Last updated 2020-01-16
Nsscash (a pun on cache) is a simple file-based cache for NSS similar to nsscache. The goal is to distribute users/groups/etc. to multiple systems without having to rely on a (single) stable server. Traditional systems like LDAP or NIS require a stable server or users/groups cannot be resolved. By distributing the data to all systems, temporary outages of the server cause no issues on the clients. In addition the local storage is much faster than remote network access. To update the local caches polling via HTTP/HTTPS is performed, for example every minute, only downloading new data if anything has changed.
Nsscash consists of two parts: nsscash, written in Go, which downloads files via HTTP or HTTPS, parses them, creates indices and writes the result to a local file. The second part is the NSS module (libnss_cash.so.2), written in C, which provides integration via /etc/nsswitch.conf. It’s specifically designed to be very simple and uses the data prepared by nsscash for lookups. To support quick lookups, in O(log n), the files utilize indices.
Nsscash can also be used separately from the NSS module to deploy arbitrary files to many hosts and keep them up-to-date.
Nsscash is very careful when deploying the changes (see the README for details) and has an extensive test suite.
Nsscash is licensed under AGPL version 3 or later.
Go, for nsscash
github.com/pkg/errors
github.com/BurntSushi/toml
C compiler, for libnss_cash.so.2
HTTP(S) server to provide the passwd/group/etc. files
NSS module is only supported on Little-endian systems (for now)
Tested on Debian Buster, but should work on any GNU/Linux system. With adaptations to the NSS module it should work on any UNIX-like system which uses NSS.
An example configuration file looks like this:
statepath = "/var/lib/nsscash/state.json"
[[file]]
type = "passwd"
url = "https://example.org/passwd"
path = "/etc/passwd.nsscash"
[[file]]
type = "group"
url = "https://example.org/group"
path = "/etc/group.nsscash"
# Optional, but useful to deploy files which are not supported by the
# nsscash NSS module, but by libc's "files" NSS module. nsscash takes care
# of the atomic replacement and updates; a "netgroup: files" entry in
# "/etc/nsswitch.conf" makes the netgroups available.
[[file]]
type = "plain"
url = "https://example.org/netgroup"
path = "/etc/netgroup"
This config fetches the passwd, group, netgroup files from https://example.org/ and writes the result to /etc/.
After manually creating the target paths (to prevent permission issues nsscash won’t create new files) run nsscash fetch /path/to/config/nsscash.toml to fetch the files.
To use the users/groups provided by nsscash configure the NSS service in /etc/nsswitch.conf:
passwd: files cash
group: files cash
[...]
# Optional
netgroup: files
Support for client certificates and basic auth is available. See the README for more detailed instructions, full descriptions of all available options and background information.
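The deployment behaviour described on this page (existing targets only, atomic replacement, fsync on the directory after the rename) can be sketched in Go as follows. This is an added example, not nsscash's own code; the function name deployFile, the temporary-file prefix and carrying over only the permission bits are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// deployFile (hypothetical name) atomically replaces the existing regular
// file at path with data, keeping only its permission bits (an assumption).
func deployFile(path string, data []byte) error {
	st, err := os.Lstat(path)
	if err != nil { // never create new files; the admin pre-creates targets
		return fmt.Errorf("target must already exist: %w", err)
	}
	if !st.Mode().IsRegular() {
		return errors.New("target is not a regular file")
	}
	dir := filepath.Dir(path) // temp file lives beside the target (same file system)
	tmp, err := os.CreateTemp(dir, ".deploy-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // cleanup on error; a no-op after the rename
	defer tmp.Close()
	if err = tmp.Chmod(st.Mode().Perm()); err != nil {
		return err
	}
	if _, err = tmp.Write(data); err != nil {
		return err
	}
	if err = tmp.Sync(); err != nil { // content on disk before it is visible
		return err
	}
	if err = os.Rename(tmp.Name(), path); err != nil {
		return err
	}
	d, err := os.Open(dir)
	if err != nil {
		return err
	}
	defer d.Close()
	return d.Sync() // fsync the directory so the rename itself is durable
}

func main() { // constructed demo: the target does not exist, so it is refused
	fmt.Println(deployFile("/nonexistent/passwd.nsscash", []byte("demo\n")))
}
```

Readers of the target always see either the complete old file or the complete new one, because the content only becomes visible through the rename.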
Current development happens in the git repository (also browsable as Gitweb):
git clone https://ruderich.org/simon/nsscash/nsscash.git
Version 0.2 (2020-01-16):
Future proofing to guarantee durability on file systems with laxer consistency guarantees (call fsync on directory after rename)
Update dependencies
Download: nsscash-0.2.tar.gz, nsscash-0.2.tar.gz.asc
Version 0.1 (2019-12-15):
First release
Download: nsscash-0.1.tar.gz, nsscash-0.1.tar.gz.asc