From Fedora Project Wiki
(Propose to deprecate rather than remove)
Line 1: Line 1:
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->


= Remove ''nscd'' in favour of ''sssd'' and ''systemd-resolved'' <!-- The name of your change proposal --> =
= Deprecate ''nscd'' <!-- The name of your change proposal --> =


== Summary ==
== Summary ==
Line 7: Line 7:
Note that motivation for the change should be in the Benefit to Fedora section below, and this part should answer the question "What?" rather than "Why?". -->
Note that motivation for the change should be in the Benefit to Fedora section below, and this part should answer the question "What?" rather than "Why?". -->


This proposal intends to replace the ''nscd'' cache for named services with ''systemd-resolved'' for the `hosts` database and the ''sssd'' daemon for everything else.
This proposal intends to deprecate the ''nscd'' cache for named services. Fedora already uses ''systemd-resolved'' by default for caching the `hosts` database, while the ''sssd'' daemon provides caching for the other named services.


== Owner ==
== Owner ==
Line 52: Line 52:
== Detailed Description ==
== Detailed Description ==


''nscd'' is a daemon that provides caching for accesses of the `passwd`, `group`, `hosts`, `services`, and `netgroup` databases through standard libc interfaces (such as `getpwnam`, `getpwuid`, `getgrnam`, `getgrgid`, `gethostbyname`, etc.). This proposal intends to replace ''nscd'' in Fedora with ''systemd-resolved'' for the `hosts` database and the ''sssd'' daemon for everything else. Accordingly, the `nscd` sub-package of glibc will be removed.
''nscd'' is a daemon that provides caching for accesses of the `passwd`, `group`, `hosts`, `services`, and `netgroup` databases through standard libc interfaces (such as `getpwnam`, `getpwuid`, `getgrnam`, `getgrgid`, `gethostbyname`, etc.). This proposal intends to deprecate ''nscd'' in Fedora. nscd has serious technical debt but no real upstream interest in fixing them. Also, currently ''systemd-resolved'' is enabled by default for DNS caching in Fedora, and ''sssd'' is capable of caching the remaining named services that nscd handles. nscd has thus become less relevant. Accordingly, the `nscd` sub-package of glibc will be marked `deprecated()'.


<!--
<!--
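Review bot: The revised Detailed Description paragraph ends with an inline-code span that opens with a backtick and closes with an apostrophe (marked deprecated() followed by '), so the tag will not render as code; close it with a backtick. In the same paragraph, "serious technical debt but no real upstream interest in fixing them" has a number mismatch and should read "fixing it".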
Line 61: Line 61:
== Benefit to Fedora ==
== Benefit to Fedora ==


While still maintained within the glibc source tree, ''nscd'' has received less than forty commits in the past three years and has gathered significant technical debt, and has bugs which are hard to fix.  There are concurrency bugs in the shared mappings, cache unification (IPv4 vs. IPv6 vs. AF_UNSPEC) issues, and more which would require significant investment to fix in nscd.  Such an investment seems like duplicate effort among our communities given the quality and state of ''sssd'', and ''systemd-resolved'' which is already proposed to be enabled by default from [[Changes/systemd-resolved | Fedora 33 onwards]].
While still maintained within the glibc source tree, ''nscd'' has received less than forty commits in the past three years and has gathered significant technical debt, and has bugs which are hard to fix.  There are concurrency bugs in the shared mappings, cache unification (IPv4 vs. IPv6 vs. AF_UNSPEC) issues, and more which would require significant investment to fix in nscd.  Such an investment seems unlikely to come upstream, and even if it did, seems like duplicate effort among our communities given the quality and state of ''sssd'', and ''systemd-resolved'' which is already enabled by default from [[Changes/systemd-resolved | Fedora 33 onwards]].


At a high level, sssd and systemd-resolved together provide a caching solution that has feature parity with nscd, with systemd-resolved covering the hosts cache and sssd the rest. The removal of nscd from Fedora will:
At a high level, sssd and systemd-resolved together provide a caching solution that has feature parity with nscd, with systemd-resolved covering the hosts cache and sssd the rest. The deprecation of nscd from Fedora signals our plan to stop providing is glibc sub-package in a future Fedora release and thus helps:
* move the user base over to a more modern solution for named services caching, and
* move the user base over to a more modern solution for named services caching, and
* reduce maintenance work on the Fedora glibc package and the duplication of effort on nscd upstream.
* reduce maintenance work on the Fedora glibc package and the duplication of effort on nscd upstream.
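Review bot: The rewritten sentence that introduces the bullet list contains a typo, "stop providing is glibc sub-package", which should read "stop providing this glibc sub-package". "The deprecation of nscd from Fedora" is also left over from the removal wording; "in Fedora" fits a deprecation.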
Line 99: Line 99:
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


The volume of work required is minimal, with the only change being the removal and obsolescence of the nscd sub-package offered by glibc which can be achieved by minor changes to the spec file. Since nscd is not installed by default, the affect on the distribution is minimal. Users who have installed nscd in an earlier release of Fedora will need to install and configure sssd instead.
The volume of work required is minimal, with the only change being the marking of the nscd sub-package offered by glibc with a `Provides: deprecated()' and a comment explaining it in the spec file. Since nscd is not installed by default, even in the future with nscd possibly removed, the affect on the distribution is going to be minimal. Users who have installed nscd in an earlier release of Fedora will not be affected.


* Other developers:
* Other developers:
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


`nss-pam-ldapd` has a weak dependency on nscd that will need to be removed. `libuser` has a build dependency on nscd that will also need to be removed.
None.
 
In the future, when nscd will (possibly) be removed, two dependent packages will be affected:
`nss-pam-ldapd` has a weak dependency on nscd that will need to be removed. `libuser` has a build dependency on nscd that will also need to be removed. Both changes appear to be easy, only involving a spec file edit.


* Release engineering:
* Release engineering:
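Review bot: Under "Other developers" the new text says "None." and then immediately describes work on nss-pam-ldapd and libuser, while the same edit hides the equivalent future-removal text in HTML comments under Dependencies and Upgrade/compatibility impact. Treat the three places the same way: either comment this paragraph out too, or keep all of them visible under an explicit "if nscd is removed in a future release" lead-in. In the "Proposal owners" paragraph the Provides: deprecated() tag again opens with a backtick and closes with an apostrophe, and "the affect on the distribution" should be "the effect".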
Line 122: Line 125:
<!-- Does your proposal align with the current Fedora Objectives: https://docs.fedoraproject.org/en-US/project/objectives/ ? It's okay if it doesn't, but it's something to consider -->
<!-- Does your proposal align with the current Fedora Objectives: https://docs.fedoraproject.org/en-US/project/objectives/ ? It's okay if it doesn't, but it's something to consider -->


Yes, this proposal aligns with the [https://docs.fedoraproject.org/en-US/project/objectives current objective] of "Fedora Minimization".
While this proposal does not match any of the [https://docs.fedoraproject.org/en-US/project/objectives current objectives], it is not opposed to any.


== Upgrade/compatibility impact ==
== Upgrade/compatibility impact ==
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
Since the change is purely a deprecation, it will have no upgrade/compatibility impact.
<!-- In the future, the removal and marking as obsolete of nscd will however have an upgrade impact:
The nscd sub-package depends on a glibc version that is identical to itself. This means that once it is removed and obsoleted in Fedora 34, updating from a previous release of Fedora with nscd installed on it, the old nscd package will be uninstalled during the update. Named services caching will cease to function, but the only effect will be slower resolution due to the missing cache. This will be more marked in systems that use remote remote authentication services like LDAP. Functionality will not be affected in any way.
The nscd sub-package depends on a glibc version that is identical to itself. This means that once it is removed and obsoleted in Fedora 34, updating from a previous release of Fedora with nscd installed on it, the old nscd package will be uninstalled during the update. Named services caching will cease to function, but the only effect will be slower resolution due to the missing cache. This will be more marked in systems that use remote remote authentication services like LDAP. Functionality will not be affected in any way.


The hosts cache will automatically be replaced by the one provided by systemd-resolved. However, in order to restore caching functionality for other caches provided by nscd, the system administrator will need to install and/or configure sssd (by enabling sssd with authconfig, and editing `/etc/sssd/sssd.conf` to enable it to work with nss).
The hosts cache will automatically be replaced by the one provided by systemd-resolved. However, in order to restore caching functionality for other caches provided by nscd, the system administrator will need to install and/or configure sssd (by enabling sssd with authconfig, and editing `/etc/sssd/sssd.conf` to enable it to work with nss).
-->


== How To Test ==
== How To Test ==
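Review bot: The paragraph this hunk wraps in an HTML comment under Upgrade/compatibility impact still says nscd is "removed and obsoleted in Fedora 34", which no longer matches the deprecation-only scope of the change. If the text is being kept for a later removal proposal, replace the release number with "a future release" so that it cannot be uncommented with a stale target. The same paragraph has a duplicated word in "remote remote authentication services".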
Line 159: Line 167:
  - Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system.
  - Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system.
-->
-->
This change will not enforce any change in user experience. However, upon upgrade to Fedora 34, system administrators who want to proactively respond to the deprecation might choose to configure sssd to cache named services if they were using nscd to do so in the past and want to be prepared for its possible removal/obsoletion in a future release.
<!--
In the future, the possible removal of nscd will have the following affect on user experience on upgrade:
* Most users will be unaffected by this change because nscd is not installed by default. It is usually used on systems configured with LDAP, where nscd provides caching of remote queries.
* Most users will be unaffected by this change because nscd is not installed by default. It is usually used on systems configured with LDAP, where nscd provides caching of remote queries.
* On a system using nscd that is updated to Fedora 34 from a previous version, the system administrator will need to install and configure sssd to replace it after the update. Even when this is not done, the only visible affect will be slower resolution of named service queries due to a missing cache.
* On a system using nscd that is updated to Fedora 34 from a previous version, the system administrator will need to install and configure sssd to replace it after the update. Even when this is not done, the only visible affect will be slower resolution of named service queries due to a missing cache.
* Users on a system running sssd and systemd-resolved instead of nscd shouldn't see any noticeable difference in system behaviour or latency in resolving named services.
* Users on a system running sssd and systemd-resolved instead of nscd shouldn't see any noticeable difference in system behaviour or latency in resolving named services.
-->


== Dependencies ==
== Dependencies ==
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this change depends?  In other words, completion of another change owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel change)? -->
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this change depends?  In other words, completion of another change owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel change)? -->


None.
<!--
In future, if nscd is removed:
* `nss-pam-ldapd` has a weak dependency on nscd that will need to be removed.
* `nss-pam-ldapd` has a weak dependency on nscd that will need to be removed.
* `libuser` has a build dependency on nscd that will also need to be removed.
* `libuser` has a build dependency on nscd that will also need to be removed.


Both changes are minimal, requiring a removal of the dependency in the spec file, and a rebuild.
Both changes are minimal, requiring a removal of the dependency in the spec file, and a rebuild.
-->


== Contingency Plan ==
== Contingency Plan ==


<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
* Contingency mechanism: Revert changes to glibc spec file and continue to ship nscd. Revert changes to libuser and nss-pam-ldapd packages; this will need to be done by the respective package maintainers.
* Contingency mechanism: Revert changes to glibc spec file and continue to ship nscd as a regularly supported sub-package.


<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
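Review bot: The new comment line "the possible removal of nscd will have the following affect on user experience" should use "effect", and the commented-out bullet beneath it still names Fedora 34 as the release in which an nscd system must move to sssd. Use release-neutral wording there if the block is meant to be reused.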

Revision as of 11:50, 2 December 2020


Deprecate nscd

Summary

This proposal intends to deprecate the nscd cache for named services. Fedora already uses systemd-resolved by default for caching the hosts database, while the sssd daemon provides caching for the other named services.

Owner

Current status

  • Targeted release: Fedora 34
  • Last updated: 2020-12-02
  • FESCo issue: #2501
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

nscd is a daemon that provides caching for accesses of the passwd, group, hosts, services, and netgroup databases through standard libc interfaces (such as getpwnam, getpwuid, getgrnam, getgrgid, gethostbyname, etc.). This proposal intends to deprecate nscd in Fedora. nscd has serious technical debt and there is no real upstream interest in fixing it. In addition, systemd-resolved is currently enabled by default for DNS caching in Fedora, and sssd is capable of caching the remaining named services that nscd handles, so nscd has become less relevant. Accordingly, the nscd sub-package of glibc will be marked deprecated().


Benefit to Fedora

While still maintained within the glibc source tree, nscd has received fewer than forty commits in the past three years, has gathered significant technical debt, and has bugs which are hard to fix. There are concurrency bugs in the shared mappings, cache unification (IPv4 vs. IPv6 vs. AF_UNSPEC) issues, and more, all of which would require significant investment to fix in nscd. Such an investment seems unlikely to come upstream and, even if it did, would duplicate effort among our communities given the quality and state of sssd and of systemd-resolved, which is already enabled by default from Fedora 33 onwards.

At a high level, sssd and systemd-resolved together provide a caching solution that has feature parity with nscd, with systemd-resolved covering the hosts cache and sssd the rest. The deprecation of nscd in Fedora signals our plan to stop providing this glibc sub-package in a future Fedora release and thus helps:

  • move the user base over to a more modern solution for named services caching, and
  • reduce maintenance work on the Fedora glibc package and the duplication of effort on nscd upstream.


Scope

  • Proposal owners:

The volume of work required is minimal, with the only change being the marking of the nscd sub-package offered by glibc with Provides: deprecated() and a comment explaining it in the spec file. Since nscd is not installed by default, the effect on the distribution will be minimal, even in the future with nscd possibly removed. Users who have installed nscd in an earlier release of Fedora will not be affected.

  • Other developers:

None.

In the future, when nscd is (possibly) removed, two dependent packages will be affected: nss-pam-ldapd has a weak dependency on nscd that will need to be removed, and libuser has a build dependency on nscd that will also need to be removed. Both changes appear to be easy, only involving a spec file edit.

  • Release engineering:

This change does not require coordination with or have impact on release engineering and does not require a mass rebuild.

  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

While this proposal does not match any of the current objectives, it is not opposed to any.

Upgrade/compatibility impact

Since the change is purely a deprecation, it will have no upgrade/compatibility impact.


How To Test

N/A (not a System Wide Change)

User Experience

This change will not enforce any change in user experience. However, upon upgrade to Fedora 34, system administrators who want to proactively respond to the deprecation might choose to configure sssd to cache named services if they were using nscd to do so in the past and want to be prepared for its possible removal/obsoletion in a future release.
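
An added example, not part of the proposal or of any Fedora tooling: a shell check an administrator could run before dropping nscd, reporting for each database nscd cached whether the replacement named in this proposal (systemd-resolved for hosts, sssd for the rest) appears in the nsswitch.conf lookup order. It assumes the NSS module names resolve and sss; the function names and the sample file are constructed for illustration, and a module being listed does not by itself show that sssd has a domain configured to serve that database.

```shell
#!/bin/sh
# Added example: does each database nscd cached have its proposed caching
# replacement in the nsswitch.conf lookup order?
NSCD_DATABASES="passwd group hosts services netgroup"   # per the proposal

# Assumption: "resolve" is systemd-resolved's NSS module, "sss" is sssd's.
expected_source() {
    case "$1" in hosts) echo resolve ;; *) echo sss ;; esac
}

# sources_for FILE DB: print DB's lookup sources, dropping [STATUS=action] items.
sources_for() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                                 # strip comments
        {
            c = index($0, ":"); if (c == 0) next
            name = substr($0, 1, c - 1); gsub(/[ \t]/, "", name)
            if (name != db) next
            n = split(substr($0, c + 1), tok, " ")
            out = ""; skip = 0
            for (i = 1; i <= n; i++) {
                if (substr(tok[i], 1, 1) == "[") skip = 1  # action spec starts
                if (!skip) out = out (out == "" ? "" : " ") tok[i]
                if (skip && substr(tok[i], length(tok[i])) == "]") skip = 0
            }
            print out
        }' "$1"
}

# check_db FILE DB: "ok" (replacement listed), "missing", or "unset" (no entry).
check_db() {
    want=$(expected_source "$2")
    srcs=$(sources_for "$1" "$2")
    [ -n "$srcs" ] || { echo unset; return; }
    case " $srcs " in *" $want "*) echo ok ;; *) echo missing ;; esac
}

# audit FILE: one report line per database nscd used to cache.
audit() {
    for db in $NSCD_DATABASES; do
        printf '%-9s %-8s want=%-8s have=%s\n' "$db" "$(check_db "$1" "$db")" \
            "$(expected_source "$db")" "$(sources_for "$1" "$db")"
    done
}

# write_sample FILE: constructed nsswitch.conf, not taken from a real host.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
passwd:     files sss
group:      files            # sss not listed
hosts:      files resolve [!UNAVAIL=return] myhostname dns
services:   files sss
EOF
}

SAMPLE=$(mktemp) && write_sample "$SAMPLE" && audit "$SAMPLE"
rm -f "$SAMPLE"
```

On a real host, call audit /etc/nsswitch.conf; any database reported as missing or unset will lose its cache once nscd is gone.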


Dependencies

None.


Contingency Plan

  • Contingency mechanism: Revert changes to glibc spec file and continue to ship nscd as a regularly supported sub-package.
  • Contingency deadline: Fedora 34 Beta Freeze
  • Blocks release? N/A (not a System Wide Change)
  • Blocks product? None

Documentation

N/A (not a System Wide Change)

Release Notes