[Nix-dev] Impossible to use Nix + fetchgit on any Linux configured with LDAP authentication /libnss_sss

Adrien Devresse Adev at adev.name
Tue Jun 23 14:50:05 CEST 2015


>> Ideally, libnss_sss should be part of stdenv.
> That's not going to happen because there are any number of NSS modules that we
> can't possibly all add to stdenv.
>

Indeed, I was not thinking about making it part of stdenv by default.

What about "enriching" stdenv (through config.nix or configuration.nix)
on some specific platforms without triggering a full recompilation?


> Yes, by using nscd.

It is not a solution. Red Hat itself documents that nscd and sssd should
not be used together:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/usingnscd-sssd.html

sssd is very likely going to be the new norm for LDAP authentication
(for good reasons).

Making it supported in Nix by wrapping old daemons around it is probably
not a very good long-term solution.

> If possible, you could also enable chroot builds. It might be possible to
> override /etc/nsswitch.conf in the chroot by setting the Nix option
> "build-chroot-dirs = /etc/nsswitch.conf=/path/to/my-nsswitch.conf" (where
> my-nsswitch.conf doesn't contain libnss_nss). However, looking at the code, it
> may not be possible to override /etc/nsswitch.conf at the moment, but fixing
> that wouldn't be hard.

Would this work as a non-root user?
If the current user is an LDAP-referenced user, this will cause a
failure too, even if sss is not configured through /etc/nsswitch.conf.


> As a hack, it might also be possible to add LD_LIBRARY_PATH to the impureEnvVars
> attribute of fetchgit and other affected fixed-output derivations. (Fixed-output
> derivations are allowed to have some "impure" inputs because their output is
> guaranteed to be the same regardless of the inputs.) So you could pass in an
> LD_LIBRARY_PATH pointing to a directory containing the required NSS modules.

That would make it work for git.
But like I said, the problem is not limited to git.

For instance, all coreutils derivations would still fail.

The coreutils check phase runs some tests related to user-rights command line
tools... and naturally, these tests need libnss_sss to succeed too...

Any other derivation that uses user/passwd/group syscalls triggers the
error too.


Adrien



On 23/06/2015 12:48, Eelco Dolstra wrote:
> Hi,
>
> On 23/06/15 11:47, Adrien Devresse wrote:
>
>> Ideally, libnss_sss should be part of stdenv.
> That's not going to happen because there are any number of NSS modules that we
> can't possibly all add to stdenv.
>
>> Do you have any elegant way in Nix to add a "module" / modify the stdenv
>> without retriggering a compilation of the entire system ?
> Yes, by using nscd.
>
> If possible, you could also enable chroot builds. It might be possible to
> override /etc/nsswitch.conf in the chroot by setting the Nix option
> "build-chroot-dirs = /etc/nsswitch.conf=/path/to/my-nsswitch.conf" (where
> my-nsswitch.conf doesn't contain libnss_nss). However, looking at the code, it
> may not be possible to override /etc/nsswitch.conf at the moment, but fixing
> that wouldn't be hard.
>
> As a hack, it might also be possible to add LD_LIBRARY_PATH to the impureEnvVars
> attribute of fetchgit and other affected fixed-output derivations. (Fixed-output
> derivations are allowed to have some "impure" inputs because their output is
> guaranteed to be the same regardless of the inputs.) So you could pass in an
> LD_LIBRARY_PATH pointing to a directory containing the required NSS modules.
>
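An added diagnostic for the failure discussed in this thread (not code from the thread or from Nix): it parses nsswitch.conf to list the NSS modules that user/group lookups depend on, reports which libnss_<name>.so.2 a given library path cannot supply, and tries the getpwuid() lookup that fails for an sssd user inside a build. The sample nsswitch.conf is constructed; the LD_LIBRARY_PATH check mirrors the impureEnvVars idea above.

```python
# Added diagnostic, not from the thread; SAMPLE_NSSWITCH below is constructed.
import os
import pwd
import re

SAMPLE_NSSWITCH = """\
passwd:     files sss
group:      files [SUCCESS=merge] sss
hosts:      files dns myhostname
"""

def parse_nsswitch(text):
    """Map each database (passwd, group, ...) to its ordered NSS sources,
    skipping comments and [STATUS=action] bracket expressions."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # drop e.g. [SUCCESS=merge]
        dbs[db.strip()] = rest.split()
    return dbs

def required_modules(dbs, databases=("passwd", "group", "shadow")):
    """NSS modules the user/group lookups depend on, in first-seen order."""
    mods = []
    for db in databases:
        for src in dbs.get(db, []):
            if src not in mods:
                mods.append(src)
    return mods

def missing_modules(mods, lib_dirs):
    """Modules with no libnss_<name>.so.2 in any lib_dir: a glibc that only
    searches those directories cannot resolve users through them."""
    return [m for m in mods if not any(
        os.path.exists(os.path.join(d, f"libnss_{m}.so.2")) for d in lib_dirs)]

if __name__ == "__main__":
    text = SAMPLE_NSSWITCH
    if os.path.exists("/etc/nsswitch.conf"):
        text = open("/etc/nsswitch.conf").read()
    mods = required_modules(parse_nsswitch(text))
    dirs = [d for d in os.environ.get("LD_LIBRARY_PATH", "").split(":") if d]
    print("required:", mods, "missing from LD_LIBRARY_PATH:", missing_modules(mods, dirs))
    try:  # the lookup that fails for an LDAP/sssd user inside the build
        print("current user resolves to", pwd.getpwuid(os.getuid()).pw_name)
    except KeyError:
        print("uid", os.getuid(), "does not resolve: NSS module not loadable")
```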

