Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Version: glibc-2.3.2-95.27
When the NSS subsystem parses the contents of /etc/nsswitch.conf, it
does so only once. While sufficient for short-lived processes, this
strategy is not appropriate for daemons. If the file has changed,
each daemon using the file must be either restarted, SIGHUP'ed, or
who knows what else -- because man pages typically do not document
how to force nsswitch.conf to reload. Apparently, /etc/nsswitch.conf
was deemed constant enough that it was not worth mentioning. Yet
occasionally it does change -- should the user be forced to reboot at
those times? (PAM faces the same issue, and re-reads its
configuration file each time.)
RedHat's own authconfig handles this issue by maintaining a built-in
list of daemons to restart, and when nsswitch.conf is modified,
restarts them. There is no public interface for additional daemons to
gain membership to this list, nor for other services which modify
nsswitch.conf to access the list. The drawback to authconfig's
approach is that the maintainer must be concerned about proper start-
up dependencies between daemons, new daemons, and the small time
interval when the daemon is off-line.
The enhancement I propose is that the NSS subsystem reload its
service_table if the nsswitch.conf has been modified since the last
time it was read. Optimization: to avoid frequent requests for the
file's last modification time, which is entirely unnecessary for
short-lived processes, I suggest omitting file system checks sooner
than 10 minutes since the last check.
The proposed change simplifies every daemon that uses NSS, makes
daemon restarts less necessary, simplifies authconfig, and simplifies
the issues for every sys admin who modifies nsswitch.conf.
That file will never be automatically reloaded. The file is not
supposed to be changed after the initial configuration and if it does,
better reboot and restart all relevant programs. I will not add any
code which penalizes normal operations.
All this can in general be avoided by using nscd. If nscd is used
only this one program needs to be restarted for the new setting to be
used. If you need to use change the nsswitch.conf setting for
services other than passwd, group, and hosts then this is something
else. The solution then might be to add support for these other
services to nscd.
So in summary, us nscd and never let programs directly use NSS services.
Now that we're out of the dark ages of 2004, and inotify is generally everywhere, can we re-open this and set an inotify trigger that re-reads the file if changes.
This doesn't help systems without inotify, but it will at least un-break 90% of the systems out there and make for a better user experience.
I'm reopening this bug to see if this can be solved for RHEL8.
RHEL8 currently ships authselect, which is a successor of authconfig. Both these tools configures nsswitch.conf per customer requirements. Given the current focus on Ansible and similar automation of system provisioning, it would be very nice to not require system reboot after nsswitch.conf is changed.
In addition, we hit an issue in authselect that requires at least systemd-logind to be restarted to allow authentication of remote users [1]. This is because we made pam_systemd for session phase required [2] instead of optional and of course without fetching changes in nsswitch.conf pam_systemd is not aware of users from newly added passwd modules. This can be worked around in authselect or systemd but it would only solve the issue for this one process. Doing this on glibc level would solve it globally.
Thank you for reconsideration.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1657295
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1643928
We're going to review this during the next development cycle. In general we have been moving certain services to support dynamic reloading via carefully considered semantics. For example we now reload /etc/resolv.conf for dyanmic network changes. In the case of NSS things are a little more complicated, we can't unload any existing services (so RSS goes up if you keep changing services) since they might currently be in use, but we could load new services and transition to using them (may require some slightly different structure for the locking). We will keep this issue updated with any progress, but it might not be until RHEL 9 that we get this fixed. The fix has to get accepted upstream first, and we will want to test it out thoroughly, stablize it, all before we consider inclusion in RHEL.
I want to clarify a few of the expected semantics when it comes to /etc/nsswitch.conf reloading.
There are two aspects to this problem:
(a) Reloading of /etc/nsswitch.conf upon change.
(b) Retrying NSS services which previously failed to load.
Note that (b) is critically important because there is a race where it may not be possible to guarantee that the nsswitch.conf is updated first before the listed module is finished being written to disk. Therefore we must manage both scenarios correctly, and consider their implications on an upstream solution.
Upstream patches are currently under review. We will consider backporting these changes once they become available upstream. Until then, this enhancement is only tracked upstream.
Given the life-cycle stage of Red Hat Enterprise Linux 8, we do not plan to address this issue.
In Red Hat Enterprise Linux 9, glibc automatically reloads /etc/nsswitch.conf and reacts to changes.