Hi Aurelien
On 07.09.21 at 12:41, Aurelien Jarno wrote:
> Hi,
> 
> On 2021-09-07 10:39, Michael Hudson-Doyle wrote:
>> What's happening is that systemd is running with the old glibc, forks and
>> then does NSS things that cause the new glibc's NSS modules to load and
>> they don't necessarily work, leading to failures in any unit that specifies
>> User=. At least for Ubuntu's builds the NSS modules seem to be ABI
>> compatible between 2.32 and 2.33 (I didn't try 2.31 vs 2.32) but they are
>> definitely not between 2.33 and 2.34.
> 
> Thanks for this feedback and the pointer to the patch used in Ubuntu. It
> seems to be a good solution, and matches what is done for other init
> systems.
> 
> On the other hand, the problem is supposed to only happen for major
> glibc version upgrades where the NSS modules might have a different ABI.
> In that regard, I would be tempted to restart it only for major version
> upgrades like it's done for other daemons. Now if the systemd maintainers
> consider it's fine restarting it for each glibc upgrade, we should
> probably go that way.
I guess you are in a better position to make a judgement call here. If I 
read the glibc bug report correctly, there aren't strictly any 
guarantees regarding NSS modules. What that means for glibc minor 
updates, I'm not really in a position to tell.
I think in practice minor version updates are probably going to be fine here, but also I think careful reexecing on every update is also likely to be fine in practice.
If you wanted to be suuuppppeeeerrr paranoid, I guess you could embed in the glibc postinst knowledge of which prior versions have binary-compatible NSS modules but that seems like a lot of work for not much benefit (would you only have to care about nss_files compatibility, or the full set?).
 
Fwiw, I don't have a better proposal than Michael's patch he added to 
Ubuntu. We could run with that and if it causes problems, reiterate on it.
Yeah, the point where we start to offer updates to 21.10 will at the least provide some data on how safe Ubuntu's approach is...
Cheers,
mwh
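
The two policies weighed in this thread (re-exec systemd on every glibc upgrade, or only when the upstream release changes, e.g. 2.33 to 2.34), sketched as postinst-style shell. This is an added example, not the Ubuntu patch or any Debian packaging code; the function names, the `series` policy label and `NEW_VERSION` are hypothetical.

```shell
#!/bin/sh
# Added example (not the Ubuntu patch): decide whether PID 1 should be
# re-executed after a glibc upgrade so it stops loading NSS modules
# built for a different glibc than the one it is running with.

# Reduce a package version to its upstream "major.minor" release,
# e.g. 1:2.31.1-3 -> 2.31, 2.33-0ubuntu5 -> 2.33.
glibc_series() {
    v=${1#*:}                   # drop epoch, if any
    v=${v%%-*}                  # drop packaging revision
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%[!0-9]*}      # keep leading digits only
    printf '%s.%s\n' "$major" "$minor"
}

# Return 0 if systemd should be re-executed, 1 otherwise.
# $1 = previously configured version (the postinst's "$2")
# $2 = version being configured
# $3 = policy: "always" (every upgrade) or "series" (major.minor changed)
needs_reexec() {
    old=$1 new=$2 policy=${3:-always}
    [ -n "$old" ] || return 1            # fresh install, nothing to fix up
    [ "$old" != "$new" ] || return 1     # reconfigure of the same version
    case $policy in
        series) [ "$(glibc_series "$old")" != "$(glibc_series "$new")" ] ;;
        *)      return 0 ;;              # "always" or unknown: re-exec
    esac
}

# Re-exec PID 1 only if systemd is the running init; a failed re-exec is
# reported but does not fail the package upgrade (a choice made here).
reexec_pid1() {
    [ -d /run/systemd/system ] || return 0
    systemctl daemon-reexec || echo "warning: systemd re-exec failed" >&2
}

# Hypothetical postinst usage (NEW_VERSION supplied by the packaging):
#   if [ "$1" = configure ] && needs_reexec "$2" "$NEW_VERSION" series; then
#       reexec_pid1
#   fi
```

The `series` policy encodes the assumption discussed above that NSS modules stay compatible within one upstream release; `always` makes no such assumption.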