Update SSSD, move to portage-stable #2501

Merged
merged 14 commits into from
Dec 4, 2024
Conversation

krnowak
Member

@krnowak krnowak commented Dec 3, 2024

CI: http://jenkins.infra.kinvolk.io:8080/job/container/job/packages_all_arches/5083/cldsv/

Closes flatcar/Flatcar#1489

--

  • sys-auth/sssd: [PROD] [DEV]

    • from 2.3.1-r6 to 2.9.5
    • EAPI 8
    • fixes CVE-2023-3758
    • dropped most of our modifications, the ones that are still needed are moved to config overrides or user patches
      • systemd sssd.service is replaced by upstream, but it has similar modifications to what we have done
      • tmpfiles config file is gone - it only had entries for /etc and /var
        • /etc entries are not needed - we now have /etc as an overlay
          • the only thing needed was to have a default config made from an example config, and it's done in config overrides
        • /var entries are not needed - they are generated during image build
      • stop modifying dependencies
        • pulls in net-dns/bind-tools instead of net-dns/bind…
        • enabled gssapi on net-dns/bind-tools (used to have issues on arm64)
        • enabled winbind in net-fs/samba (no idea why it was dropped before)
      • retained modifications:
        • pam config moved from /etc to /usr (config override)
        • create a default sssd config in /etc (config override)
        • cross-compilation fix for a broken openldap check (user patch)
        • enable nss lookups with sss plugin even if sssd is not running (user patch)
    • dropped USE=+locator, enabled unconditionally
    • dropped USE=pac, folded into USE=samba
    • dropped USE=valgrind
    • added USE=subid, something to do with subuid and subgid allocation, disabled
    • added USE=systemtap, for enabling instrumentation, disabled
    • replaced a dependency on dev-libs/libpcre with dev-libs/libpcre2
      • this makes dev-libs/libpcre unused
    • dropped a dependency on net-libs/http-parser
      • this makes net-libs/http-parser unused
    • added required USE=experimental on net-nds/openldap
  • net-dns/bind-tools:

    • added back, dependency of sys-auth/sssd
      • it's temporary, the package is deprecated, so it will be eventually replaced with net-dns/bind
  • net-nds/openldap:

    • enabled USE=experimental, required by sys-auth/sssd
  • net-fs/samba:

    • enabled USE=winbind, required by sys-auth/sssd
  • profiles:

    • dropped unused oem-aci profiles

--

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)
  • Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.

@krnowak krnowak added the main label Dec 3, 2024
@krnowak krnowak requested a review from a team December 3, 2024 13:55
@krnowak
Member Author

krnowak commented Dec 3, 2024

First CI run succeeded, but I kicked off another one, since I added another user-patch and dropped two now-unused packages.

github-actions bot commented Dec 3, 2024

@@ -1 +1,11 @@
export ac_cv_member_struct_ldap_conncb_lc_arg=no
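Review bot: pinning the autoconf cache to `no` with `export ac_cv_member_struct_ldap_conncb_lc_arg=no` needs an adjacent comment saying why, because the line reads as a detected result while the thread states the OpenLDAP in use does have `lc_arg`, and the value is really chosen to sidestep the run-time probe that cannot execute under cross-compilation; state that, and that `no` leaves the connection-callback code path disabled, so whoever later removes the user patch or the override knows which of the two is load-bearing. The header `@@ -1 +1,11 @@` announces ten further added lines that are not shown here, so keep that rationale next to this line rather than at the end of the file.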
Contributor
Wouldn't it be better to just keep this instead of adding the patch? Or if you're confident about this check being redundant, I could just add this line to Gentoo.

Member Author
I wanted to switch it to "yes", because our version of OpenLDAP has the lc_arg member in struct ldap_conncb and using it seems to allow SSSD to track some referrals or something (in general this seems to be preferred). But the "yes" case has a runtime check for a bug that was fixed 16 years ago. And we know that runtime checks and cross-compilation do go along.

I think that long-term my preferences would be in this order:

  1. Upstream to drop the runtime check, just like my user-patch is doing.
  2. Upstream adding a --enable-ldap-conncb-i-know-what-i-am-doing flag that skips the runtime check.
  3. Gentoo taking my patch.

Contributor
Ah, I had it backwards. In that case, a better option may be to populate the 4th AC_RUN_IFELSE argument, which is currently [], to simply assume HAVE_LDAP_CONNCB=1 when cross-compiling. This seems like a reasonable compromise given how old that release is now. Upstream may be more willing to do that than drop the check entirely.

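An illustration of the compromise proposed in the comment above, added here and not taken from SSSD's configure.ac, from Gentoo, or from this PR: the fourth argument of AC_RUN_IFELSE (action-if-cross-compiling) is populated so that the feature is assumed present when the probe binary cannot be executed on the build host, instead of the empty default that lets configure silently take the "no" path. HAVE_LDAP_CONNCB and the lc_arg member are the names used in the thread; the probe program, the sssd_cv_ldap_conncb_usable cache variable and the message text are assumptions made for the example.

```m4
dnl Added example; not SSSD's or Gentoo's configure code.
dnl Names other than HAVE_LDAP_CONNCB and lc_arg are assumptions.
AC_CACHE_CHECK([whether struct ldap_conncb lc_arg can be used],
  [sssd_cv_ldap_conncb_usable],
  [AC_RUN_IFELSE(
    [AC_LANG_PROGRAM(
      [[#include <stdlib.h>
        #include <sys/socket.h>
        #include <ldap.h>
        /* Stand-in for the connection-add callback. A real probe would
           exercise the library; this only checks that lc_arg exists and
           is carried through the struct ldap_conncb argument. */
        static int add_cb(LDAP *ld, Sockbuf *sb, LDAPURLDesc *srv,
                          struct sockaddr *addr, struct ldap_conncb *ctx)
        {
            return ctx->lc_arg == (void *)1 ? 0 : 1;
        }]],
      [[struct ldap_conncb cb;
        cb.lc_add = add_cb;
        cb.lc_del = NULL;
        cb.lc_arg = (void *)1;
        /* Exit status 0 means the member is usable. */
        return add_cb(NULL, NULL, NULL, NULL, &cb);]])],
    [sssd_cv_ldap_conncb_usable=yes],
    [sssd_cv_ldap_conncb_usable=no],
    dnl action-if-cross-compiling: the binary cannot run on the build host.
    dnl Assume a modern OpenLDAP rather than silently disabling the feature.
    [sssd_cv_ldap_conncb_usable=yes])])

AS_IF([test "x$sssd_cv_ldap_conncb_usable" = xyes],
  [AC_DEFINE([HAVE_LDAP_CONNCB], [1],
    [Define if the OpenLDAP connection callback (struct ldap_conncb) is usable])])
```

Because the result goes through AC_CACHE_CHECK, a distribution can still force either answer from the environment, as the `ac_cv_member_struct_ldap_conncb_lc_arg=no` override in this PR does, but with the cross-compiling branch filled in that override is no longer required to get a build at all, and the "yes" answer becomes the default for cross builds without dropping the run-time check for native ones.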
Member Author
I have filed a PR to SSSD, let's see how it goes - SSSD/sssd#7743

It's from Gentoo commit 2093b3c01a818dc3721376c181e7ae9b74f88508.
Contributor

@chewi chewi left a comment
You can wait on the outcome of our sssd patch discussion, but this is fine as-is in any case.

@krnowak krnowak merged commit d2514c2 into main Dec 4, 2024
@krnowak krnowak deleted the krnowak/move-sssd branch December 4, 2024 16:30
Successfully merging this pull request may close these issues.

update: sssd