Koumbit's Redmine https://redmine.koumbit.net/ 2019-12-23T22:49:04Z
Puppet LDAP - Bug #32066: the ldap profile should keep "systemd" in nsswitch.conf
https://redmine.koumbit.net/issues/32066?journal_id=170218 2019-12-23T22:49:04Z Gabriel Filion gabriel@koumbit.org
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In progress</i></li><li><strong>Assignee</strong> set to <i>Gabriel Filion</i></li></ul><p>jessie doesn't have `systemd` in nsswitch.conf by default.</p>
<p>Neither does stretch.</p>
<p>buster does.</p>
<p>So only buster+</p>
https://redmine.koumbit.net/issues/32066?journal_id=170437 2020-01-06T15:48:30Z Kienan Stewart kienan@koumbit.org
<ul><li><strong>Parent task</strong> set to <i>#32104</i></li></ul>
https://redmine.koumbit.net/issues/32066?journal_id=171339 2020-01-20T15:28:45Z Kienan Stewart kienan@koumbit.org
<ul><li><strong>Parent task</strong> changed from <i>#32104</i> to <i>#32250</i></li></ul>
https://redmine.koumbit.net/issues/32066?journal_id=172671 2020-02-04T23:05:41Z Gabriel Filion gabriel@koumbit.org
<ul><li><strong>Parent task</strong> changed from <i>#32250</i> to <i>#32445</i></li></ul>
https://redmine.koumbit.net/issues/32066?journal_id=174312 2020-03-02T20:53:51Z Kienan Stewart kienan@koumbit.org
<ul><li><strong>Parent task</strong> changed from <i>#32445</i> to <i>#32714</i></li></ul>
https://redmine.koumbit.net/issues/32066?journal_id=182656 2020-06-26T17:28:29Z Gabriel Filion gabriel@koumbit.org
<ul><li><strong>Parent task</strong> changed from <i>#32714</i> to <i>#33845</i></li></ul>
https://redmine.koumbit.net/issues/32066?journal_id=185912 2020-08-14T20:39:49Z Kienan Stewart kienan@koumbit.org
<ul><li><strong>Parent task</strong> changed from <i>#33845</i> to <i>#34262</i></li></ul>
https://redmine.koumbit.net/issues/32066?journal_id=188735 2020-10-01T20:05:26Z Kienan Stewart kienan@koumbit.org
<ul><li><strong>Parent task</strong> changed from <i>#34262</i> to <i>#34595</i></li></ul>
https://redmine.koumbit.net/issues/32066?journal_id=192151 2020-11-20T19:32:52Z Gabriel Filion gabriel@koumbit.org
<ul><li><strong>Parent task</strong> changed from <i>#34595</i> to <i>#35035</i></li></ul>
https://redmine.koumbit.net/issues/32066?journal_id=195678 2021-01-18T16:43:18Z John Béjot
<ul><li><strong>Assignee</strong> changed from <i>Gabriel Filion</i> to <i>John Béjot</i></li></ul>
https://redmine.koumbit.net/issues/32066?journal_id=196794 2021-02-03T20:24:18Z John Béjot
<ul><li><strong>Status</strong> changed from <i>In progress</i> to <i>Needs deployment</i></li></ul><p>Well, the change was minimal (literally adding "systemd" to `site/profile/files/ldap/etc/nsswitch.conf`).<br />However, the <strong>test</strong> part is what accounts for most of the work (on top of all the work it took me to get back into Puppet, see how LDAP is set up, how NSS works, why my VMs asked me for root passwords, etc.).</p>
Simply:
<ul>
<li>LDAP has to be deployed on `pc_buster`, making sure that a service using `DynamicUser` still starts</li>
</ul>
However:
<ul>
<li>I'm not really sure I deployed LDAP correctly locally; I used `basic_instance` for `pc_buster` but it kept complaining about `nss_ldap: could not connect to any LDAP server as (null)` for `ldap://ldap0.office.koumbit.net` - am I supposed to deploy a whole LDAP server locally for my tests?</li>
<li>at no point while deploying `basic_instance` did the content of `/etc/nsswitch.conf` change to remove `systemd`; it looks like it stays in the file once it's there</li>
<li>I deployed `basic_instance` with and without `systemd` in `/etc/nsswitch.conf` and in both cases my service with `DynamicUser=yes` worked, so either my tests weren't complete or the config isn't vital?</li>
</ul>
https://redmine.koumbit.net/issues/32066?journal_id=196795 2021-02-03T20:24:43Z John Béjot
<ul><li><strong>Status</strong> changed from <i>Needs deployment</i> to <i>Needs testing</i></li></ul>
https://redmine.koumbit.net/issues/32066?journal_id=197901 2021-02-22T15:44:34Z John Béjot
<ul><li><strong>Status</strong> changed from <i>Needs testing</i> to <i>Needs deployment</i></li></ul><p>Merge ticket: <a class="external" href="https://redmine.koumbit.net/issues/35815">https://redmine.koumbit.net/issues/35815</a></p>
https://redmine.koumbit.net/issues/32066?journal_id=197919 2021-02-22T16:48:23Z John Béjot
<ul><li><strong>Status</strong> changed from <i>Needs deployment</i> to <i>In progress</i></li></ul>
https://redmine.koumbit.net/issues/32066?journal_id=198231 2021-02-24T21:01:55Z Kienan Stewart kienan@koumbit.org
<p>For nsswitch.conf, my understanding is that listing a module that isn't present is not a problem. For each module listed under a given database, a shared object is loaded, and libc fails gracefully if it doesn't exist. Ref: <a class="external" href="https://www.gnu.org/software/libc/manual/html_node/Services-in-the-NSS-configuration.html">https://www.gnu.org/software/libc/manual/html_node/Services-in-the-NSS-configuration.html</a></p>
<p>The systemd library is normally provided by the libnss-systemd package. It is installed by default on Debian buster, available but not installed by default on Debian stretch, and not available on Debian jessie.</p>
<p>Here is what happens on Stretch if it is not installed and systemd is placed before <code>files</code>: <pre>
root@pc-stretch:/etc# strace -o /home/vagrant/output getent passwd vagrant
vagrant:x:942:942:vagrant,,,:/home/vagrant:/bin/bash
</pre></p>
<p>Then in the strace, we can see that systemd was tried but the lib doesn't exist, so it moved on to the next one: <pre>
execve("/usr/bin/getent", ["getent", "passwd", "vagrant"], [/* 22 vars */]) = 0
brk(NULL) = 0x2350000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=31603, ...}) = 0
mmap(NULL, 31603, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f58ddd24000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\4\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1689360, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f58ddd22000
mmap(NULL, 3795296, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f58dd76a000
mprotect(0x7f58dd8ff000, 2097152, PROT_NONE) = 0
mmap(0x7f58ddaff000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x195000) = 0x7f58ddaff000
mmap(0x7f58ddb05000, 14688, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f58ddb05000
close(3) = 0
arch_prctl(ARCH_SET_FS, 0x7f58ddd23440) = 0
mprotect(0x7f58ddaff000, 16384, PROT_READ) = 0
mprotect(0x604000, 4096, PROT_READ) = 0
mprotect(0x7f58ddd2c000, 4096, PROT_READ) = 0
munmap(0x7f58ddd24000, 31603) = 0
brk(NULL) = 0x2350000
brk(0x2371000) = 0x2371000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2932240, ...}) = 0
mmap(NULL, 2932240, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f58dd49e000
close(3) = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=505, ...}) = 0
read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 505
read(3, "", 4096) = 0
close(3) = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=31603, ...}) = 0
mmap(NULL, 31603, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f58ddd24000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/tls/x86_64/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu/tls/x86_64", 0x7fff92df43c0) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/tls/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu/tls", 0x7fff92df43c0) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/x86_64/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu/x86_64", 0x7fff92df43c0) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu", {st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
open("/usr/lib/x86_64-linux-gnu/tls/x86_64/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib/x86_64-linux-gnu/tls/x86_64", 0x7fff92df43c0) = -1 ENOENT (No such file or directory)
open("/usr/lib/x86_64-linux-gnu/tls/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib/x86_64-linux-gnu/tls", 0x7fff92df43c0) = -1 ENOENT (No such file or directory)
open("/usr/lib/x86_64-linux-gnu/x86_64/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib/x86_64-linux-gnu/x86_64", 0x7fff92df43c0) = -1 ENOENT (No such file or directory)
open("/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib/x86_64-linux-gnu", {st_mode=S_IFDIR|0755, st_size=20480, ...}) = 0
open("/lib/tls/x86_64/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/tls/x86_64", 0x7fff92df43c0) = -1 ENOENT (No such file or directory)
open("/lib/tls/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/tls", 0x7fff92df43c0) = -1 ENOENT (No such file or directory)
open("/lib/x86_64/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64", 0x7fff92df43c0) = -1 ENOENT (No such file or directory)
open("/lib/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/usr/lib/tls/x86_64/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib/tls/x86_64", 0x7fff92df43c0) = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib/tls", 0x7fff92df43c0) = -1 ENOENT (No such file or directory)
open("/usr/lib/x86_64/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib/x86_64", 0x7fff92df43c0) = -1 ENOENT (No such file or directory)
open("/usr/lib/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
munmap(0x7f58ddd24000, 31603) = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=31603, ...}) = 0
mmap(NULL, 31603, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f58ddd24000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libnss_compat.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\22\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=31616, ...}) = 0
mmap(NULL, 2126944, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f58dd296000
mprotect(0x7f58dd29d000, 2093056, PROT_NONE) = 0
mmap(0x7f58dd49c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7f58dd49c000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libnsl.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320?\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=89064, ...}) = 0
mmap(NULL, 2194008, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f58dd07e000
mprotect(0x7f58dd092000, 2097152, PROT_NONE) = 0
mmap(0x7f58dd292000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14000) = 0x7f58dd292000
mmap(0x7f58dd294000, 6744, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f58dd294000
close(3) = 0
mprotect(0x7f58dd292000, 4096, PROT_READ) = 0
mprotect(0x7f58dd49c000, 4096, PROT_READ) = 0
munmap(0x7f58ddd24000, 31603) = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=31603, ...}) = 0
mmap(NULL, 31603, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f58ddd24000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libnss_nis.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340 \0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=47688, ...}) = 0
mmap(NULL, 2143656, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f58dce72000
mprotect(0x7f58dce7d000, 2093056, PROT_NONE) = 0
mmap(0x7f58dd07c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa000) = 0x7f58dd07c000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320!\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=47632, ...}) = 0
mmap(NULL, 2168600, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f58dcc60000
mprotect(0x7f58dcc6a000, 2097152, PROT_NONE) = 0
mmap(0x7f58dce6a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa000) = 0x7f58dce6a000
mmap(0x7f58dce6c000, 22296, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f58dce6c000
close(3) = 0
mprotect(0x7f58dce6a000, 4096, PROT_READ) = 0
mprotect(0x7f58dd07c000, 4096, PROT_READ) = 0
munmap(0x7f58ddd24000, 31603) = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=3621, ...}) = 0
mmap(NULL, 3621, PROT_READ, MAP_SHARED, 3, 0) = 0x7f58ddd2b000
lseek(3, 3621, SEEK_SET) = 3621
munmap(0x7f58ddd2b000, 3621) = 0
close(3) = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
write(1, "vagrant:x:942:942:vagrant,,,:/ho"..., 53) = 53
exit_group(0) = ?
+++ exited with 0 +++
</pre></p>
<p>All this to say that even though the library exists on neither jessie nor stretch, I don't think it's a problem. The penalty is a small performance loss from shared-object loads that will always fail.</p>
https://redmine.koumbit.net/issues/32066?journal_id=198237 2021-02-24T21:04:21Z Kienan Stewart kienan@koumbit.org
<ul><li><strong>Status</strong> changed from <i>In progress</i> to <i>Closed</i></li></ul>
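An added example, not part of the ticket or of Koumbit's Puppet code: a small audit of an `nsswitch.conf` that reports which listed services have no `libnss_<service>.so.2` on disk (the case the strace above shows libc skipping) and which required services are missing from a database. The sample file, the directory list and the `required` mapping are assumptions made for illustration.

```python
import os
import re

# Subset of the directories libc searched in the strace above (assumption for other hosts).
DEFAULT_LIB_DIRS = ("/lib/x86_64-linux-gnu", "/usr/lib/x86_64-linux-gnu", "/lib", "/usr/lib")

def parse_nsswitch(text):
    """Return {database: [service, ...]} in lookup order, without comments or [STATUS=action] items."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        database, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # drop action specs such as [NOTFOUND=return]
        table[database.strip()] = rest.split()
    return table

def module_path(service, lib_dirs=DEFAULT_LIB_DIRS):
    """Path of libnss_<service>.so.2 if it exists in one of lib_dirs, else None."""
    for directory in lib_dirs:
        candidate = os.path.join(directory, f"libnss_{service}.so.2")
        if os.path.exists(candidate):
            return candidate
    return None

def audit(text, lib_dirs=DEFAULT_LIB_DIRS, required=None):
    """Report listed services with no module on disk, and required services that are not listed."""
    table = parse_nsswitch(text)
    unresolved = sorted((db, svc) for db, svcs in table.items()
                        for svc in svcs if module_path(svc, lib_dirs) is None)
    missing = sorted((db, svc) for db, svcs in (required or {}).items()
                     for svc in svcs if svc not in table.get(db, []))
    return {"unresolved": unresolved, "missing_required": missing}

# Constructed sample, not the file shipped by the profile.
SAMPLE = """\
# /etc/nsswitch.conf (constructed sample)
passwd:         systemd compat ldap
group:          compat ldap
shadow:         compat
hosts:          files dns [NOTFOUND=return] mdns4
"""

if __name__ == "__main__":
    # Assumption: on buster+ both passwd and group should list systemd.
    report = audit(SAMPLE, required={"passwd": ["systemd"], "group": ["systemd"]})
    for db, svc in report["unresolved"]:
        print(f"{db}: libnss_{svc}.so.2 not found, libc will skip '{svc}'")
    for db, svc in report["missing_required"]:
        print(f"{db}: required service '{svc}' is not listed")
```
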