-
-
Notifications
You must be signed in to change notification settings - Fork 12.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sssd: init at 1.14.2 #21150
sssd: init at 1.14.2 #21150
Conversation
@e-user, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @rickynils and @abbradar to be potential reviewers. |
Is there any guarantees which glibc gives on ABI stability of NSS modules? If yes, we may want weaken path requirements (ideally it would be just |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generic packaging nitpicks. I'm not knowledgeable much about NSS in general and SSSD specifically, but overall I seem to understand what's going on and it seems good.
}; | ||
|
||
preConfigure = '' | ||
cd "$NIX_BUILD_TOP/$name-$version" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This and further those should be unnecesary -- you don't change directory anywhere else.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be honest, I didn't even look at @benwbooth's original submission properly. I'm using this opportunity to clean up all of it. Do you think it's a good idea to update to the latest SSSD before finalizing the submission? There seem to have been a couple of releases ever since.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, please update before.
''; | ||
|
||
buildPhase = '' | ||
cd "$NIX_BUILD_TOP/$name-$version" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same thing about cd
.
installPhase = '' | ||
cd "$NIX_BUILD_TOP/$name-$version" | ||
install -d -m755 "$out"/lib | ||
make DESTDIR="$out" install |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can rather do:
makeFlags = [ "DESTDIR=$(out)" ];
preInstall = ''install -d -m755 "$out"/lib'';
postInstall = ''mv "$out/bin/sx" "$out/bin/sgml2xml"'';
This way you'd reuse default installPhase
which runs Make.
It seems to me that ABI is stable: http://www.gnu.org/software/libc/manual/html_node/NSS-Basics.html . What do you think? |
Do you suggest dumping X in |
Ideally the first, but I'm not sure at all about compatibility. I can't found any claims or guarantees. On the contrary, I found that nss-myhostname has an update for new glibc NSS interfaces. I think we may want to ask around in libc-help about whether there are any de jure/de facto (historical) guarantees. Can you ask them and cc me (e-mail is in my profile)? |
This is also useful for other nss modules. Currently nss-myhostname is not working |
Done, email sent. |
I'd prefer not to have |
Hi @edolstra, may I point your attention to this bit from the RHEL documentation:
nscd's caching actually breaks the way SSSD works, which should always have precedence and does its own caching, AFAIK. From what I can collect on the net, SSSD is also meant to replace nscd, eventually. |
@e-user could SSSD make use of LD_LIBRARY_PATH? |
I can try to build SSSD so that it is only used through nscd and LD_LIBRARY_PATH. Maybe switching off nscd's caching for everything but host name resolution does the trick. |
This happens when attempting to start SSSD with nscd present:
Investigating. |
If |
I agree. It seems like SSSD will stop complaining if nscd is configured not to cache the services it provides. That means nscd's config needs to change when SSSD is enabled. I'm working on it. |
Great news: I set SSSD's |
8b420d0
to
2b8101a
Compare
I force-pushed a new branch that is cleansed from the previous mess and updates ding-libs to 0.6.0 and SSSD to the current stable release, 1.14.2. The most severe change is to how the NixOS nscd and SSSD modules are configured and interact, which will probably require a careful review. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Commented on several things.
If the package has dbus .service files you can enable them by adding sssd
to services.dbus.packages
. But I don't think it needs to have them, daemons can just register themselves in D-Bus when they start (should work out of the box).
Also let's just add PAM modules when SSSD is enabled. Not sure what to do about Kerberos... I don't think we have any module system for it right now (disclaimer: I know barely a thing about Kerberos).
@@ -28,5 +33,10 @@ in { | |||
}; | |||
|
|||
system.nssModules = optional cfg.enable pkgs.sssd; | |||
services.nscd = { | |||
enable = mkForce true; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we shouldn't use mkForce
; rather, add an assertion
that it's enabled. It is anyway by default but this way if user disables it for some reason they'd know of problems explicitly and can choose what to do.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point, I didn't know that.
--with-nscd=${glibc.bin}/sbin/nscd | ||
${lib.optionalString (nscdConfig != null) '' | ||
--with-nscd=${glibc.bin}/sbin/nscd | ||
--with-nscd-conf=${nscdConfig} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ugh, why does it need nscd config? We can symlink it into /etc
to make it accessible. Otherwise people need to rebuild SSSD each time they change config, which is not nice.
EDIT: but maybe we can just point it to non-existent config? I'm not sure why would it need one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ha, I was exactly asking myself what the proper way to do this would be - so I let nscd create a symlink for its current configuration file in /etc
and just point SSSD at its absolute path..?
I can elaborate on the SSSD-nscd specific bit. SSSD queries whether nscd is running (--with-nscd
) and will additionally inspect its active configuration file (--with-nscd-conf
). If it's not running, it won't do anything. If it is running and the configuration file doesn't disable passwd, group, netgroup and services caching, it will print a warning to syslog because it essentially breaks SSSD.
In case you're interested about the details, it's defined in src/monitor.c
:
/* Warn if nscd seems to be running */
ret = check_file(NSCD_SOCKET_PATH,
-1, -1, S_IFSOCK, S_IFMT, NULL, false);
if (ret == EOK) {
ret = sss_nscd_parse_conf(NSCD_CONF_PATH);
switch (ret) {
case ENOENT:
sss_log(SSS_LOG_NOTICE,
"NSCD socket was detected. NSCD caching capabilities "
"may conflict with SSSD for users and groups. It is "
"recommended not to run NSCD in parallel with SSSD, "
"unless NSCD is configured not to cache the passwd, "
"group, netgroup and services nsswitch maps.");
break;
case EEXIST:
sss_log(SSS_LOG_NOTICE,
"NSCD socket was detected and seems to be configured "
"to cache some of the databases controlled by "
"SSSD [passwd,group,netgroup,services]. It is "
"recommended not to run NSCD in parallel with SSSD, "
"unless NSCD is configured not to cache these.");
break;
case EOK:
DEBUG(SSSDBG_TRACE_FUNC, "NSCD socket was detected and it "
"seems to be configured not to interfere with "
"SSSD's caching capabilities\n");
Thank you for elaborated response! I see now; well, let's then indeed link it to `/etc`. You can do it with `environment.etc`; let's then point nscd there too, just for consistency. Don't forget `restartTriggers` so that systemd services will be restarted when configuration file changes.
…On December 16, 2016 1:25:47 PM GMT+03:00, Alexander Kahl ***@***.***> wrote:
e-user commented on this pull request.
> @@ -39,7 +41,11 @@ stdenv.mkDerivation {
--without-semanage
--with-xml-catalog-path=''${SGML_CATALOG_FILES%%:*}
--with-ldb-lib-dir=$out/modules/ldb
- --with-nscd=${glibc.bin}/sbin/nscd
+ ${lib.optionalString (nscdConfig != null) ''
+ --with-nscd=${glibc.bin}/sbin/nscd
+ --with-nscd-conf=${nscdConfig}
Ha, I was exactly asking myself what the _proper_ way to do this would
be - so I let nscd create a symlink for its current configuration file
in `/etc` and just point SSSD at its absolute path..?
I can elaborate on the SSSD-nscd specific bit. SSSD queries whether
nscd is running (`--with-nscd`) and will additionally inspect its
active configuration file (`--with-nscd-conf`). If it's not running, it
won't do anything. If it is running and the configuration file doesn't
disable passwd, group, netgroup and services caching, it will print a
warning to syslog because it essentially breaks SSSD.
In case you're interested about the details, it's defined in
`src/monitor.c`:
```c
/* Warn if nscd seems to be running */
ret = check_file(NSCD_SOCKET_PATH,
-1, -1, S_IFSOCK, S_IFMT, NULL, false);
if (ret == EOK) {
ret = sss_nscd_parse_conf(NSCD_CONF_PATH);
switch (ret) {
case ENOENT:
sss_log(SSS_LOG_NOTICE,
"NSCD socket was detected. NSCD caching capabilities "
"may conflict with SSSD for users and groups. It is "
"recommended not to run NSCD in parallel with SSSD, "
"unless NSCD is configured not to cache the passwd, "
"group, netgroup and services nsswitch maps.");
break;
case EEXIST:
sss_log(SSS_LOG_NOTICE,
"NSCD socket was detected and seems to be configured "
"to cache some of the databases controlled by "
"SSSD [fpasswd,group,netgroup,services]. It is "
"recommended not to run NSCD in parallel with SSSD, "
"unless NSCD is configured not to cache these.");
break;
case EOK:
DEBUG(SSSDBG_TRACE_FUNC, "NSCD socket was detected and it "
"seems to be configured not to interfere with "
"SSSD's caching capabilities\n");
```
--
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub:
#21150
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
|
Concerning PAM: I think the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
New wave of comments (sorry for being persistent, I think we are getting close!).
Questions about PAM and KRB are out of my league, but I think we can rely on you there given that you actually use it ~_^.
@@ -16,7 +17,7 @@ in { | |||
}; | |||
|
|||
nixpkgs.config.packageOverrides = pkgs: { | |||
sssd = pkgs.sssd.override { nscdConfig = nscd.confFile; }; | |||
sssd = pkgs.sssd.override { nscdConfig = nscdConfig; }; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will keep the problem because source
points to the changing path. Instead I'd drop nscdConfig
argument and just hardcode it to /etc/nscd.conf
in the package.. This way you'd also get rid of an override.
@@ -447,6 +455,7 @@ in | |||
# Include the PAM modules in the system path mostly for the manpages. | |||
[ pkgs.pam ] | |||
++ optional config.users.ldap.enable pam_ldap | |||
++ optionals config.services.sssd.enable [ pkgs.sssd ] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nitpick: use optional
.
|
||
serviceConfig = | ||
{ ExecStart = "@${pkgs.glibc.bin}/sbin/nscd nscd -f ${cfg.confFile}"; | ||
{ ExecStart = "@${pkgs.glibc.bin}/sbin/nscd nscd -f ${confFile}"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can now just omit -f
because /etc/nscd.conf
is the default path.
@@ -83,7 +83,7 @@ in | |||
# its pid. So wait until it's ready. | |||
postStart = | |||
'' | |||
while ! ${pkgs.glibc.bin}/sbin/nscd -g -f ${cfg.confFile} > /dev/null; do | |||
while ! ${pkgs.glibc.bin}/sbin/nscd -g -f ${confFile} > /dev/null; do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same thing about -f
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
More comments for the whole patch -- sorry, I should have done it in one go.
]; | ||
|
||
installPhase = '' | ||
make install \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why call make
by hand? Instead I'd move all those flags to makeFlags
and use postInstall
-- you can use $out
there as $(out)
.
enableParallelBuilding = true; | ||
buildInputs = [ gcc gzip gnum4 ]; | ||
|
||
preConfigure = '' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead: NIX_CFLAGS_COMPILE = [ "-fpermissive" "-Wno-deprecated" ];
-- let's not use Bash when we can rely on Nix. BTW -fpermissive
allows pretty scary things like calling undefined functions IIRC -- why is it needed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good question, I adopted it unchanged from the original submitter. ;)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, only now I have noticed that not all changes are yours! Still, are you okay with fixing those?
I took over some of your additions, @dezgeg. However, for some weird reason, |
I added this:
I don't know what's the way to change it for all modules, though it would be better obviously. |
@e-user one option I see is to disable nscd, when sssd is enabled. Would that work? |
@Mic92 unfortunately and quite paradoxically that will break SSSD. @edolstra doesn't like the original approach to load NSS modules from a fixed location to circumvent the circular sssd->glibc->sssd dependency problem, so we're essentially abusing nscd as a no-cache module loader. I'm not 100% happy with it, but it does actually work. |
I'll rebase once more and squash the commits. @dezgeg, would you like to become co-maintainer of SSSD and its new dependencies? |
Given that our current way of supporting NSS modules can't get full SSSD support (nscd only caches particular types of databases, so you don't get for example automount of shared corporate storages if I understand correctly) -- @edolstra, what do you think of moving to I personally don't have a strong opinion (arguments on both sides are strong and understandable) but we may want to review that once more in light of new problems. |
c5609b7
to
10c8036
Compare
I'm not sure whether waiting for @edolstra is worth it. I have to keep rebasing my changes and fixing conflicts while others and myself are waiting for this feature, so it might be easier to merge the changes and let me file a bug right afterwards that explains how supporting external NSS modules through nscd is a hack and lists things that don't work correctly. |
Indeed, moving to the new way of handling NSS is of a bigger scope than this PR. I don't have time to run tests for this (even with SSSD disabled, just to make sure nothing is broken) but may have more time at the weekend. If someone beats me to it I don't mind ~_^. |
Hey @abbradar, any news? |
Thanks for the reminder, life caught on. I'll look at this today.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
|
Looks like
This is atop of current unstable channel. Any ideas? |
Still on the
I don't know if it applies to Maybe it's worth asking the glibc folks for a better way of doing this non-caching passthru with nscd (and support for automount maps). I'd imagine other distros would find this use case useful as well. |
@dezgeg You are correct, dependent libraries do taint address spaces, as was also mentioned in the mailing list discussion. That's the main disadvantage of using |
Using my own machine with its extensive system package collection is too time-consuming for master build cycles over and over again, so I'll start using some AWS EC2 power on Monday. @dezgeg @abbradar how are you guys' C programming skills? It might be worth looking into extending nscd. The objective would be to a) add the missing services and b) an additional passthru option for each of the services. |
10c8036
to
7b38b1a
Compare
@e-user You can build on the top of latest unstable channel, this should decrease the build times drastically. Testing it on unstable channel is good enough, I believe. I feel confident to write C but not confident enough to write complex and secure C (given that |
7b38b1a
to
9589ff1
Compare
@abbradar I just built jade successfully atop I'll take a look at nscd. Let's see whether its maintainers would want such a change in to begin with. |
perlPackages.TextWrapI18N: init at 0.06 perlPackages.Po4a: init at 0.47 jade: init at 1.2.1 ding-libs: init at 0.6.0 Switch nscd to no-caching mode if SSSD is enabled.
9589ff1
to
c438b81
Compare
Good news regarding sudoers and automount in nsswitch.conf: AFAIK from their respective documentation and glibc's source code, glibc doesn't implement queries for those itself but the respective services read nsswitch.conf autonomously and query NSS modules themselves. This also means that LD_LIBRARY_PATH have to be extended for them, correspondingly. @abbradar, would you like me to also add this for this pull request or create a subsequent ticket that reports the missing behavior as a bug? Also, is there anything else preventing a merge right now? Would you like me to provide documentation? I've never provided NixOS documentation before, are there any pointers how this works? |
It still fails for me -- do you have Apart from that I think nothing holds this from being merged -- you can leave improvements for subsequent PRs. |
Nope, sorry, still works with sandboxing on. Could you please try in a nixos-container or VM? |
After testing on other machines I found the reason -- I went ahead and merged it with this change. Thank you! |
Thank you @abbradar for your patience and persistence! |
perlPackages.TextWrapI18N: init at 0.06 perlPackages.Po4a: init at 0.47 jade: init at 1.2.1 ding-libs: init at 0.6.0 Switch nscd to no-caching mode if SSSD is enabled. abbradar: disable jade parallel building. Closes NixOS#21150
Motivation for this change
This pull request is meant to supersede #14697 and fix #11407. I need sssd for work myself.
My additional changes include:
/run/nss-modules/$UNIQUE_ID_OF_GLIBC_
, firstnss-modules
buildEnv package that includes all existing packages that used to refer tosystem.nssModules
, plus sssdI've ditched one of the original ideas to also support per-user NSS modules because I'm not sure how to meaningfully support them with the activation script for nss-modules. Additionally, it would require that numeric IDs don't change. Using the username would cause an infinite recursive loop when attempting to resolve the name, instead.
My system is still
nixos-rebuild --switch
ing for a full-fledged test, which will probably take really long.Things done
(nix.useSandbox on NixOS,
or option
build-use-sandbox
innix.conf
on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
)