The one thing I forgot to bring up today was the situation regarding nsswitch.conf on the current bookworm images. You can find context in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072380, but the short story is that, when we switched to installing libnss-myhostname instead of libnss-resolve on the bookworm images (both built from src:systemd), we uncovered a bug in the systemd packaging that results in the myhostname module being inserted in a suboptimal order in nsswitch.conf. Independently of the cloud images, the issue was fixed in sid/testing recently.
I'm working with the systemd maintainers and stable release team to get this addressed in bookworm. If, for some reason, we can't get this fixed in the systemd packages, we can work around it in our image builds. I don't anticipate that being necessary, though.

noah