<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="nss-mymachines" conditional='ENABLE_NSS_MYMACHINES'>

  <refentryinfo>
    <title>nss-mymachines</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>nss-mymachines</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>nss-mymachines</refname>
    <refname>libnss_mymachines.so.2</refname>
    <refpurpose>Hostname resolution for local container instances</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>libnss_mymachines.so.2</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>nss-mymachines</command> is a plug-in module for the GNU Name Service Switch (NSS) functionality of
    the GNU C Library (<command>glibc</command>), providing hostname resolution for the names of containers running
    locally that are registered with
    <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>. The
    container names are resolved to the IP addresses of the specific container, ordered by their scope. This
    functionality only applies to containers using network namespacing (see the description of
    <option>--private-network</option> in
    <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>).
    Note that the name that is resolved is the one registered with <command>systemd-machined</command>, which
    may be different than the hostname configured inside of the container.</para>

    <para>Note that this NSS module only makes available names of the containers running immediately below
    the current system context. It does not provide host name resolution for containers running side-by-side
    with the invoking system context, or containers further up or down the container hierarchy. Or in other
    words, on the host system it provides host name resolution for the containers running immediately below
    the host environment. When used inside a container environment however, it will not be able to provide
    name resolution for containers running on the host (as those are siblings and not children of the current
    container environment), but instead only for nested containers running immediately below its own
    container environment.</para>

    <para>To activate the NSS module, add <literal>mymachines</literal> to the line starting with
    <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>

    <para>It is recommended to place <literal>mymachines</literal> before the <literal>resolve</literal> or
    <literal>dns</literal> entry of the <literal>hosts:</literal> line of
    <filename>/etc/nsswitch.conf</filename> in order to make sure that its mappings are preferred over other
    resolvers such as DNS.</para>
  </refsect1>

  <refsect1>
    <title>Configuration in <filename>/etc/nsswitch.conf</filename></title>

    <para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables
    <command>nss-mymachines</command> correctly:</para>

    <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
<programlisting>passwd:         files systemd
group:          files [SUCCESS=merge] systemd
shadow:         files systemd
gshadow:        files systemd

hosts:          <command>mymachines</command> resolve [!UNAVAIL=return] files myhostname dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis</programlisting>
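
    <para>The ordering recommended above can be checked with a short script. The following is an added
    example, not part of systemd: it reports whether <literal>mymachines</literal> precedes
    <literal>resolve</literal> and <literal>dns</literal> on the <literal>hosts:</literal> line. The names
    <literal>check_hosts_order</literal> and <literal>demo</literal> and the sample lines written by
    <literal>demo</literal> are assumptions made for this example.</para>

<programlisting>
```shell
#!/bin/sh
# Added example (not from systemd); check_hosts_order and demo are names
# chosen here. Return status of check_hosts_order:
#   0 = mymachines is listed and precedes resolve/dns
#   1 = no hosts: line, or mymachines not listed on it
#   2 = mymachines is listed after resolve or dns
#   3 = file not readable
check_hosts_order() {
    conf=${1:-/etc/nsswitch.conf}
    [ -r "$conf" ] || return 3
    awk '
        /^[ \t]*hosts:/ {
            found = 1
            sub(/#.*/, "")                # strip a trailing comment
            sub(/^[ \t]*hosts:/, "")      # keep only the service list
            mm = 0; other = 0             # if repeated, the last hosts: line is judged
            for (i = 1; NF >= i; i++) {
                if ($i == "mymachines") { if (!mm) mm = i }
                if ($i == "resolve" || $i == "dns") { if (!other) other = i }
            }
        }
        END {
            if (!found || !mm) exit 1
            if (other) { if (mm > other) exit 2 }
            exit 0
        }' "$conf"
}

# Constructed sample inputs: the hosts: line recommended on this page and a
# variant with mymachines moved behind dns.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns\n' > "$dir/good"
    printf 'hosts: files dns mymachines\n' > "$dir/late"
    for f in good late; do
        rc=0
        check_hosts_order "$dir/$f" || rc=$?
        printf '%s: status %s\n' "$f" "$rc"
    done
    rm -rf "$dir"
}
demo
```
</programlisting>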

  </refsect1>

  <refsect1>
    <title>Example: Mappings provided by <filename>nss-mymachines</filename></title>

    <para>The container <literal>rawhide</literal> is spawned using
    <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>:
    </para>

<programlisting># systemd-nspawn -M rawhide --boot --network-veth --private-users=pick
Spawning container rawhide on /var/lib/machines/rawhide.
Selected user namespace base 20119552 and range 65536.
...

$ machinectl --max-addresses=3
MACHINE CLASS     SERVICE        OS     VERSION ADDRESSES
rawhide container systemd-nspawn fedora 30      169.254.40.164 fe80::94aa:3aff:fe7b:d4b9

$ ping -c1 rawhide
PING rawhide(fe80::94aa:3aff:fe7b:d4b9%ve-rawhide (fe80::94aa:3aff:fe7b:d4b9%ve-rawhide)) 56 data bytes
64 bytes from fe80::94aa:3aff:fe7b:d4b9%ve-rawhide (fe80::94aa:3aff:fe7b:d4b9%ve-rawhide): icmp_seq=1 ttl=64 time=0.045 ms
...
$ ping -c1 -4 rawhide
PING rawhide (169.254.40.164) 56(84) bytes of data.
64 bytes from 169.254.40.164 (169.254.40.164): icmp_seq=1 ttl=64 time=0.064 ms
...

# machinectl shell rawhide /sbin/ip a
Connected to machine rawhide. Press ^] three times within 1s to exit session.
1: lo: &lt;LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    ...
2: host0@if21: &lt;BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 96:aa:3a:7b:d4:b9 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.40.164/16 brd 169.254.255.255 scope link host0
       valid_lft forever preferred_lft forever
    inet6 fe80::94aa:3aff:fe7b:d4b9/64 scope link
       valid_lft forever preferred_lft forever
Connection to machine rawhide terminated.
</programlisting>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para><simplelist type="inline">
      <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
      <member><citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
      <member><citerefentry project='man-pages'><refentrytitle>getent</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
    </simplelist></para>
  </refsect1>

</refentry>