author | Jörg Thalheim <Mic92@users.noreply.github.com> | 2018-12-12 23:18:09 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-12-12 23:18:09 +0000 |
commit | 5feba458a260e9f9821bf373eb83280d08b1a657 (patch) | |
tree | 850e53ba75634b992dbaca38a0b8249fecddf40e /nixos | |
parent | 7cbb09a2ecc85bc9ff699ee1a8ec5ac716986090 (diff) | |
parent | 1d5f4cbb784904e0a6420cc62b0b24ca0873abc5 (diff) | |
Merge pull request #50316 from arianvp/fix-dynamic-user
Disable nscd caching
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1903.xml | 59 | ||||
-rw-r--r-- | nixos/modules/services/misc/nscd-sssd.conf | 36 | ||||
-rw-r--r-- | nixos/modules/services/misc/sssd.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/system/nscd.conf | 34 | ||||
-rw-r--r-- | nixos/tests/systemd.nix | 5 |
5 files changed, 93 insertions, 42 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml
index bade93c0984e..9405bf063d51 100644
--- a/nixos/doc/manual/release-notes/rl-1903.xml
+++ b/nixos/doc/manual/release-notes/rl-1903.xml
@@ -247,6 +247,65 @@ </listitem> <listitem> <para> + The <literal>nscd</literal> service now disables all caching of + <literal>passwd</literal> and <literal>group</literal> databases by + default. This was interferring with the correct functioning of the + <literal>libnss_systemd.so</literal> module which is used by + <literal>systemd</literal> to manage uids and usernames in the presence of + <literal>DynamicUser=</literal> in systemd services. This was already the + default behaviour in presence of <literal>services.sssd.enable = + true</literal> because nscd caching would interfere with + <literal>sssd</literal> in unpredictable ways as well. Because we're + using nscd not for caching, but for convincing glibc to find NSS modules + in the nix store instead of an absolute path, we have decided to disable + caching globally now, as it's usually not the behaviour the user wants and + can lead to surprising behaviour. Furthermore, negative caching of host + lookups is also disabled now by default. This should fix the issue of dns + lookups failing in the presence of an unreliable network. + </para> + <para> + If the old behaviour is desired, this can be restored by setting + the <literal>services.nscd.config</literal> option + with the desired caching parameters. 
+ <programlisting> + services.nscd.config = + '' + server-user nscd + threads 1 + paranoia no + debug-level 0 + + enable-cache passwd yes + positive-time-to-live passwd 600 + negative-time-to-live passwd 20 + suggested-size passwd 211 + check-files passwd yes + persistent passwd no + shared passwd yes + + enable-cache group yes + positive-time-to-live group 3600 + negative-time-to-live group 60 + suggested-size group 211 + check-files group yes + persistent group no + shared group yes + + enable-cache hosts yes + positive-time-to-live hosts 600 + negative-time-to-live hosts 5 + suggested-size hosts 211 + check-files hosts yes + persistent hosts no + shared hosts yes + ''; + </programlisting> + See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/50316">#50316</link> + for details. + </para> + </listitem> + <listitem> + <para> GitLab Shell previously used the nix store paths for the <literal>gitlab-shell</literal> command in its <literal>authorized_keys</literal> file, which might stop working after diff --git a/nixos/modules/services/misc/nscd-sssd.conf b/nixos/modules/services/misc/nscd-sssd.conf deleted file mode 100644 index 92380f3e4ba4..000000000000 --- a/nixos/modules/services/misc/nscd-sssd.conf +++ /dev/null 
@@ -1,36 +0,0 @@ -server-user nscd -threads 1 -paranoia no -debug-level 0 - -enable-cache passwd yes -positive-time-to-live passwd 0 -negative-time-to-live passwd 0 -suggested-size passwd 211 -check-files passwd yes -persistent passwd no -shared passwd yes - -enable-cache group yes -positive-time-to-live group 0 -negative-time-to-live group 0 -suggested-size group 211 -check-files group yes -persistent group no -shared group yes - -enable-cache hosts yes -positive-time-to-live hosts 600 -negative-time-to-live hosts 5 -suggested-size hosts 211 -check-files hosts yes -persistent hosts no -shared hosts yes - -enable-cache services yes -positive-time-to-live services 0 -negative-time-to-live services 0 -suggested-size services 211 -check-files services yes -persistent services no -shared services yes diff --git a/nixos/modules/services/misc/sssd.nix b/nixos/modules/services/misc/sssd.nix index e818f4a4804d..fe472a6c68e5 100644 --- a/nixos/modules/services/misc/sssd.nix +++ b/nixos/modules/services/misc/sssd.nix @@ -75,7 +75,6 @@ in { }; system.nssModules = optional cfg.enable pkgs.sssd; - services.nscd.config = builtins.readFile ./nscd-sssd.conf; services.dbus.packages = [ pkgs.sssd ]; }) diff --git a/nixos/modules/services/system/nscd.conf b/nixos/modules/services/system/nscd.conf index 6d0dcacf9778..603a5d01acce 100644 --- a/nixos/modules/services/system/nscd.conf +++ b/nixos/modules/services/system/nscd.conf 
@@ -1,28 +1,52 @@ +# We basically use nscd as a proxy for forwarding nss requests to appropriate +# nss modules, as we run nscd with LD_LIBRARY_PATH set to the directory +# containing all such modules +# Note that we can not use `enable-cache no` As this will actually cause nscd +# to just reject the nss requests it receives, which then causes glibc to +# fallback to trying to handle the request by itself. Which won't work as glibc +# is not aware of the path in which the nss modules live. As a workaround, we +# have `enable-cache yes` with an explicit ttl of 0 server-user nscd threads 1 paranoia no debug-level 0 enable-cache passwd yes -positive-time-to-live passwd 600 -negative-time-to-live passwd 20 +positive-time-to-live passwd 0 +negative-time-to-live passwd 0 suggested-size passwd 211 check-files passwd yes persistent passwd no shared passwd yes enable-cache group yes -positive-time-to-live group 3600 -negative-time-to-live group 60 +positive-time-to-live group 0 +negative-time-to-live group 0 suggested-size group 211 check-files group yes persistent group no shared group yes +enable-cache netgroup yes +positive-time-to-live netgroup 0 +negative-time-to-live netgroup 0 +suggested-size netgroup 211 +check-files netgroup yes +persistent netgroup no +shared netgroup yes + enable-cache hosts yes positive-time-to-live hosts 600 -negative-time-to-live hosts 5 +negative-time-to-live hosts 0 suggested-size hosts 211 check-files hosts yes persistent hosts no shared hosts yes + +enable-cache services yes +positive-time-to-live services 0 +negative-time-to-live services 0 +suggested-size services 211 +check-files services yes +persistent services no +shared services yes diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix index 65aa553b3148..4d470126abee 100644 --- a/nixos/tests/systemd.nix +++ b/nixos/tests/systemd.nix 
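Review bot: `positive-time-to-live hosts 600` is now the only non-zero TTL in the file, yet the new header comment only explains the TTL-0 workaround for the NSS-proxy case and says nothing about why hosts keeps positive caching; a reader will assume it was simply missed. nscd applies this configured TTL rather than the DNS record's own TTL, so a 600-second positive cache can keep handing out an address for up to ten minutes after the record changes, which matters for anything that relies on DNS rotation for failover or revocation. Please state the exception next to the hosts section, e.g. `# hosts deliberately keeps a 600s positive TTL (nscd uses this value, not the DNS record TTL); only negative caching is disabled, see the release note.` The header comment itself also reads as fragments ("... all such modules" with no period, "As this will actually ..." mid-sentence) and would be clearer as two full sentences, the first ending after "modules." and the second starting "We cannot use `enable-cache no`, as this causes nscd to reject ..."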
@@ -56,6 +56,11 @@ import ./make-test.nix { $machine->succeed('test -z $(ls -1 /var/log/journal)'); }; + # Regression test for https://github.com/NixOS/nixpkgs/issues/50273 + subtest "DynamicUser actually allocates a user", sub { + $machine->succeed('systemd-run --pty --property=Type=oneshot --property=DynamicUser=yes --property=User=iamatest whoami | grep iamatest'); + }; + # Regression test for https://github.com/NixOS/nixpkgs/issues/35268 subtest "file system with x-initrd.mount is not unmounted", sub { $machine->shutdown; |
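Review bot: The new subtest's success check `| grep iamatest` is an unanchored substring match, so any output line merely containing that string (a longer username, a warning that echoes the requested `User=` value) would also pass and the regression test would not catch a half-working allocation. Pin it to the exact name, e.g. `... whoami | grep -x iamatest` or `test "$(systemd-run ... whoami)" = iamatest`. It is also worth confirming that `--pty` behaves under the test driver's non-interactive shell; if it does not, `--wait --pipe` (or capturing via `--property=StandardOutput=` and reading the journal) is the more robust way to get whoami's output back. The surrounding testScript block starts and ends outside this hunk.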