forked from lix-project/lix
Merge pull request #5384 from baloo/baloo/dns-timeout
preloadNSS / dns timeout
This commit is contained in:
commit
5fcf7f04a9
1 changed files with 31 additions and 17 deletions
|
@ -15,9 +15,14 @@
|
||||||
#include <sys/stat.h>
|
#include <sys/stat.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <signal.h>
|
#include <signal.h>
|
||||||
#include <sys/types.h>
|
#ifdef __linux__
|
||||||
#include <sys/socket.h>
|
#include <features.h>
|
||||||
#include <netdb.h>
|
#endif
|
||||||
|
#ifdef __GLIBC__
|
||||||
|
#include <gnu/lib-names.h>
|
||||||
|
#include <nss.h>
|
||||||
|
#include <dlfcn.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
#include <openssl/crypto.h>
|
#include <openssl/crypto.h>
|
||||||
|
|
||||||
|
@ -121,21 +126,30 @@ static void preloadNSS() {
|
||||||
been loaded in the parent. So we force a lookup of an invalid domain to force the NSS machinery to
|
been loaded in the parent. So we force a lookup of an invalid domain to force the NSS machinery to
|
||||||
load its lookup libraries in the parent before any child gets a chance to. */
|
load its lookup libraries in the parent before any child gets a chance to. */
|
||||||
std::call_once(dns_resolve_flag, []() {
|
std::call_once(dns_resolve_flag, []() {
|
||||||
struct addrinfo *res = NULL;
|
#ifdef __GLIBC__
|
||||||
|
/* On linux, glibc will run every lookup through the nss layer.
|
||||||
/* nss will only force the "local" (not through nscd) dns resolution if its on the LOCALDOMAIN.
|
* That means every lookup goes, by default, through nscd, which acts as a local
|
||||||
We need the resolution to be done locally, as nscd socket will not be accessible in the
|
* cache.
|
||||||
sandbox. */
|
* Because we run builds in a sandbox, we also remove access to nscd otherwise
|
||||||
char * previous_env = getenv("LOCALDOMAIN");
|
* lookups would leak into the sandbox.
|
||||||
setenv("LOCALDOMAIN", "invalid", 1);
|
*
|
||||||
if (getaddrinfo("this.pre-initializes.the.dns.resolvers.invalid.", "http", NULL, &res) == 0) {
|
* But now we have a new problem, we need to make sure the nss_dns backend that
|
||||||
if (res) freeaddrinfo(res);
|
* does the dns lookups when nscd is not available is loaded or available.
|
||||||
}
|
*
|
||||||
if (previous_env) {
|
* We can't make it available without leaking nix's environment, so instead we'll
|
||||||
setenv("LOCALDOMAIN", previous_env, 1);
|
* load the backend, and configure nss so it does not try to run dns lookups
|
||||||
} else {
|
* through nscd.
|
||||||
unsetenv("LOCALDOMAIN");
|
*
|
||||||
|
* This is technically only used for builtins:fetch* functions so we only care
|
||||||
|
* about dns.
|
||||||
|
*
|
||||||
|
* All other platforms are unaffected.
|
||||||
|
*/
|
||||||
|
if (dlopen (LIBNSS_DNS_SO, RTLD_NOW) == NULL) {
|
||||||
|
printMsg(Verbosity::lvlWarn, fmt("Unable to load nss_dns backend"));
|
||||||
}
|
}
|
||||||
|
__nss_configure_lookup ("hosts", "dns");
|
||||||
|
#endif
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue