man: move 'files' module in NSS 'hosts:' line before myhostname

I am pretty sure /etc/hosts (i.e. an explicitly configured, local, trusted database) should be useful for overriding the automatic myhostname logic. resolved's internal logic handles it that way and hence we should suggest it in the NSS fallback line, too. Let's also bring the factory file back into sync with what the docs say. And update the prose a bit too, to actually match what we recommend.
2024-11-27 04:03:36 +08:00 · 2020-08-17 09:10:32 +02:00 · 2020-08-17 09:10:32 +02:00 · f918c67d38
commit f918c67d38
parent bfeb370abc
5 changed files with 25 additions and 27 deletions
--- a/factory/etc/nsswitch.conf
+++ b/factory/etc/nsswitch.conf
@ -4,7 +4,7 @@ passwd:         compat systemd
 group:          compat [SUCCESS=merge] systemd
 shadow:         compat

-hosts:          files mymachines resolve [!UNAVAIL=return] dns myhostname
+hosts:          mymachines resolve [!UNAVAIL=return] files myhostname dns
 networks:       files

 protocols:      db files
--- a/man/nss-myhostname.xml
+++ b/man/nss-myhostname.xml
@ -67,12 +67,12 @@
    <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>

    <para>It is recommended to place <literal>myhostname</literal> either between <literal>resolve</literal>
-    and "traditional" modules like <literal>files</literal> and <literal>dns</literal>, or after them. In the
-    first version, well-known names like <literal>localhost</literal> and the machine hostname are given
-    higher priority than the external configuration. This is recommended when the external DNS servers and
-    network are not absolutely trusted. In the second version, external configuration is given higher
-    priority and <command>nss-myhostname</command> only provides a fallback mechanism. This might be suitable
-    in closely controlled networks, for example on a company LAN.</para>
+    and "traditional" modules like <literal>dns</literal>, or after them. In the first version, well-known
+    names like <literal>localhost</literal> and the machine hostname are given higher priority than the
+    external configuration. This is recommended when the external DNS servers and network are not absolutely
+    trusted. In the second version, external configuration is given higher priority and
+    <command>nss-myhostname</command> only provides a fallback mechanism. This might be suitable in closely
+    controlled networks, for example on a company LAN.</para>
  </refsect1>

  <refsect1>
@ -83,11 +83,11 @@

    <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
 <programlisting>passwd:         compat systemd
-group:          compat systemd
+group:          compat [SUCCESS=merge] systemd
 shadow:         compat

-# Either (untrusted network):
-hosts:          mymachines resolve [!UNAVAIL=return] <command>myhostname</command> files dns
+# Either (untrusted network, see above):
+hosts:          mymachines resolve [!UNAVAIL=return] files <command>myhostname</command> dns
 # Or (only trusted networks):
 hosts:          mymachines resolve [!UNAVAIL=return] files dns <command>myhostname</command>
 networks:       files
--- a/man/nss-mymachines.xml
+++ b/man/nss-mymachines.xml
@ -42,10 +42,10 @@
    <para>To activate the NSS module, add <literal>mymachines</literal> to the line starting with
    <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>

-    <para>It is recommended to place <literal>mymachines</literal> after the <literal>files</literal> or
-    <literal>compat</literal> entry of the <filename>/etc/nsswitch.conf</filename> line to make sure that its
-    mappings are preferred over other resolvers such as DNS, but so that <filename>/etc/hosts</filename>
-    based mappings take precedence.</para>
+    <para>It is recommended to place <literal>mymachines</literal> before the <literal>resolve</literal> or
+    <literal>dns</literal> entry of the <literal>hosts:</literal> line of
+    <filename>/etc/nsswitch.conf</filename> in order to make sure that its mappings are preferred over other
+    resolvers such as DNS.</para>
  </refsect1>

  <refsect1>
@ -56,10 +56,10 @@

    <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
    <programlisting>passwd:         compat systemd
-group:          compat systemd
+group:          compat [SUCCESS=merge] systemd
 shadow:         compat

-hosts:          <command>mymachines</command> resolve [!UNAVAIL=return] myhostname files dns
+hosts:          <command>mymachines</command> resolve [!UNAVAIL=return] files myhostname dns
 networks:       files

 protocols:      db files
--- a/man/nss-resolve.xml
+++ b/man/nss-resolve.xml
@ -44,14 +44,12 @@
    <literal>dns</literal> somewhere after <literal>resolve</literal>, to fall back to
    <command>nss-dns</command> if <filename>systemd-resolved.service</filename> is not available.</para>

-    <para>Note that <command>systemd-resolved</command> will synthesize DNS resource
-    records in a few cases, for example for <literal>localhost</literal> and the
-    current hostname, see
-    <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>
-    for the full list. This duplicates the functionality of
-    <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
-    but it is still recommended (see examples below) to keep
-    <command>nss-myhostname</command> configured in
+    <para>Note that <command>systemd-resolved</command> will synthesize DNS resource records in a few cases,
+    for example for <literal>localhost</literal> and the current local hostname, see
+    <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
+    the full list. This duplicates the functionality of
+    <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>, but
+    it is still recommended (see examples below) to keep <command>nss-myhostname</command> configured in
    <filename>/etc/nsswitch.conf</filename>, to keep those names resolveable if
    <command>systemd-resolved</command> is not running.</para>
  </refsect1>
@ -64,10 +62,10 @@

    <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
 <programlisting>passwd:         compat systemd
-group:          compat systemd
+group:          compat [SUCCESS=merge] systemd
 shadow:         compat

-hosts:          mymachines <command>resolve [!UNAVAIL=return]</command> myhostname files dns
+hosts:          mymachines <command>resolve [!UNAVAIL=return]</command> files myhostname dns
 networks:       files

 protocols:      db files
--- a/man/nss-systemd.xml
+++ b/man/nss-systemd.xml
@ -65,7 +65,7 @@
 group:          compat [SUCCESS=merge] <command>systemd</command>
 shadow:         compat

-hosts:          mymachines resolve [!UNAVAIL=return] myhostname files dns
+hosts:          mymachines resolve [!UNAVAIL=return] files myhostname dns
 networks:       files

 protocols:      db files