author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2023-07-11 23:43:27 +0200 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2024-06-28 18:51:56 +0200 |
commit | 28f1f1a5e652508d6e61ace8918e8b831e4b62b4 (patch) | |
tree | eac8fdb36611df8a88fcc5e8049ec6075c751878 /src/shared | |
parent | meson: Drop genkey target (diff) | |
Drop support for nscd
nscd is known to be racy [1] and it was already deprecated and later dropped in
Fedora a while back [1,2]. We don't need to support obsolete stuff in systemd,
and the cache in systemd-resolved provides a better solution anyway.
We announced the plan to drop nscd in d44934f3785ad9ca4aab757beb80a9b11ba4bc04.
[1] https://fedoraproject.org/wiki/Changes/DeprecateNSCD
[2] https://fedoraproject.org/wiki/Changes/RemoveNSCD
The option is kept as a stub without any effect to make the transition easier.
Diffstat (limited to 'src/shared')
-rw-r--r-- | src/shared/meson.build | 4 | ||||
-rw-r--r-- | src/shared/nscd-flush.c | 142 | ||||
-rw-r--r-- | src/shared/nscd-flush.h | 8 |
3 files changed, 0 insertions, 154 deletions
diff --git a/src/shared/meson.build b/src/shared/meson.build
index eac5b83972..b7ae5959e8 100644
--- a/src/shared/meson.build
+++ b/src/shared/meson.build
@@ -247,10 +247,6 @@ if conf.get('HAVE_PAM') == 1
 shared_sources += files('pam-util.c')
 endif
 
-if conf.get('ENABLE_NSCD') == 1
- shared_sources += files('nscd-flush.c')
-endif
-
 if conf.get('HAVE_LIBFIDO2') == 1 and conf.get('HAVE_LIBCRYPTSETUP') == 1
 shared_sources += files('cryptsetup-fido2.c')
 endif
diff --git a/src/shared/nscd-flush.c b/src/shared/nscd-flush.c
deleted file mode 100644
index 3d47ae3655..0000000000
--- a/src/shared/nscd-flush.c
+++ /dev/null
@@ -1,142 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1-or-later */
-
-#include <fcntl.h>
-#include <poll.h>
-
-#include "fd-util.h"
-#include "io-util.h"
-#include "nscd-flush.h"
-#include "socket-util.h"
-#include "strv.h"
-#include "time-util.h"
-
-#define NSCD_FLUSH_CACHE_TIMEOUT_USEC (5*USEC_PER_SEC)
-
-struct nscdInvalidateRequest {
- int32_t version;
- int32_t type; /* in glibc this is an enum. We don't replicate this here 1:1. Also, wtf, how unportable is that
- * even? */
- int32_t key_len;
- char dbname[];
-};
-
-static int nscd_flush_cache_one(const char *database, usec_t end) {
- size_t req_size, has_written = 0, has_read = 0, l;
- struct nscdInvalidateRequest *req;
- _cleanup_close_ int fd = -EBADF;
- int32_t resp;
- int events, r;
-
- assert(database);
-
- l = strlen(database);
- req_size = offsetof(struct nscdInvalidateRequest, dbname) + l + 1;
-
- req = alloca_safe(req_size);
- *req = (struct nscdInvalidateRequest) {
- .version = 2,
- .type = 10,
- .key_len = l + 1,
- };
-
- strcpy(req->dbname, database);
-
- fd = socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
- if (fd < 0)
- return log_debug_errno(errno, "Failed to allocate nscd socket: %m");
-
- /* Note: connect() returns EINPROGRESS if O_NONBLOCK is set and establishing a connection takes time. The
- * kernel lets us know this way that the connection is now being established, and we should watch with poll()
- * to learn when it is fully established. That said, AF_UNIX on Linux never triggers this IRL (connect() is
- * always instant on AF_UNIX), hence handling this is mostly just an exercise in defensive, protocol-agnostic
- * programming.
- *
- * connect() returns EAGAIN if the socket's backlog limit has been reached. When we see this we give up right
- * away, after all this entire function here is written in a defensive style so that a non-responding nscd
- * doesn't stall us for good. (Even if we wanted to handle this better: the Linux kernel doesn't really have a
- * nice way to connect() to a server synchronously with a time limit that would also cover dealing with the
- * backlog limit. After all SO_RCVTIMEO and SR_SNDTIMEO don't apply to connect(), and alarm() is frickin' ugly
- * and not really reasonably usable from threads-aware code.) */
- r = connect_unix_path(fd, AT_FDCWD, "/run/nscd/socket");
- if (r < 0) {
- if (r == -EAGAIN)
- return log_debug_errno(r, "nscd is overloaded (backlog limit reached) and refuses to take further connections: %m");
- if (r != -EINPROGRESS)
- return log_debug_errno(r, "Failed to connect to nscd socket: %m");
-
- /* Continue in case of EINPROGRESS, but don't bother with send() or recv() until being notified that
- * establishing the connection is complete. */
- events = 0;
- } else
- events = POLLIN|POLLOUT; /* Let's assume initially that we can write and read to the fd, to suppress
- * one poll() invocation */
- for (;;) {
- usec_t p;
-
- if (events & POLLOUT) {
- ssize_t m;
-
- assert(has_written < req_size);
-
- m = send(fd, (uint8_t*) req + has_written, req_size - has_written, MSG_NOSIGNAL);
- if (m < 0) {
- if (errno != EAGAIN) /* Note that EAGAIN is returned by the kernel whenever it can't
- * take the data right now, and that includes if the connect() is
- * asynchronous and we saw EINPROGRESS on it, and it hasn't
- * completed yet. */
- return log_debug_errno(errno, "Failed to write to nscd socket: %m");
- } else
- has_written += m;
- }
-
- if (events & (POLLIN|POLLERR|POLLHUP)) {
- ssize_t m;
-
- if (has_read >= sizeof(resp))
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Response from nscd longer than expected.");
-
- m = recv(fd, (uint8_t*) &resp + has_read, sizeof(resp) - has_read, 0);
- if (m < 0) {
- if (errno != EAGAIN)
- return log_debug_errno(errno, "Failed to read from nscd socket: %m");
- } else if (m == 0) { /* EOF */
- if (has_read == 0 && has_written >= req_size) /* Older nscd immediately terminated the
- * connection, accept that as OK */
- return 1;
-
- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "nscd prematurely ended connection.");
- } else
- has_read += m;
- }
-
- if (has_written >= req_size && has_read >= sizeof(resp)) { /* done? */
- if (resp < 0)
- return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), "nscd sent us a negative error number: %i", resp);
- if (resp > 0)
- return log_debug_errno(resp, "nscd return failure code on invalidating '%s'.", database);
- return 1;
- }
-
- p = now(CLOCK_MONOTONIC);
- if (p >= end)
- return -ETIMEDOUT;
-
- events = fd_wait_for_event(fd, POLLIN | (has_written < req_size ? POLLOUT : 0), end - p);
- if (events < 0)
- return events;
- }
-}
-
-int nscd_flush_cache(char **databases) {
- int r = 0;
-
- /* Tries to invalidate the specified database in nscd. We do this carefully, with a 5s timeout,
- * so that we don't block indefinitely on another service. */
-
- usec_t end = usec_add(now(CLOCK_MONOTONIC), NSCD_FLUSH_CACHE_TIMEOUT_USEC);
-
- STRV_FOREACH(i, databases)
- RET_GATHER(r, nscd_flush_cache_one(*i, end));
-
- return r;
-}
diff --git a/src/shared/nscd-flush.h b/src/shared/nscd-flush.h
deleted file mode 100644
index dac223e658..0000000000
--- a/src/shared/nscd-flush.h
+++ /dev/null
@@ -1,8 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1-or-later */
-#pragma once
-
-#if ENABLE_NSCD
-int nscd_flush_cache(char **databases);
-#else
-static inline void nscd_flush_cache(char **databases) {}
-#endif |