!tCyGickeVqkHsYjWnh:nixos.org

NixOS Networking

876 Members
Declaratively manage your switching, routing, wireless, tunneling and more. | Don't rely on `networking.*` for interface and routing setup, use systemd-networkd, ifstate or NetworkManager instead. | Set `SYSTEMD_LOG_LEVEL=debug` to debug networking issues with networkd | No bad nft puns, please. | Room recommendations: #sysops:nixos.org
256 Servers

5 Apr 2026

[02:53:58] m1cr0man (@m1cr0man:m1cr0man.com): Yeah, early here too. Ttyl if you are around but thanks for the quick checks

[03:00:55] m1cr0man (@m1cr0man:m1cr0man.com): Just for sanity: the docs on mymachines demonstrate clearly that an ipv6 ping should return a scope ID https://www.freedesktop.org/software/systemd/man/latest/nss-mymachines.html

[10:35:05] m1cr0man (@m1cr0man:m1cr0man.com): A couple of straces later, I've found that libnss_mymachines.so.2 isn't in the standard library path. Adding it via LD_LIBRARY_PATH makes getent ahosts work as expected. Uh, this is where my nixos knowledge is not great - what's the right way to make this library available for the whole system? It's always dynamically loaded based on nsswitch.conf, so I can't compile it in to the necessary binaries.

[10:40:43] m1cr0man (@m1cr0man:m1cr0man.com): Another person has walked this path before 😅 systemd/lib is in nscd.service's LD_LIBRARY_PATH, and nscd.conf has an interesting note:

# Note that we can not use `enable-cache no` As this will actually cause nscd
# to just reject the nss requests it receives, which then causes glibc to
# fallback to trying to handle the request by itself. Which won't work as glibc
# is not aware of the path in which the nss modules live.  As a workaround, we
# have `enable-cache yes` with an explicit ttl of 0

[10:45:36] m1cr0man (@m1cr0man:m1cr0man.com): But this still doesn't explain why ping is not getting the result from mymachines. Perhaps nscd doesn't have permission to send the dbus message to systemd to get the container addresses?

[11:59:44] m1cr0man (@m1cr0man:m1cr0man.com): It does have perms, stracing nscd proves the same output. But somewhere between nscd getting a response from mymachines/getaddrinfo and responding to the requesting client, the scope_id is lost

[12:01:38] m1cr0man (@m1cr0man:m1cr0man.com): * It does have perms, stracing nscd proves the same output. But somewhere between nscd getting a response from mymachines and responding to the requesting client, the scope_id is lost

[17:50:29] m1cr0man (@m1cr0man:m1cr0man.com): nsncd/nscd just doesn't support scope IDs, and that's the end of the story. nss-mymachines is working fine, but with the way nixos is configured you would have to make sure libsystemd is in the LD_LIBRARY_PATH for all processes that need to do lookups. I can achieve that in my case, but it's awkward. Would be much nicer if systemd-resolved or some other tool could be a better replacement here

[17:55:37] ma27 (networkd by default when) (@ma27:nicht-so.sexy): that's kinda why I query the machines via some mechanism and nsupdate this into an authoritative dns server fwiw.

[18:01:21] m1cr0man (@m1cr0man:m1cr0man.com): Well, I think it is important to understand why stuff like that is necessary. The clean and easy solution would/does work without nscd. For the ease of use for users, I would love to make it just work tm, but it looks like that requires some edits to nsncd at least

[18:04:01] m1cr0man (@m1cr0man:m1cr0man.com): Oh nevermind, this is a wire protocol limitation on nscd. Funnn. That is so annoying

[18:04:39] hexa (clat on linux when) (@hexa:lossy.network): nscd is flokli territory

[18:04:51] hexa (clat on linux when) (@hexa:lossy.network): and ninjatrappeur, whom I can't point out right now

[18:05:02] flokli (@flokli:matrix.org): nsncd is

[18:05:06] flokli (@flokli:matrix.org): nscd is glibc

[18:05:20] hexa (clat on linux when) (@hexa:lossy.network): true

[18:05:32] m1cr0man (@m1cr0man:m1cr0man.com): yeah either or, this is a wire protocol limitation right? I did give your blog post a good read :)

[18:05:43] flokli (@flokli:matrix.org): yes

[18:06:17] flokli (@flokli:matrix.org): i should write a followup rant complaining about the lack of scope ids in the wire protocol

[18:06:34] flokli (@flokli:matrix.org): or someone else does it and I link to it, or something

[18:06:36] flokli (@flokli:matrix.org): *

[18:10:55] m1cr0man (@m1cr0man:m1cr0man.com): Alas, this is only an issue for ipv6 link local addresses, and one of the easiest solutions for nspawn is to just assign a ULA or global ipv6 prefix to the container. I think I can live with that.

[18:11:12] flokli (@flokli:matrix.org): ok

[18:11:31] m1cr0man (@m1cr0man:m1cr0man.com): It's the year of RFC108 if I can help it :)

[18:30:54] ma27 (networkd by default when) (@ma27:nicht-so.sexy): not sure I follow: don't we use nsncd as nss via ipc thing to prevent a whole lot of ABI issues you'd get by dlopening misc nss libraries into processes directly?

[20:50:15] m1cr0man (@m1cr0man:m1cr0man.com): Yeah that's all spot on. My hope in "edits to nsncd" was to make it send the scope_id, but it is a protocol issue, so that won't work. I'm not sure how prolific the dlopen issues would really be for this specifically (on my own system) because the only special ones are in the systemd package, so adding that to a global LD_LIBRARY_PATH would be OK for me - but that's not tenable for nixos defaults.

Room Version: 6