[Freeipa-devel] [PATCH 0038] increase NSS memcache timeout for IPA server

Tomas Babej tbabej at redhat.com
Tue Jun 30 10:51:12 UTC 2015 


On 06/30/2015 09:47 AM, Martin Basti wrote:
> On 27/05/15 13:40, Martin Babinsky wrote:
>> On 05/27/2015 01:33 PM, Lukas Slebodnik wrote:
>>> On (27/05/15 13:25), Martin Babinsky wrote:
>>>> https://fedorahosted.org/freeipa/ticket/4964
>>>>
>>>> -- 
>>>> Martin^3 Babinsky
>>>
>>>> From ef8481ee0267a720551832baae9398b435b3c6c5 Mon Sep 17 00:00:00 2001
>>>> From: Martin Babinsky <mbabinsk at redhat.com>
>>>> Date: Tue, 26 May 2015 18:11:08 +0200
>>>> Subject: [PATCH] increase NSS memcache timeout for IPA server
>>>>
>>>> Increasing memcache timeout to 600 seconds when configuring sssd on
>>>> IPA server
>>>> should improve performance when dealing with large groups in trusts.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4964
>>>> ---
>>>> ipa-client/ipa-install/ipa-client-install | 9 +++++++++
>>>> 1 file changed, 9 insertions(+)
>>>>
>>>> diff --git a/ipa-client/ipa-install/ipa-client-install
>>>> b/ipa-client/ipa-install/ipa-client-install
>>>> index
>>>> 63e3c9800791f3d29c977d63815c4291f5a235b9..ab3bc8a652dad01b9db5a26b877f38b850cb07f1
>>>> 100755
>>>> --- a/ipa-client/ipa-install/ipa-client-install
>>>> +++ b/ipa-client/ipa-install/ipa-client-install
>>>> @@ -1274,6 +1274,15 @@ def configure_sssd_conf(fstore, cli_realm,
>>>> cli_domain, cli_server, options, clie
>>>>          # the master should only use itself for Kerberos
>>>>          domain.set_option('ipa_server', cli_server[0])
>>>>
>>>> +        # increase memcache timeout to 10 minutes when in server mode
>>>> +        try:
>>>> +            nss_service = sssdconfig.get_service('nss')
>>>> +        except SSSDConfig.NoServiceError:
>>>> +            nss_service = sssdconfig.new_service('nss')
>>>> +
>>>> +        nss_service.set_option('memcache_timeout', 600)
>>>> +        sssdconfig.save_service(nss_service)
>>>> +
>>>
>>> NACK
>>>
>>> It should not be set to such high value for each client.
>>>
>>> It should be configured if and only if sssd is in the ipa-server mode
>>> (trust with AD)
>>>
>>> LS
>>>
>> Lukas,
>>
>> it actually is set only when '--on-master' option is used, as can be
>> (hopefully) seen from the following code:
>>
>> """
>>     if not options.on_master:
>>         if options.primary:
>>             domain.set_option('ipa_server', ', '.join(cli_server))
>>         else:
>>             domain.set_option('ipa_server', '_srv_, %s' % ',
>> '.join(cli_server))
>>     else:
>>         domain.set_option('ipa_server_mode', 'True')
>>         # the master should only use itself for Kerberos
>>         domain.set_option('ipa_server', cli_server[0])
>>
>>         # increase memcache timeout to 10 minutes when in server mode
>>         try:
>>             nss_service = sssdconfig.get_service('nss')
>>         except SSSDConfig.NoServiceError:
>>             nss_service = sssdconfig.new_service('nss')
>>
>>         nss_service.set_option('memcache_timeout', 600)
>>         sssdconfig.save_service(nss_service)
>> """
>>
> ACK
> 

Pushed to master: 90788a25d6d54b084541336a83946d37a73076ef

More information about the Freeipa-devel mailing list