Commit Graph

75 Commits

Author SHA1 Message Date
Arian van Putten
e712417936 nixos/nscd: Disable caching of group and passwd
Systemd provides an option for allocating DynamicUsers
which we want to use in NixOS to harden service configuration.
However, we discovered that the user wasn't allocated properly
for services. After some digging this turned out to be, of course,
a cache inconsistency problem.

When a DynamicUser creation is performed, Systemd check beforehand
whether the requested user already exists statically. If it does,
it bails out. If it doesn't, systemd continues with allocating the
user.

However, by checking whether the user exists,  nscd will store
the fact that the user does not exist in it's negative cache.
When the service tries to lookup what user is associated to its
uid (By calling whoami, for example), it will try to consult
libnss_systemd.so However this will read from the cache and tell
report that the user doesn't exist, and thus will return that
there is no user associated with the uid. It will continue
to do so for the cache duration time.  If the service
doesn't immediately looks up its username, this bug is not
triggered, as the cache will be invalidated around this time.
However, if the service is quick enough, it might end up
in a situation where it's incorrectly reported that the
user doesn't exist.

Preferably, we would not be using nscd at all. But we need to
use it because glibc reads  nss modules from /etc/nsswitch.conf
by looking relative to the global LD_LIBRARY_PATH.  Because LD_LIBRARY_PATH
is not set globally (as that would lead to impurities and ABI issues),
glibc will fail to find any nss modules.
Instead, as a hack, we start up nscd with LD_LIBRARY_PATH set
for only that service. Glibc will forward all nss syscalls to
nscd, which will then respect the LD_LIBRARY_PATH and only
read from locations specified in the NixOS config.
we can load nss modules in a pure fashion.

However, I think by accident, we just copied over the default
settings of nscd, which actually caches user and group lookups.
We already disable this when sssd is enabled, as this interferes
with the correct working of libnss_sss.so as it already
does its own caching of LDAP requests.
(See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/usingnscd-sssd)

Because nscd caching is now also interferring with libnss_systemd.so
and probably also with other nsss modules, lets just pre-emptively
disable caching for now for all options related to users and groups,
but keep it for caching hosts ans services lookups.

Note that we can not just put in /etc/nscd.conf:
enable-cache passwd no

As this will actually cause glibc to _not_ forward the call to nscd
at all, and thus never reach the nss modules. Instead we set
the negative and positive cache ttls  to 0 seconds as a workaround.
This way, Glibc will always forward requests to nscd, but results
will never be cached.

Fixes #50273
2018-12-12 15:35:40 +01:00
Craig Younkins
eff461c8ef treewide: systemd timeout arguments to use infinity instead of 0 (#50934)
Fixes https://github.com/NixOS/nixpkgs/issues/49700
2018-11-25 13:33:22 +01:00
Jörg Thalheim
a5c74762cb
nixos/cloud-init: add enable suffix to ext4/btrfs
Makes the optional more self-describing and allows future extensions
2018-11-13 10:28:40 +00:00
Ding Xiang Fei
a965921af9 allow cloud-init to support creating btrfs partitions 2018-11-13 13:14:34 +08:00
Pavel Goran
858b263bf0 nixos: correct improper uses of mkEnableOption, clarify service descriptions
Several service definitions used `mkEnableOption` with text starting
with "Whether to", which produced funny option descriptions like
"Whether to enable Whether to run the rspamd daemon..".

This commit corrects this, and adds short descriptions of services
to affected service definitions.
2018-10-05 13:14:45 +07:00
Matthew Bauer
4120a9dda7
Merge pull request #42295 from avnik/libprefixed-to-multioutput/heimdal
Libprefixed to multioutput/heimdal
2018-09-05 13:50:13 -05:00
Jan Tojnar
fe51bf322c
Merge pull request #44820 from michaelpj/fix/redshift-geoclue-agents
redshift/geoclue/localtime: progress in fixing agent confusion
2018-08-14 17:13:09 +02:00
Michael Peyton Jones
80d4fa725b
localtime: simplify module a little 2018-08-14 15:55:05 +01:00
Alexander V. Nikolaev
e808b7da20 heimdal: adjust daemon paths, they are in libexec now 2018-08-08 13:38:40 +03:00
Vincent Bernat
57840dbffb nixos/cloud-init: order after network-online.target (#44633)
Some modules of cloud-init can cope with a network not immediately
available (notably, the EC2 module), but some others won't retry if
network is not available (notably, the Cloudstack module).
network.target doesn't give much guarantee about the network
availability. Applications not able to start without a fully
configured network should be ordered after network-online.target.

Also see #44573 and #44524.
2018-08-08 00:09:00 +02:00
volth
6d2857a311 [bot] treewide: remove unused 'inherit' in let blocks 2018-07-20 19:38:19 +00:00
volth
87f5930c3f [bot]: remove unreferenced code 2018-07-20 18:48:37 +00:00
Allan Espinosa
da994fb64e nixos/kerberos: update binary folder pointer
${pkg.tcp_wrappers}/sbin does not exist anymore.
2018-07-02 20:15:11 -04:00
Florian Klink
fff5923686 nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
Michael Raitza
e598fdf229 dbus: Add NSS modules path to dbus system bus service
DBus seems to resolve user IDs directly via glibc, circumventing nscd. In more
 advanced setups this leads to user's coming from LDAP or SSSD not being
 resolved by the dbus system bus daemon. The effect for such users is, that all
 access to the system bus (e.g. busctl or nmcli) is denied.

 Adding the respective NSS modules to the service's environment solves the issue
 the same way it does for nscd.
2018-06-07 16:44:04 +02:00
Domen Kožar
d64ba1c060
Add localtime package and nixos module
Simple daemon for keeping system timezone up-to-date via geoclue2.

Sadly i3 status needs to be restarted for timezone changes.
2017-12-03 11:42:51 +01:00
Franz Pletz
00b6ac7bd3 Merge pull request #26419 from roblabla/feature-sasl
cyrus-sasl: Add saslauthd service and LDAP support
2017-07-20 20:23:52 +02:00
roblabla
c18c50a42e cyrus-sasl: Add saslauthd service support 2017-06-06 12:59:47 +02:00
Frederik Rietdijk
a2598e4ca1 Merge pull request #23024 from phile314/cloud-init-update
cloud-init: 0.7.6 -> 0.7.9 + module improvements
2017-05-22 16:33:31 +02:00
Philipp Hausmann
59ca1f6486 cloud-init: Disable broken hostname functionality by default 2017-04-20 19:12:27 +02:00
Leon Isenberg
db30cff500 earlyoom service: init 2017-03-24 23:16:16 +01:00
Philipp Hausmann
a0f4a720c8 cloud-init module: Replace hard-coded config by option. 2017-03-06 17:36:24 +01:00
Nikolay Amiantov
ac0cdc1952 dbus service: use makeDBusConf 2017-02-16 15:41:23 +03:00
Parnell Springmeyer
9e36a58649
Merging against upstream master 2017-02-13 17:16:28 -06:00
Nikolay Amiantov
72b3746266 dbus service: remove {system,session}.conf from config dir
They are already included by dbus from /run/current-system/sw/share/dbus-1.
2017-02-01 15:37:24 +03:00
Nikolay Amiantov
39344a36d3 dbus service: use /etc/dbus-1 for configuration
Also use upstream systemd units.
2017-02-01 15:03:22 +03:00
Parnell Springmeyer
6777e6f812
Merging with upstream 2017-01-29 05:54:01 -06:00
Parnell Springmeyer
a8cb2afa98
Fixing a bunch of issues 2017-01-29 01:58:12 -06:00
Parnell Springmeyer
e92b8402b0
Addressing PR feedback 2017-01-28 20:48:03 -08:00
Guillaume Maudoux
29667f639c dbus: catch new services without reboot (#20871)
DBus daemon now loads its config from /run/current-system/dbus.
Reloading the daemon makes it re-read that file and catch the updates
after a system upgrade.
2017-01-27 14:46:13 +01:00
Parnell Springmeyer
bae00e8aa8
setcap-wrapper: Merging with upstream master and resolving conflicts 2017-01-25 11:08:05 -08:00
Alexander Kahl
61d125b842 sssd: init at 1.14.2
perlPackages.TextWrapI18N: init at 0.06
perlPackages.Po4a: init at 0.47
jade: init at 1.2.1
ding-libs: init at 0.6.0

Switch nscd to no-caching mode if SSSD is enabled.

abbradar: disable jade parallel building.

Closes #21150
2017-01-04 03:07:20 +03:00
Jörg Thalheim
aa854f192e
cgmanager: add module 2016-12-02 13:52:04 +01:00
Peter Hoeg
639e5401ff dbus: add socket activation but do not enable it
The following changes are included:

1) install user unit files from upstream dbus
2) use absolute paths to config for --system and --session instances
3) make socket activation of user units configurable

There has been a number of PRs to address this, so this one does the
bare minimum, which is to make the functionality available and
configurable but defaults to off.

Related PRs:
 - #18382
 - #18222

(cherry picked from commit f7215c9b5b)
Signed-off-by: Domen Kožar <domen@dev.si>
2016-09-30 13:14:53 +02:00
Eelco Dolstra
75a1ec8a65 NixOS: Use runCommand instead of mkDerivation in a few places 2016-09-29 13:05:28 +02:00
Eelco Dolstra
ba70ce28ae no-x-libs.nix: Ensure that dbus doesn't use X11
It appears that packageOverrides no longer overrides aliases, so
aliases like

  dbus_tools = self.dbus.out;
  dbus_daemon = self.dbus.daemon;

now use the old, non-overriden version of dbus. That seems like a
pretty serious regression in general, but for this particular problem,
I've fixed it by replacing dbus_daemon by dbus.daemon and dbus_tools
by dbus.
2016-09-05 13:45:59 +02:00
Parnell Springmeyer
98c058a1ee Adapting everything for the merged permissions wrappers work. 2016-09-01 19:21:06 -05:00
Philip Potter
36c7c50512 services.dbus module: more complete docstring
The docstring for the `services.dbus.packages` configuration option only
mentioned one directory, but the implementation actually looked for DBus
config files in four separate places within the target packages.  This
commit updates the docstring to reflect the actual implementation
behaviour.
2016-06-28 08:24:32 +01:00
Tuomas Tynkkynen
2132c86c45 nixos/dbus: Reference correct output of 'dbus' 2016-05-18 22:58:00 +03:00
William A. Kennington III
4dc716115f Add missing files
(cherry picked from commit 5917fc2f50c87bbdd6ba0be339849a030a7eba10)
2016-05-02 13:04:41 -05:00
William A. Kennington III
60b3484928 dbus: Fix for new 1.10 version
(cherry picked from commit 68a4a6df3971d66aa988bba680351a30fbadbed3)
2016-05-02 13:04:20 -05:00
Nikolay Amiantov
23a093ebe8 dbus service: fix path to the launch helper 2016-04-26 16:10:30 +03:00
David Guibert
23e3cbeca4 kerberos_server: fix evaluation (closes #14928) 2016-04-24 22:05:45 +02:00
obadz
079e1c76cf Revert "dbus nixos module: add units for systemd user session"
This reverts commit 83cb6ec399.

Was breaking: nix-build '<nixos/release.nix>' -A tests.xfce.x86_64-linux
2016-04-14 12:38:36 +01:00
Tuomas Tynkkynen
b9eb944990 treewide: Mass replace 'dbus_daemon}/bin' to refer to the correct outputs 2016-04-14 08:32:20 +03:00
Vladimír Čunát
30f14243c3 Merge branch 'master' into closure-size
Comparison to master evaluations on Hydra:
  - 1255515 for nixos
  - 1255502 for nixpkgs
2016-04-10 11:17:52 +02:00
Peter Hoeg
83cb6ec399 dbus nixos module: add units for systemd user session
This patch makes dbus launch with any user session instead of
leaving it up to the desktop environment launch script to run it.

It has been tested with KDE, which simply uses the running daemon
instead of launching its own.

This is upstream's recommended way to run dbus.
2016-04-02 23:11:57 +08:00
Vladimír Čunát
ab15a62c68 Merge branch 'master' into closure-size
Beware that stdenv doesn't build. It seems something more will be needed
than just resolution of merge conflicts.
2016-04-01 10:06:01 +02:00
Al Zohali
896a70aa52 KDC description fix 2016-03-07 23:24:35 +03:00
Vladimír Čunát
ae74c356d9 Merge recent 'staging' into closure-size
Let's get rid of those merge conflicts.
2016-02-03 16:57:19 +01:00