From d296c20f1fff6a258cc6eacd2141058daa49a1ff Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 17 Aug 2020 09:10:32 +0200
Subject: [PATCH] man: move 'files' module in NSS 'hosts:' line before
 myhostname

I am pretty sure /etc/hosts (i.e. an explicitly configured, local,
trusted database) should be useful for overriding the automatic
myhostname logic.

resolved's internal logic handles it that way and hence we should
suggest it in the NSS fallback line, too.

Let's also bring the factory file back into sync with what the docs say.

And update the prose a bit too, to actually match what we recommend.
---
 factory/etc/nsswitch.conf |  2 +-
 man/nss-myhostname.xml    | 18 +++++++++---------
 man/nss-mymachines.xml    | 12 ++++++------
 man/nss-resolve.xml       | 18 ++++++++----------
 man/nss-systemd.xml       |  2 +-
 5 files changed, 25 insertions(+), 27 deletions(-)

diff --git a/factory/etc/nsswitch.conf b/factory/etc/nsswitch.conf
index da74b19d90..d87f8811ec 100644
--- a/factory/etc/nsswitch.conf
+++ b/factory/etc/nsswitch.conf
@@ -4,7 +4,7 @@ passwd:         compat systemd
 group:          compat [SUCCESS=merge] systemd
 shadow:         compat
 
-hosts:          files mymachines resolve [!UNAVAIL=return] dns myhostname
+hosts:          mymachines resolve [!UNAVAIL=return] files myhostname dns
 networks:       files
 
 protocols:      db files
diff --git a/man/nss-myhostname.xml b/man/nss-myhostname.xml
index a41c383bb3..b424f1fbd2 100644
--- a/man/nss-myhostname.xml
+++ b/man/nss-myhostname.xml
@@ -67,12 +67,12 @@
     <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>
 
     <para>It is recommended to place <literal>myhostname</literal> either between <literal>resolve</literal>
-    and "traditional" modules like <literal>files</literal> and <literal>dns</literal>, or after them. In the
-    first version, well-known names like <literal>localhost</literal> and the machine hostname are given
-    higher priority than the external configuration. This is recommended when the external DNS servers and
-    network are not absolutely trusted. In the second version, external configuration is given higher
-    priority and <command>nss-myhostname</command> only provides a fallback mechanism. This might be suitable
-    in closely controlled networks, for example on a company LAN.</para>
+    and "traditional" modules like <literal>dns</literal>, or after them. In the first version, well-known
+    names like <literal>localhost</literal> and the machine hostname are given higher priority than the
+    external configuration. This is recommended when the external DNS servers and network are not absolutely
+    trusted. In the second version, external configuration is given higher priority and
+    <command>nss-myhostname</command> only provides a fallback mechanism. This might be suitable in closely
+    controlled networks, for example on a company LAN.</para>
   </refsect1>
 
   <refsect1>
@@ -83,11 +83,11 @@
 
     <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
 <programlisting>passwd:         compat systemd
-group:          compat systemd
+group:          compat [SUCCESS=merge] systemd
 shadow:         compat
 
-# Either (untrusted network):
-hosts:          mymachines resolve [!UNAVAIL=return] <command>myhostname</command> files dns
+# Either (untrusted network, see above):
+hosts:          mymachines resolve [!UNAVAIL=return] files <command>myhostname</command> dns
 # Or (only trusted networks):
 hosts:          mymachines resolve [!UNAVAIL=return] files dns <command>myhostname</command>
 networks:       files
diff --git a/man/nss-mymachines.xml b/man/nss-mymachines.xml
index e0e6989c40..56ee073c8a 100644
--- a/man/nss-mymachines.xml
+++ b/man/nss-mymachines.xml
@@ -42,10 +42,10 @@
     <para>To activate the NSS module, add <literal>mymachines</literal> to the line starting with
     <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>
 
-    <para>It is recommended to place <literal>mymachines</literal> after the <literal>files</literal> or
-    <literal>compat</literal> entry of the <filename>/etc/nsswitch.conf</filename> line to make sure that its
-    mappings are preferred over other resolvers such as DNS, but so that <filename>/etc/hosts</filename>
-    based mappings take precedence.</para>
+    <para>It is recommended to place <literal>mymachines</literal> before the <literal>resolve</literal> or
+    <literal>dns</literal> entry of the <literal>hosts:</literal> line of
+    <filename>/etc/nsswitch.conf</filename> in order to make sure that its mappings are preferred over other
+    resolvers such as DNS.</para>
   </refsect1>
 
   <refsect1>
@@ -56,10 +56,10 @@
 
     <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
     <programlisting>passwd:         compat systemd
-group:          compat systemd
+group:          compat [SUCCESS=merge] systemd
 shadow:         compat
 
-hosts:          <command>mymachines</command> resolve [!UNAVAIL=return] myhostname files dns
+hosts:          <command>mymachines</command> resolve [!UNAVAIL=return] files myhostname dns
 networks:       files
 
 protocols:      db files
diff --git a/man/nss-resolve.xml b/man/nss-resolve.xml
index c377468953..e6963e5812 100644
--- a/man/nss-resolve.xml
+++ b/man/nss-resolve.xml
@@ -44,14 +44,12 @@
     <literal>dns</literal> somewhere after <literal>resolve</literal>, to fall back to
     <command>nss-dns</command> if <filename>systemd-resolved.service</filename> is not available.</para>
 
-    <para>Note that <command>systemd-resolved</command> will synthesize DNS resource
-    records in a few cases, for example for <literal>localhost</literal> and the
-    current hostname, see
-    <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>
-    for the full list. This duplicates the functionality of
-    <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
-    but it is still recommended (see examples below) to keep
-    <command>nss-myhostname</command> configured in
+    <para>Note that <command>systemd-resolved</command> will synthesize DNS resource records in a few cases,
+    for example for <literal>localhost</literal> and the current local hostname, see
+    <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
+    the full list. This duplicates the functionality of
+    <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>, but
+    it is still recommended (see examples below) to keep <command>nss-myhostname</command> configured in
     <filename>/etc/nsswitch.conf</filename>, to keep those names resolveable if
     <command>systemd-resolved</command> is not running.</para>
   </refsect1>
@@ -64,10 +62,10 @@
 
     <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
 <programlisting>passwd:         compat systemd
-group:          compat systemd
+group:          compat [SUCCESS=merge] systemd
 shadow:         compat
 
-hosts:          mymachines <command>resolve [!UNAVAIL=return]</command> myhostname files dns
+hosts:          mymachines <command>resolve [!UNAVAIL=return]</command> files myhostname dns
 networks:       files
 
 protocols:      db files
diff --git a/man/nss-systemd.xml b/man/nss-systemd.xml
index 34aee0e880..6285b8da9d 100644
--- a/man/nss-systemd.xml
+++ b/man/nss-systemd.xml
@@ -65,7 +65,7 @@
 group:          compat [SUCCESS=merge] <command>systemd</command>
 shadow:         compat
 
-hosts:          mymachines resolve [!UNAVAIL=return] myhostname files dns
+hosts:          mymachines resolve [!UNAVAIL=return] files myhostname dns
 networks:       files
 
 protocols:      db files