On Wed, 8 Sept 2021 at 07:04, Michael Biebl <bi...@debian.org> wrote:
> Hi Aurelien
>
> On 07.09.21 at 12:41, Aurelien Jarno wrote:
> > Hi,
> >
> > On 2021-09-07 10:39, Michael Hudson-Doyle wrote:
> > >> What's happening is that systemd is running with the old glibc, forks and
> > >> then does NSS things that cause the new glibc's NSS modules to load and
> > >> they don't necessarily work, leading to failures in any unit that specifies
> > >> User=. At least for Ubuntu's builds the NSS modules seem to be ABI
> > >> compatible between 2.32 and 2.33 (I didn't try 2.31 vs 2.32) but they are
> > >> definitely not between 2.33 and 2.34.
> >
> > Thanks for this feedback and the pointer to the patch used in Ubuntu. It
> > seems to be a good solution, and matches what is done for other init
> > systems.
> >
> > On the other hand, the problem is supposed to only happen for major
> > glibc version upgrade where the NSS modules might have a different ABI.
> > In that regard, I would be tempted to restart it only for major versions
> > upgrade like it's done for other daemons. Now if the systemd maintainers
> > consider it's fine restarting it for each glibc upgrade, we should
> > probably go that way.
>
> I guess you are in a better position to make a judgement call here. If I
> read the glibc bug report correctly, there aren't strictly any
> guarantees regarding NSS modules. What that means for glibc minor
> updates, I'm not really in a position to tell.
>

I think in practice minor version updates are probably going to be fine here, but also I think careful reexecing on every update is also likely to be fine in practice. If you wanted to be suuuppppeeeerrr paranoid, I guess you could embed in the glibc postinst knowledge of which prior versions have binary-compatible NSS modules but that seems like a lot of work for not much benefit (would you only have to care about nss_files compatibility, or the full set?).

> Fwiw, I don't have a better proposal than Michael's patch he added to
> Ubuntu. We could run with that and if it causes problems, reiterate on it.
>

Yeah, the point where we start to offer updates to 21.10 will at the least provide some data on how safe Ubuntu's approach is...

Cheers,
mwh
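
Added example, not part of the original message and not the Ubuntu or Debian patch: a sketch of the two policies discussed in this thread (re-exec systemd on every glibc upgrade, or only when the upstream major.minor series changes). The function names and the policy keywords `always` and `series` are hypothetical, and it assumes the postinst is handed the previously configured version as its second argument.

```shell
#!/bin/sh
# Hypothetical helpers for a libc postinst; version strings used with them
# in examples are constructed samples.

# Reduce a Debian version to its upstream major.minor series:
# "1:2.31-13+deb11u2" -> "2.31", "2.33-0ubuntu5" -> "2.33".
upstream_series() {
    v=${1#*:}        # drop an epoch, if any
    v=${v%%-*}       # drop the Debian revision
    printf '%s\n' "$v" | cut -d. -f1,2
}

# needs_reexec POLICY OLD NEW
# Returns 0 when PID 1 should be re-executed, 1 when not, 2 on bad policy.
needs_reexec() {
    policy=$1 old=$2 new=$3
    # Fresh install: no process can hold an older glibc from this package.
    if [ -z "$old" ]; then
        return 1
    fi
    case "$policy" in
        always)
            return 0 ;;
        series)
            # Only an upstream series change (e.g. 2.33 -> 2.34) counts.
            if [ "$(upstream_series "$old")" != "$(upstream_series "$new")" ]; then
                return 0
            fi
            return 1 ;;
        *)
            echo "unknown policy: $policy" >&2
            return 2 ;;
    esac
}

# Re-exec only when systemd is actually PID 1; /run/systemd/system exists
# only on systems booted with systemd.
reexec_systemd() {
    if [ -d /run/systemd/system ]; then
        systemctl daemon-reexec || echo "systemctl daemon-reexec failed" >&2
    fi
}
```

In a postinst this would be driven as `needs_reexec always "$2" "$new_version" && reexec_systemd`, where `new_version` is a hypothetical variable holding the version being configured.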