nixos/nscd: Add release note entry about nscd changes

2018-11-14 13:03:13 +01:00 · 2018-11-14 13:03:13 +01:00 · 335b41b3fb
commit 335b41b3fb
parent 99d3279952
1 changed files with 60 additions and 0 deletions
--- a/nixos/doc/manual/release-notes/rl-1903.xml
+++ b/nixos/doc/manual/release-notes/rl-1903.xml
@ -245,6 +245,66 @@
     options.
   </para>
  </listitem>
+  <listitem>
+   <para>
+     The <literal>nscd</literal> now disables all caching of
+     <literal>passwd</literal> and <literal>group</literal> databases by
+     default. This was interferring with the correct functioning of the
+     <literal>libnss_systemd.so</literal> module which is used by
+     <literal>systemd</literal> to manage uids and usernames in the presence
+     of <literal>DynamicUser=</literal> in systemd services.
+     The was already the default behaviour in presence of
+     <literal>services.sssd.enable = true</literal> because nscd caching
+     would interfere sssd in unpredictable ways as well.Because we're using nscd
+     not for caching, but for convincing glibc to find NSS modules in the
+     nix store instead of an absolute path, we have decided to disable
+     caching globally now, as it's usually not the behaviour the user wants
+     and can lead to surprising behaviour.
+     Furthermore, negative caching of host lookups is also disabled now by
+     default. This should fix the issue of dns lookups failing in the
+     presence of an unreliable network.
+   </para>
+   <para>
+     If the old behaviour is desired, this can be restored by setting
+     the <literal>services.nscd.config</literal> option
+     with the desired caching parameters.
+     <programlisting>
+     services.nscd.config =
+     ''
+     server-user             nscd
+     threads                 1
+     paranoia                no
+     debug-level             0
+
+     enable-cache            passwd          yes
+     positive-time-to-live   passwd          600
+     negative-time-to-live   passwd          20
+     suggested-size          passwd          211
+     check-files             passwd          yes
+     persistent              passwd          no
+     shared                  passwd          yes
+
+     enable-cache            group           yes
+     positive-time-to-live   group           3600
+     negative-time-to-live   group           60
+     suggested-size          group           211
+     check-files             group           yes
+     persistent              group           no
+     shared                  group           yes
+
+     enable-cache            hosts           yes
+     positive-time-to-live   hosts           600
+     negative-time-to-live   hosts           5
+     suggested-size          hosts           211
+     check-files             hosts           yes
+     persistent              hosts           no
+     shared                  hosts           yes
+     '';
+     </programlisting>
+     See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/50316">#50316</link>
+     for details.
+   </para>
+  </listitem>
  <listitem>
   <para>
     GitLab Shell previously used the nix store paths for the