Disable NSS modules when using the leakchecker

[KJTsanaktsidis]

The leakchecker will report leaked file descriptors when tests do things like access Etc.getgrgid, for example, if NSS modules (like sss) handle these lookups by connecting to a daemon like sssd and leave the connection open.

To address this, we can call glibc's __nss_configure_lookup to override NSS modules configured in /etc/nsswitch.conf and only use ordinary file/DNS lookups.

This should fix the rubyci.org failures on Amazon Linux like this one: http://rubyci.s3.amazonaws.com/amazon2023/ruby-master/log/20240119T003005Z.log.html.gz#rubyspec

[KJTsanaktsidis]

@eregon @headius do you see any problems with doing this on jruby or truffleruby? AFAICT jruby seems to have a working FFI implementation and I can't see a reason why the NSS modules wouldn't be just as problematic on the JVM?

[eregon]

Do you know how the test-all leakchecker deal with this case?

Your description makes a lot of sense, I'm just wondering if there is another way to handle this because calling __nss_configure_lookup feels a bit low-level.

[eregon]

@eregon @headius do you see any problems with doing this on jruby or truffleruby? AFAICT jruby seems to have a working FFI implementation and I can't see a reason why the NSS modules wouldn't be just as problematic on the JVM?

It likely does indeed.
The MSpec LeakChecker is opt-in, I think currently neither TruffleRuby nor JRuby enable it (using CHECK_LEAKS=true).
One reason is it uses ObjectSpace.each_object and that's really expensive on non-CRuby.

[eregon]

Thank you for the PR and the investigation!

[eregon]

Could you rebase so we get a run of ruby/spec in CI?
I changed the Check ruby/spec still passes with MSpec changes job to use Ruby 3.3.0 in #63

[KJTsanaktsidis]

Do you know how the test-all leakchecker deal with this case?

I think it just doesn't - i've definitely seen lsof output from this line https://github.com/ruby/ruby/blob/ac4046d34b4e0850e9ff7573b795284fea6c2741/tool/lib/leakchecker.rb#L115 on CI, i think it just doesn't cause the test to fail. I could certainly add something like this there as well.

Your description makes a lot of sense, I'm just wondering if there is another way to handle this because calling __nss_configure_lookup feels a bit low-level.

I really expected there to be an environment variable to disable NSS modules, but there just isn't - i spent quite a while staring at the glibc & sss source code looking for something. There is a way to ask NSS module to clean up, by calling __libc_freeres(), but that instructs glibc to free all of its resources - it's designed for valgrind to call before process exit, and if you call it and keep running all kinds of strange things happen (like *environ getting freed). So, short version, no :(

[KJTsanaktsidis]

Hm. It has the same failures as https://github.com/ruby/mspec/actions/runs/7582829391/job/20653202072. I don't know why, the ruby spec suite passed when I ran it with this mspec branch on my machine.

[KJTsanaktsidis]

Oh, I see cruby has disabled the failing set tests, for example, because the set gem v1.1.0 has a stricter test for sett-iness: ruby/ruby@dc7785e

I thought that ruby/spec was mirrored into ruby/ruby but seems like the correspondence is somewhat looser.

[KJTsanaktsidis]

Anyway I'll merge this (ruby/mspec is mirrored into the ruby/ruby tree afaict), the set stuff is a different problem.

[eregon]

@KJTsanaktsidis This broke ruby/spec CI on 3.0 and 3.1 on Linux, see https://github.com/ruby/spec/actions/runs/7624400587/job/20766459296?pr=1129
Could you fix it?

[KJTsanaktsidis]

Oh I see, I must be using fiddle features that are too new (did we move the names of the types around?). I’ll fix it first thing tomorrow - sorry about this!

[KJTsanaktsidis]

Yeah, looks like we can't depend on ruby/fiddle@49fa723 or ruby/fiddle@0ffcaa3 being available.

#66 should fix it @eregon . My apologies again!

[eregon]

@KJTsanaktsidis No worries, it happens, it's tricky to support older Rubies.