4th chunk of `nixos/doc/manual/release-notes/rl-1903.section.md`
- The `nscd` service now disables all caching of the `passwd` and `group` databases by default. Caching interfered with the correct functioning of the `libnss_systemd.so` module, which `systemd` uses to manage UIDs and user names for services that set `DynamicUser=`. This was already the default behaviour when `services.sssd.enable = true`, because nscd caching would interfere with `sssd` in unpredictable ways as well. Because we use nscd not for caching but for convincing glibc to find NSS modules in the nix store instead of at an absolute path, we have decided to disable caching globally: it is usually not the behaviour the user wants and can lead to surprises. Furthermore, negative caching of host lookups is now disabled by default as well. This should fix the issue of DNS lookups failing in the presence of an unreliable network.

  If the old behaviour is desired, this can be restored by setting the `services.nscd.config` option with the desired caching parameters.

  ```nix
  {
    services.nscd.config =
    ''
    server-user             nscd
    threads                 1
    paranoia                no
    debug-level             0

    enable-cache            passwd          yes
    positive-time-to-live   passwd          600
    negative-time-to-live   passwd          20
    suggested-size          passwd          211
    check-files             passwd          yes
    persistent              passwd          no
    shared                  passwd          yes

    enable-cache            group           yes
    positive-time-to-live   group           3600
    negative-time-to-live   group           60
    suggested-size          group           211
    check-files             group           yes
    persistent              group           no
    shared                  group           yes

    enable-cache            hosts           yes
    positive-time-to-live   hosts           600
    negative-time-to-live   hosts           5
    suggested-size          hosts           211
    check-files             hosts           yes
    persistent              hosts           no
    shared                  hosts           yes
    '';
  }
  ```

  See [\#50316](https://github.com/NixOS/nixpkgs/pull/50316) for details.

- GitLab Shell previously used the nix store paths for the `gitlab-shell` command in its `authorized_keys` file, which might stop working after garbage collection. To circumvent that, we regenerated that file on each startup. As `gitlab-shell` has now been changed to use `/var/run/current-system/sw/bin/gitlab-shell`, this is not necessary anymore, but there might be leftover lines with a nix store path. Regenerate the `authorized_keys` file via `sudo -u git -H gitlab-rake gitlab:shell:setup` in that case.

- The `pam_unix` account module is now loaded with its control field set to `required` instead of `sufficient`, so that later PAM account modules that might do more extensive checks are executed as well. Previously, the whole account verification exited prematurely whenever an NSS module provided the account name to `pam_unix`, so any later account module was skipped. The LDAP and SSSD NixOS modules already add their NSS modules when enabled. If your setup breaks because a later PAM account module that was previously shadowed now runs, or because of failing NSS lookups, please file a bug. You can get back the old behaviour by manually setting `security.pam.services.<name?>.text`.

- The `pam_unix` password module is now loaded with its control field set to `sufficient` instead of `required`, so that later PAM password modules, which manage passwords `pam_unix` cannot handle, are executed. Previously, for example, changing an LDAP account's password through PAM was not possible: the whole password module verification was exited prematurely by `pam_unix`, preventing `pam_ldap` from managing the password as it should.

- `fish` has been upgraded to 3.0. It comes with a number of improvements and backwards incompatible changes. See the `fish` [release notes](https://github.com/fish-shell/fish-shell/releases/tag/3.0.0) for more information.
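The two `pam_unix` control-field changes above both come down to how Linux-PAM walks a module stack. The following simulator is an added example, not code from the NixOS manual or from Linux-PAM itself: it models the `required`, `requisite`, `sufficient` and `optional` flags and replays a constructed account stack (with `pam_sss` as the later, stricter module) and a constructed password stack (with `pam_ldap`) before and after the change. The module outcomes are assumptions chosen to reproduce the situations the notes describe.

```python
# Added example, not from the NixOS manual: a small simulator of Linux-PAM
# control-flag semantics, used to show why the 19.03 pam_unix changes matter.
# The module names are real PAM modules; their outcomes below are constructed.

def run_stack(stack, outcomes):
    """Evaluate an ordered PAM stack of (control, module) pairs as libpam does.
    Returns (overall_success, modules_that_actually_ran)."""
    executed, required_failed, any_success = [], False, False
    for control, module in stack:
        executed.append(module)
        ok = outcomes[module]
        if control == "requisite":
            if not ok:
                return False, executed          # fail and stop immediately
            any_success = True
        elif control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True          # remembered; the stack keeps running
        elif control == "sufficient":
            if ok:  # success ends the stack, but an earlier required failure wins
                return not required_failed, executed
            # a failing sufficient module is simply ignored
        elif control == "optional":
            any_success = any_success or ok
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return not required_failed and any_success, executed

# Account phase: the account exists via NSS, so pam_unix is satisfied, while a
# later directory-backed module (here pam_sss, outcome constructed) would deny it.
ACCOUNT = {"pam_unix": True, "pam_sss": False}
OLD_ACCOUNT_STACK = [("sufficient", "pam_unix"), ("required", "pam_sss")]
NEW_ACCOUNT_STACK = [("required", "pam_unix"), ("required", "pam_sss")]

# Password phase: an LDAP user has no /etc/shadow entry, so pam_unix cannot
# change the password, while pam_ldap (outcome constructed) could.
PASSWORD = {"pam_unix": False, "pam_ldap": True}
OLD_PASSWORD_STACK = [("required", "pam_unix"), ("sufficient", "pam_ldap")]
NEW_PASSWORD_STACK = [("sufficient", "pam_unix"), ("sufficient", "pam_ldap")]

def account_before_and_after():
    return run_stack(OLD_ACCOUNT_STACK, ACCOUNT), run_stack(NEW_ACCOUNT_STACK, ACCOUNT)

def password_before_and_after():
    return run_stack(OLD_PASSWORD_STACK, PASSWORD), run_stack(NEW_PASSWORD_STACK, PASSWORD)
```

With the old account stack `pam_sss` never runs and the denied account is let through; with the old password stack the `pam_unix` failure is `required`, so `pam_ldap`'s success cannot rescue the change.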

Title: NixOS 19.03: Further Backward Incompatibilities - nscd, GitLab Shell, and PAM