libvirtd NSS module not working (nscd, nsncd, libnss, libc)

[michaelfranzl]

Describe the bug

I was happy to learn that in NixOS 24.05 the virtualization module gained NSS module support for libvirtd.

However, I found it not working: getent hosts <hostname> does not resolve to an IP address, even though the VM host name and IP is present in libvirt.

Steps To Reproduce

With the following NixOS configuration:

virtualisation = {
    libvirtd = {
      enable = true;
      nss = {
        enable = true;
        enableGuest = true;
      };
    };
  };

The following entry in /etc/nsswitch.conf is correctly created:

hosts:     mymachines resolve [!UNAVAIL=return] files myhostname libvirt libvirt_guest dns

The path to libnss_libvirt.so.2 and libnss_libvirt_guest.so.2 is also correctly added to the LD_LIBRARY_PATH environment variable of the nscd.service, as evidenced by systemctl show nscd:

Environment=LD_LIBRARY_PATH=/nix/store/gzvzqc3lyya4xwjrplmfk3x6l160rr62-libvirt-10.0.0/lib:/nix/store/xjiifrz7ha6s29gp0p0j3w0155phxmia-systemd-255.6/lib

The data source of libnss_libvirt* are plain text files in /var/lib/libvirt/dnsmasq, which makes it a lot easier to reproduce the issue because no actual VMs have to be created using libvirt. Here are two files that can be used for reproduction (Note: The expiry-time below is significant, and should lie in your future, otherwise the name lookups will not work.)

/var/lib/libvirt/dnsmasq/virbr0.macs:

[
  {
    "domain": "debian11",
    "macs": [
      "52:54:00:60:dc:fe"
    ]
  }
] 

/var/lib/libvirt/dnsmasq/virbr0.status:

[
  {
    "ip-address": "192.168.122.8",
    "mac-address": "52:54:00:60:dc:fe",
    "hostname": "debian11",
    "expiry-time": 1819155914
  }
] 

The actual querying of the name can now be done with getent hosts debian11. This does not return a result (exit code 2).

Expected behavior

getent hosts debian11 should return the IP address 192.168.122.8.

Additional context

Having more than one directory in LD_LIBRARY_PATH does not work.

Having just one directory in LD_LIBRARY_PATH, the libvirt one, does work.

To verify those two statements, do the following steps as root.

Please take extra care below to distinguish between nscd and nsncd.

systemctl stop nscd
nix-shell -p nsncd
LD_LIBRARY_PATH="/nix/store/gzvzqc3lyya4xwjrplmfk3x6l160rr62-libvirt-10.0.0/lib" NSNCD_WORKER_COUNT=1 NSNCD_HANDOFF_TIMOUT=10 strace -f nsncd 2>&1 | grep dnsmasq # adapt the libvirt path to your Nix store

In a different terminal, the name resolution is successful:

getent hosts debian11
# ->192.168.122.8   debian11

strace in the first terminal shows that the data source /var/lib/libvirt/ndsmasq is actually consulted:

[pid  9358] openat(AT_FDCWD, "/var/lib/libvirt/dnsmasq/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 8
[pid  9358] openat(AT_FDCWD, "/var/lib/libvirt/dnsmasq//virbr0.status", O_RDONLY) = 8
[pid  9358] openat(AT_FDCWD, "/var/lib/libvirt/dnsmasq/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 8
[pid  9358] openat(AT_FDCWD, "/var/lib/libvirt/dnsmasq//virbr0.macs", O_RDONLY) = 9
[pid  9358] openat(AT_FDCWD, "/var/lib/libvirt/dnsmasq//virbr0.status", O_RDONLY) = 8
[pid  9358] openat(AT_FDCWD, "/var/lib/libvirt/dnsmasq/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 8
[pid  9358] openat(AT_FDCWD, "/var/lib/libvirt/dnsmasq//virbr0.status", O_RDONLY) = 8

Now, repeat the same experiment, but add the second path to LD_LIBRARY_PATH (the actual value from systemd show nscd), e.g.
LD_LIBRARY_PATH="/nix/store/gzvzqc3lyya4xwjrplmfk3x6l160rr62-libvirt-10.0.0/lib:/nix/store/xjiifrz7ha6s29gp0p0j3w0155phxmia-systemd-255.6/lib" to the nsncd invocation.

This time, grep does not match any lines and getent hosts debian11 does not return a result.

Note: If you pass --service libvirt (or similar) to getent, this will bypass the call to nscd and attempt to go to the libnss libraries directly, so this will always fail on NixOS (unless the needed shared libraries are in scope).

I do not know enough about the actual NSS mechanism inside glibc to understand why libnss_libvirt.so.2 and libnss_libvirt_guest.so.2 are not consulted.

Since nsncd does not do actual lookups, and only calls into glibc (gethostbyname() or such), this looks to me like a glibc issue, but this is currently out of my depth to analyze.

In any case, the NixOS feature as I think it was intended to work, does not, hence I think that this is a bug.

I'm happy to provide more details if needed.

Notify maintainers

Sorry for notifying so many of you but this issue looks like it could be interconnected between several parts.

nixos/modules/virtualization/libvirtd.nix: @jchv

nixos/modules/config/nsswitch.nix: @dasJ

nsncd: @flokli @picnoir

libvirt: @fpletz @globin @lovesegfault

Metadata

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"

 - system: `"x86_64-linux"`
 - host os: `Linux 6.6.33, NixOS, 24.05 (Uakari), 24.05.20240615.752c634`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.2`
 - nixpkgs: `/nix/store/mcwr2j04fikfsrsaq76f4bviinvl6zql-source`

---

Add a 👍 reaction to issues you find important.

[jchv]

Interesting. FWIW, it works for me on nixos-unstable (I use it with enableGuest regularly) but it's likely that I've done it wrong and it's only working by accident on my machines. I did modify the libvirt NixOS test to make use of the NSS module as well, to help ensure it does not accidentally break.

I wonder how this can be reliably reproduced.

[michaelfranzl]

@jchv The following flake declares a system that exhibits the issue:

# flake.nix
{
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
    nixos-generators = {
      url = "github:nix-community/nixos-generators";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs = { self, nixpkgs, nixos-generators, ... }: {
    packages.x86_64-linux = {
      default = nixos-generators.nixosGenerate {
        system = "x86_64-linux";
        format = "qcow";
        modules = [
          ({ ... }: { nix.registry.nixpkgs.flake = nixpkgs; })
          ({
            lib,
            pkgs,
            ...
          }: {
            services.sshd.enable = true;
            system.stateVersion = lib.version;
            users.users.root.password = "root";
            services.openssh.settings.PermitRootLogin = lib.mkOverride 999 "yes";
            services.getty.autologinUser = lib.mkOverride 999 "root";
            services.resolved.enable = true;
            virtualisation = {
              libvirtd = {
                enable = true;
                nss = {
                  enable = true;
                  enableGuest = true;
                };
              };
            };
          })
        ];
      };
    };
  };
}

I can't attach flake.lock, so here quoted for full reproducibility:

{
  "nodes": {
    "nixlib": {
      "locked": {
        "lastModified": 1712450863,
        "narHash": "sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "rev": "3c62b6a12571c9a7f65ab037173ee153d539905f",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "type": "github"
      }
    },
    "nixos-generators": {
      "inputs": {
        "nixlib": "nixlib",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1718025593,
        "narHash": "sha256-WZ1gdKq/9u1Ns/oXuNsDm+W0salonVA0VY1amw8urJ4=",
        "owner": "nix-community",
        "repo": "nixos-generators",
        "rev": "35c20ba421dfa5059e20e0ef2343c875372bdcf3",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixos-generators",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1719145550,
        "narHash": "sha256-K0i/coxxTEl30tgt4oALaylQfxqbotTSNb1/+g+mKMQ=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "e4509b3a560c87a8d4cb6f9992b8915abf9e36d8",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixos-generators": "nixos-generators",
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
}

On the host, build the image and start the VM:

nix build
cp result/nixos.qcow2 .
export LIBVIRT_DEFAULT_URI=qemu:///system
virt-install --disk ./nixos.qcow2 --os-variant=debian11 --name nsstest --import --noautoconsole

In the VM:

# stub the VM IP address to resolve
cat <<EOF > /var/lib/libvirt/dnsmasq/virbr0.macs
[
  {
    "domain": "debian11",
    "macs": [
      "52:54:00:60:dc:fe"
    ]
  }
]
EOF

cat <<EOF > /var/lib/libvirt/dnsmasq/virbr0.status
[
  {
    "ip-address": "192.168.122.8",
    "mac-address": "52:54:00:60:dc:fe",
    "hostname": "debian11",
    "expiry-time": 1819155914
  }
]
EOF

getent hosts debian11 # this should get the IP address out of the plain text file in /var/lib/libvirt/dnsmasq
# no result, exit code 2

[jchv]

This seems to be an issue with systemd-resolved. I don't know how to fix it, but disabling resolved should fix the repro. I suspect there is no problem with the NSS module; systemd-resolved has all kinds of unusual behaviors and is known to have trouble with bare single-label domains among other things.

edit: This message is a bit confused (see next reply) but for posterity sake the problems I am referring to here (which might be relevant for trying to make a similar thing work in a pure systemd-resolved setup) are documented on the Arch wiki; long story short, it may be necessary to set ResolveUnicastSingleLabel=yes and disable LLMNR for systemd-resolved to properly resolve a bare single-label domain like debian11.

[jchv]

After thinking about it more, I realized what I am saying is a bit off. When I typed this I was thinking for some reason that resolved would impact the way NSS worked but of course it doesn't, resolved is just another NSS module. The real trouble is what NixOS does when resolved is enabled:

hosts:     mymachines resolve [!UNAVAIL=return] files myhostname libvirt libvirt_guest dns

That !UNAVAIL=return is a problem. Per the man page:

unavail    
       The service is permanently unavailable.  This can mean
       either that the required file cannot be read, or, for
       network services, that the server is not available or
       does not allow queries.  The default action for this
       condition is "continue".
...
return Return a result now.  Do not call any further lookup
       functions.  However, for compatibility reasons, if
       this is the selected action for the group database and
       the notfound status, and the configuration file does
       not contain the initgroups line, the next lookup
       function is always called, without affecting the
       search result.

So, as long as resolved can be reached, none of the other NSS modules will be consulted. This makes sense: systemd-resolved supports a lot of the functionality normally handled by multiple NSS modules (like mDNS) and so it doesn't really make sense to run the vast majority of NSS modules.

I don't really know what the best thing to do here would be. I'm pretty sure we don't really want the libvirt NSS modules to be higher priority than resolved, and we also don't want the fallback NSS modules to run if resolved is working. I don't think the nsswitch.conf file has advanced enough syntax to support this.

Really, I think the best bet would be to add an assertion to the libvirt NSS module that ensures it is not enabled with resolved, at least for now. Assuming there's no more obvious better solution here, the better way to go is probably to just avoid the NSS modules altogether and integrate with systemd-resolved more directly somehow.

Sorry for the confusion, I always get tangled up in the details with these things.

[jchv]

I think the best workaround I can come up with for now is to manually add the NSS module(s) you want at a higher priority than resolved. This may have some negative implications depending on your DNS configuration, but after playing around with things none of my other ideas worked well. (Another idea I had was to have resolve appear twice in the nsswitch.conf hosts list, but I wasn't able to get the desired result, and doing something like that would be a potentially gnarly breaking change, too.)

{
    system.nssModules = [ config.virtualisation.libvirtd.package ];
    system.nssDatabases.hosts = lib.mkBefore [ "libvirt libvirt_guest" ];
}

For the previous reproduction, something like this should work as expected:

{
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
    nixos-generators = {
      url = "github:nix-community/nixos-generators";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs =
    { nixpkgs, nixos-generators, ... }:
    {
      packages.x86_64-linux = {
        default = nixos-generators.nixosGenerate {
          system = "x86_64-linux";
          format = "qcow";
          modules = [
            { nix.registry.nixpkgs.flake = nixpkgs; }
            (
              { lib, config, ... }:
              {
                services.sshd.enable = true;
                system.stateVersion = lib.version;
                users.users.root.password = "root";
                services.openssh.settings.PermitRootLogin = lib.mkOverride 999 "yes";
                services.getty.autologinUser = lib.mkOverride 999 "root";
                services.resolved.enable = true;
                system.nssModules = [ config.virtualisation.libvirtd.package ];
                system.nssDatabases.hosts = lib.mkBefore [ "libvirt libvirt_guest" ];
                virtualisation.libvirtd.enable = true;
              }
            )
          ];
        };
      };
    };
}

It's unfortunate that there is no "nicer" solution here, but hopefully this at least helps.

I think I have hit a stopping point finally, sorry about sending a bunch of replies.

[michaelfranzl]

Thanks for your viewpoints.

So, as long as resolved can be reached, none of the other NSS modules will be consulted.

This is indeed how NixOS currently writes nsswitch.conf, but this explicitly and practically prevents all current and future resolving methods other than resolved, which cannot be the goal.

But I might have found the original reason for coding it like this in NixOS. From man nss-resolve (my emphasis):

To activate the NSS module, add "resolve [!UNAVAIL=return]" to the line starting with "hosts:" in /etc/nsswitch.conf. Specifically, it is recommended to place "resolve" early in /etc/nsswitch.conf's "hosts:" line. It should be before the "files" entry, since systemd-resolved supports /etc/hosts internally, but with caching. To the contrary, it should be after "mymachines", to give hostnames given to local VMs and containers precedence over names received over DNS. Finally, we recommend placing "dns" somewhere after "resolve", to fall back to nss-dns if systemd-resolved.service is not available.

So far, NixOS got that right: mymachines is before the resolved module. However, the libvirt module is conceptually very close -- or even identical -- to mymachines (because "hostnames given to local VMs"). So I would argue that the "workaround" that you suggested is the actual solution that should be permanently implemented in NixOS, iow. that libvirt and libvirt_guest should be right next to mymachines. Note that the man page (just) recommends "early" and means with this "before the 'files' entry", but it does not insist on being first or excluding other modules.

That internal domains take precedence over the DNS is pretty much expected.

[jchv]

Yeah, I think pretty much all documentation shows the libvirt NSS modules early in the chain, so it seems safe enough.

We can solve this pretty easily in NixOS by using mkBefore. The resolve NSS module is put at such a priority that it will always come just after mkBefore'd NSS modules. I'll make a new PR when I get a chance.

[michaelfranzl]

Sounds good. It should be also performant because libnss_libvirt just reads local files, there is no network involved.

While reading code, I saw that the entries in nssDatabases are actually sorted by mkOrder priorities: mymachines is 400, and resolve is 501; so values for libvirt would lie somewhere in between.

[jchv]

resolve is 501 because it's the number directly after mkBefore (500): see comment. So, I think making libvirt NSS modules mkBefore is the right way to go. Not sure if it's worth adding a NixOS test for, but it wouldn't be hard.

[michaelfranzl]

With mkBefore (prio 500), there would be no slot left between libvirt and resolve (prio 501) to insert other modules; this would go against the Open-Closed Principle. I would choose priority 450 so that there is enough space on both sides; or even 430 because it's conceptually closer to mymachines than to resolve. Choosing a prio would also be explicit, which is good. It would also be consistent with other nssDatabase modules who also picked and coded a priority explicitly.