nixos/nsd: Don't override bind via nixpkgs.config #53365

Merged
merged 2 commits into from Jan 10, 2019

@aszlig
Member

commented Jan 4, 2019

When generating values for the services.nsd.zones attribute using values from pkgs, we'll run into an infinite recursion because the nsd module has a condition on the top-level definition of nixpkgs.config.

While it would work to push the definition a few levels down, it will still only work if we don't use bind tools for generating zones.

As far as I could see, Python support for BIND seems to be only needed for the dnssec-* tools, so instead of using nixpkgs.config, we now directly override pkgs.bind instead of globally in nixpkgs.

To illustrate the problem with a small test case, instantiating the following Nix expression from the nixpkgs source root will cause the mentioned infinite recursion:

(import ./nixos {
  configuration = { lib, pkgs, ... }: {
    services.nsd.enable = true;
    services.nsd.zones = import (pkgs.writeText "foo.nix" ''
      { "foo.".data = "xyz";
        "foo.".dnssec = true;
      }
    '');
  };
}).vm

With this change, generating zones via import-from-derivation is now possible again.


@pngwjpgh: Can you please check whether DNSSEC still works after this?

Cc: @hrdinka
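
A simplified model of the dependency cycle described in the comment above, in plain Nix with no nixpkgs import (an added example, not code from this pull request or from the nsd module). `mkPkgs`, `mkBind`, `generateZones` and `hasDnssec` are constructed stand-ins, and the `override { enablePython = true; }` form is an assumption based on the flag named later in this thread. Evaluating the `before` attribute runs into the cycle; `after` does not.

```nix
# cycle.nix -- constructed model; evaluates without nixpkgs.
let
  # Stand-in for the bind package, with an override function.
  mkBind = args: {
    inherit (args) enablePython;
    override = new: mkBind (args // new);
  };

  # Stand-in for `import nixpkgs { inherit config; }`. Building the package
  # set forces its config, which builtins.seq models here.
  mkPkgs = config: builtins.seq config {
    bind = mkBind { enablePython = config.bind.enablePython or false; };
    # Stand-in for zone data produced by a derivation (pkgs.writeText + import).
    generateZones = { "foo." = { data = "xyz"; dnssec = true; }; };
  };

  # True if any zone in the set has DNSSEC enabled.
  hasDnssec = zones:
    builtins.any (z: z.dnssec or false) (builtins.attrValues zones);

  # Before: the global config is conditional on the zones, and the zones
  # come from the package set that is built with that very config.
  before = rec {
    zones = pkgs.generateZones;
    config = if hasDnssec zones then { bind.enablePython = true; } else { };
    pkgs = mkPkgs config;
    bind = pkgs.bind;
  };

  # After: the package set no longer depends on the zones; only the copy of
  # bind used by the module is overridden.
  after = rec {
    zones = pkgs.generateZones;
    pkgs = mkPkgs { };
    bind =
      if hasDnssec zones
      then pkgs.bind.override { enablePython = true; }
      else pkgs.bind;
  };
in {
  # Evaluate each variant separately:
  #   nix-instantiate --eval -A after cycle.nix
  #   nix-instantiate --eval -A before cycle.nix
  after = after.bind.enablePython;
  before = before.bind.enablePython;
}
```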

aszlig added some commits Jan 4, 2019

nixos/nsd: Don't override bind via nixpkgs.config
When generating values for the services.nsd.zones attribute using values
from pkgs, we'll run into an infinite recursion because the nsd module
has a condition on the top-level definition of nixpkgs.config.

While it would work to push the definition a few levels down, it will
still only work if we don't use bind tools for generating zones.

As far as I could see, Python support for BIND seems to be only needed
for the dnssec-* tools, so instead of using nixpkgs.config, we now
directly override pkgs.bind instead of globally in nixpkgs.

To illustrate the problem with a small test case, instantiating the
following Nix expression from the nixpkgs source root will cause the
mentioned infinite recursion:

  (import ./nixos {
    configuration = { lib, pkgs, ... }: {
      services.nsd.enable = true;
      services.nsd.zones = import (pkgs.writeText "foo.nix" ''
        { "foo.".data = "xyz";
          "foo.".dnssec = true;
        }
      '');
    };
  }).vm

With this change, generating zones via import-from-derivation is now
possible again.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @pngwjpgh
nixos/nsd: Improve checking for empty dnssec zones
While at it (see previous commit), using attrNames in combination with
length is a bit verbose for checking whether the filtered attribute set
is empty, so let's just compare it against an empty attribute set.

Signed-off-by: aszlig <aszlig@nix.build>
@hrdinka

Contributor

commented Jan 4, 2019

@aszlig Thanks for the patch. I wasn't even aware of these DNSSEC changes :/

This should never have been done that way and your patch corrects it. Therefore I am happy with merging.

I don't think that this change will break anything. However, my hoster does not support DNSSEC, so let's wait for @pngwjpgh testing it.

@hrdinka

Contributor

commented Jan 10, 2019

@pngwjpgh If you need some more time for testing, please drop a short line. If not, I will merge this in a few days. It is a simple change and I don't want to have it sit around for too long.

@vcunat

vcunat approved these changes Jan 10, 2019

Member

left a comment

I feel certain about merging this. Magically overriding nixpkgs-wide bind was ugly.

I'm not even sure why enablePython is there, as the dnssec-* tools used here seem present even without it, but I can't say I know the bind dnssec-* toolset that well. Anyway, the whole override could be removed later; it seems of little consequence.

@vcunat

Member

commented Jan 10, 2019

I even feel like picking this to 18.09, but I'll wait for a few days at least.

@vcunat vcunat merged commit 6446d9e into NixOS:master Jan 10, 2019

9 checks passed

grahamcofborg-eval ^.^!
grahamcofborg-eval-check-meta config.nix: checkMeta = true
grahamcofborg-eval-nixos-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A manual
grahamcofborg-eval-nixos-options nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A options
grahamcofborg-eval-nixpkgs-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A manual
grahamcofborg-eval-nixpkgs-tarball nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A tarball
grahamcofborg-eval-nixpkgs-unstable-jobset nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A unstable
grahamcofborg-eval-package-list nix-env -qa --json --file .
grahamcofborg-eval-package-list-no-aliases nix-env -qa --json --file . --arg config { allowAliases = false; }

vdemeester pushed a commit to vdemeester/nixpkgs that referenced this pull request Jan 10, 2019
