[thirdparty/systemd.git] / man / nss-mymachines.xml

<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="nss-mymachines" conditional='ENABLE_NSS_MYMACHINES'>

  <refentryinfo>
    <title>nss-mymachines</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>nss-mymachines</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>nss-mymachines</refname>
    <refname>libnss_mymachines.so.2</refname>
    <refpurpose>Hostname resolution for local container instances</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>libnss_mymachines.so.2</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>nss-mymachines</command> is a plug-in module for the GNU Name Service Switch (NSS) functionality of
    the GNU C Library (<command>glibc</command>), providing hostname resolution for the names of containers running
    locally that are registered with
    <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>. The
    container names are resolved to the IP addresses of the specific container, ordered by their scope. This
    functionality only applies to containers using network namespacing (see the description of
    <option>--private-network</option> in
    <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>).
    Note that the name that is resolved is the one registered with <command>systemd-machined</command>, which
    may be different than the hostname configured inside of the container.</para>

    <para>Note that this NSS module only makes available names of the containers running immediately below
    the current system context. It does not provide host name resolution for containers running side-by-side
    with the invoking system context, or containers further up or down the container hierarchy. Or in other
    words, on the host system it provides host name resolution for the containers running immediately below
    the host environment. When used inside a container environment however, it will not be able to provide
    name resolution for containers running on the host (as those are siblings and not children of the current
    container environment), but instead only for nested containers running immediately below its own
    container environment.</para>

    <para>To activate the NSS module, add <literal>mymachines</literal> to the line starting with
    <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>

    <para>It is recommended to place <literal>mymachines</literal> before the <literal>resolve</literal> or
    <literal>dns</literal> entry of the <literal>hosts:</literal> line of
    <filename>/etc/nsswitch.conf</filename> in order to make sure that its mappings are preferred over other
    resolvers such as DNS.</para>
  </refsect1>

  <refsect1>
    <title>Configuration in <filename>/etc/nsswitch.conf</filename></title>

    <para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables
    <command>nss-mymachines</command> correctly:</para>

    <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
    <programlisting>passwd:         files systemd
group:          files [SUCCESS=merge] systemd
shadow:         files systemd
gshadow:        files systemd

hosts:          <command>mymachines</command> resolve [!UNAVAIL=return] files myhostname dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis</programlisting>

  </refsect1>

  <refsect1>
    <title>Example: Mappings provided by <filename>nss-mymachines</filename></title>

    <para>The container <literal>rawhide</literal> is spawned using
    <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>:
    </para>

    <programlisting># systemd-nspawn -M rawhide --boot --network-veth --private-users=pick
Spawning container rawhide on /var/lib/machines/rawhide.
Selected user namespace base 20119552 and range 65536.
...

$ machinectl --max-addresses=3
MACHINE CLASS     SERVICE        OS     VERSION ADDRESSES
rawhide container systemd-nspawn fedora 30      169.254.40.164 fe80::94aa:3aff:fe7b:d4b9

$ ping -c1 rawhide
PING rawhide(fe80::94aa:3aff:fe7b:d4b9%ve-rawhide (fe80::94aa:3aff:fe7b:d4b9%ve-rawhide)) 56 data bytes
64 bytes from fe80::94aa:3aff:fe7b:d4b9%ve-rawhide (fe80::94aa:3aff:fe7b:d4b9%ve-rawhide): icmp_seq=1 ttl=64 time=0.045 ms
...
$ ping -c1 -4 rawhide
PING rawhide (169.254.40.164) 56(84) bytes of data.
64 bytes from 169.254.40.164 (169.254.40.164): icmp_seq=1 ttl=64 time=0.064 ms
...

# machinectl shell rawhide /sbin/ip a
Connected to machine rawhide. Press ^] three times within 1s to exit session.
1: lo: &lt;LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    ...
2: host0@if21: &lt;BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 96:aa:3a:7b:d4:b9 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.40.164/16 brd 169.254.255.255 scope link host0
       valid_lft forever preferred_lft forever
    inet6 fe80::94aa:3aff:fe7b:d4b9/64 scope link
       valid_lft forever preferred_lft forever
Connection to machine rawhide terminated.
</programlisting>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para><simplelist type="inline">
      <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
      <member><citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
      <member><citerefentry project='man-pages'><refentrytitle>getent</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
    </simplelist></para>
  </refsect1>

</refentry>
Commit	Line	Data
dbda6dce	1	<?xml version='1.0'?> <!---nxml--->
3a54a157	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
eea10b26	3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
db9ecf05	4	<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
dbda6dce	5
08540a95	6	<refentry id="nss-mymachines" conditional='ENABLE_NSS_MYMACHINES'>
dbda6dce	7
798d3a52 ZJS	8	<refentryinfo>
	9	<title>nss-mymachines</title>
	10	<productname>systemd</productname>
798d3a52 ZJS	11	</refentryinfo>
	12
	13	<refmeta>
	14	<refentrytitle>nss-mymachines</refentrytitle>
	15	<manvolnum>8</manvolnum>
	16	</refmeta>
	17
	18	<refnamediv>
	19	<refname>nss-mymachines</refname>
	20	<refname>libnss_mymachines.so.2</refname>
e9dd6984	21	<refpurpose>Hostname resolution for local container instances</refpurpose>
798d3a52 ZJS	22	</refnamediv>
	23
	24	<refsynopsisdiv>
	25	<para><filename>libnss_mymachines.so.2</filename></para>
	26	</refsynopsisdiv>
	27
	28	<refsect1>
	29	<title>Description</title>
	30
9053aaad LP	31	<para><command>nss-mymachines</command> is a plug-in module for the GNU Name Service Switch (NSS) functionality of
	32	the GNU C Library (<command>glibc</command>), providing hostname resolution for the names of containers running
	33	locally that are registered with
f2cca38e	34	<citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>. The
9053aaad	35	container names are resolved to the IP addresses of the specific container, ordered by their scope. This
f2cca38e ZJS	36	functionality only applies to containers using network namespacing (see the description of
	37	<option>--private-network</option> in
	38	<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>).
	39	Note that the name that is resolved is the one registered with <command>systemd-machined</command>, which
	40	may be different than the hostname configured inside of the container.</para>
	41
74c88a25 LP	42	<para>Note that this NSS module only makes available names of the containers running immediately below
	43	the current system context. It does not provide host name resolution for containers running side-by-side
	44	with the invoking system context, or containers further up or down the container hierarchy. Or in other
	45	words, on the host system it provides host name resolution for the containers running immediately below
	46	the host environment. When used inside a container environment however, it will not be able to provide
	47	name resolution for containers running on the host (as those are siblings and not children of the current
	48	container environment), but instead only for nested containers running immediately below its own
	49	container environment.</para>
	50
38ccb557 LP	51	<para>To activate the NSS module, add <literal>mymachines</literal> to the line starting with
38ccb557 LP	52	<literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>
798d3a52	53
d296c20f LP	54	<para>It is recommended to place <literal>mymachines</literal> before the <literal>resolve</literal> or
	55	<literal>dns</literal> entry of the <literal>hosts:</literal> line of
	56	<filename>/etc/nsswitch.conf</filename> in order to make sure that its mappings are preferred over other
	57	resolvers such as DNS.</para>
798d3a52 ZJS	58	</refsect1>
	59
	60	<refsect1>
f2cca38e	61	<title>Configuration in <filename>/etc/nsswitch.conf</filename></title>
798d3a52	62
9053aaad LP	63	<para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables
9053aaad LP	64	<command>nss-mymachines</command> correctly:</para>
798d3a52	65
94f760ec	66	<!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
02e93087 LP	67	<programlisting>passwd: files systemd
	68	group: files [SUCCESS=merge] systemd
	69	shadow: files systemd
f43a19ec	70	gshadow: files systemd
798d3a52	71
d296c20f	72	hosts: <command>mymachines</command> resolve [!UNAVAIL=return] files myhostname dns
dbda6dce LP	73	networks: files
	74
	75	protocols: db files
	76	services: db files
c01ff965 LP	77	ethers: db files
c01ff965 LP	78	rpc: db files
dbda6dce LP	79
	80	netgroup: nis</programlisting>
	81
798d3a52 ZJS	82	</refsect1>
798d3a52 ZJS	83
f2cca38e	84	<refsect1>
38ccb557	85	<title>Example: Mappings provided by <filename>nss-mymachines</filename></title>
f2cca38e ZJS	86
	87	<para>The container <literal>rawhide</literal> is spawned using
	88	<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>:
	89	</para>
	90
	91	<programlisting># systemd-nspawn -M rawhide --boot --network-veth --private-users=pick
	92	Spawning container rawhide on /var/lib/machines/rawhide.
	93	Selected user namespace base 20119552 and range 65536.
	94	...
	95
	96	$ machinectl --max-addresses=3
	97	MACHINE CLASS SERVICE OS VERSION ADDRESSES
	98	rawhide container systemd-nspawn fedora 30 169.254.40.164 fe80::94aa:3aff:fe7b:d4b9
	99
f2cca38e ZJS	100	$ ping -c1 rawhide
	101	PING rawhide(fe80::94aa:3aff:fe7b:d4b9%ve-rawhide (fe80::94aa:3aff:fe7b:d4b9%ve-rawhide)) 56 data bytes
	102	64 bytes from fe80::94aa:3aff:fe7b:d4b9%ve-rawhide (fe80::94aa:3aff:fe7b:d4b9%ve-rawhide): icmp_seq=1 ttl=64 time=0.045 ms
	103	...
	104	$ ping -c1 -4 rawhide
	105	PING rawhide (169.254.40.164) 56(84) bytes of data.
	106	64 bytes from 169.254.40.164 (169.254.40.164): icmp_seq=1 ttl=64 time=0.064 ms
	107	...
	108
	109	# machinectl shell rawhide /sbin/ip a
	110	Connected to machine rawhide. Press ^] three times within 1s to exit session.
	111	1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
	112	...
	113	2: host0@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
	114	link/ether 96:aa:3a:7b:d4:b9 brd ff:ff:ff:ff:ff:ff link-netnsid 0
	115	inet 169.254.40.164/16 brd 169.254.255.255 scope link host0
	116	valid_lft forever preferred_lft forever
	117	inet6 fe80::94aa:3aff:fe7b:d4b9/64 scope link
	118	valid_lft forever preferred_lft forever
	119	Connection to machine rawhide terminated.
	120	</programlisting>
	121	</refsect1>
	122
798d3a52 ZJS	123	<refsect1>
798d3a52 ZJS	124	<title>See Also</title>
13a69c12 DT	125	<para><simplelist type="inline">
	126	<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
	127	<member><citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
	128	<member><citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
	129	<member><citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
	130	<member><citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
	131	<member><citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
	132	<member><citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
	133	<member><citerefentry project='man-pages'><refentrytitle>getent</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
	134	</simplelist></para>
798d3a52	135	</refsect1>
dbda6dce LP	136
dbda6dce LP	137	</refentry>