nixos/nsd: Don't override bind via nixpkgs.config #53365

Merged
merged 2 commits into from Jan 10, 2019

aszlig (Member) commented Jan 4, 2019

When generating values for the services.nsd.zones attribute using values from pkgs, we'll run into an infinite recursion because the nsd module has a condition on the top-level definition of nixpkgs.config.

While it would work to push the definition a few levels down, it will still only work if we don't use bind tools for generating zones.

As far as I could see, Python support for BIND seems to be only needed for the dnssec-* tools, so instead of using nixpkgs.config, we now directly override pkgs.bind instead of globally in nixpkgs.

To illustrate the problem with a small test case, instantiating the following Nix expression from the nixpkgs source root will cause the mentioned infinite recursion:

```nix
(import ./nixos {
  configuration = { lib, pkgs, ... }: {
    services.nsd.enable = true;
    services.nsd.zones = import (pkgs.writeText "foo.nix" ''
      { "foo.".data = "xyz";
        "foo.".dnssec = true;
      }
    '');
  };
}).vm
```

With this change, generating zones via import-from-derivation is now possible again.


@pngwjpgh: Can you please check whether DNSSEC still works after this?

Cc: @hrdinka
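
The dependency cycle described above can be reproduced without nixpkgs. The following is an added model, not code from the PR or the nsd module: `mkPkgs`, `eval`, `hasDnssec` and `zoneData` are hypothetical names, `//` stands in for `pkgs.bind.override`, and the package set being strict in its config is a modelling assumption.

```nix
# Constructed model of the evaluation cycle; not code from the nsd module.
#   nix-instantiate --eval --strict model.nix -A localOverride      # evaluates
#   nix-instantiate --eval --strict model.nix -A pushedDown.plain   # evaluates
#   nix-instantiate --eval --strict model.nix -A pushedDown.viaBind # infinite recursion
#   nix-instantiate --eval --strict model.nix -A topLevel           # infinite recursion
let
  # Stand-in for importing nixpkgs: strict in the config it is given.
  mkPkgs = zonesUseBind: nixpkgsConfig: builtins.seq nixpkgsConfig (rec {
    bind = { enablePython = nixpkgsConfig.bind.enablePython or false; };
    zoneData = { "foo." = { data = "xyz"; dnssec = true; }; };
    # Zones derived from pkgs (import-from-derivation in the PR); optionally
    # produced with bind tools, which makes them depend on bind's config.
    generatedZones =
      if zonesUseBind then builtins.seq bind.enablePython zoneData else zoneData;
  });

  hasDnssec = zones:
    builtins.any (z: z.dnssec or false) (builtins.attrValues zones);

  # One evaluation: nixpkgs.config is computed from the zones by mkConfig.
  eval = zonesUseBind: mkConfig: rec {
    nixpkgsConfig = mkConfig zones;
    pkgs = mkPkgs zonesUseBind nixpkgsConfig;
    zones = pkgs.generatedZones;
    signerHasPython = pkgs.bind.enablePython;
  };
in
{
  # Condition on the whole nixpkgs.config: config -> zones -> pkgs -> config.
  topLevel = eval false
    (zones: if hasDnssec zones then { bind.enablePython = true; } else { });

  # Condition pushed down to the leaf value: works until zones need bind.
  pushedDown = {
    plain = eval false (zones: { bind.enablePython = hasDnssec zones; });
    viaBind = eval true (zones: { bind.enablePython = hasDnssec zones; });
  };

  # The PR's approach: leave nixpkgs.config alone, override bind locally.
  localOverride = rec {
    pkgs = mkPkgs true { };
    zones = pkgs.generatedZones;
    signer = pkgs.bind // { enablePython = hasDnssec zones; };
  };
}
```

Only `localOverride` keeps the package set independent of the zone data, so zones can be generated from `pkgs`, with or without bind tools, while the signer still gets its Python-enabled bind.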

When generating values for the services.nsd.zones attribute using values
from pkgs, we'll run into an infinite recursion because the nsd module
has a condition on the top-level definition of nixpkgs.config.

While it would work to push the definition a few levels down, it will
still only work if we don't use bind tools for generating zones.

As far as I could see, Python support for BIND seems to be only needed
for the dnssec-* tools, so instead of using nixpkgs.config, we now
directly override pkgs.bind instead of globally in nixpkgs.

To illustrate the problem with a small test case, instantiating the
following Nix expression from the nixpkgs source root will cause the
mentioned infinite recursion:

  (import ./nixos {
    configuration = { lib, pkgs, ... }: {
      services.nsd.enable = true;
      services.nsd.zones = import (pkgs.writeText "foo.nix" ''
        { "foo.".data = "xyz";
          "foo.".dnssec = true;
        }
      '');
    };
  }).vm

With this change, generating zones via import-from-derivation is now
possible again.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @pngwjpgh

While at it (see previous commit), using attrNames in combination with
length is a bit verbose for checking whether the filtered attribute set
is empty, so let's just compare it against an empty attribute set.

Signed-off-by: aszlig <aszlig@nix.build>

hrdinka (Contributor) commented Jan 4, 2019

@aszlig Thanks for the patch. I wasn't even aware of these DNSSEC changes :/

This should never have been done that way and your patch corrects it. Therefore I am happy with merging.

I don't think that this change will break anything. However, my hoster does not support DNSSEC, so let's wait for @pngwjpgh testing it.

hrdinka (Contributor) commented Jan 10, 2019

@pngwjpgh If you need some more time for testing, please drop a short line. If not, I will merge this in a few days. It is a simple change and I don't want to have it sit around for too long.

vcunat (Member) left a comment

I feel certain about merging this. Magically overriding nixpkgs-wide bind was ugly.

I'm not even sure why enablePython is there, as the dnssec-* tools used here seem present even without it, but I can't say I know the bind dnssec-* toolset that well. Anyway, the whole override could be removed later; it seems of little consequence.

vcunat (Member) commented Jan 10, 2019

I even feel like picking this to 18.09, but I'll wait for a few days at least.

@vcunat vcunat merged commit 6446d9e into NixOS:master Jan 10, 2019
vdemeester pushed a commit to vdemeester/nixpkgs that referenced this pull request Jan 10, 2019