[Freeipa-devel] [PATCH 0038] increase NSS memcache timeout for IPA server
Martin Basti
mbasti at redhat.com
Tue Jun 30 07:47:01 UTC 2015
On 27/05/15 13:40, Martin Babinsky wrote:
> On 05/27/2015 01:33 PM, Lukas Slebodnik wrote:
>> On (27/05/15 13:25), Martin Babinsky wrote:
>>> https://fedorahosted.org/freeipa/ticket/4964
>>>
>>> --
>>> Martin^3 Babinsky
>>
>>> From ef8481ee0267a720551832baae9398b435b3c6c5 Mon Sep 17 00:00:00 2001
>>> From: Martin Babinsky <mbabinsk at redhat.com>
>>> Date: Tue, 26 May 2015 18:11:08 +0200
>>> Subject: [PATCH] increase NSS memcache timeout for IPA server
>>>
>>> Increasing memcache timeout to 600 seconds when configuring sssd on
>>> IPA server
>>> should improve performance when dealing with large groups in trusts.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4964
>>> ---
>>> ipa-client/ipa-install/ipa-client-install | 9 +++++++++
>>> 1 file changed, 9 insertions(+)
>>>
>>> diff --git a/ipa-client/ipa-install/ipa-client-install
>>> b/ipa-client/ipa-install/ipa-client-install
>>> index
>>> 63e3c9800791f3d29c977d63815c4291f5a235b9..ab3bc8a652dad01b9db5a26b877f38b850cb07f1
>>> 100755
>>> --- a/ipa-client/ipa-install/ipa-client-install
>>> +++ b/ipa-client/ipa-install/ipa-client-install
>>> @@ -1274,6 +1274,15 @@ def configure_sssd_conf(fstore, cli_realm,
>>> cli_domain, cli_server, options, clie
>>> # the master should only use itself for Kerberos
>>> domain.set_option('ipa_server', cli_server[0])
>>>
>>> + # increase memcache timeout to 10 minutes when in server mode
>>> + try:
>>> + nss_service = sssdconfig.get_service('nss')
>>> + except SSSDConfig.NoServiceError:
>>> + nss_service = sssdconfig.new_service('nss')
>>> +
>>> + nss_service.set_option('memcache_timeout', 600)
>>> + sssdconfig.save_service(nss_service)
>>> +
>>
>> NACK
>>
>> It should not be set to such high value for each client.
>>
>> It should be configured if and only if sssd is in the ipa-server mode
>> (trust with AD)
>>
>> LS
>>
> Lukas,
>
> it actually is set only when '--on-master' option is used, as can be
> (hopefully) seen from the following code:
>
> """
> if not options.on_master:
> if options.primary:
> domain.set_option('ipa_server', ', '.join(cli_server))
> else:
> domain.set_option('ipa_server', '_srv_, %s' % ',
> '.join(cli_server))
> else:
> domain.set_option('ipa_server_mode', 'True')
> # the master should only use itself for Kerberos
> domain.set_option('ipa_server', cli_server[0])
>
> # increase memcache timeout to 10 minutes when in server mode
> try:
> nss_service = sssdconfig.get_service('nss')
> except SSSDConfig.NoServiceError:
> nss_service = sssdconfig.new_service('nss')
>
> nss_service.set_option('memcache_timeout', 600)
> sssdconfig.save_service(nss_service)
> """
>
ACK
--
Martin Basti
More information about the Freeipa-devel
mailing list