Re: RFC should authselect require nss_altfiles

On 10/9/24 14:52, Lennart Poettering wrote:
On Mi, 09.10.24 12:56, Pavel Březina (pbrezina@xxxxxxxxxx) wrote:

Hi Fedora,
nss-altfiles is not currently part of the default installation and can be
optionally added to nsswitch.conf via authselect's with-altfiles.

This however breaks ostree composes since it uses and requires altfiles to
provide system users. This is handled in the authselect spec file that tinkers
with the shipped profiles and hardcodes altfiles to the configuration. [1]
It works as expected.

Downside is that the authselect content we ship is different for ostree
systems and standard composes.

There is also an issue with bootc. Authselect has to be part of the source
bootc image; if it is installed later by dnf, it does not work because there
is no /run/ostree-booted during container image build time. This, however,
does not really affect Fedora 38+ since authselect is required by pam and
part of default installation. It may affect other distributions though.

Unless there is some push back, I would like to change authselect to require
nss-altfiles and hardcode altfiles in nsswitch.conf for everyone and finally
get rid of this duality.

Are there any strong opinions?

Hmm, so I'd advise against this for now. There's work ongoing to allow
glibc to read NSS databases directly from /usr/:

https://sourceware.org/pipermail/libc-alpha/2024-September/160272.html

(thread continues into the next month, might need to click around in
the archive)

This has different semantics compared to nss-altfiles (the
native glibc logic would use only one version of the database, while
nss-altfiles combines if both exist), but at the very least there
seems to be some discussion that is still ongoing on how this should
look in the end, and in particular what the right paths are to use
for the 2nd copy.

I'd recommend to wait for this discussion to be resolved.

Thank you for the heads up, I'll wait.

Pavel

--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue



