sssd: init at 1.13.3 #14697
Conversation
The bogus Travis failure should be fixed now. That is one (IMO too) huge diff... any chance of splitting this megacommit into smaller pieces? I count roughly 10 commits worth of changes.
7fa4d65 to 87a8c39
I split up the commit into separate commits for each package. I also made a modification to the ld.so.conf, so it's populated using $NIX_PROFILES instead of hard-coding the /nix folders. This should make it work when nix is installed under a custom prefix. Please let me know if there is anything I can fix or improve. Thanks!
hosts: files ${optionalString nssmdns "mdns_minimal [NOTFOUND=return]"} dns ${optionalString nssmdns "mdns"} ${optionalString nsswins "wins"} myhostname mymachines
networks: files dns
ethers: files
services: files
protocols: files
automount: files ${optionalString ldap "ldap"} ${optionalString sssd "sss"}
Does sssd support netgroup maps? I'm surprised that there isn't already a netgroup line in this file, come to think of it.
I'm not familiar with netgroup maps. Maybe someone else can provide more information?
The
Is there some way this could work for nix when installed as a prefix on
What is the rationale for not wanting to use ld.so.conf in this way? To me it seemed like the ideal way to add to the library search path without having to patch glibc, since this search capability is already built into glibc.
This PR as it is does not create the |
Also note that |
Looking at |
@vcunat thanks for your input! I'm working on fixing my patch with your suggestions. I'm going to go ahead and rebuild everything from scratch to make sure my glibc changes work, which could take awhile.
Can you elaborate on this? glibc on other linux systems searches /lib and /usr/lib for libnss_* libraries, do you think /nix/var/nix/profiles/system/sw/lib and /nix/var/nix/profiles/default/lib could have a significantly larger amount of files to search through?
Okay, so I think I see another problem: the ld.so.cache file is caching the paths to each individual library, not the folders themselves. So if a new library is added to one of the profile folders, the ld.so.cache would have to be updated, which is of course impossible... Damn, I guess the only way to do this is to patch glibc to search for other folders. What would be the performance implications of this? The ld.so.cache mechanism seems to be used to speed up dynamic library lookups. Telling glibc to search other directories that aren't cached in ld.so.cache could cause a performance hit, but I'm not sure how significant that would be. I'll have to think about this some more...
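The cache layout behind that observation, as an added example (not code from this PR, from nixpkgs or from glibc): ld.so.cache in the "glibc-ld.so.cache1.1" layout written by ldconfig is a table of soname-to-absolute-path pairs for the library files ldconfig saw when it ran, not a list of the directories from ld.so.conf. A module dropped into one of those directories afterwards is therefore invisible to ld.so until ldconfig regenerates the cache. The header and entry layout below follow glibc's dl-cache.h (48-byte header, 24-byte entries, string offsets relative to the start of the new-format header); the sample entries and the glibc store hash are constructed placeholders.

```python
"""Build and parse a glibc ld.so.cache blob to show what it caches.

Added example, not code from this pull request or from glibc.
Layout (glibc dl-cache.h, "glibc-ld.so.cache1.1"):
  header : magic[20] nlibs:u32 len_strings:u32 flags:u8 pad[3] ext_off:u32 unused[3]:u32
  entry  : flags:i32 key:u32 value:u32 osversion:u32 hwcap:u64
  strings: NUL-terminated, offsets relative to the start of this header.
"""
import struct

NEW_MAGIC = b"glibc-ld.so.cache1.1"        # 17-byte magic followed by version "1.1"
HEADER = struct.Struct("=20sIIB3xI3I")      # 48 bytes, host byte order like the real file
ENTRY = struct.Struct("=iIIIQ")             # 24 bytes
FLAG_ELF_LIBC6 = 0x0003                     # values from glibc's ldconfig.h
FLAG_X8664_LIB64 = 0x0300

# Constructed sample: the store hash is a placeholder, not a real path.
SAMPLE_ENTRIES = {
    "libnss_files.so.2": "/nix/store/xxxxxxxx-glibc-2.23/lib/libnss_files.so.2",
    "libnss_dns.so.2": "/nix/store/xxxxxxxx-glibc-2.23/lib/libnss_dns.so.2",
    "libfoo.so.1": "/nix/var/nix/profiles/system/sw/lib/libfoo.so.1",
}


def build_cache(entries):
    """Serialise {soname: path} into a new-format cache blob (ldconfig's job)."""
    strings = bytearray()
    base = HEADER.size + ENTRY.size * len(entries)   # string table follows the entries

    def intern(s):
        off = base + len(strings)
        strings.extend(s.encode() + b"\0")
        return off

    body = b"".join(
        ENTRY.pack(FLAG_ELF_LIBC6 | FLAG_X8664_LIB64, intern(soname), intern(path), 0, 0)
        for soname, path in sorted(entries.items())
    )
    header = HEADER.pack(NEW_MAGIC, len(entries), len(strings), 0, 0, 0, 0, 0)
    return header + body + bytes(strings)


def parse_cache(blob):
    """Return {soname: path}. Real files may begin with a legacy "ld.so-1.7.0"
    section; like ld.so, we locate the new-format section by its magic."""
    start = blob.find(NEW_MAGIC)
    if start < 0:
        raise ValueError("no glibc-ld.so.cache1.1 section found")
    _magic, nlibs, _len_strings, _flags, _ext, *_unused = HEADER.unpack_from(blob, start)

    def cstr(off):
        end = blob.index(b"\0", start + off)
        return blob[start + off:end].decode()

    out = {}
    for i in range(nlibs):
        _eflags, key, value, _osv, _hwcap = ENTRY.unpack_from(
            blob, start + HEADER.size + i * ENTRY.size)
        out.setdefault(cstr(key), cstr(value))   # first entry for a soname wins
    return out


def cached_dirs(cache):
    """Directories represented in the cache, only by way of the files found in them."""
    return sorted({path.rsplit("/", 1)[0] for path in cache.values()})


if __name__ == "__main__":
    try:
        with open("/etc/ld.so.cache", "rb") as f:
            real = parse_cache(f.read())
        print(f"{len(real)} cached library files across {len(cached_dirs(real))} directories")
    except (OSError, ValueError) as exc:
        print("no readable system cache:", exc)
```

Running it against a real /etc/ld.so.cache lists files, never directories, which is why a libnss_sss.so.2 copied into a cached profile directory is still not found: the cache has no entry for it and ld.so only falls back to the compiled-in default directories, not to the ld.so.conf entries.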
Is there some way to get glibc to depend on sssd, so I can copy the libnss_sss.so file into the glibc folder, without causing infinite recursion? sssd depends on glibc, but glibc needs libnss_sss.so from sssd...
The problem is that AFAIK adding stuff into
That's a standard bootstrapping problem. It should be doable by changes to http://github.com/NixOS/nixpkgs/blob/master/pkgs/stdenv/linux/default.nix, but it would certainly seem better to have a solution that doesn't involve a mass rebuild when switching sssd on/off. I anticipate a couple options:
But one should consider:
I removed the texLive import and fixed a parallel build issue with jade. I also removed the glibc commit since it's currently broken. I'm not sure how to proceed since changing something as fundamental as glibc needs more guidance and supervision. It might make more sense to submit the glibc changes as a separate PR. Would it be possible to get sssd merged without the glibc changes? It wouldn't work properly until a solution to the glibc problem is found, but at least people could make use of it with some hacks, e.g. manually copying the .so files into the glibc/lib folder.
I played around with this, and it's workable (on NixOS) without recompiling glibc. The main issue here is that creating a I could try and create a PR from this if you think it's a viable solution.
Isn't that always the case? On any distribution, users can override
@cruegge, how did you do this? I tried adding this to my configuration.nix:
The environment variable doesn't seem to be inherited by systemd. How did you modify the stage2 init script to make this work? Thanks!
Also, how does your solution deal with prefix-installed Nix running on another distro? In that case, we don't have control over the init scripts, so I don't know how we could set the LD_LIBRARY_PATH.
@benwbooth there seems to be a failure building this against the current nix master on a prefixed nix install
This seems specific to a prefixed install |
@vrthra Looks like a bug in glibc package. You should submit an issue for that package. I haven't tried a prefixed nix install so I'm not sure if I can help with this.
Adding a solution posted at #554 here so that it will gain visibility. I noticed that not all packages require the libnss_sss plugin. Only a few packages do (git, redo, python, etc.) that use getpwuid. So why not create a second package Would this be acceptable?
I would really like to get sssd into NixOS, I need it for FreeIPA support. What needs to be done to finish this? Can I help somehow?
So there seems to be no way around patching
One could also abuse the fact that there are usually (IIUC) no setuid binaries using Nix-installed libraries on non-NixOS systems, and make the plugin path root-writeable only on NixOS systems, but that somehow feels like a dirty solution. Moreover, the problem is not really relevant for per-user Nix installations, since then you won't have setuid binaries linking to your stuff unless you already have some way to become root, so the question is in how many cases these issues actually occur. To put it differently: why would there be a system-wide Nix installation, but admins not willing to add some additional logic to set up the proper site-specific nss modules (if only we came up with a sufficiently simple way to do that)? Also, none of this addresses possible versioning issues. A simple way might be to just have multiple plugin directories, like
I rebased the original changes onto So next would be patching glibc to look for NSS modules in
Update: I was able to produce a patch that makes glibc look for NSS modules in a specific additional location first, but only if |
For
If getent has the setuid flag set, it only looks for
Next up is making SSSD install its module into the new location and testing it. I'm still wondering whether I should create a new pull request..?
@e-user I think it would be helpful to create new pull request with your changes.
deprecated by #21150
Things done
- nix-build --option build-use-chroot true (or nix.useChroot on NixOS)
- nix-shell -p nox --run "nox-review wip"
- ./result/bin/

- autofs: add ldap support
- glibc: add default and system lib folders to ld.so.conf
- ding-libs: init at 0.5.0
- jade: init at 1.2.1
- perlPackages.Po4a: init at 0.47
- perlPackages.TextWrapI18N: init at 0.06

Fixes #11407.
Notes
This is a set of nix expressions to build SSSD, RedHat's identity and authentication daemon. We're using this at my work, so I wanted to get it packaged in NixOS. I've tested the changes out on my NixOS VM, and login, ssh login, su, sudo, automount maps, etc. seem to work just like on my ArchLinux VM.
This package had a lot of dependencies that weren't in nixpkgs, so I had to add them. Some of the packages use docbook for building documentation. I ended up having to do a lot of juggling with the SGML_CATALOG_FILES variable to get everything to compile correctly, because of the non-standard way Nix stores catalog XML files, and some deficiencies in the configure scripts.
By far the most troublesome/controversial change I made in this pull request is adding `/nix/var/nix/profiles/default/lib` and `/nix/var/nix/profiles/system/sw/lib` to the (previously unused) `${pkgs.glibc}/etc/ld.so.conf` lookup. I had to do this in order to get glibc to find the libnss_sss.so file. The libnss_sss.so file is required in order to get the "sss" entries in the `nsswitch.conf` file working. glibc uses the dynamic linker to find the libnss_* files. See #1868 for more information.

I thought about a few other approaches, such as using LD_LIBRARY_PATH, but that would mean either wrapping every program which can use glibc for user/password lookup (sshd, perl, python), or adding LD_LIBRARY_PATH to /etc/profile, which wouldn't work when nix is used on non-NixOS systems.

Another idea I had was to simply add sssd as a dependency to glibc, and copy the libnss_sss.so file in as a `postInstall` step in glibc, but that created an infinite loop when trying to build glibc.

So I guess modifying glibc means basically rebuilding everything. When I tested out these changes on my NixOS VM, rather than wait days for everything to re-compile, I instead re-mounted /nix/store as read-write, and just added the ld.so.conf and ld.so.cache files to the glibc folder in the nix store. Since I'm not actually patching glibc at all, I figured this was a good enough test.
My proposed ld.so.conf file puts `${pkgs.glibc}/lib` first in the lookup list, so dynamic linker lookup should work mostly the same as it did before. I just added `/nix/var/nix/profiles/system/sw/lib` and `/nix/var/nix/profiles/default/lib`, so that the dynamic linker also searches those paths if it doesn't find what it's looking for in glibc's lib folder.

This is a pretty big change, and since this is only my second package submission, my hope is that the NixOS main contributors can look over this change carefully and let me know if what I'm proposing could potentially break people's systems.
I did not add an option to generate the sssd.conf file from the user's configuration.nix file, since the sssd.conf file is required to be readable by root only. Putting it in configuration.nix, which is world-readable, would make those permissions pointless.
I should also mention that running the `passwd` command to try and change an LDAP user's password doesn't seem to work. It also doesn't work on my ArchLinux box with the stock SSSD package installed, so I'm not sure if this is just a deficiency in SSSD, or a problem with my sssd.conf configuration file. If anyone has any idea if it's possible to fix this, please let me know.

Thanks!
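The lookup the description and the later comments argue about, as an added example that is not part of this pull request, nixpkgs or glibc: parse an nsswitch.conf (database, service list and the `[STATUS=action]` items seen in the hosts line of the module above), derive the `libnss_<service>.so.2` each service makes glibc dlopen, and simulate the dynamic linker's search for each module in glibc's order: LD_LIBRARY_PATH, then ld.so.cache, then the compiled-in default directories. In secure-execution mode (AT_SECURE, i.e. setuid/setgid programs such as passwd or su) LD_LIBRARY_PATH is ignored, so a module reachable only through it disappears precisely for the programs that most need it, which is the objection raised later in the thread. RPATH/RUNPATH handling is omitted; the config, the pretend filesystem, the profile directory on LD_LIBRARY_PATH and the glibc store hash are all constructed for the example.

```python
"""Which NSS modules does an nsswitch.conf need, and where would ld.so find them?

Added example, not code from this pull request, nixpkgs or glibc. The search
order modelled here is LD_LIBRARY_PATH (skipped in secure-execution mode),
then the ld.so.cache map, then the default directories; RPATH/RUNPATH is left out.
"""
import posixpath
import re

TOKEN = re.compile(r"\[[^\]]*\]|[^\s\[]+")   # "[NOTFOUND=return]" or a service name


def parse_nsswitch(text):
    """Return {database: [(service, {STATUS: action, ...}), ...]}."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed nsswitch line: {raw!r}")
        services = []
        for tok in TOKEN.findall(rest):
            if tok.startswith("["):
                if not services:
                    raise ValueError(f"action item without a service: {raw!r}")
                for item in tok[1:-1].split():          # e.g. NOTFOUND=return
                    status, _, action = item.partition("=")
                    services[-1][1][status.upper()] = action.lower()
            else:
                services.append((tok, {}))
        conf[db.strip()] = services
    return conf


def required_modules(conf):
    """Sonames glibc will dlopen for every configured service."""
    return sorted({f"libnss_{svc}.so.2" for svcs in conf.values() for svc, _ in svcs})


def find_module(soname, env_dirs, cache, default_dirs, present, secure):
    """Simulated ld.so lookup; `present` is the set of files that 'exist'."""
    candidates = [] if secure else [posixpath.join(d, soname) for d in env_dirs]
    if soname in cache:                       # cache maps soname -> one file path
        candidates.append(cache[soname])
    candidates += [posixpath.join(d, soname) for d in default_dirs]
    return next((p for p in candidates if p in present), None)


def audit(conf, env_dirs, cache, default_dirs, present, secure):
    """Map every required module to the path ld.so would load, or None."""
    return {m: find_module(m, env_dirs, cache, default_dirs, present, secure)
            for m in required_modules(conf)}


# Constructed inputs: an sss-enabled config plus a pretend filesystem in which
# libnss_sss.so.2 exists only in the system profile, which is on LD_LIBRARY_PATH
# but neither in the cache nor in glibc's default directories.
SAMPLE_NSSWITCH = """\
passwd:    files sss
group:     files sss
shadow:    files sss
hosts:     files mdns_minimal [NOTFOUND=return] dns mdns myhostname mymachines
automount: files sss
"""
GLIBC_LIB = "/nix/store/xxxxxxxx-glibc-2.23/lib"     # placeholder store path
PROFILE_LIB = "/nix/var/nix/profiles/system/sw/lib"
SAMPLE_PRESENT = {
    f"{GLIBC_LIB}/libnss_files.so.2", f"{GLIBC_LIB}/libnss_dns.so.2",
    f"{PROFILE_LIB}/libnss_sss.so.2",
}
SAMPLE_CACHE = {"libnss_files.so.2": f"{GLIBC_LIB}/libnss_files.so.2",
                "libnss_dns.so.2": f"{GLIBC_LIB}/libnss_dns.so.2"}


def sample_audit(secure):
    """Audit the constructed setup for a normal or a secure-execution process."""
    return audit(parse_nsswitch(SAMPLE_NSSWITCH), [PROFILE_LIB], SAMPLE_CACHE,
                 [GLIBC_LIB], SAMPLE_PRESENT, secure)


if __name__ == "__main__":
    for secure in (False, True):
        print("secure-execution (setuid):" if secure else "normal process:")
        for soname, path in sample_audit(secure).items():
            print(f"  {soname:28} {path or 'NOT FOUND'}")
```

The normal-process run finds libnss_sss.so.2 through LD_LIBRARY_PATH; the secure-execution run does not, while the glibc-shipped modules still resolve through the cache. Modules such as mdns, myhostname and mymachines that no sample path provides come back as NOT FOUND in both runs, which is the same silent failure a misconfigured real system shows: glibc simply skips a service whose module it cannot load.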