
gitlab.com/gitlab-org/gitlab-pages.git
author: Daniel Estermann <soundcracker@gmail.com> 2021-06-07 17:54:24 +0300
committer: Daniel Estermann <Daniel.Estermann@ti8m.ch> 2021-06-09 12:04:11 +0300
commit: 56273e40459345534203433d02682c4539507c73
tree: 05f8810cb84d23b448f65ab08d8431abd541d5a3
parent: b741f846dc1b0886c8907906f8fcda2732a674c6
Include /etc/nsswitch.conf in chroot jail
Changelog: added
-rw-r--r-- README.md 4
-rw-r--r-- daemon.go 9
2 files changed, 10 insertions, 3 deletions
diff --git a/README.md b/README.md
index dad3646b..65bf127a 100644
--- a/README.md
+++ b/README.md
@@ -92,7 +92,7 @@ as.
The daemon starts listening on ports and reads certificates as root, then
re-executes itself as the specified user. When re-executing it creates a chroot jail
-containing a copy of its own binary, `/etc/hosts`, `/etc/resolv.conf`, and a bind mount of `pages-root`.
+containing a copy of its own binary, `/etc/hosts`, `/etc/nsswitch.conf`, `/etc/resolv.conf`, and a bind mount of `pages-root`.
When `-artifacts-server` points to an HTTPS URL we also need a list of certificates for
the trusted Certification Authorities to copy inside the jail.
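Review bot: The added `/etc/nsswitch.conf` entry in the jail description gives no reason for the file, so a reader auditing the jail contents cannot tell why a name-service configuration belongs there. Consider a short clause saying it is needed for `/etc/hosts` to be honoured by Go's resolver when cgo is disabled, which is what the new comment in daemon.go in this same patch states.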
@@ -110,7 +110,7 @@ $ sudo ./gitlab-pages -listen-http ":80" -pages-root path/to/gitlab/shared/pages
#### Caveats
-The `/etc/hosts` and `/etc/resolv.conf` files, and any file pointed to by the `SSL_CERT_FILE`
+The `/etc/hosts`, `/etc/resolv.conf` and `/etc/nsswitch.conf` files, and any file pointed to by the `SSL_CERT_FILE`
environment variable, will be copied into the jail. As a result, changes to
these files will not be reflected in Pages until it's restarted.
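Review bot: The Caveats sentence says `/etc/nsswitch.conf` "will be copied into the jail", but the daemon.go change in this patch makes that copy best-effort: a failure only logs a warning and startup continues. The README should say the file is copied when it can be, and that without it `/etc/hosts` entries may not be used inside the jail. The file order here (hosts, resolv.conf, nsswitch.conf) also differs from the list in the first README hunk (hosts, nsswitch.conf, resolv.conf); keep one order.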
diff --git a/daemon.go b/daemon.go
index c2a995d8..48962b19 100644
--- a/daemon.go
+++ b/daemon.go
@@ -229,7 +229,7 @@ func jailCreate(cmd *exec.Cmd) (*jail.Jail, error) {
return nil, err
}
- // Add /etc/resolv.conf and /etc/hosts inside the jail
+ // Add /etc/resolv.conf, /etc/hosts and /etc/nsswitch.conf inside the jail
cage.MkDir("/etc", 0755)
err = cage.Copy("/etc/resolv.conf")
if err != nil {
@@ -240,6 +240,13 @@ func jailCreate(cmd *exec.Cmd) (*jail.Jail, error) {
return nil, err
}
+ // When cgo is disabled, Go does not read `/etc/hosts` unless `/etc/nsswitch.conf` exists
+ // https://github.com/golang/go/issues/22846
+ err = cage.Copy("/etc/nsswitch.conf")
+ if err != nil {
+ log.WithError(err).Warn("/etc/nsswitch.conf couldn't be copied to the jail, /etc/hosts might not be applicable")
+ }
+
// Add certificates inside the jail
err = jailDaemonCerts(cmd, cage)
if err != nil {
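Review bot: In the new `cage.Copy("/etc/nsswitch.conf")` block every error is downgraded to a warning, while the copy just before it ends in `return nil, err`. Tolerating a missing file is reasonable, but a permission or I/O error is handled the same way, and in either case the daemon runs with `/etc/hosts` ignored, so any host overrides an operator relies on fall through to DNS without a hard failure. Consider tolerating only the not-exist case (for example with `os.IsNotExist(err)`, if the jail package preserves the underlying error) and returning other errors. The message "/etc/hosts might not be applicable" is also vague; state the consequence directly, for example that entries in /etc/hosts will not be used for name resolution inside the jail.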