-
-
Notifications
You must be signed in to change notification settings - Fork 14.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/nsswitch cleanup nss modules #87016
Conversation
@GrahamcOfBorg test google-oslogin avahi Samba test doesn't seem to be testing the right stuff. |
The code looks good to me, but I haven't tested it (as I don't use most of the stuff), which is why I'm commenting instead of approving. Thanks for spotting my mistake with the groups, looks good now. |
I say what @dasJ says. |
@ajs124 As a general rule of thumb or only in this particular case? |
squashed the fixup commit and rebased on master. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does look reasonable to me.
Do we have some tests or can you write some integration tests with beaker? ;)
nixos/modules/config/nsswitch.nix uses `passwdArray` for both `passwd` and `group`, but when moving this into the sss module in edddc7c, it didn't get split appropriately.
nixos/modules/config/nsswitch.nix uses `passwdArray` for both `passwd` and `group`, but when moving this into the google-oslogin module in 4b71b6f, it didn't get split appropriately.
nixos/modules/config/nsswitch.nix uses `passwdArray` for both `passwd` and `group`, but when moving this into the systemd module in c0995d2, it didn't get split appropriately.
now that passwdArray and shadowArray aren't used anymore, these can be folded.
This is now already triggered by the nsswitch module, as we set system.nssModules.
A disabled nscd breaks nss module loading on NixOS, and systemd without its nss modules doesn't really work either - instead of silently disabling its nss modules if nscd is disabled, let the assertion in nsswitch handle this.
This is all inside a global cfg.enable conditional, so we don't need to check here again.
Show the config option triggering the assertion, so people don't necessary lookup the nixpkgs source code.
Improved the error message as described, and rebased on top of master another time. PTAL. |
Okay, let's cook this in unstable. |
The current error message is not very helpful, I still had to look at the source code, look up the commit and this PR to understand what is going on:
I'd suggest a more actionable error message:
(I guess that those who have already disabled nscd would rather keep it disabled and do not need this assertion at all. However, the new users might like to be warned when they disable nscd for the first time…) |
@orivej the problem was that people disabling Most code adding to nss modules only did this "optionally" when nscd was enabled (and by doing this, never triggering the assertion). However, there's a lot of places in NixOS where we rely on a functional NSS system, so alerting in these cases by actually triggering the assertion is preferrable. The suggested error message isn't that clear either on what's preferred now. If we want to avoid people having to read the source, we probably need to be a bit more verbose. What about this?
Can you elaborate on usecases to disable nscd? When would one explicitly want to opt in to have broken NSS lookups? |
I have disabled nscd because I do not want to erase the boundary between Linux network namespaces when it comes to DNS — otherwise the requests from nscd-aware applications originate from the nscd namespace rather than the application namespace. (Here are the relevant bits of my config: #52411 (comment).) I know that this disables some systemd-based name resolution and I'm OK with that since I never encounter such names. I'd suggest this edit:
|
@orivej thanks for the pointer! That's an interesting usecase. I wonder if you could just make nscd unavailable from these namespaced units, via I don't remember exactly how the breakages looked (need to check), but "systemd dynamic user lookup and container hostname resolution" are only examples on a basic installation - with disabled nscd, all custom nss modules will break. |
This moves the remaining NSS modules to their corresponding modules, and contains some follow-up fixes, where we missed adding to the
group
database (as thepasswdArray
was used both forsystem.nssDatabases.passed
andsystem.nssDatabases.group
).It also removes the conditional loading of systemd nss modules, as requested in #86940 (comment).
closes #86350.
Motivation for this change
#86350
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)