[Freeipa-devel] [PATCH 0038] increase NSS memcache timeout for IPA server

Martin Basti mbasti at redhat.com
Tue Jun 30 07:47:01 UTC 2015


On 27/05/15 13:40, Martin Babinsky wrote:
> On 05/27/2015 01:33 PM, Lukas Slebodnik wrote:
>> On (27/05/15 13:25), Martin Babinsky wrote:
>>> https://fedorahosted.org/freeipa/ticket/4964
>>>
>>> -- 
>>> Martin^3 Babinsky
>>
>>> From ef8481ee0267a720551832baae9398b435b3c6c5 Mon Sep 17 00:00:00 2001
>>> From: Martin Babinsky <mbabinsk at redhat.com>
>>> Date: Tue, 26 May 2015 18:11:08 +0200
>>> Subject: [PATCH] increase NSS memcache timeout for IPA server
>>>
>>> Increasing memcache timeout to 600 seconds when configuring sssd on IPA server
>>> should improve performance when dealing with large groups in trusts.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4964
>>> ---
>>> ipa-client/ipa-install/ipa-client-install | 9 +++++++++
>>> 1 file changed, 9 insertions(+)
>>>
>>> diff --git a/ipa-client/ipa-install/ipa-client-install 
>>> b/ipa-client/ipa-install/ipa-client-install
>>> index 
>>> 63e3c9800791f3d29c977d63815c4291f5a235b9..ab3bc8a652dad01b9db5a26b877f38b850cb07f1 
>>> 100755
>>> --- a/ipa-client/ipa-install/ipa-client-install
>>> +++ b/ipa-client/ipa-install/ipa-client-install
>>> @@ -1274,6 +1274,15 @@ def configure_sssd_conf(fstore, cli_realm, 
>>> cli_domain, cli_server, options, clie
>>>          # the master should only use itself for Kerberos
>>>          domain.set_option('ipa_server', cli_server[0])
>>>
>>> +        # increase memcache timeout to 10 minutes when in server mode
>>> +        try:
>>> +            nss_service = sssdconfig.get_service('nss')
>>> +        except SSSDConfig.NoServiceError:
>>> +            nss_service = sssdconfig.new_service('nss')
>>> +
>>> +        nss_service.set_option('memcache_timeout', 600)
>>> +        sssdconfig.save_service(nss_service)
>>> +
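Review bot: In the added block, `nss_service.set_option('memcache_timeout', 600)` runs whether `get_service('nss')` returned an existing `[nss]` section or `new_service('nss')` created one, so a `memcache_timeout` that an administrator already set is silently replaced. Consider writing the value only when the option is absent or lower than the target, and give the 600 a named constant instead of repeating it in the comment. Since entries in the memory cache stay valid for this many seconds, the commit message should also note that identity and group changes can be served stale for up to 10 minutes on the server.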
>>
>> NACK
>>
>> It should not be set to such a high value for each client.
>>
>> It should be configured if and only if sssd is in the ipa-server mode
>> (trust with AD)
>>
>> LS
>>
> Lukas,
>
> it actually is set only when '--on-master' option is used, as can be 
> (hopefully) seen from the following code:
>
> """
>     if not options.on_master:
>         if options.primary:
>             domain.set_option('ipa_server', ', '.join(cli_server))
>         else:
>             domain.set_option('ipa_server', '_srv_, %s' % ', '.join(cli_server))
>     else:
>         domain.set_option('ipa_server_mode', 'True')
>         # the master should only use itself for Kerberos
>         domain.set_option('ipa_server', cli_server[0])
>
>         # increase memcache timeout to 10 minutes when in server mode
>         try:
>             nss_service = sssdconfig.get_service('nss')
>         except SSSDConfig.NoServiceError:
>             nss_service = sssdconfig.new_service('nss')
>
>         nss_service.set_option('memcache_timeout', 600)
>         sssdconfig.save_service(nss_service)
> """
>
ACK

-- 
Martin Basti
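
The condition agreed on in this thread (the 600-second `memcache_timeout` belongs only on a host whose domain has `ipa_server_mode` enabled) can be checked against an existing `sssd.conf`. The following is an added example, not code from the patch or from FreeIPA; the function name `audit_memcache_timeout`, the threshold constant and both sample configurations are constructed for illustration.

```python
import configparser

# Constructed sample configurations (not taken from a real host).
SERVER_CONF = """
[nss]
memcache_timeout = 600

[domain/example.test]
id_provider = ipa
ipa_server_mode = True
ipa_server = ipa1.example.test
"""

CLIENT_CONF = """
[nss]
memcache_timeout = 600

[domain/example.test]
id_provider = ipa
ipa_server = _srv_, ipa1.example.test
"""

SERVER_TIMEOUT = 600  # value the patch writes when --on-master is used


def audit_memcache_timeout(conf_text):
    """Return a list of findings; an empty list means the config is consistent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # Server mode is a per-domain option in [domain/<name>] sections.
    server_mode = any(
        cp.getboolean(s, "ipa_server_mode", fallback=False)
        for s in cp.sections() if s.startswith("domain/")
    )
    raw = cp.get("nss", "memcache_timeout", fallback=None)
    timeout = int(raw) if raw is not None else None
    findings = []
    if server_mode and timeout != SERVER_TIMEOUT:
        findings.append("server mode but memcache_timeout is %r" % timeout)
    # Assumption: on a plain client, anything at or above the server value is flagged.
    if not server_mode and timeout is not None and timeout >= SERVER_TIMEOUT:
        findings.append("plain client with memcache_timeout=%d" % timeout)
    return findings
```
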



