Skip to content

Instantly share code, notes, and snippets.

@erikarvstedt

erikarvstedt/remove-nscd..add-nss-modules-path.diff

Created January 19, 2022 15:50
Show Gist options
  • Save erikarvstedt/9362ee4b7961129ea618e8e39c5b1b41 to your computer and use it in GitHub Desktop.
Save erikarvstedt/9362ee4b7961129ea618e8e39c5b1b41 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
remove-nscd..add-nss-modules-path.diff
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
index b7b01f9ce68..59da373f38e 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -1653,36 +1653,6 @@ Superuser created successfully.
</listitem>
</itemizedlist>
</listitem>
- <listitem>
- <para>
- NSS modules are now globally provided (by a
- <literal>/run/nss-modules</literal> symlink), similar to how
- we handle OpenGL drivers.
- </para>
- <para>
- This removes the need for nscd as a proxy for all NSS
- requests, and avoids DNS requests leaking across network
- namespaces.
- </para>
- <para>
- While doing this upgrade, existing applications need to be
- restarted, so they know how to pick up NSS modules from
- <literal>/run/nss-modules/lib</literal>.
- </para>
- <para>
- If you want to defer application restart to a later time,
- explicitly enable <literal>nscd</literal> via
- <literal>services.nscd.enable</literal> until the application
- restarts.
- </para>
- <para>
- We can mix NSS modules from any version of glibc according to
- https://sourceware.org/legacy-ml/libc-help/2016-12/msg00008.html,
- so future glibc upgrades shouldn’t break old userland loading
- more recent NSS modules (and most likely, NSS modules are
- already loaded)
- </para>
- </listitem>
<listitem>
<para>
The
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md
index c74c35fd109..1b59842e020 100644
--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -489,23 +489,6 @@ In addition to numerous new and upgraded packages, this release has the followin
- A new [scanOnLowSignal](options.html#opt-networking.wireless.scanOnLowSignal) option has been added to facilitate fast roaming between access points (enabled by default).
- A new [networks.&lt;name&gt;.authProtocols](options.html#opt-networking.wireless.networks._name_.authProtocols) option has been added to change the authentication protocols used when connecting to a network.
-- NSS modules are now globally provided (by a `/run/nss-modules` symlink),
- similar to how we handle OpenGL drivers.
-
- This removes the need for nscd as a proxy for all NSS requests, and avoids
- DNS requests leaking across network namespaces.
-
- While doing this upgrade, existing applications need to be restarted, so
- they know how to pick up NSS modules from `/run/nss-modules/lib`.
-
- If you want to defer application restart to a later time, explicitly enable
- `nscd` via `services.nscd.enable` until the application restarts.
-
- We can mix NSS modules from any version of glibc according to
- https://sourceware.org/legacy-ml/libc-help/2016-12/msg00008.html,
- so future glibc upgrades shouldn't break old userland loading more recent NSS
- modules (and most likely, NSS modules are already loaded)
-
- The [networking.wireless.iwd](options.html#opt-networking.wireless.iwd.enable) module has a new [networking.wireless.iwd.settings](options.html#opt-networking.wireless.iwd.settings) option.
- The [services.smokeping.host](options.html#opt-services.smokeping.host) option was added and defaulted to `localhost`. Before, `smokeping` listened to all interfaces by default. NixOS defaults generally aim to provide non-Internet-exposed defaults for databases and internal monitoring tools, see e.g. [#100192](https://github.com/NixOS/nixpkgs/issues/100192). Further, the systemd service for `smokeping` got reworked defaults for increased operational stability, see [PR #144127](https://github.com/NixOS/nixpkgs/pull/144127) for details.
diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix
index ff600eb2493..ec7ecc59922 100644
--- a/nixos/modules/config/nsswitch.nix
+++ b/nixos/modules/config/nsswitch.nix
@@ -73,13 +73,11 @@ with lib;
];
config = {
- # Provide configured NSS modules at /run/nss-modules
- # We can mix NSS modules from any version of glibc according to
- # https://sourceware.org/legacy-ml/libc-help/2016-12/msg00008.html,
- # so glibc upgrades shouldn't break old userland loading more recent NSS
- # modules (and most likely, NSS modules are already loaded)
- systemd.tmpfiles.rules = [
- "L+ /run/nss-modules - - - - ${config.system.nssModules.path}"
+ # Provide NSS modules at a platform-specific path in /run
+ systemd.tmpfiles.rules = let
+ glibcPlatform = "${if pkgs.stdenv.hostPlatform.is64bit then "64" else "32"}-${pkgs.glibc.version}";
+ in [
+ "L+ /run/nss-modules-${glibcPlatform} - - - - ${config.system.nssModules.path}"
];
# Name Service Switch configuration file. Required by the C
diff --git a/nixos/modules/services/system/nscd.nix b/nixos/modules/services/system/nscd.nix
index dfe4882180b..2347a4ba894 100644
--- a/nixos/modules/services/system/nscd.nix
+++ b/nixos/modules/services/system/nscd.nix
@@ -22,9 +22,13 @@ in
enable = mkOption {
type = types.bool;
- default = false;
+ default = true;
description = ''
Whether to enable the Name Service Cache Daemon.
+
+ When this option is disabled, NSS lookups from non-glibc NSS modules are disabled for:
+ - binaries that use a glibc version different from the system glibc
+ - 32-bit binaries on 64-bit hosts.
'';
};
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index b2f223e7ccd..d808273a73d 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -335,6 +335,7 @@ in
nomad = handleTest ./nomad.nix {};
novacomd = handleTestOn ["x86_64-linux"] ./novacomd.nix {};
nsd = handleTest ./nsd.nix {};
+ nssmodules-without-nscd = handleTest ./nssmodules-without-nscd.nix {};
nzbget = handleTest ./nzbget.nix {};
nzbhydra2 = handleTest ./nzbhydra2.nix {};
oh-my-zsh = handleTest ./oh-my-zsh.nix {};
diff --git a/nixos/tests/nssmodules-without-nscd.nix b/nixos/tests/nssmodules-without-nscd.nix
new file mode 100644
index 00000000000..b58155343d4
--- /dev/null
+++ b/nixos/tests/nssmodules-without-nscd.nix
@@ -0,0 +1,21 @@
+# Ensure that NSS modules are accessible by glibc client binaries when
+# nscd is disabled
+
+import ./make-test-python.nix ({ lib, ... } : {
+ name = "nssmodules-without-nscd";
+
+ meta = with lib.maintainers; {
+ maintainers = [ earvstedt flokli ];
+ };
+
+ nodes.node = {
+ services.nscd.enable = false;
+ };
+
+ # Test dynamic user resolution via `libnss_systemd.so` which is only available
+ # through `system.nssModules`
+ testScript = ''
+ node.succeed("systemd-run --property=DynamicUser=yes --property=User=testuser sleep infinity")
+ node.succeed("getent passwd testuser")
+ '';
+})
diff --git a/nixos/tests/resolv.nix b/nixos/tests/resolv.nix
index 5ff9491036b..f0aa7e42aaf 100644
--- a/nixos/tests/resolv.nix
+++ b/nixos/tests/resolv.nix
@@ -29,6 +29,7 @@ import ./make-test-python.nix ({ pkgs, ... } : {
start_all()
+ resolv.wait_for_unit("nscd")
ipv4 = ["192.0.2.1", "192.0.2.2"]
ipv6 = ["2001:db8::2:1", "2001:db8::2:2"]
diff --git a/pkgs/development/libraries/glibc/0001-nss_module.c-try-loading-NSS-modules-from-run-nss-mo.patch b/pkgs/development/libraries/glibc/0001-nss_module.c-try-loading-NSS-modules-from-run-nss-mo.patch
deleted file mode 100644
index 2ad20c6a9ff..00000000000
--- a/pkgs/development/libraries/glibc/0001-nss_module.c-try-loading-NSS-modules-from-run-nss-mo.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 65a211ee3604733dceba13062f956256a573f27c Mon Sep 17 00:00:00 2001
-From: Florian Klink <[email protected]>
-Date: Sun, 19 Sep 2021 13:26:33 +0200
-Subject: [PATCH] nss_module.c: try loading NSS modules from /run/nss-modules
- as a fallback
-
-Previously, glibc only looked for NSS modules in ${glibc.out}/lib
-and LD_LIBRARY_PATH.
-
-LD_LIBRARY_PATH is very invasive, so we don't want to set that globally
-on NixOS. We previously worked around this by running nscd with
-LD_LIBRARY_PATH set, but nscd has some caching issues, and leaks DNS
-requests across network namespaces, so it's cleaner to have glibc look
-for NSS modules in an additional path that's provided by NixOS.
-
-On non-NixOS distributions, this shouldn't change behaviour, as the path
-doesn't exist there.
----
- nss/nss_module.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/nss/nss_module.c b/nss/nss_module.c
-index 6c5f341f..44cfc2a4 100644
---- a/nss/nss_module.c
-+++ b/nss/nss_module.c
-@@ -133,6 +133,22 @@ module_load (struct nss_module *module)
- return false;
-
- handle = __libc_dlopen (shlib_name);
-+
-+ /* After loading from the default locations, try loading from
-+ /run/nss-modules, to allow loading NixOS-provided NSS modules. */
-+ if(handle == NULL)
-+ {
-+ const char *nix_glibc_nss_path = "/run/nss-modules/lib/";
-+ char shlib_path[1024];
-+ size_t shlib_pathlen = strlen(nix_glibc_nss_path) + strlen(shlib_name);
-+
-+ if (shlib_pathlen < sizeof (shlib_path))
-+ {
-+ __stpcpy (__stpcpy (&shlib_path[0], nix_glibc_nss_path), shlib_name);
-+ handle = __libc_dlopen (shlib_path);
-+ }
-+ }
-+
- free (shlib_name);
- }
-
---
-2.32.0
-
diff --git a/pkgs/development/libraries/glibc/add-extra-module-load-path.patch b/pkgs/development/libraries/glibc/add-extra-module-load-path.patch
new file mode 100644
index 00000000000..c134cc090fb
--- /dev/null
+++ b/pkgs/development/libraries/glibc/add-extra-module-load-path.patch
@@ -0,0 +1,47 @@
+Add NSS module load path /run/nss-modules-${word_size}-${glibc_version}/lib
+as a fallback. Previously, glibc only looked for NSS modules in ${glibc.out}/lib and
+LD_LIBRARY_PATH.
+
+On NixOS, this removes the dependency on nscd for enabling NSS functionality in
+glibc clients.
+nscd has caching bugs and leaks DNS requests across network namespaces.
+
+The module load path is only used by binaries that use the same glibc
+version and word size as the NSS modules. This avoids failures due to ABI
+incompatibilities. Incompatible binaries can still be served by nscd.
+
+On non-NixOS systems, this patch doesn't change behaviour, as the path
+doesn't exist there.
+
+diff --git a/nss/nss_module.c b/nss/nss_module.c
+index 6c5f341f..80b6eac0 100644
+--- a/nss/nss_module.c
++++ b/nss/nss_module.c
+@@ -133,5 +133,27 @@ module_load (struct nss_module *module)
+ return false;
+
+ handle = __libc_dlopen (shlib_name);
++
++ /* After loading from the default locations, try loading from
++ the NixOS module load path. */
++ if (handle == NULL) {
++
++ #define STR_(x) #x
++ #define STR(x) STR_(x)
++
++ const char nix_nss_path[] = "/run/nss-modules-" STR(__WORDSIZE) "-"
++ STR(__GLIBC__) "." STR(__GLIBC_MINOR__) "/lib/";
++ char shlib_path[1024];
++ size_t nix_nss_path_len = sizeof(nix_nss_path) - 1;
++ size_t shlib_name_len = strlen(shlib_name);
++ size_t shlib_path_len = nix_nss_path_len + shlib_name_len;
++
++ if (shlib_path_len < sizeof(shlib_path)) {
++ memcpy(&shlib_path[0], nix_nss_path, nix_nss_path_len);
++ memcpy(&shlib_path[nix_nss_path_len], shlib_name, shlib_name_len + 1);
++ handle = __libc_dlopen(shlib_path);
++ }
++ }
++
+ free (shlib_name);
+ }
diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix
index 571a263c447..2ac8d7587af 100644
--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@@ -126,7 +126,7 @@ stdenv.mkDerivation ({
/* https://github.com/NixOS/nixpkgs/pull/137601 */
./nix-nss-open-files.patch
- ./0001-nss_module.c-try-loading-NSS-modules-from-run-nss-mo.patch
+ ./add-extra-module-load-path.patch
]
++ lib.optional stdenv.hostPlatform.isMusl ./fix-rpc-types-musl-conflicts.patch
++ lib.optional stdenv.buildPlatform.isDarwin ./darwin-cross-build.patch;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment