Bug 1574959
| Summary: | Set IPAddressDeny= in systemd-logind service file | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ido Schimmel <idosch> |
| Component: | nss_nis | Assignee: | Matej Mužila <mmuzila> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 28 | CC: | edgar.hoch, eloranta, mmuzila, paolini, rkudyba |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | nss_nis-3.0-6.fc28 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-08-17 16:17:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Ido Schimmel
2018-05-04 12:22:13 UTC
Yes, this is very annoying bug that hit my 28 servers too. It would be important to have an official fix rather than starting to patch things by hand. This bug affects everyone running NIS, so this should be high priority. We also experience the same problem. The proposed solution given above works for us and it seems to suggest a "drop-in" file to be added in the nss_nis package with [Service] IPAddressDeny= and placed in /lib/systemd/system/systemd-logind.service.d I think it should be done upstream, but in the meantime an rpm with the fix seems in order... I got also crashes from other systemd services, e.g. systemd-udevd, because they also need to look up hosts, users, groups, netgroups, etc., using nis (if nis is an entry in lines in /etc/nsswitch.conf). So the "workaround" should also be done for (all?) other systemd services that uses the same mechanism. # grep -ri IPAddressDeny /usr/lib/systemd/system/ /usr/lib/systemd/system/systemd-timedated.service:IPAddressDeny=any /usr/lib/systemd/system/systemd-logind.service:IPAddressDeny=any /usr/lib/systemd/system/systemd-machined.service:IPAddressDeny=any /usr/lib/systemd/system/systemd-journald.service:IPAddressDeny=any /usr/lib/systemd/system/systemd-udevd.service:IPAddressDeny=any /usr/lib/systemd/system/systemd-localed.service:IPAddressDeny=any /usr/lib/systemd/system/systemd-coredump@.service:IPAddressDeny=any /usr/lib/systemd/system/systemd-hostnamed.service:IPAddressDeny=any I am currently trying using nscd instead of allowing networking for these services, but I don't currently know if this solves all problems, because nscd does not cache all nis maps (as far as I know, e.g. ethers.byname, ethers.byaddr, auto.master, auto.home, mail.aliases), but it may be that these systemd services don't need access to these nis maps. nss_nis-3.0-6.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-78f95660f9 nss_nis-3.0-6.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-78f95660f9 nss_nis-3.0-6.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. |