nixos/nscd: start in early boot

[Mic92]

Services that have dynamic users require nscd to resolve users
via pam_systemd. Those services might not even create
their own dynamic users itself i.e. iptables.
To make sure nscd is always started when this is happening we move
nscd to sysinit.target and make sure that it is always started before
starting/reloading/restarting any other service.

Motivation for this change

This pr was original opened here: #106336

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.05 Release Notes (or backporting 21.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[arcnmx]

Thanks, I can confirm this fixes the issue with DynamicUser services on switch!

Before:

restarting the following units: ddclient.timer, home-manager-arc.service, home-manager-root.service, polkit.service
starting the following units: accounts-daemon.service, nscd.service
warning: the following units failed: ddclient.service
...
3jifr0sab601i8l2ka07c2c2cak5csg2-ddclient-prestart[430095]: install: invalid user ‘ddclient’

After:

starting nscd
restarting the following units: ddclient.timer, home-manager-arc.service, home-manager-root.service, polkit.service
starting the following units: accounts-daemon.service

[dasJ]

I highly recommend stopIfChanged = false. While the default of true is already crappy in most cases, it's even worst for nscd because stc can stop nscd, restart a service, and then only start nscd afterwards, causing the service that is restarted in between to be started without a working nscd. This way we don't need to modify stc

[dasJ]

Source: We have been doing so in our downstream repo for ~1 year and have had no issues since then

[dasJ]

Not a fan of yet another special case

[Mic92]

I don't see a way around it without that does not involve getting rid of nscd.

[dasJ]

Also it may be helpful to just fix nscd.service instead:

$ systemctl show nscd | grep WantedBy
WantedBy=nss-user-lookup.target nss-lookup.target

$ systemctl show nss-lookup.target | grep By
$ systemctl show nss-user-lookup.target | grep By

Of course stc will not start nscd if nobody wants the service…

[Mic92]

I highly recommend stopIfChanged = false. While the default of true is already crappy in most cases, it's even worst for nscd because stc can stop nscd, restart a service, and then only start nscd afterwards, causing the service that is restarted in between to be started without a working nscd. This way we don't need to modify stc

This also has the big downside that nss changes no longer are applied until reboot.

[Mic92]

Also it may be helpful to just fix nscd.service instead:

$ systemctl show nscd | grep WantedBy
WantedBy=nss-user-lookup.target nss-lookup.target

$ systemctl show nss-lookup.target | grep By
$ systemctl show nss-user-lookup.target | grep By

Of course stc will not start nscd if nobody wants the service…

This is a foot gun at best. Non one expects a dependency on nscd when using DynamicUser.

[Mic92]

If we don't fix this I would consider DynamicUser not as fit for purpose in NixOS.

[arcnmx]

This is a foot gun at best. Non one expects a dependency on nscd when using DynamicUser.

Would it be a footgun if the module (systemd unit generator) automatically did it for you? That wouldn't work for units coming from systemd.packages, but it could probably assert it at build time and request that it be added?

[Mic92]

This is a foot gun at best. Non one expects a dependency on nscd when using DynamicUser.

Would it be a footgun if the module (systemd unit generator) automatically did it for you? That wouldn't work for units coming from systemd.packages, but it could probably assert it at build time and request that it be added?

Maybe but I feel this is more code/complexity in all of nixpkgs than just having them in the activation script. Also we can no longer use some of the upstream systemd units as is.

[flokli]

Can we drop this in favor of #155655?

With this in, requests before nscd is up should still work.

[erikarvstedt]

@flokli: It's common practice to use the stable NixOS release for the system modules and run services with binaries from unstable on top of that. When the glibc minor release differs between stable and unstable, #155655 won't work for these services.
So +1 for this PR, I don't see a simpler way to achieve this.

[flokli]

But I'd assume we can revert this after #155655 is merged, or in a followup PR, to get closer with upstream again?

[arianvp]

Given that #155655 still leaves nscd enabled by default this still seems a useful change no? Or would during early boot DynamicUser still work due to the fallback built in #155655 ?

[erikarvstedt]

For systems that have services using different glibc minor versions, #155655 is no replacement for this PR.
For all other systems, it is.
(#155655 only provides access to NSS modules for services using the system glibc.)
But we have to support the multi-glibc use case when nscd is enabled, so this PR is still needed, even with #155655.

[Mic92]

rebased.

[nrdxp]

Everything appears in order. @Mic92 is it ready for merge? I can pull the trigger if so.

[dasJ]

Still not a fan at all. Adding yet another special case to stc that could also be implemented by native systemd functionality.
#154620 would immensely improve the current situation, combined with stopIfChanged there almost no issues.

A fix that would involve only systemd logic would be to add the After=s in the systemd builder when DynamicUser is set. This way there is no additional NixOS-specific tinkering in a language most people dislike.

But do what you think is best.

[nrdxp]

You suggestion sounds reasonable to me.I'll leave open for a bit to give time for consideration.

[Mic92]

Rebased.

[Mic92]

Also I will check if #154620 is enough.

[symphorien]

Still not a fan at all. Adding yet another special case to stc that could also be implemented by native systemd functionality. #154620 would immensely improve the current situation, combined with stopIfChanged there almost no issues.

A fix that would involve only systemd logic would be to add the After=s in the systemd builder when DynamicUser is set. This way there is no additional NixOS-specific tinkering in a language most people dislike.

But do what you think is best.

this is what I proposed in #105354, but it was rejected.

[tilpner]

Isn't this already fixed by #154320?

[symphorien]

I had the issue on 2022-05-12 on a system updated daily.

[flokli]

@dasJ @ajs124 is this still necessary, with #186785 merged?

[dasJ]

I highly doubt it