authorArthur Gautier <baloo@superbaloo.net>2021-10-16 01:39:14 +0000
committerArthur Gautier <baloo@superbaloo.net>2021-10-16 02:55:25 +0000
commitfa4abe46e2cedfacc90c82177671a3000b229f28 (patch)
treec1ff0db0e7400f1f463d639537200e3f46d148f3
parentc345a4a1e8ad2c5274b06a72337b91a6d11c7f8a (diff)
preloadNSS: document the preload mechanism
Signed-off-by: Arthur Gautier <baloo@superbaloo.net>
-rw-r--r--src/libmain/shared.cc18
1 files changed, 18 insertions, 0 deletions
diff --git a/src/libmain/shared.cc b/src/libmain/shared.cc
index 5eb7871f3..b6bfea8cb 100644
--- a/src/libmain/shared.cc
+++ b/src/libmain/shared.cc
@@ -127,6 +127,24 @@ static void preloadNSS() {
load its lookup libraries in the parent before any child gets a chance to. */
std::call_once(dns_resolve_flag, []() {
#ifdef __GLIBC__
+ /* On linux, glibc will run every lookup through the nss layer.
+ * That means every lookup goes, by default, through nscd, which acts as a local
+ * cache.
+ * Because we run builds in a sandbox, we also remove access to nscd otherwise
+ * lookups would leak into the sandbox.
+ *
+ * But now we have a new problem, we need to make sure the nss_dns backend that
+ * does the dns lookups when nscd is not available is loaded or available.
+ *
+ * We can't make it available without leaking nix's environment, so instead we'll
+ * load the backend, and configure nss so it does not try to run dns lookups
+ * through nscd.
+ *
+ * This is technically only used for builtins:fetch* functions so we only care
+ * about dns.
+ *
+ * All other platforms are unaffected.
+ */
if (dlopen (LIBNSS_DNS_SO, RTLD_NOW) == NULL) {
printMsg(Verbosity::lvlWarn, fmt("Unable to load nss_dns backend"));
}
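Review bot: The new comment promises that the code will "configure nss so it does not try to run dns lookups through nscd", but the hunk only shows the dlopen of the nss_dns backend; that configuration step is not visible here and preloadNSS continues past the hunk, so the comment should point at where it happens or be scoped to what this block does. The sentence "otherwise lookups would leak into the sandbox" reads backwards to me — presumably the concern is that a sandboxed build could reach the host's nscd and resolve names it should not, so something like `* otherwise builds inside the sandbox could resolve names through the host's nscd.` would state the isolation goal more precisely; please confirm the intent. The failure branch at the end of the hunk only warns and continues, which the comment should say explicitly (`* A failed dlopen is non-fatal here: we only warn, and resolution may fail later.`), and including the loader's reason in the message, `printMsg(Verbosity::lvlWarn, fmt("Unable to load nss_dns backend: %s", dlerror()));`, would make that warning actionable when it fires.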