Comparing changes
base repository: NixOS/nixpkgs
base: 3c65adaa750a
head repository: NixOS/nixpkgs
compare: a0ba42e3f4e7
- 8 commits
- 2 files changed
- 2 contributors
Commits on Jul 3, 2019
- nixos/nscd: no longer need to wait for readiness
This postStart step was introduced on 2014-04-24 with the comment that "Nscd forks into the background before it's ready to accept connections." However, that was fixed upstream almost two months earlier, on 2014-03-03, with the comment that "This, along with setting the nscd service type to forking in its systemd configuration file, allows systemd to be certain that the nscd service is ready and is accepting connections." The fix was released several months later in glibc 2.20, which was merged in NixOS sometime before 15.09, so it certainly should be safe to remove this workaround by now.
- nixos/nscd: let systemd manage directories
Previously this module created both /var/db/nscd and /run/nscd using shell commands in a preStart script. Note that both of these paths are hard-coded in the nscd source. (Well, the latter is actually /var/run/nscd but /var/run is a symlink to /run so it works out the same.) /var/db/nscd is only used if the nscd.conf "persistent" option is turned on for one or more databases, which it is not in our default config file. I'm not even sure persistent mode can work under systemd, since `nscd --shutdown` is not synchronous so systemd will always unceremoniously kill nscd without reliably giving it time to mark the databases as unused. Nonetheless, if someone wants to use that option, they can ensure the directory exists using systemd.tmpfiles.rules. systemd can create /run/nscd for us with the RuntimeDirectory directive, with the added benefit of causing systemd to delete the directory on service stop or restart. The default value of RuntimeDirectoryMode is 755, the same as the mode which this module was using before. I don't think the `rm -f /run/nscd/nscd.pid` was necessary after NixOS switched to systemd and used its PIDFile directive, because systemd deletes the specified file after the service stops, and because the file can't persist across reboots since /run is a tmpfs. Even if the file still exists when nscd starts, it's only a problem if the pid it contains has been reused by another process, which is unlikely. Anyway, this change makes that deletion even less necessary, because now systemd deletes the entire /run/nscd directory when the service stops.
- nixos/nscd: run with a dynamic user
nscd doesn't create any files outside of /run/nscd unless the nscd.conf "persistent" option is used, which we don't do by default. Therefore it doesn't matter what UID/GID we run this service as, so long as it isn't shared with any other running processes. /run/nscd does need to be owned by the same UID that the service is running as, but systemd takes care of that for us thanks to the RuntimeDirectory directive. If someone wants to turn on the "persistent" option, they need to manually configure users.users.nscd and systemd.tmpfiles.rules so that /var/db/nscd is owned by the same user that nscd runs as. In an all-defaults boot.isContainer configuration of NixOS, this removes the only user which did not have a pre-assigned UID.
- nixos/nscd: delete redundant nscd.conf options
These options were being set to the same value as the defaults that are hardcoded in nscd. Delete them so it's clear which settings are actually important for NixOS. One exception is `threads 1`, which is different from the built-in default of 4. However, both values are equivalent because nscd forces the number of threads to be at least as many as the number of kinds of databases it supports, which is 5.
Commits on Jul 6, 2019
- nixos/nscd: don't need to specify username
Thanks to @arianvp for pointing out that when DynamicUser is true, systemd defaults the value of User to be the name of the unit, which in this case is already "nscd".
Commits on Jul 7, 2019
- nixos/nscd: only drop privs after nss module init
NixOS usually needs nscd just to have a single place where LD_LIBRARY_PATH can be set to include all NSS modules, but nscd is also useful if some of the NSS modules need to read files which are only accessible by root. For example, nixos/modules/config/ldap.nix needs this when users.ldap.enable = true; users.ldap.daemon.enable = false; and users.ldap.bind.passwordFile exists. In that case, the module creates an /etc/ldap.conf which is only readable by root, but which the NSS module needs to read in order to find out what LDAP server to connect to and with what credentials. If nscd is started as root and configured with the server-user option in nscd.conf, then it gives each NSS module the opportunity to initialize itself before dropping privileges. The initialization happens in the glibc-internal __nss_disable_nscd function, which pre-loads all the configured NSS modules for passwd, group, hosts, and services (but not netgroup for some reason?) and, for each loaded module, calls an init function if one is defined. After that finishes, nscd's main() calls nscd_init() which ends by calling finish_drop_privileges(). There are provisions in systemd for using DynamicUser with a service which needs to drop privileges itself, so this patch does that.
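The commit messages above describe how the final service unit fits together: systemd owns /run/nscd, allocates a transient user, and starts nscd as root so NSS modules can initialise before nscd drops to the user named in nscd.conf. The following NixOS module fragment is an added illustration of that arrangement, not the nixpkgs module itself; the package attribute path, the use of `config.system.nssModules.path`, and the exact nscd.conf contents are assumptions made for the example.

```nix
# Added illustrative NixOS configuration; not the nixpkgs nscd module.
# Assumed: pkgs.glibc.bin provides sbin/nscd, and config.system.nssModules.path
# is the library path of all configured NSS modules.
{ config, pkgs, ... }:

let
  # Only settings that differ from nscd's compiled-in defaults are listed.
  # server-user is what lets nscd drop privileges itself after NSS init.
  nscdConf = pkgs.writeText "nscd.conf" ''
    server-user             nscd
    enable-cache            passwd  yes
    enable-cache            group   yes
    enable-cache            hosts   yes
  '';
in
{
  systemd.services.nscd = {
    description = "Name Service Cache Daemon";
    wantedBy = [ "multi-user.target" ];

    # Single place where every NSS module is made visible to the resolver.
    environment.LD_LIBRARY_PATH = config.system.nssModules.path;

    serviceConfig = {
      # nscd forks once it is ready; systemd waits for the PID file instead of
      # a hand-written readiness loop in postStart.
      Type = "forking";
      PIDFile = "/run/nscd/nscd.pid";

      # systemd creates /run/nscd (mode 0755, owned by the service user) on
      # start and removes it on stop, replacing the old preStart mkdir/rm.
      RuntimeDirectory = "nscd";

      # Transient UID/GID for the unit; User= defaults to the unit name "nscd".
      DynamicUser = true;

      # The "!" prefix runs the executable as root with User=/DynamicUser=
      # not yet applied, so root-only files (e.g. /etc/ldap.conf) can be read
      # during NSS module initialisation; nscd then switches to server-user.
      ExecStart = "!${pkgs.glibc.bin}/sbin/nscd -f ${nscdConf}";

      Restart = "always";
    };
  };
}
```

After `nixos-rebuild switch`, `systemctl show nscd -p DynamicUser -p RuntimeDirectory` confirms the unit settings, and `ls -ld /run/nscd` should show the directory owned by the dynamic nscd user while the service runs and absent after `systemctl stop nscd`. If the "persistent" option is ever enabled in nscd.conf, /var/db/nscd must additionally be created with matching ownership through `systemd.tmpfiles.rules`, as the commit messages note.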
Commits on Jul 12, 2019
Commits on Jul 22, 2019
- Merge pull request #64268 from jameysharp/nscd-dynamicuser
nixos/nscd: DynamicUser and other cleanups
You can try running this command locally to see the comparison on your machine:
git diff 3c65adaa750a...a0ba42e3f4e7