Submachine (talk | contribs) (Fill out benefits and scope) |
Submachine (talk | contribs) (More details) |
||
Line 106: | Line 106: | ||
`nss-pam-ldapd` has a weak dependency on nscd that will need to be removed. `libuser` has a build dependency on nscd that will also need to be removed. | `nss-pam-ldapd` has a weak dependency on nscd that will need to be removed. `libuser` has a build dependency on nscd that will also need to be removed. | ||
* Release engineering: [https://pagure.io/releng/issues #Releng issue number] (a check of an impact with Release Engineering is needed) | * Release engineering: | ||
<!-- [https://pagure.io/releng/issues #Releng issue number] (a check of an impact with Release Engineering is needed) REQUIRED FOR SYSTEM WIDE CHANGES --> | |||
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)? Is a mass rebuild required? include a link to the releng issue. | <!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)? Is a mass rebuild required? include a link to the releng issue. | ||
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication --> | The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication --> | ||
This change does not require coordination with or have impact on release engineering and does not require a mass rebuild. | |||
* Policies and guidelines: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | * Policies and guidelines: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
Line 123: | Line 126: | ||
== Upgrade/compatibility impact == | == Upgrade/compatibility impact == | ||
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? --> | <!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? --> | ||
The nscd sub-package depends on a glibc version that is identical to itself. This means that updating from a previous version of Fedora with nscd installed on it to Fedora 34 (which will not ship nscd) will require nscd to be removed first so that glibc can be updated. | |||
The hosts cache will automatically be replaced by the one provided by systemd-resolved. However, in order to restore caching functionality for other caches provided by nscd, user will need to install and/or configure sssd (by enabling sssd with authconfig, and editing `/etc/sssd/sssd.conf` to enable it to work with nss). | |||
== How To Test == | == How To Test == | ||
Line 160: | Line 163: | ||
<!-- What other packages (RPMs) depend on this package? Are there changes outside the developers' control on which completion of this change depends? In other words, completion of another change owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate? Other upstream projects like the kernel (if this is not a kernel change)? --> | <!-- What other packages (RPMs) depend on this package? Are there changes outside the developers' control on which completion of this change depends? In other words, completion of another change owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate? Other upstream projects like the kernel (if this is not a kernel change)? --> | ||
* `nss-pam-ldapd` has a weak dependency on nscd that will need to be removed. | |||
* `libuser` has a build dependency on nscd that will also need to be removed. | |||
Both changes are minimal, requiring a removal of the dependency in the spec file, and a rebuild. | |||
== Contingency Plan == | == Contingency Plan == | ||
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan? This might be as simple as "Revert the shipped configuration". Or it might not (e.g. rebuilding a number of dependent packages). If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy. --> | <!-- If you cannot complete your feature by the final development freeze, what is the backup plan? This might be as simple as "Revert the shipped configuration". Or it might not (e.g. rebuilding a number of dependent packages). If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy. --> | ||
* Contingency mechanism: | * Contingency mechanism: Revert changes to glibc spec file and continue to ship nscd. Revert changes to libuser and nss-pam-ldapd packages; this will need to be done by the respective package maintainers. | ||
<!-- When is the last time the contingency mechanism can be put in place? This will typically be the beta freeze. --> | <!-- When is the last time the contingency mechanism can be put in place? This will typically be the beta freeze. --> | ||
* Contingency deadline: | * Contingency deadline: Fedora 34 Beta Freeze | ||
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? --> | <!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? --> | ||
* Blocks release? N/A (not a System Wide Change) | * Blocks release? N/A (not a System Wide Change) | ||
* Blocks product? | * Blocks product? None | ||
== Documentation == | == Documentation == |
Revision as of 10:33, 21 October 2020
Remove and deprecate nscd in favour of sssd and systemd-resolved
Summary
This proposal intends to replace the nscd cache for named services with systemd-resolved for the hosts
database and the sssd daemon for everything else.
Owner
- Name: Arjun Shankar
- Email: arjun@redhat.com
Current status
- Targeted release: Fedora 34
- Last updated: 2020-10-21
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
nscd is a daemon that provides caching for accesses of the passwd
, group
, hosts
, services
, and netgroup
databases through standard libc interfaces (such as getpwnam
, getpwuid
, getgrnam
, getgrgid
, gethostbyname
, etc.). This proposal intends to replace nscd in Fedora with systemd-resolved for the hosts
database and the sssd daemon for everything else. Accordingly, the nscd
sub-package of glibc will be removed.
Benefit to Fedora
While still maintained within the glibc source tree, nscd has received less than forty commits in the past three years and has gathered significant technical debt, and has bugs which are hard to fix. There are concurrency bugs in the shared mappings, cache unification (IPv4 vs. IPv6 vs. AF_UNSPEC) issues, and more which would require significant investment to fix in nscd. Such an investment seems like duplicate effort among our communities given the quality and state of sssd, and systemd-resolved which is already proposed to be enabled by default from Fedora 33 onwards.
At a high level, sssd and systemd-resolved together provide a caching solution that has feature parity with nscd, with systemd-resolved covering the hosts cache and sssd the rest. The removal of nscd from Fedora will (a) move the user base over to a more modern solution for named services caching, and (b) reduce maintenance work on the Fedora glibc package and the duplication of effort on nscd upstream.
Scope
- Proposal owners:
The volume of work required is minimal, with the only change being the removal of the nscd sub-package offered by glibc which can be achieved by minor changes to the spec file. Since nscd is not installed by default, the affect on the distribution is minimal. Users who have installed nscd will need to install and configure sssd instead.
- Other developers:
nss-pam-ldapd
has a weak dependency on nscd that will need to be removed. libuser
has a build dependency on nscd that will also need to be removed.
- Release engineering:
This change does not require coordination with or have impact on release engineering and does not require a mass rebuild.
- Policies and guidelines: N/A (not a System Wide Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Yes, this proposal aligns with the current objective of "Fedora Minimization".
Upgrade/compatibility impact
The nscd sub-package depends on a glibc version that is identical to itself. This means that updating from a previous version of Fedora with nscd installed on it to Fedora 34 (which will not ship nscd) will require nscd to be removed first so that glibc can be updated.
The hosts cache will automatically be replaced by the one provided by systemd-resolved. However, in order to restore caching functionality for other caches provided by nscd, user will need to install and/or configure sssd (by enabling sssd with authconfig, and editing /etc/sssd/sssd.conf
to enable it to work with nss).
How To Test
N/A (not a System Wide Change)
User Experience
Dependencies
nss-pam-ldapd
has a weak dependency on nscd that will need to be removed.libuser
has a build dependency on nscd that will also need to be removed.
Both changes are minimal, requiring a removal of the dependency in the spec file, and a rebuild.
Contingency Plan
- Contingency mechanism: Revert changes to glibc spec file and continue to ship nscd. Revert changes to libuser and nss-pam-ldapd packages; this will need to be done by the respective package maintainers.
- Contingency deadline: Fedora 34 Beta Freeze
- Blocks release? N/A (not a System Wide Change)
- Blocks product? None
Documentation
N/A (not a System Wide Change)