Message ID | 20200206093633.251413-3-nolange79@gmail.com |
---|---|
State | Superseded |
Series | Improvements to systemd |
I don't have enough knowledge of nss to vet this patch, but adding nss-systemd in nsswitch by itself is a great idea.

On Thu, 6 Feb 2020 at 10:36, Norbert Lange <nolange79@gmail.com> wrote:

> The feature DynamicUser creates users/groups without
> touching the /etc/{passwd,group} files on disk.
> Adding the dynamic resolver to /etc/nsswitch.conf
> ensures the Names are resolved consistently.
>
> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> ---
> package/systemd/systemd.mk | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
> index 05b07cfd1b..a390cdd1a9 100644
> --- a/package/systemd/systemd.mk
> +++ b/package/systemd/systemd.mk
> @@ -409,7 +409,15 @@ define SYSTEMD_INSTALL_MACHINEID_HOOK
> touch $(TARGET_DIR)/etc/machine-id
> endef
>
> +define SYSTEMD_ADD_NSSCONFIG_HOOK
> + grep >/dev/null '^passwd:.*systemd'
> $(TARGET_DIR)/etc/nsswitch.conf || \
> + sed '/^passwd:/ s/$$/ systemd/'
> $(TARGET_DIR)/etc/nsswitch.conf
> + grep >/dev/null '^group:.*systemd' $(TARGET_DIR)/etc/nsswitch.conf
> || \
> + sed '/^group:/ s/$$/ systemd/'
> $(TARGET_DIR)/etc/nsswitch.conf
> +endef
> +
> SYSTEMD_POST_INSTALL_TARGET_HOOKS += \
> + SYSTEMD_ADD_NSSCONFIG_HOOK \
> SYSTEMD_INSTALL_INIT_HOOK \
> SYSTEMD_INSTALL_MACHINEID_HOOK \
> SYSTEMD_INSTALL_RESOLVCONF_HOOK
> --
> 2.24.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
>
Norbert, All,

On 2020-02-06 10:36 +0100, Norbert Lange spake thusly:
> The feature DynamicUser creates users/groups without
> touching the /etc/{passwd,group} files on disk.
> Adding the dynamic resolver to /etc/nsswitch.conf
> ensures the Names are resolved consistently.
>
> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> ---
> package/systemd/systemd.mk | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
> index 05b07cfd1b..a390cdd1a9 100644
> --- a/package/systemd/systemd.mk
> +++ b/package/systemd/systemd.mk
> @@ -409,7 +409,15 @@ define SYSTEMD_INSTALL_MACHINEID_HOOK
> touch $(TARGET_DIR)/etc/machine-id
> endef
>
> +define SYSTEMD_ADD_NSSCONFIG_HOOK
> + grep >/dev/null '^passwd:.*systemd' $(TARGET_DIR)/etc/nsswitch.conf || \

While this is valid syntax, we customarily put the redirection at the end
of the command.

However, in this case, you would want to use 'grep -q', as that does not
output anything.

> + sed '/^passwd:/ s/$$/ systemd/' $(TARGET_DIR)/etc/nsswitch.conf

How can that even work? By default, sed will output to stdout, not
replace in-place.

This clearly has not been tested (or git-commit --amend was forgotten).

In this case, you want to use $(SED) that includes the -i option to do
in-place modifications.

> + grep >/dev/null '^group:.*systemd' $(TARGET_DIR)/etc/nsswitch.conf || \

Ditto grep -q.

> + sed '/^group:/ s/$$/ systemd/' $(TARGET_DIR)/etc/nsswitch.conf

Ditto $(SED).

Regards,
Yann E. MORIN.

> +endef
> +
> SYSTEMD_POST_INSTALL_TARGET_HOOKS += \
> + SYSTEMD_ADD_NSSCONFIG_HOOK \
> SYSTEMD_INSTALL_INIT_HOOK \
> SYSTEMD_INSTALL_MACHINEID_HOOK \
> SYSTEMD_INSTALL_RESOLVCONF_HOOK
> --
> 2.24.1
>
On Sun, 7 Jun 2020 at 13:40, Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> Norbert, All,
>
> On 2020-02-06 10:36 +0100, Norbert Lange spake thusly:
> > The feature DynamicUser creates users/groups without
> > touching the /etc/{passwd,group} files on disk.
> > Adding the dynamic resolver to /etc/nsswitch.conf
> > ensures the Names are resolved consistently.
> >
> > Signed-off-by: Norbert Lange <nolange79@gmail.com>
> > ---
> > package/systemd/systemd.mk | 8 ++++++++
> > 1 file changed, 8 insertions(+)
> >
> > diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
> > index 05b07cfd1b..a390cdd1a9 100644
> > --- a/package/systemd/systemd.mk
> > +++ b/package/systemd/systemd.mk
> > @@ -409,7 +409,15 @@ define SYSTEMD_INSTALL_MACHINEID_HOOK
> > touch $(TARGET_DIR)/etc/machine-id
> > endef
> >
> > +define SYSTEMD_ADD_NSSCONFIG_HOOK
> > + grep >/dev/null '^passwd:.*systemd' $(TARGET_DIR)/etc/nsswitch.conf || \
>
> While this is valid syntax, we customarily put the redirection at the end
> of the command.
>
> However, in this case, you would want to use 'grep -q', as that does not
> output anything.

I will do if that's preferred, but I usually redirect because

"Portable shell scripts should avoid both -q and -s and should redirect standard and error output to /dev/null instead."
(https://www.gnu.org/software/grep/manual/html_node/General-Output-Control.html)

>
> > + sed '/^passwd:/ s/$$/ systemd/' $(TARGET_DIR)/etc/nsswitch.conf
>
> How can that even work? By default, sed will output to stdout, not
> replace in-place.

Excellent point.

>
> This clearly has not been tested (or git-commit --amend was forgotten).

It's tested in a way, that I have the resulting file in the rootfs overlay ;)

>
> In this case, you want to use $(SED) that includes the -i option to do
> in-place modifications.
>
> > + grep >/dev/null '^group:.*systemd' $(TARGET_DIR)/etc/nsswitch.conf || \
>
> Ditto grep -q.
>
> > + sed '/^group:/ s/$$/ systemd/' $(TARGET_DIR)/etc/nsswitch.conf
>
> Ditto $(SED).
>
> Regards,
> Yann E. MORIN.
>
> > +endef
> > +
> > SYSTEMD_POST_INSTALL_TARGET_HOOKS += \
> > + SYSTEMD_ADD_NSSCONFIG_HOOK \
> > SYSTEMD_INSTALL_INIT_HOOK \
> > SYSTEMD_INSTALL_MACHINEID_HOOK \
> > SYSTEMD_INSTALL_RESOLVCONF_HOOK
> > --
> > 2.24.1
> >

Come to think of it, systemd comes with 4 or so nss plugins, maybe
it's a better approach
to have a fully featured nsswitch.conf in the skeleton and then cut
out the plugins that are NOT built?
Or use the one from systemd (source: factory/etc/nsswitch.conf), after
a sed 's,compat,files,g'

Norbert
On Sun, 7 Jun 2020 at 21:35, Norbert Lange <nolange79@gmail.com> wrote:

> Come to think of it, systemd comes with 4 or so nss plugins, maybe
> it's a better approach
> to have a fully featured nsswitch.conf in the skeleton and then cut
> out the plugins that are NOT built?
> Or use the one from systemd (source: factory/etc/nsswitch.conf), after
> a sed 's,compat,files,g'
>
> Norbert

For the record: systemd's upstream nsswitch.conf

    # This file is part of systemd.

    passwd: compat mymachines systemd
    group: compat mymachines systemd
    shadow: compat

    hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
    networks: files

    protocols: db files
    services: db files
    ethers: db files
    rpc: db files

    netgroup: nis

* mymachines adds resolution for local (machinectl compatible) containers.
  It also resolves UID/GID assigned to said containers
* systemd adds UID/GID resolution for DynamicUser
  DynamicUser allows a service to run with a dynamically determined UID,
  thus simplifying configuration (no need for a line in /etc/passwd)

so independently of "how" I think it makes sense to always enable nss-systemd
and enable mymachines when systemd-nspawn is compiled in.
On Mon, 8 Jun 2020 at 12:09, Jérémy ROSEN <jeremy.rosen@smile.fr> wrote:

> For the record: systemd's upstream nsswitch.conf
>
> # This file is part of systemd.
>
> passwd: compat mymachines systemd
> group: compat mymachines systemd
> shadow: compat
>
> hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> * mymachines adds resolution for local (machinectl compatible) containers.
> It also resolves UID/GID assigned to said containers
> * systemd adds UID/GID resolution for DynamicUser
> DynamicUser allows a service to run with a dynamically determined UID,
> thus simplifying configuration (no need for a line in /etc/passwd)
>
> so independently of "how" I think it makes sense to always enable nss-systemd
> and enable mymachines when systemd-nspawn is compiled in.

Actually I would consider the rootfs broken if no nss-systemd is used,
some services that ship with systemd use this feature and might behave oddly.

I haven't re-rolled the entire series, but I changed the code to enable
systemd, myhostname and resolve. mymachines is a bit tricky with the
placement in the middle.
(that's why I would prefer using a "full-featured" and just removing
the non-existent ones, doesn't need a check to prevent adding multiple
times either)
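The "start from a full-featured nsswitch.conf and remove the modules that were not built" approach discussed in the messages above, sketched as an added example; it is not code from the thread or from Buildroot. It assumes that a module `<name>` is installed as `libnss_<name>.so.2` under the target's `usr/lib` or `lib`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Buildroot code. Assumption: NSS module <name> is
# installed as libnss_<name>.so.2 under $target/usr/lib or $target/lib.
SYSTEMD_NSS_MODULES="systemd mymachines resolve myhostname"

# Print the systemd NSS modules that are missing from the target tree.
missing_nss_modules() {
    target=$1
    for m in $SYSTEMD_NSS_MODULES; do
        [ -e "$target/usr/lib/libnss_$m.so.2" ] ||
            [ -e "$target/lib/libnss_$m.so.2" ] ||
            printf '%s ' "$m"
    done
}

# Rewrite $target/etc/nsswitch.conf, dropping every missing module.
# A bracketed action such as [!UNAVAIL=return] qualifies the service just
# before it, so it is dropped together with that service; leaving it behind
# would silently re-attach it to the previous service.
prune_nsswitch() {
    target=$1
    conf=$target/etc/nsswitch.conf
    tmp=$conf.prune.$$
    awk -v missing="$(missing_nss_modules "$target")" '
        BEGIN { n = split(missing, m, " "); for (i = 1; i <= n; i++) drop[m[i]] = 1 }
        /^[a-z_]+:/ {
            out = $1; skip = 0; inact = 0
            for (i = 2; i <= NF; i++) {
                if (inact || $i ~ /^\[/) {      # inside a [ ... ] action
                    inact = ($i !~ /\]$/)
                    if (!skip) out = out " " $i
                    continue
                }
                skip = ($i in drop)
                if (!skip) out = out " " $i
            }
            print out
            next
        }
        { print }                                # comments, blank lines
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Usage: sh prune-nsswitch.sh <target-dir>
if [ $# -gt 0 ]; then prune_nsswitch "$1"; fi
```

Because it only removes entries, running it a second time leaves the file unchanged, which is the "no check to prevent adding multiple times" property mentioned in the thread.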
diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk index 05b07cfd1b..a390cdd1a9 100644 --- a/package/systemd/systemd.mk +++ b/package/systemd/systemd.mk @@ -409,7 +409,15 @@ define SYSTEMD_INSTALL_MACHINEID_HOOK touch $(TARGET_DIR)/etc/machine-id endef +define SYSTEMD_ADD_NSSCONFIG_HOOK + grep >/dev/null '^passwd:.*systemd' $(TARGET_DIR)/etc/nsswitch.conf || \ + sed '/^passwd:/ s/$$/ systemd/' $(TARGET_DIR)/etc/nsswitch.conf + grep >/dev/null '^group:.*systemd' $(TARGET_DIR)/etc/nsswitch.conf || \ + sed '/^group:/ s/$$/ systemd/' $(TARGET_DIR)/etc/nsswitch.conf +endef + SYSTEMD_POST_INSTALL_TARGET_HOOKS += \ + SYSTEMD_ADD_NSSCONFIG_HOOK \ SYSTEMD_INSTALL_INIT_HOOK \ SYSTEMD_INSTALL_MACHINEID_HOOK \ SYSTEMD_INSTALL_RESOLVCONF_HOOK
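Review bot: The two sed lines in SYSTEMD_ADD_NSSCONFIG_HOOK run without in-place editing, so the edited text goes to stdout and $(TARGET_DIR)/etc/nsswitch.conf is left unchanged; the hook has no effect on the target. Use the in-place form for both, e.g. $(SED) '/^passwd:/ s/$$/ systemd/' $(TARGET_DIR)/etc/nsswitch.conf, and consider grep -q in place of the leading >/dev/null redirection. The hook also assumes nsswitch.conf already exists in the target and has passwd: and group: lines: with no file, grep and then sed both fail and the hook errors out, and with a file lacking those lines nothing is added, so an explicit check or a comment stating that assumption would help.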
The feature DynamicUser creates users/groups without
touching the /etc/{passwd,group} files on disk.
Adding the dynamic resolver to /etc/nsswitch.conf
ensures the Names are resolved consistently.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
 package/systemd/systemd.mk | 8 ++++++++
 1 file changed, 8 insertions(+)