unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / Atom feed
* Dealing with foreign distros without nscd
@ 2020-08-28  9:38 Ludovic Courtès
  2020-08-28 10:03 ` Ricardo Wurmus
  0 siblings, 1 reply; 3+ messages in thread
From: Ludovic Courtès @ 2020-08-28  9:38 UTC (permalink / raw)
  To: guix-devel

Hello Guix!

One of the most important pieces of advice we give to use Guix on
foreign distros is to make sure the distro runs nscd, so we don’t end up
dlopening NSS modules in Guix-produced programs:

  https://guix.gnu.org/manual/en/html_node/Application-Setup.html#Name-Service-Switch

A situation where this is not possible is HPC clusters: you would like
to run packs there, but you’re not root and cannot spawn nscd, and those
machines typically use a Red Hat derivative with ‘sssd’:

--8<---------------cut here---------------start------------->8---
$ grep sss /etc/nsswitch.conf
passwd:     files sss
shadow:     files sss
group:      files sss
services:   files sss
netgroup:   files sss
automount:  files sss
--8<---------------cut here---------------end--------------->8---

If you try to run binaries from ‘guix pack’ there, they’ll fail to find
libnss_sss.so, and so user name lookups etc. (e.g., getpw(3)) will fail.

The workaround I found is to add ‘sssd’ to the pack, like so:

  guix pack -RR -S /lib=lib -S /bin=bin sssd guile

That way, on the other machine, you can set LD_LIBRARY_PATH such that
Guix’ libnss_sss.so gets loaded:

  tar xf /path/to/pack.tgz
  LD_LIBRARY_PATH=$PWD/lib ./bin/guile -c '(pk (getpw (getuid)))'

It works!  However, if people have ideas of less arcane workarounds, I’m
interested.

For the record, I pushed one commit that fixes ‘sssd’¹ and another one
to have LD_LIBRARY_PATH honored when using
GUIX_EXECUTION_ENGINE=fakechroot².

Ludo’.

¹ https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8df6900dffa9e1c74ac3f64877f067974eee0eeb
² https://git.savannah.gnu.org/cgit/guix.git/commit/?id=28dce8f02db38a41e59ecdf3786baa6f732636ff


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Dealing with foreign distros without nscd
  2020-08-28  9:38 Dealing with foreign distros without nscd Ludovic Courtès
@ 2020-08-28 10:03 ` Ricardo Wurmus
  2020-08-29 10:07   ` Ludovic Courtès
  0 siblings, 1 reply; 3+ messages in thread
From: Ricardo Wurmus @ 2020-08-28 10:03 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel


Ludovic Courtès <ludovic.courtes@inria.fr> writes:

> The workaround I found is to add ‘sssd’ to the pack, like so:
>
>   guix pack -RR -S /lib=lib -S /bin=bin sssd guile
>
> That way, on the other machine, you can set LD_LIBRARY_PATH such that
> Guix’ libnss_sss.so gets loaded:
>
>   tar xf /path/to/pack.tgz
>   LD_LIBRARY_PATH=$PWD/lib ./bin/guile -c '(pk (getpw (getuid)))'
>
> It works!  However, if people have ideas of less arcane workarounds, I’m
> interested.

Interesting!  I wonder if this really is a general solution or if it
only works under special circumstances (like the cluster node using sssd
already).  Will, for example, accounts that are managed via Active
Directory / LDAP be visible if all we do is preload the Guix sssd
libraries?

-- 
Ricardo


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Dealing with foreign distros without nscd
  2020-08-28 10:03 ` Ricardo Wurmus
@ 2020-08-29 10:07   ` Ludovic Courtès
  0 siblings, 0 replies; 3+ messages in thread
From: Ludovic Courtès @ 2020-08-29 10:07 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel

Hi!

Ricardo Wurmus <rekado@elephly.net> skribis:

> Ludovic Courtès <ludovic.courtes@inria.fr> writes:
>
>> The workaround I found is to add ‘sssd’ to the pack, like so:
>>
>>   guix pack -RR -S /lib=lib -S /bin=bin sssd guile
>>
>> That way, on the other machine, you can set LD_LIBRARY_PATH such that
>> Guix’ libnss_sss.so gets loaded:
>>
>>   tar xf /path/to/pack.tgz
>>   LD_LIBRARY_PATH=$PWD/lib ./bin/guile -c '(pk (getpw (getuid)))'
>>
>> It works!  However, if people have ideas of less arcane workarounds, I’m
>> interested.
>
> Interesting!  I wonder if this really is a general solution or if it
> only works under special circumstances (like the cluster node using sssd
> already).  Will, for example, accounts that are managed via Active
> Directory / LDAP be visible if all we do is preload the Guix sssd
> libraries?

In general, you have to put the modules /etc/nsswitch.conf refers to in
$LD_LIBRARY_PATH.  The example above works for ‘sss’ but you would do
something similar for ‘mdns’, ‘ldap’, or whatever.

It’s clunky because you have to know beforehand, when you make the pack,
what nsswitch.conf requires.

Ludo’.


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2020-08-29 10:08 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-28  9:38 Dealing with foreign distros without nscd Ludovic Courtès
2020-08-28 10:03 ` Ricardo Wurmus
2020-08-29 10:07   ` Ludovic Courtès

unofficial mirror of guix-devel@gnu.org 

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://yhetil.org/guix-devel/0 guix-devel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 guix-devel guix-devel/ https://yhetil.org/guix-devel \
		guix-devel@gnu.org
	public-inbox-index guix-devel

Example config snippet for mirrors.
Newsgroups are available over NNTP:
	nntp://news.yhetil.org/yhetil.gnu.guix.devel
	nntp://news.gmane.io/gmane.comp.gnu.guix.devel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git