guix-devel
Name service switch configuration


From: Ludovic Courtès
Subject: Name service switch configuration
Date: Wed, 04 Feb 2015 23:00:25 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (gnu/linux)

Hello Guix!

Commit 996ed73 adds support to configure libc’s name service switch
(NSS).  To enable something like nss-mdns (for the resolution of
‘.local’ names), one needs two things:

  1. Add this snippet to the ‘operating-system’ declaration:

     (name-service-switch (name-service-switch
                            (hosts (list %files
                                         (name-service
                                           (name "mdns_minimal")
                                           (reaction (lookup-specification
                                                      (not-found => return))))
                                         (name-service
                                           (name "dns"))
                                         (name-service
                                           (name "mdns"))))))

   2. Arrange to have ‘nscd-service’ called with:

        #:name-services (list nss-mdns)

And that works!

The reason to have complete bindings for nsswitch.conf, as opposed to
letting users write nsswitch.conf snippets directly, is that it’s
hopefully nicer to work with, allows for static checking, and is
inexpensive in terms of maintenance since the NSS interface is
essentially frozen.

However!  Currently, step #2 is absurdly difficult.  The ‘nscd-service’
call is buried in ‘%base-services’, so one needs to either expand
‘%base-services’, simply modifying the ‘nscd-service’ call to have the
required argument, or to maintain a local modification in (gnu system
base).  This sucks.

The solution to that will be to make service instances declarative (as
opposed to being a list of opaque monadic values as is currently the
case.)  That will allow users to, say, map/filter over ‘%base-services’
and change the options as they see fit.  I’ll try to come up with a
proposal for that soon, but ideas are welcome.

Below is the NSS documentation from the manual.

Comments welcome!

Ludo’.


6.2.9 Name Service Switch
-------------------------

The ‘(gnu system nss)’ module provides bindings to the configuration
file of libc’s "name service switch" or "NSS" (*note (libc)NSS
Configuration File::).  In a nutshell, the NSS is a mechanism that
allows libc to be extended with new “name” lookup methods for system
databases, which includes host names, service names, user accounts, and
more (*note System Databases and Name Service Switch: (libc)Name Service
Switch.).

   The NSS configuration specifies, for each system database, which
lookup method is to be used, and how the various methods are chained
together—for instance, under which circumstances NSS should try the next
method in the list.  The NSS configuration is given in the
‘name-service-switch’ field of ‘operating-system’ declarations (*note
‘name-service-switch’: operating-system Reference.).

   As an example, the declaration below configures the NSS to use the
‘nss-mdns’ back-end for host name lookups:

     (name-service-switch
        (hosts (list %files    ;first, check /etc/hosts

                     ;; If the above did not succeed, try
                     ;; with 'mdns_minimal'.
                     (name-service
                       (name "mdns_minimal")

                       ;; 'mdns_minimal' is authoritative for
                       ;; '.local'.  When it returns "not found",
                       ;; no need to try the next methods.
                       (reaction (lookup-specification
                                  (not-found => return))))

                     ;; Then fall back to DNS.
                     (name-service
                       (name "dns"))

                     ;; Finally, try with the "full" 'mdns'.
                     (name-service
                       (name "mdns")))))

   The reference for name service switch configuration is given below.
It is a direct mapping of the C library’s configuration file format, so
please refer to the C library manual for more information (*note
(libc)NSS Configuration File::).  Compared to libc’s NSS configuration
file format, it has the advantage not only of adding this warm
parenthetic feel that we like, but also static checks: you’ll know about
syntax errors and typos as soon as you run ‘guix system’.

 -- Scheme Variable: %default-nss
     This is the default name service switch configuration, a
     ‘name-service-switch’ object.

 -- Data Type: name-service-switch

     This is the data type representing the configuration of libc’s
     name service switch (NSS). Each field below represents one of the
     supported system databases.

     ‘aliases’
     ‘ethers’
     ‘group’
     ‘gshadow’
     ‘hosts’
     ‘initgroups’
     ‘netgroup’
     ‘networks’
     ‘password’
     ‘public-key’
     ‘rpc’
     ‘services’
     ‘shadow’
          The system databases handled by the NSS. Each of these fields
          must be a list of ‘<name-service>’ objects (see below.)

 -- Data Type: name-service

     This is the data type representing an actual name service and the
     associated lookup action.

     ‘name’
          A string denoting the name service (*note (libc)Services in
          the NSS configuration::).

          Note that name services listed here must be visible to nscd.
          This is achieved by passing, as the ‘#:name-services’ argument
          to ‘nscd-service’, the list of packages providing the needed
          name services (*note ‘nscd-service’: Base Services.).

     ‘reaction’
          An action specified using the ‘lookup-specification’ macro
          (*note (libc)Actions in the NSS configuration::).  For
          example:

               (lookup-specification (unavailable => continue)
                                     (success => return))
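
Added example, not part of the original message or of Guix: a small Python checker for the libc nsswitch.conf line that the ‘hosts’ declaration above maps to, showing the kind of static check described (a typo in a status or action is rejected) and how ‘[NOTFOUND=return]’ cuts the lookup chain short. The function names and the sample line are constructed for illustration; the default reactions are those documented for libc (return on success, continue otherwise).

```python
import re

STATUSES = ("success", "notfound", "unavail", "tryagain")
ACTIONS = ("return", "continue")
# libc defaults: stop on success, otherwise try the next service.
DEFAULTS = {"success": "return", "notfound": "continue",
            "unavail": "continue", "tryagain": "continue"}

def parse_line(line):
    """Parse 'db: svc [STATUS=action ...] svc ...' into (db, [(svc, reactions)])."""
    line = line.split("#", 1)[0].strip()
    db, sep, rest = line.partition(":")
    if not sep or not db.strip():
        raise ValueError("expected 'database: service ...'")
    chain = []
    for token in re.findall(r"\[[^\]]*\]|\S+", rest):
        if not token.startswith("["):
            if not re.fullmatch(r"\w+", token):
                raise ValueError("bad service name %r" % token)
            chain.append((token, dict(DEFAULTS)))
            continue
        if not chain:
            raise ValueError("reaction %s precedes any service" % token)
        for item in token[1:-1].split():
            status, eq, action = item.lower().partition("=")
            negate = status.startswith("!")
            status = status.lstrip("!")
            if not eq or status not in STATUSES or action not in ACTIONS:
                raise ValueError("bad reaction item %r" % item)
            # '!STATUS=action' applies the action to every other status.
            targets = [s for s in STATUSES if s != status] if negate else [status]
            for s in targets:
                chain[-1][1][s] = action
    if not chain:
        raise ValueError("no services listed")
    return db.strip(), chain

def consulted(chain, outcomes):
    """Services tried, in order, given each service's lookup status."""
    tried = []
    for service, reactions in chain:
        tried.append(service)
        if reactions[outcomes.get(service, "unavail")] == "return":
            break
    return tried

# Constructed input: nsswitch.conf form of the 'hosts' declaration above.
HOSTS_LINE = "hosts: files mdns_minimal [NOTFOUND=return] dns mdns"
```

With this line, a name that ‘mdns_minimal’ reports as not found is never passed on to ‘dns’, whereas an unavailable ‘mdns_minimal’ lets the lookup fall through to ‘dns’.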
