Disable nscd caching #50316

Merged, 8 commits, Dec 12, 2018
59 changes: 59 additions & 0 deletions nixos/doc/manual/release-notes/rl-1903.xml
@@ -245,6 +245,65 @@
options.
</para>
</listitem>
<listitem>
<para>
The <literal>nscd</literal> service now disables all caching of
<literal>passwd</literal> and <literal>group</literal> databases by
default. This was interferring with the correct functioning of the
<literal>libnss_systemd.so</literal> module which is used by
<literal>systemd</literal> to manage uids and usernames in the presence of
<literal>DynamicUser=</literal> in systemd services. This was already the
default behaviour in presence of <literal>services.sssd.enable =
true</literal> because nscd caching would interfere with
<literal>sssd</literal> in unpredictable ways as well. Because we're
using nscd not for caching, but for convincing glibc to find NSS modules
in the nix store instead of an absolute path, we have decided to disable
caching globally now, as it's usually not the behaviour the user wants and
can lead to surprising behaviour. Furthermore, negative caching of host
lookups is also disabled now by default. This should fix the issue of dns
lookups failing in the presence of an unreliable network.
</para>
<para>
If the old behaviour is desired, this can be restored by setting
the <literal>services.nscd.config</literal> option
with the desired caching parameters.
<programlisting>
services.nscd.config =
''
server-user nscd
threads 1
paranoia no
debug-level 0

enable-cache passwd yes
positive-time-to-live passwd 600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd no
shared passwd yes

enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group no
shared group yes

enable-cache hosts yes
positive-time-to-live hosts 600
negative-time-to-live hosts 5
suggested-size hosts 211
check-files hosts yes
persistent hosts no
shared hosts yes
'';
</programlisting>
See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/50316">#50316</link>
for details.
</para>
</listitem>
<listitem>
<para>
GitLab Shell previously used the nix store paths for the
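Review bot: the added paragraph has a spelling error, "interferring" should be "interfering", and "in presence of" reads better as "in the presence of" (it is already written that way two sentences earlier). More substantively, the restoration snippet under <programlisting> re-enables passwd and group caching with the original TTLs, which is exactly the configuration the first paragraph says breaks libnss_systemd with DynamicUser=; a sentence next to the snippet saying that restoring passwd/group caching brings that issue back, and that hosts-only caching is the safer partial restore, would stop readers copying it blindly.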
36 changes: 0 additions & 36 deletions nixos/modules/services/misc/nscd-sssd.conf

This file was deleted.

1 change: 0 additions & 1 deletion nixos/modules/services/misc/sssd.nix
@@ -75,7 +75,6 @@ in {
};

system.nssModules = optional cfg.enable pkgs.sssd;
services.nscd.config = builtins.readFile ./nscd-sssd.conf;
services.dbus.packages = [ pkgs.sssd ];
})
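Review bot: with `services.nscd.config = builtins.readFile ./nscd-sssd.conf;` removed, sssd hosts now fall through to the module's default nscd.conf. That matches the release note's statement that sssd already ran without caching, but the new default keeps `positive-time-to-live hosts 600`, so if the deleted nscd-sssd.conf had hosts at 0 this is a behaviour change for sssd users and deserves a line in the release note; either way, a short comment here saying the default config is now sufficient for sssd would explain the deletion to the next reader.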

34 changes: 29 additions & 5 deletions nixos/modules/services/system/nscd.conf
@@ -1,28 +1,52 @@
# We basically use nscd as a proxy for forwarding nss requests to appropriate
# nss modules, as we run nscd with LD_LIBRARY_PATH set to the directory
# containing all such modules
# Note that we can not use `enable-cache no` As this will actually cause nscd
# to just reject the nss requests it receives, which then causes glibc to
# fallback to trying to handle the request by itself. Which won't work as glibc
# is not aware of the path in which the nss modules live. As a workaround, we
# have `enable-cache yes` with an explicit ttl of 0
server-user nscd
threads 1
paranoia no
debug-level 0

enable-cache passwd yes
Contributor
Do we want to disable caches where we set a zero ttl for both positive and negative? Seems less confusing to me :-)

Member Author

As eelco mentioned, this would have a serious performance penalty, so I don't want to change it until #51911 is implemented. I think this is a good compromise where people do not get failed lookups when switching networks, but do also have performance, until we figure out the resolved business.

Member Author
@arianvp Dec 12, 2018

Oh, I misread: see the original commit message for why we can't do this:

Note that we can not just put in /etc/nscd.conf:
enable-cache passwd no

As this will actually cause glibc to _not_ forward the call to nscd
at all, and thus never reach the nss modules. Instead we set
the negative and positive cache ttls to 0 seconds as a workaround.
This way, Glibc will always forward requests to nscd, but results
will never be cached.

Member Author

I added this as a comment to nscd.conf to clarify.

positive-time-to-live passwd 600
negative-time-to-live passwd 20
positive-time-to-live passwd 0
negative-time-to-live passwd 0
suggested-size passwd 211
check-files passwd yes
persistent passwd no
shared passwd yes

enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
positive-time-to-live group 0
negative-time-to-live group 0
suggested-size group 211
check-files group yes
persistent group no
shared group yes

enable-cache netgroup yes
positive-time-to-live netgroup 0
negative-time-to-live netgroup 0
suggested-size netgroup 211
check-files netgroup yes
persistent netgroup no
shared netgroup yes

enable-cache hosts yes
positive-time-to-live hosts 600
negative-time-to-live hosts 5
negative-time-to-live hosts 0
Member
@Mic92 Nov 14, 2018

I wonder if we at least should backport this one, since it can be quite annoying if websites do not load correctly after connecting to a hotspot.

Member

Yes, I’ve had this problem for more than a month now, so the release must have it as well.

suggested-size hosts 211
check-files hosts yes
persistent hosts no
shared hosts yes

enable-cache services yes
positive-time-to-live services 0
negative-time-to-live services 0
suggested-size services 211
check-files services yes
persistent services no
shared services yes
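Review bot: the header comment ("Note that we can not use `enable-cache no` ... we have `enable-cache yes` with an explicit ttl of 0") does not match the hosts stanza, which keeps `positive-time-to-live hosts 600` and only zeroes the negative TTL. The comment should name hosts as the deliberate exception and give the reason from the thread (performance, pending #51911), otherwise the next reader will either "fix" it to 0 or assume it was forgotten. Minor: "can not" should be "cannot", and the first comment sentence needs a full stop before "Note".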
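The forwarding-only model the quoted commit message describes (every database keeps `enable-cache yes`, TTLs are 0, and `enable-cache no` must never be used because glibc then bypasses nscd) can be checked mechanically. The following lint is an added example, not nixpkgs code; it assumes the `key [database] value` syntax of nscd.conf(5), treats the positive hosts TTL as the one tolerated exception this PR keeps, and runs on two constructed config snippets embedded below.

```python
# Added example (not nixpkgs code): lint an nscd.conf for the forwarding-only rules above.
GLOBAL_KEYS = {"logfile", "debug-level", "threads", "max-threads", "server-user",
               "stat-user", "reload-count", "paranoia", "restart-interval"}

def parse_nscd_conf(text):
    """Map (database, key) -> (value, line number); database is '' for globals."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] in GLOBAL_KEYS and len(parts) == 2:
            settings[("", parts[0])] = (parts[1], lineno)
        elif len(parts) == 3:                    # "<key> <database> <value>"
            settings[(parts[1], parts[0])] = (parts[2], lineno)
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return settings

def lint_nscd_conf(text, allow_positive_ttl=("hosts",)):
    """Return (line, database, problem) triples.  'enable-cache <db> no' makes glibc
    answer the lookup itself, bypassing nscd and the NSS modules only nscd can find;
    a non-zero or unset TTL caches answers.  allow_positive_ttl lists the exceptions."""
    settings = parse_nscd_conf(text)
    findings = []
    for db in sorted({db for db, _ in settings if db}):
        enabled, ln = settings.get((db, "enable-cache"), ("no", 0))
        if enabled != "yes":
            findings.append((ln, db, "enable-cache is not 'yes', nscd is bypassed"))
            continue
        for key in ("positive-time-to-live", "negative-time-to-live"):
            value, ln = settings.get((db, key), (None, 0))
            tolerated = key.startswith("positive") and db in allow_positive_ttl
            if value is None or (int(value) != 0 and not tolerated):
                findings.append((ln, db, f"{key} is {value or 'unset'}, answers are cached"))
    return findings

# Constructed samples: the passwd/hosts stanzas as the PR leaves them, and the mistakes above.
NEW_CONF = """enable-cache passwd yes
positive-time-to-live passwd 0
negative-time-to-live passwd 0
enable-cache hosts yes
positive-time-to-live hosts 600
negative-time-to-live hosts 0
"""
BAD_CONF = """enable-cache passwd no
enable-cache group yes
positive-time-to-live group 3600
"""
```

Pass `allow_positive_ttl=()` to also flag the hosts positive TTL, which is what a fully cache-free configuration (the direction discussed under #51911) would require.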
5 changes: 5 additions & 0 deletions nixos/tests/systemd.nix
@@ -56,6 +56,11 @@ import ./make-test.nix {
$machine->succeed('test -z $(ls -1 /var/log/journal)');
};

# Regression test for https://github.com/NixOS/nixpkgs/issues/50273
subtest "DynamicUser actually allocates a user", sub {
$machine->succeed('systemd-run --pty --property=Type=oneshot --property=DynamicUser=yes --property=User=iamatest whoami | grep iamatest');
};

# Regression test for https://github.com/NixOS/nixpkgs/issues/35268
subtest "file system with x-initrd.mount is not unmounted", sub {
$machine->shutdown;
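Review bot: `whoami | grep iamatest` is a substring match, so any output line that happens to contain the name would pass; `grep -x iamatest` keeps the intent while making the assertion exact. The comment should also say what is actually being checked: the unit's own process resolving its dynamically allocated uid back to the requested name via libnss_systemd, which is the NSS path the nscd.conf change unbreaks, so a reader of nixos/tests/systemd.nix understands why an nscd regression test lives here.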