nrabulinski/lix
0
0
Fork 0
forked from lix-project/lix
Code Pull requests Activity

Merge pull request #5384 from baloo/baloo/dns-timeout

Browse source 
preloadNSS / dns timeout
This commit is contained in:
Eelco Dolstra 2021-11-25 17:37:53 +01:00 committed by GitHub
parent d5d0621250 fa4abe46e2
commit 5fcf7f04a9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 31 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

48
src/libmain/shared.cc
View file

@ -15,9 +15,14 @@
#include <sys/stat.h> #include <sys/stat.h>
#include <unistd.h> #include <unistd.h>
#include <signal.h> #include <signal.h>
#include <sys/types.h> #ifdef __linux__
#include <sys/socket.h> #include <features.h>
#include <netdb.h> #endif
#ifdef __GLIBC__
#include <gnu/lib-names.h>
#include <nss.h>
#include <dlfcn.h>
#endif
#include <openssl/crypto.h> #include <openssl/crypto.h>
@ -121,21 +126,30 @@ static void preloadNSS() {
been loaded in the parent. So we force a lookup of an invalid domain to force the NSS machinery to been loaded in the parent. So we force a lookup of an invalid domain to force the NSS machinery to
load its lookup libraries in the parent before any child gets a chance to. */ load its lookup libraries in the parent before any child gets a chance to. */
std::call_once(dns_resolve_flag, []() { std::call_once(dns_resolve_flag, []() {
struct addrinfo *res = NULL; #ifdef __GLIBC__
/* On linux, glibc will run every lookup through the nss layer.
/* nss will only force the "local" (not through nscd) dns resolution if its on the LOCALDOMAIN. * That means every lookup goes, by default, through nscd, which acts as a local
We need the resolution to be done locally, as nscd socket will not be accessible in the * cache.
sandbox. */ * Because we run builds in a sandbox, we also remove access to nscd otherwise
char * previous_env = getenv("LOCALDOMAIN"); * lookups would leak into the sandbox.
setenv("LOCALDOMAIN", "invalid", 1); *
if (getaddrinfo("this.pre-initializes.the.dns.resolvers.invalid.", "http", NULL, &res) == 0) { * But now we have a new problem, we need to make sure the nss_dns backend that
if (res) freeaddrinfo(res); * does the dns lookups when nscd is not available is loaded or available.
} *
if (previous_env) { * We can't make it available without leaking nix's environment, so instead we'll
setenv("LOCALDOMAIN", previous_env, 1); * load the backend, and configure nss so it does not try to run dns lookups
} else { * through nscd.
unsetenv("LOCALDOMAIN"); *
* This is technically only used for builtins:fetch* functions so we only care
* about dns.
*
* All other platforms are unaffected.
*/
if (dlopen (LIBNSS_DNS_SO, RTLD_NOW) == NULL) {
printMsg(Verbosity::lvlWarn, fmt("Unable to load nss_dns backend"));
} }
__nss_configure_lookup ("hosts", "dns");
#endif
}); });
} }