Merge pull request #196917 from flokli/nsncd

nixos/nscd: add option to use nsncd, init nsncd
2022-10-21 11:22:17 +02:00 · 2022-10-21 11:22:17 +02:00 · 690ccd9c4a
parent ee9ca83920 a86e080fa4
commit 690ccd9c4a
4 changed files with 96 additions and 12 deletions
--- a/nixos/modules/services/system/nscd.nix
+++ b/nixos/modules/services/system/nscd.nix
@ -27,6 +27,15 @@ in
        '';
      };

+      enableNsncd = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc ''
+          Whether to use nsncd instead of nscd.
+          This is a nscd-compatible daemon, that proxies lookups, without any caching.
+        '';
+      };
+
      user = mkOption {
        type = types.str;
        default = "nscd";
@ -51,7 +60,8 @@ in

      package = mkOption {
        type = types.package;
-        default = if pkgs.stdenv.hostPlatform.libc == "glibc"
+        default =
+          if pkgs.stdenv.hostPlatform.libc == "glibc"
          then pkgs.stdenv.cc.libc.bin
          else pkgs.glibc.bin;
        defaultText = lib.literalExpression ''
@ -59,7 +69,10 @@ in
            then pkgs.stdenv.cc.libc.bin
            else pkgs.glibc.bin;
        '';
-        description = lib.mdDoc "package containing the nscd binary to be used by the service";
+        description = lib.mdDoc ''
+          package containing the nscd binary to be used by the service.
+          Ignored when enableNsncd is set to true.
+        '';
      };

    };
@ -77,10 +90,12 @@ in
      group = cfg.group;
    };

-    users.groups.${cfg.group} = {};
+    users.groups.${cfg.group} = { };

    systemd.services.nscd =
-      { description = "Name Service Cache Daemon";
+      {
+        description = "Name Service Cache Daemon"
+          + lib.optionalString cfg.enableNsncd " (nsncd)";

        before = [ "nss-lookup.target" "nss-user-lookup.target" ];
        wants = [ "nss-lookup.target" "nss-user-lookup.target" ];
@ -89,14 +104,14 @@ in

        environment = { LD_LIBRARY_PATH = nssModulesPath; };

-        restartTriggers = [
+        restartTriggers = lib.optionals (!cfg.enableNsncd) ([
          config.environment.etc.hosts.source
          config.environment.etc."nsswitch.conf".source
          config.environment.etc."nscd.conf".source
        ] ++ optionals config.users.mysql.enable [
          config.environment.etc."libnss-mysql.cfg".source
          config.environment.etc."libnss-mysql-root.cfg".source
-        ];
+        ]);

        # In some configurations, nscd needs to be started as root; it will
        # drop privileges after all the NSS modules have read their
@ -106,8 +121,11 @@ in
        # sill want to read their configuration files after the privilege drop
        # and so users can set the owner of those files to the nscd user.
        serviceConfig =
-          { ExecStart = "!@${cfg.package}/bin/nscd nscd";
-            Type = "forking";
+          {
+            ExecStart =
+              if cfg.enableNsncd then "${pkgs.nsncd}/bin/nsncd"
+              else "!@${cfg.package}/bin/nscd nscd";
+            Type = if cfg.enableNsncd then "notify" else "forking";
            User = cfg.user;
            Group = cfg.group;
            RemoveIPC = true;
@ -120,12 +138,12 @@ in
            PIDFile = "/run/nscd/nscd.pid";
            Restart = "always";
            ExecReload =
-              [ "${cfg.package}/bin/nscd --invalidate passwd"
+              lib.optionals (!cfg.enableNsncd) [
+                "${cfg.package}/bin/nscd --invalidate passwd"
                "${cfg.package}/bin/nscd --invalidate group"
                "${cfg.package}/bin/nscd --invalidate hosts"
              ];
          };
      };
-
  };
 }
--- a/nixos/tests/nscd.nix
+++ b/nixos/tests/nscd.nix
@ -21,10 +21,31 @@ in
      192.0.2.1 somehost.test
    '';

+    systemd.services.sockdump = {
+      wantedBy = [ "multi-user.target" ];
+      path = [
+        # necessary for bcc to unpack kernel headers and invoke modprobe
+        pkgs.gnutar
+        pkgs.xz.bin
+        pkgs.kmod
+      ];
+      environment.PYTHONUNBUFFERED = "1";
+
+      serviceConfig = {
+        ExecStart = "${pkgs.sockdump}/bin/sockdump /var/run/nscd/socket";
+        Restart = "on-failure";
+        RestartSec = "1";
+        Type = "simple";
+      };
+    };
+
    specialisation = {
      withUnscd.configuration = { ... }: {
        services.nscd.package = pkgs.unscd;
      };
+      withNsncd.configuration = { ... }: {
+        services.nscd.enableNsncd = true;
+      };
    };
  };

@ -40,9 +61,10 @@ in
                  "systemd-run --pty --property=Type=oneshot --property=DynamicUser=yes --property=User=iamatest whoami"
              )

-      # Test resolution of somehost.test with getent', to make sure we go via nscd
+      # Test resolution of somehost.test with getent', to make sure we go via
+      # nscd protocol
      def test_host_lookups():
-          with subtest("host lookups via nscd"):
+          with subtest("host lookups via nscd protocol"):
              # ahosts
              output = machine.succeed("${getent'} ahosts somehost.test")
              assert "192.0.2.1" in output
@ -62,6 +84,7 @@ in
              assert "somehost.test" in machine.succeed("${getent'} hosts 2001:db8::1")
              assert "somehost.test" in machine.succeed("${getent'} hosts 192.0.2.1")

+
      # Test host resolution via nss modules works
      # We rely on nss-myhostname in this case, which resolves *.localhost and
      # _gateway.
@ -87,6 +110,9 @@ in
      start_all()
      machine.wait_for_unit("default.target")

+      # give sockdump some time to finish attaching.
+      machine.sleep(5)
+
      # Test all tests with glibc-nscd.
      test_dynamic_user()
      test_host_lookups()
@ -103,5 +129,13 @@ in

          # known to fail, unscd doesn't load external NSS modules
          # test_nss_myhostname()
+
+      with subtest("nsncd"):
+          machine.succeed('${specialisations}/withNsncd/bin/switch-to-configuration test')
+          machine.wait_for_unit("default.target")
+
+          test_dynamic_user()
+          test_host_lookups()
+          test_nss_myhostname()
    '';
 })
--- a/pkgs/os-specific/linux/nsncd/default.nix
+++ b/pkgs/os-specific/linux/nsncd/default.nix
@ -0,0 +1,30 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, rustPlatform
+, nix-gitignore
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "nsncd";
+  version = "unstable-2021-10-20";
+
+  src = fetchFromGitHub {
+    owner = "nix-community";
+    repo = "nsncd";
+    rev = "b9425070bb308565a6e4dc5aefd568952a07a4ed";
+    hash = "sha256-ZjInzPJo+PWAM2gAKhlasLXiqo+2Df4DIXpNwtqQVc8=";
+  };
+
+  cargoSha256 = "sha256-hxdI+HHB0PB/zDMI21Pg5Xr9mTDn4T+OcAAenUox4bs=";
+
+  meta = with lib; {
+    description = "the name service non-caching daemon";
+    longDescription = ''
+      nsncd is a nscd-compatible daemon that proxies lookups, without caching.
+    '';
+    homepage = "https://github.com/twosigma/nsncd";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ flokli ninjatrappeur ];
+  };
+}
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -36653,6 +36653,8 @@ with pkgs;

  nhentai = callPackage ../applications/misc/nhentai { };

+  nsncd = callPackage ../os-specific/linux/nsncd { };
+
  nvd = callPackage ../tools/package-management/nvd { };

  solfege = python3Packages.callPackage ../misc/solfege { };