Disable nscd caching

[arianvp]

Motivation for this change

Nscd caching was interferring with systemd's nss module. Disable caching as
caching is not the reason why we use nscd. We use it to resolve nss modules correctly. See commit message for more
detailed information.

Fixes #50273

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Fits CONTRIBUTING.md.

---

[arianvp]

Supersedes #50042 if we also disable host caching

[arianvp]

CC @Mic92 . We could also replace it with unscd while we're at it.

[arianvp]

I haven't actually tried setting enable-cache no but just took @dezgeg 's word for it that it only works if we set ttls to 0 . We do the same when we enable sssd. I also elaborated this in the commit message but haven't actually tested this hypothesis. I could also try fully disabling the caches.

[Mic92]

I think we should first disable negative-time-to-live caches for hosts:

negative-time-to-live hosts 0

This should fix problems people have when they cannot reach a site, when the hostname was resolved while having no connectivity.
And then test unscd for a while. It could have even funnier bugs.

[lheckemann]

I think this is worth mentioning in the release notes.

[peterhoeg]

I think we should first disable negative-time-to-live caches

We might as well disable the positive TTL too and say that nscd is not for caching. Whenever something unexplained happens with name resolution, my first step is always just to restart nscd which solves it nine times out of 10.

[edolstra]

Hm, what's the advantage of disabling caching of positive results?

[arianvp]

Basically I wanted to be 100% sure nothing fishy is happening. I disabled everything to be 100% sure no funny stuff is happening. Systemd project acknowledged that they are not nscd-aware and they might look into fixing that. This means there might be more subtle bugs lurking in the presence of caching. I'm not sure if the positive cache is invalidated when a systemd unit with Dynamic users stops. If it doesn't, this might cause funny bugs when another systemd service with Dynamic users recycles that uid and discovers there's already a name associated to the uid.

user lookups are basically instantaneous and the only moment we would want to cache them is in the presence of LDAP to improve performance. But sssd already does its own caching and so we already disable nscd caching when sssd is enabled in NixOS and Red Hat (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/usingnscd-sssd)

So the only moment we seem to have caching is when the passwd database is backed by a file. I think this is a bit overkill and will cause more issues than gains.

Edit: @edolstra oh I think I now just realised you were talking about caching of hosts, not the other caches.

[arianvp]

I've disabled negative caching for hosts for now. and left positive caching in.

I'm not very familiar with the release process of NixOS. What should a release notes entry look like, and where do I put it?

[Mic92]

You can take the last release as an example:

https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-1809.xml

your one should go here:

https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-1903.xml

[arianvp]

Now that sssd and nscd ship basically the same config, is it worth to remove the settings from sssd ?

[Mic92]

@arianvp when they are 100% the same, we can drop the sssd one.

[Mic92]

I wonder if we at least should backport this one, since it can be quiet annoying if websites do not load correctly after connecting to a hotspot.

[Profpatsch]

Yes, I’ve had this problem for more than a month now, so the release must have it as well.

[peterhoeg]

Hm, what's the advantage of disabling caching of positive results?

We don't gain anything by having it enabled and disabling it removes one potential source of problems.

[jokogr]

Should be </literal> the closing tag in group

[lheckemann]

nix build -f my-nixpkgs/nixos config.system.build.manual --arg configuration {} to make sure the manual builds :)

[Mic92]

@peterhoeg we gain a dns cache if it is enabled. I don't see how this would cause problems if it caches valid entries. DNS is designed around for those caches and uses TTLs itself to control invalidation.

[arianvp]

@edolstra I reverted your revert, as I don't think it fixes anything. I'm 100% sure that nscd already invalidates the cache when /etc/resolv.conf is changed, through inotify.

[arianvp]

After reading the discussion at #42569 perhaps we should only unrevert the commit Eelco did, after we fully disable caching in nscd. I added Eelco's revert to the patchset again ...

I think we should merge this as is, and then in a next PR:

1. introducde systemd-resolved
2. Disable positive caching of domains in nscd
3. Remove all forms of restart triggers / cache invalidations of nscd

[flokli]

Suggested change

	The was already the default behaviour in presence of
	This was already the default behaviour in presence of

[flokli]

more doc feedback

[arianvp]

I have addressed the doc issues. I think this is ready for merge. I have created a follow-up ticket with the rest of the tasks that popped up in this discussion #51911

[flokli]

do we want to disable caches where we set a zero ttl for both positive and negative? Seems less confusing to me :-)

[arianvp]

As eelco mentioned, this would have a serious performance penalty. so I don't want to change it until #51911 is implemented. I think this is a good compromise where people do not get failed lookups when switching networks, but do also have performance. Until we figure out the resolved business

[arianvp]

Oh I misread: See the original commit message why we can't do this:

Note that we can not just put in /etc/nscd.conf:
enable-cache passwd no

As this will actually cause glibc to _not_ forward the call to nscd
at all, and thus never reach the nss modules. Instead we set
the negative and positive cache ttls  to 0 seconds as a workaround.
This way, Glibc will always forward requests to nscd, but results
will never be cached.

[arianvp]

I added this as a comment to nscd.conf to clarify

[flokli]

LGTM.

[Mic92]

I backported @edolstra revert in 25d0880, which fix the biggest pain point we had at the moment. Before backporting a change like this one, I would give a test period on unstable. We might not need to backport at all since the problems with DynamicUser should not affect many people.

[flokli]

@arianvp Had a discussion at FOSDEM about how we (ab)use nscd to pass nss modules, as described in 1d5f4cb.

This seems to be a bad idea, due to glibc falling back to local resolving (with broken nss modules) after very quick timeouts.

Can we get glibc to load nss modules from some global /run/nss-modules path instead, pointing to something in the nix-store?

[Mic92]

@flokli This can break if a program was linked against a different version of glibc
since. This is why we use nscd in the first place.

[arianvp]

Only in the case where glibc breaks abi right? We do something similar for OpenGL/Vulkan iirc

[flokli]

I opened #55276 about that.

[Mic92]

@arianvp This could make it impossible to mix releases, but not just for OpenGL applications but every application.