[Nix-dev] Pull request for sssd package, RFC
Ben Booth
benwbooth at gmail.com
Thu Apr 21 01:15:08 CEST 2016
Hi all,
I recently submitted a pull request to nixpkgs to add the sssd package:
https://github.com/NixOS/nixpkgs/pull/14697
For those not familiar, sssd is RedHat's daemon for managing LDAP authentication, automount maps, and other things. The website is here:
https://fedorahosted.org/sssd/
One troublesome thing about installing sssd on nix is that it requires a libnss_sss.so file to be installed in the dynamic linker lookup path, which on NixOS is limited to glibc's lib folder in /nix/store. More information on this problem is here:
https://github.com/NixOS/nixpkgs/issues/1868
There are a few ways I can think of to try and workaround/fix this problem:
1. set LD_LIBRARY_PATH in some global location like /etc/profile to point to the sssd lib folder in /nix/store
2. wrap every program that potentially uses glibc for nsswitch lookup in a script that sets LD_LIBRARY_PATH (e.g. perl, python, plus a lot more...)
3. modify the glibc nix expression to depend on sssd, and copy in the libnss_sss.so file from sssd (causes infinite recursion)
4. patch glibc to look in other places for libnss_sss.so
5. use the currently-unused ld.so.conf file in glibc's /etc/ folder in /nix/store to add system and profile lib folders to the search path
My pull request implements the fifth option, but since this changes glibc's build hash, and pretty much everything depends on glibc, it basically means rebuilding everything. I've had trouble testing the glibc changes adequately, since it will require rebuilding every package on my machine. I basically had to remount /nix/store as read-write and manually add ld.so.conf and cache file to the glibc folder.
I've gotten comments on the pull request that the ld.so.conf approach would not be well received by the NixOS devs. Does anyone know why using ld.so.conf could be a problem? If patching glibc would be preferable, I don't mind at all, I just want to understand the rationale, since ld.so.conf functionality already exists and serves the same purpose. One comment said to patch glibc to look in some place like /run/nss-modules for extra libnss_* modules, but that would only work on NixOS. I would like to get this working for nix installations on other OS's as well, so the search path would have to be somewhere in the nix prefix.
I would like to get this pull request accepted, since all the other major linux distros have sssd support. We're using sssd at my work, and I'd like to start using NixOS VMs at work. But I think the glibc issue could be a blocker for this pull request.
Does anyone have any tips, comments, or ideas how to proceed?
Thanks!
Ben Booth
More information about the nix-dev
mailing list