Users are now expected to use authselect to configure the system and packages should no longer support non-authselect configurations.
Fedora Change Page: https://fedoraproject.org/wiki/Changes/Make_Authselect_Mandatory
As part of this change, authselect takes ownership of /etc/nsswitch.conf.
I will prepare a pull request and coordinate a Fedora build.
(In reply to Pavel Březina from comment #0)
> Users are now expected to use authselect to configure the system and
> packages should no longer support non-authselect configurations.
>
> Fedora Change Page:
> https://fedoraproject.org/wiki/Changes/Make_Authselect_Mandatory
>
> As part of this change, authselect takes ownership of /etc/nsswitch.conf.
>
> I will prepare a pull request and coordinate a Fedora build.
Thanks. Note that we currently have various build issues with Fedora rawhide glibc due to toolchain changes. We are working on fixing things.
glibc build failure due to Systemtap probe change
https://sourceware.org/pipermail/libc-alpha/2021-November/133134.html
*** Bug 1717384 has been marked as a duplicate of this bug. ***
FEDORA-2021-c2b61f2725 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2021-c2b61f2725
FEDORA-2021-c2b61f2725 has been pushed to the Fedora 36 stable repository. If the problem still persists, please make note of it in this bug report.
Do I understand correctly that container images now need to pull in authselect to get a working /etc/nsswitch.conf file? We have ELN container images that started to break because /etc/nsswitch.conf is now missing without authselect installed.
When installing authselect, this gets pulled in e.g. on registry.fedoraproject.org/fedora:rawhide:
# dnf install authselect
Dependencies resolved.
===================================================================================================
 Package               Architecture   Version              Repository   Size
===================================================================================================
Installing:
 authselect            x86_64         1.2.4-2.fc36         rawhide      127 k
Installing dependencies:
 acl                   x86_64         2.3.1-2.fc35         rawhide       71 k
 authselect-libs       x86_64         1.2.4-2.fc36         rawhide      222 k
 cryptsetup-libs       x86_64         2.4.2-1.fc36         rawhide      438 k
 dbus                  x86_64         1:1.12.20-5.fc36     rawhide      7.4 k
 dbus-broker           x86_64         29-4.fc36            rawhide      171 k
 dbus-common           noarch         1:1.12.20-5.fc36     rawhide       14 k
 device-mapper         x86_64         1.02.175-6.fc35      rawhide      140 k
 device-mapper-libs    x86_64         1.02.175-6.fc35      rawhide      179 k
 findutils             x86_64         1:4.8.0-4.fc35       rawhide      538 k
 kmod-libs             x86_64         29-6.fc36            rawhide       67 k
 libargon2             x86_64         20171227-7.fc35      rawhide       28 k
 libfdisk              x86_64         2.37.2-1.fc36        rawhide      155 k
 libseccomp            x86_64         2.5.3-1.fc36         rawhide       71 k
 libutempter           x86_64         1.2.1-5.fc35         rawhide       26 k
 systemd               x86_64         250~rc1-2.fc36       rawhide      4.2 M
 systemd-libs          x86_64         250~rc1-2.fc36       rawhide      630 k
 systemd-pam           x86_64         250~rc1-2.fc36       rawhide      333 k
 util-linux            x86_64         2.37.2-1.fc36        rawhide      2.2 M
 util-linux-core       x86_64         2.37.2-1.fc36        rawhide      434 k
 xkeyboard-config      noarch         2.34-1.fc36          rawhide      782 k
Installing weak dependencies:
 diffutils             x86_64         3.8-1.fc35           rawhide      400 k
 libbpf                x86_64         2:0.5.0-1.fc36       rawhide      146 k
 libxkbcommon          x86_64         1.3.1-1.fc36         rawhide      140 k
 qrencode-libs         x86_64         4.0.2-8.fc35         rawhide       58 k
 systemd-networkd      x86_64         250~rc1-2.fc36       rawhide      556 k
 systemd-resolved      x86_64         250~rc1-2.fc36       rawhide      271 k
Transaction Summary
===================================================================================================
Install  27 Packages
Total download size: 12 M
Installed size: 45 M
What does the failure look like? Thanks.
/etc/nsswitch.conf is an optional configuration file.
(In reply to Florian Weimer from comment #6)
> What does the failure look like? Thanks.
>
> /etc/nsswitch.conf is an optional configuration file.
Running such a container image in GitLab CI, `getent hosts localhost` etc. does not return anything. I have trouble reproducing that locally in podman/docker with that container image though.
The container image was built with the ELN buildroot enabled. No complete 'dnf upgrade' was run after adding the buildroot to dnf, so there might be a slight inconsistency of packages.
Example of such a GitLab job with nothing returned by `getent`: https://gitlab.com/cki-project/pipeline-definition/-/jobs/1886783437#L44
Further debugging this image, running a `dnf upgrade` after enabling the buildroot fixes it. I attached the difference in installed packages.
(In reply to Michael Hofmann from comment #8)
> Further debugging this image, running a `dnf upgrade` after enabling the
> buildroot fixes it. I attached the difference in installed packages.
So it was a temporary glitch, and everything is working as expected now? Thanks.
The updated images have authselect installed. So even though I have no idea why it was broken without /etc/nsswitch.conf, having it because of the authselect packages installed at least coincides with fixed images 🙈. It still seems a bit much to pull in authselect and its dependencies (dbus/systemd) in container images by default, but I suppose that is another issue 😂. Thank you for your time 🤗!
No worries. I think container images should have working user and host name lookup without any /etc/nsswitch.conf file. If they don't, this is something we can and should fix.
nsswitch.conf disappearing on upgrades hit us hard today as well, I filed bug 2033020. At first sight it just looks like a simple missing dependency to a new enough pam.
About authselect dependencies, authselect currently requires:
Requires: coreutils
Requires: findutils
Requires: gawk
Requires: grep
Requires: sed
Requires: systemd
Besides systemd, those packages are required in authselect scriptlets, which are currently not trivial. If those are a problem for containers, we can probably get rid of some of them and convert the rest to lua.
systemd is required because pam uses pam_systemd and nsswitch.conf uses various systemd modules. I believe we can remove this dependency (or make it super weak), since both pam and nsswitch will just ignore the systemd modules if not installed.
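Since the thread notes that nsswitch ignores modules that are not installed, the following added example (not part of the original thread and not authselect or glibc code) lists the services an image's nsswitch.conf names for which no libnss_<service>.so.2 file is present. The function names, the usr/lib64 library directory, the built-in list and the sample configuration are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: report NSS services referenced in nsswitch.conf that have
# no libnss_<service>.so.2 module in an unpacked image root.

# Services assumed to be resolved inside libc itself on the glibc in use
# (assumption; adjust for the image being checked).
NSS_BUILTIN="${NSS_BUILTIN:-files dns}"

# nss_services CONF: print each distinct service name in CONF, one per line.
# Comments and bracketed actions such as [!UNAVAIL=return] are dropped first.
nss_services() {
    sed -e 's/#.*//' -e 's/\[[^]]*]//g' "$1" |
    awk -F: 'NF >= 2 { n = split($2, s, /[ \t]+/)
                       for (i = 1; i <= n; i++) if (s[i] != "") print s[i] }' |
    sort -u
}

# nss_missing CONF LIBDIR: print services whose module file is absent.
nss_missing() {
    for svc in $(nss_services "$1"); do
        case " $NSS_BUILTIN " in *" $svc "*) continue ;; esac
        [ -e "$2/libnss_$svc.so.2" ] || echo "$svc"
    done
}

# nss_report ROOT LIBDIR: check an image root; LIBDIR is relative to ROOT.
nss_report() {
    conf="$1/etc/nsswitch.conf"
    if [ ! -f "$conf" ]; then
        echo "no nsswitch.conf: glibc built-in defaults apply"
        return 0
    fi
    nss_missing "$conf" "$1/$2"
}

# Constructed sample root: two modules present, two referenced but absent.
nss_demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc" "$root/usr/lib64"
    printf '%s\n' '# constructed sample, not a real Fedora file' \
        'passwd: files sss systemd' \
        'hosts:  files myhostname resolve [!UNAVAIL=return] dns' \
        > "$root/etc/nsswitch.conf"
    touch "$root/usr/lib64/libnss_sss.so.2" \
          "$root/usr/lib64/libnss_myhostname.so.2"
    nss_report "$root" usr/lib64
    rm -rf "$root"
}
nss_demo
```

A non-empty result is not an error by itself, but it shows which identity sources the image will silently skip during user and host lookups.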