[Freeipa-devel] [PATCH 0038] increase NSS memcache timeout for IPA server
Tomas Babej
tbabej at redhat.com
Tue Jun 30 10:51:12 UTC 2015
On 06/30/2015 09:47 AM, Martin Basti wrote:
> On 27/05/15 13:40, Martin Babinsky wrote:
>> On 05/27/2015 01:33 PM, Lukas Slebodnik wrote:
>>> On (27/05/15 13:25), Martin Babinsky wrote:
>>>> https://fedorahosted.org/freeipa/ticket/4964
>>>>
>>>> --
>>>> Martin^3 Babinsky
>>>
>>>> From ef8481ee0267a720551832baae9398b435b3c6c5 Mon Sep 17 00:00:00 2001
>>>> From: Martin Babinsky <mbabinsk at redhat.com>
>>>> Date: Tue, 26 May 2015 18:11:08 +0200
>>>> Subject: [PATCH] increase NSS memcache timeout for IPA server
>>>>
>>>> Increasing memcache timeout to 600 seconds when configuring sssd on
>>>> IPA server
>>>> should improve performance when dealing with large groups in trusts.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4964
>>>> ---
>>>> ipa-client/ipa-install/ipa-client-install | 9 +++++++++
>>>> 1 file changed, 9 insertions(+)
>>>>
>>>> diff --git a/ipa-client/ipa-install/ipa-client-install
>>>> b/ipa-client/ipa-install/ipa-client-install
>>>> index
>>>> 63e3c9800791f3d29c977d63815c4291f5a235b9..ab3bc8a652dad01b9db5a26b877f38b850cb07f1
>>>> 100755
>>>> --- a/ipa-client/ipa-install/ipa-client-install
>>>> +++ b/ipa-client/ipa-install/ipa-client-install
>>>> @@ -1274,6 +1274,15 @@ def configure_sssd_conf(fstore, cli_realm,
>>>> cli_domain, cli_server, options, clie
>>>> # the master should only use itself for Kerberos
>>>> domain.set_option('ipa_server', cli_server[0])
>>>>
>>>> + # increase memcache timeout to 10 minutes when in server mode
>>>> + try:
>>>> + nss_service = sssdconfig.get_service('nss')
>>>> + except SSSDConfig.NoServiceError:
>>>> + nss_service = sssdconfig.new_service('nss')
>>>> +
>>>> + nss_service.set_option('memcache_timeout', 600)
>>>> + sssdconfig.save_service(nss_service)
>>>> +
>>>
>>> NACK
>>>
>>> It should not be set to such high value for each client.
>>>
>>> It should be configured if and only if sssd is in the ipa-server mode
>>> (trust with AD)
>>>
>>> LS
>>>
>> Lukas,
>>
>> it actually is set only when '--on-master' option is used, as can be
>> (hopefully) seen from the following code:
>>
>> """
>> if not options.on_master:
>> if options.primary:
>> domain.set_option('ipa_server', ', '.join(cli_server))
>> else:
>> domain.set_option('ipa_server', '_srv_, %s' % ',
>> '.join(cli_server))
>> else:
>> domain.set_option('ipa_server_mode', 'True')
>> # the master should only use itself for Kerberos
>> domain.set_option('ipa_server', cli_server[0])
>>
>> # increase memcache timeout to 10 minutes when in server mode
>> try:
>> nss_service = sssdconfig.get_service('nss')
>> except SSSDConfig.NoServiceError:
>> nss_service = sssdconfig.new_service('nss')
>>
>> nss_service.set_option('memcache_timeout', 600)
>> sssdconfig.save_service(nss_service)
>> """
>>
> ACK
>
Pushed to master: 90788a25d6d54b084541336a83946d37a73076ef
More information about the Freeipa-devel
mailing list