6008246790
When a system has a wrong date and time timesyncd is unable to synchronize it because DNSSEC doesn't work. In order to break this chicken and egg problem systemd-timesync disables DNSSEC validation by setting SYSTEMD_NSS_RESOLVE_VALIDATE=0 in the unit file. However, it doesn't work in NixOS because it uses NSCD. This patch disables NSCD in systemd-timesyncd when SYSTEMD_NSS_RESOLVE_VALIDATE is set to 0 so that it uses NSS libraries directly. In order for it to be able to find the libnss_resolve.so.2 library this patch adds the systemd directory in the nix store to the LD_LIBRARY_PATH.
46 lines
1.7 KiB
Diff
46 lines
1.7 KiB
Diff
From 7a27556920fe1feefd17096841c8f3ca1294a1b3 Mon Sep 17 00:00:00 2001
|
|
From: Yuri Nesterov <yuriy.nesterov@unikie.com>
|
|
Date: Wed, 21 Jun 2023 17:17:38 +0300
|
|
Subject: [PATCH] timesyncd: disable NSCD when DNSSEC validation is disabled
|
|
|
|
Systemd-timesyncd sets SYSTEMD_NSS_RESOLVE_VALIDATE=0 in the unit file
|
|
to disable DNSSEC validation but it doesn't work when NSCD is used in
|
|
the system. This patch disabes NSCD in systemd-timesyncd when
|
|
SYSTEMD_NSS_RESOLVE_VALIDATE is set to 0 so that it uses NSS libraries
|
|
directly.
|
|
---
|
|
src/timesync/timesyncd.c | 11 +++++++++++
|
|
1 file changed, 11 insertions(+)
|
|
|
|
diff --git a/src/timesync/timesyncd.c b/src/timesync/timesyncd.c
|
|
index 1d8ebecc91..2b0ae361ff 100644
|
|
--- a/src/timesync/timesyncd.c
|
|
+++ b/src/timesync/timesyncd.c
|
|
@@ -21,6 +21,11 @@
|
|
#include "timesyncd-conf.h"
|
|
#include "timesyncd-manager.h"
|
|
#include "user-util.h"
|
|
+#include "env-util.h"
|
|
+
|
|
+struct traced_file;
|
|
+extern void __nss_disable_nscd(void (*)(size_t, struct traced_file *));
|
|
+static void register_traced_file(size_t dbidx, struct traced_file *finfo) {}
|
|
|
|
static int advance_tstamp(int fd, const struct stat *st) {
|
|
assert_se(fd >= 0);
|
|
@@ -198,6 +203,12 @@ static int run(int argc, char *argv[]) {
|
|
if (r < 0)
|
|
return log_error_errno(r, "Failed to parse fallback server strings: %m");
|
|
|
|
+ r = getenv_bool_secure("SYSTEMD_NSS_RESOLVE_VALIDATE");
|
|
+ if (r == 0) {
|
|
+ log_info("Disabling NSCD because DNSSEC validation is turned off");
|
|
+ __nss_disable_nscd(register_traced_file);
|
|
+ }
|
|
+
|
|
log_debug("systemd-timesyncd running as pid " PID_FMT, getpid_cached());
|
|
|
|
notify_message = notify_start("READY=1\n"
|
|
--
|
|
2.34.1
|
|
|