Merge pull request #50316 from arianvp/fix-dynamic-user
Disable nscd caching
This commit is contained in:
commit
5feba458a2
|
@ -245,6 +245,65 @@
|
|||
options.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The <literal>nscd</literal> service now disables all caching of
|
||||
<literal>passwd</literal> and <literal>group</literal> databases by
|
||||
default. This was interferring with the correct functioning of the
|
||||
<literal>libnss_systemd.so</literal> module which is used by
|
||||
<literal>systemd</literal> to manage uids and usernames in the presence of
|
||||
<literal>DynamicUser=</literal> in systemd services. This was already the
|
||||
default behaviour in presence of <literal>services.sssd.enable =
|
||||
true</literal> because nscd caching would interfere with
|
||||
<literal>sssd</literal> in unpredictable ways as well. Because we're
|
||||
using nscd not for caching, but for convincing glibc to find NSS modules
|
||||
in the nix store instead of an absolute path, we have decided to disable
|
||||
caching globally now, as it's usually not the behaviour the user wants and
|
||||
can lead to surprising behaviour. Furthermore, negative caching of host
|
||||
lookups is also disabled now by default. This should fix the issue of dns
|
||||
lookups failing in the presence of an unreliable network.
|
||||
</para>
|
||||
<para>
|
||||
If the old behaviour is desired, this can be restored by setting
|
||||
the <literal>services.nscd.config</literal> option
|
||||
with the desired caching parameters.
|
||||
<programlisting>
|
||||
services.nscd.config =
|
||||
''
|
||||
server-user nscd
|
||||
threads 1
|
||||
paranoia no
|
||||
debug-level 0
|
||||
|
||||
enable-cache passwd yes
|
||||
positive-time-to-live passwd 600
|
||||
negative-time-to-live passwd 20
|
||||
suggested-size passwd 211
|
||||
check-files passwd yes
|
||||
persistent passwd no
|
||||
shared passwd yes
|
||||
|
||||
enable-cache group yes
|
||||
positive-time-to-live group 3600
|
||||
negative-time-to-live group 60
|
||||
suggested-size group 211
|
||||
check-files group yes
|
||||
persistent group no
|
||||
shared group yes
|
||||
|
||||
enable-cache hosts yes
|
||||
positive-time-to-live hosts 600
|
||||
negative-time-to-live hosts 5
|
||||
suggested-size hosts 211
|
||||
check-files hosts yes
|
||||
persistent hosts no
|
||||
shared hosts yes
|
||||
'';
|
||||
</programlisting>
|
||||
See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/50316">#50316</link>
|
||||
for details.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
GitLab Shell previously used the nix store paths for the
|
||||
|
|
|
@ -1,36 +0,0 @@
|
|||
server-user nscd
|
||||
threads 1
|
||||
paranoia no
|
||||
debug-level 0
|
||||
|
||||
enable-cache passwd yes
|
||||
positive-time-to-live passwd 0
|
||||
negative-time-to-live passwd 0
|
||||
suggested-size passwd 211
|
||||
check-files passwd yes
|
||||
persistent passwd no
|
||||
shared passwd yes
|
||||
|
||||
enable-cache group yes
|
||||
positive-time-to-live group 0
|
||||
negative-time-to-live group 0
|
||||
suggested-size group 211
|
||||
check-files group yes
|
||||
persistent group no
|
||||
shared group yes
|
||||
|
||||
enable-cache hosts yes
|
||||
positive-time-to-live hosts 600
|
||||
negative-time-to-live hosts 5
|
||||
suggested-size hosts 211
|
||||
check-files hosts yes
|
||||
persistent hosts no
|
||||
shared hosts yes
|
||||
|
||||
enable-cache services yes
|
||||
positive-time-to-live services 0
|
||||
negative-time-to-live services 0
|
||||
suggested-size services 211
|
||||
check-files services yes
|
||||
persistent services no
|
||||
shared services yes
|
|
@ -75,7 +75,6 @@ in {
|
|||
};
|
||||
|
||||
system.nssModules = optional cfg.enable pkgs.sssd;
|
||||
services.nscd.config = builtins.readFile ./nscd-sssd.conf;
|
||||
services.dbus.packages = [ pkgs.sssd ];
|
||||
})
|
||||
|
||||
|
|
|
@ -1,28 +1,52 @@
|
|||
# We basically use nscd as a proxy for forwarding nss requests to appropriate
|
||||
# nss modules, as we run nscd with LD_LIBRARY_PATH set to the directory
|
||||
# containing all such modules
|
||||
# Note that we can not use `enable-cache no` As this will actually cause nscd
|
||||
# to just reject the nss requests it receives, which then causes glibc to
|
||||
# fallback to trying to handle the request by itself. Which won't work as glibc
|
||||
# is not aware of the path in which the nss modules live. As a workaround, we
|
||||
# have `enable-cache yes` with an explicit ttl of 0
|
||||
server-user nscd
|
||||
threads 1
|
||||
paranoia no
|
||||
debug-level 0
|
||||
|
||||
enable-cache passwd yes
|
||||
positive-time-to-live passwd 600
|
||||
negative-time-to-live passwd 20
|
||||
positive-time-to-live passwd 0
|
||||
negative-time-to-live passwd 0
|
||||
suggested-size passwd 211
|
||||
check-files passwd yes
|
||||
persistent passwd no
|
||||
shared passwd yes
|
||||
|
||||
enable-cache group yes
|
||||
positive-time-to-live group 3600
|
||||
negative-time-to-live group 60
|
||||
positive-time-to-live group 0
|
||||
negative-time-to-live group 0
|
||||
suggested-size group 211
|
||||
check-files group yes
|
||||
persistent group no
|
||||
shared group yes
|
||||
|
||||
enable-cache netgroup yes
|
||||
positive-time-to-live netgroup 0
|
||||
negative-time-to-live netgroup 0
|
||||
suggested-size netgroup 211
|
||||
check-files netgroup yes
|
||||
persistent netgroup no
|
||||
shared netgroup yes
|
||||
|
||||
enable-cache hosts yes
|
||||
positive-time-to-live hosts 600
|
||||
negative-time-to-live hosts 5
|
||||
negative-time-to-live hosts 0
|
||||
suggested-size hosts 211
|
||||
check-files hosts yes
|
||||
persistent hosts no
|
||||
shared hosts yes
|
||||
|
||||
enable-cache services yes
|
||||
positive-time-to-live services 0
|
||||
negative-time-to-live services 0
|
||||
suggested-size services 211
|
||||
check-files services yes
|
||||
persistent services no
|
||||
shared services yes
|
||||
|
|
|
@ -56,6 +56,11 @@ import ./make-test.nix {
|
|||
$machine->succeed('test -z $(ls -1 /var/log/journal)');
|
||||
};
|
||||
|
||||
# Regression test for https://github.com/NixOS/nixpkgs/issues/50273
|
||||
subtest "DynamicUser actually allocates a user", sub {
|
||||
$machine->succeed('systemd-run --pty --property=Type=oneshot --property=DynamicUser=yes --property=User=iamatest whoami | grep iamatest');
|
||||
};
|
||||
|
||||
# Regression test for https://github.com/NixOS/nixpkgs/issues/35268
|
||||
subtest "file system with x-initrd.mount is not unmounted", sub {
|
||||
$machine->shutdown;
|
||||
|
|
Loading…
Reference in New Issue