\&.2 .SH "DESCRIPTION" .PP \fBnss\-mymachines\fR is a plug\-in module for the GNU Name Service Switch (NSS) functionality of the GNU C Library (\fBglibc\fR), providing hostname resolution for the names of containers running locally that are registered with \fBsystemd-machined.service\fR(8)\&. The container names are resolved to the IP addresses of the specific container, ordered by their scope\&. This functionality only applies to containers using network namespacing (see the description of \fB\-\-private\-network\fR in \fBsystemd-nspawn\fR(1))\&. Note that the name that is resolved is the one registered with \fBsystemd\-machined\fR, which may be different than the hostname configured inside of the container\&. .PP The module also provides name resolution for user and group identifiers mapped to containers\&. All names from the range allocated to a given container \fIcontainer\fR are exposed on the host as "vu\-\fIcontainer\fR\-\fIuid\fR" and "vg\-\fIcontainer\fR\-\fIgid\fR" (see example below)\&. This functionality only applies to containers using user namespacing (see the description of \fB\-\-private\-users\fR in \fBsystemd-nspawn\fR(1))\&. .PP To activate the NSS module, add "mymachines" to the lines starting with "hosts:", "passwd:" and "group:" in /etc/nsswitch\&.conf\&. .PP It is recommended to place "mymachines" after the "files" or "compat" entry of the /etc/nsswitch\&.conf lines to make sure that its mappings are preferred over other resolvers such as DNS, but so that /etc/hosts, /etc/passwd and /etc/group based mappings take precedence\&. .SH "CONFIGURATION IN /ETC/NSSWITCH\&.CONF" .PP Here is an example /etc/nsswitch\&.conf file that enables \fBnss\-mymachines\fR correctly: .sp .if n \{\ .RS 4 .\} .nf passwd: compat \fBmymachines\fR systemd group: compat \fBmymachines\fR systemd shadow: compat hosts: files \fBmymachines\fR resolve [!UNAVAIL=return] dns myhostname networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis .fi .if n \{\ .RE .\} .SH "MAPPINGS PROVIDED BY NSS\-MYMACHINES" .PP The container "rawhide" is spawned using \fBsystemd-nspawn\fR(1): .sp .if n \{\ .RS 4 .\} .nf # systemd\-nspawn \-M rawhide \-\-boot \-\-network\-veth \-\-private\-users=pick Spawning container rawhide on /var/lib/machines/rawhide\&. Selected user namespace base 20119552 and range 65536\&. \&.\&.\&. $ machinectl \-\-max\-addresses=3 MACHINE CLASS SERVICE OS VERSION ADDRESSES rawhide container systemd\-nspawn fedora 30 169\&.254\&.40\&.164 fe80::94aa:3aff:fe7b:d4b9 $ getent passwd vu\-rawhide\-0 vu\-rawhide\-81 vu\-rawhide\-0:*:20119552:65534:vu\-rawhide\-0:/:/sbin/nologin vu\-rawhide\-81:*:20119633:65534:vu\-rawhide\-81:/:/sbin/nologin $ getent group vg\-rawhide\-0 vg\-rawhide\-81 vg\-rawhide\-0:*:20119552: vg\-rawhide\-81:*:20119633: $ ps \-o user:15,pid,tty,command \-e|grep \*(Aq^vu\-rawhide\*(Aq vu\-rawhide\-0 692 ? /lib/systemd/systemd vu\-rawhide\-0 731 ? /lib/systemd/systemd\-journald vu\-rawhide\-192 734 ? /lib/systemd/systemd\-networkd vu\-rawhide\-193 738 ? /lib/systemd/systemd\-resolved vu\-rawhide\-0 742 ? /lib/systemd/systemd\-logind vu\-rawhide\-81 744 ? /usr/bin/dbus\-daemon \-\-system \-\-address=systemd: \-\-nofork \-\-nopidfile \-\-systemd\-activation \-\-syslog\-only vu\-rawhide\-0 746 ? /usr/sbin/sshd \-D \&.\&.\&. vu\-rawhide\-0 752 ? /lib/systemd/systemd \-\-user vu\-rawhide\-0 753 ? (sd\-pam) vu\-rawhide\-0 1628 ? login \-\- zbyszek vu\-rawhide\-1000 1630 ? /lib/systemd/systemd \-\-user vu\-rawhide\-1000 1631 ? (sd\-pam) vu\-rawhide\-1000 1637 pts/8 \-zsh $ ping \-c1 rawhide PING rawhide(fe80::94aa:3aff:fe7b:d4b9%ve\-rawhide (fe80::94aa:3aff:fe7b:d4b9%ve\-rawhide)) 56 data bytes 64 bytes from fe80::94aa:3aff:fe7b:d4b9%ve\-rawhide (fe80::94aa:3aff:fe7b:d4b9%ve\-rawhide): icmp_seq=1 ttl=64 time=0\&.045 ms \&.\&.\&. $ ping \-c1 \-4 rawhide PING rawhide (169\&.254\&.40\&.164) 56(84) bytes of data\&. 64 bytes from 169\&.254\&.40\&.164 (169\&.254\&.40\&.164): icmp_seq=1 ttl=64 time=0\&.064 ms \&.\&.\&. # machinectl shell rawhide /sbin/ip a Connected to machine rawhide\&. Press ^] three times within 1s to exit session\&. 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 \&.\&.\&. 2: host0@if21: mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 96:aa:3a:7b:d4:b9 brd ff:ff:ff:ff:ff:ff link\-netnsid 0 inet 169\&.254\&.40\&.164/16 brd 169\&.254\&.255\&.255 scope link host0 valid_lft forever preferred_lft forever inet6 fe80::94aa:3aff:fe7b:d4b9/64 scope link valid_lft forever preferred_lft forever Connection to machine rawhide terminated\&. .fi .if n \{\ .RE .\} .SH "SEE ALSO" .PP \fBsystemd\fR(1), \fBsystemd-machined.service\fR(8), \fBmachinectl\fR(1), \fBnss-systemd\fR(8), \fBnss-resolve\fR(8), \fBnss-myhostname\fR(8), \fBnsswitch.conf\fR(5), \fBgetent\fR(1)