From 39b627e612ab54d1e8cb58777d3064e9feb6c86f Mon Sep 17 00:00:00 2001 From: Tomas Halman Date: Thu, 14 Dec 2023 09:06:40 +0100 Subject: [PATCH 1/2] Use LDB_NOSYNC to make domain cache faster Using LDB_NOSYNC option significantly improves the cache performance. However, it still uses the cache recovery area, so the cache is still resilient when using this option even if SSSD is forcibly terminated. There is small chance that cache become inconsistent, when computer is unexpectedly switched off while transaction is being written to cache file. :config: New option 'cache_in_memory_transaction' to use fast transaction and improve cache performance. --- src/confdb/confdb.c | 8 ++++++++ src/confdb/confdb.h | 2 ++ src/config/SSSDConfig/sssdoptions.py | 1 + src/config/SSSDConfigTest.py | 6 ++++-- src/config/cfg_rules.ini | 1 + src/config/etc/sssd.api.conf | 1 + src/db/sysdb_init.c | 9 +++++++-- src/man/sssd.conf.5.xml | 24 ++++++++++++++++++++++++ 8 files changed, 48 insertions(+), 4 deletions(-) diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index b4d133a2c80..e1dbc6737d1 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1017,6 +1017,14 @@ static errno_t confdb_init_domain(struct sss_domain_info *domain, goto done; } + ret = get_entry_as_bool(res->msgs[0], &domain->cache_in_memory_transactions, + CONFDB_DOMAIN_CACHE_IN_MEMORY_TRANSACTIONS, 0); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Invalid value for %s\n", CONFDB_DOMAIN_CACHE_IN_MEMORY_TRANSACTIONS); + goto done; + } + ret = get_entry_as_uint32(res->msgs[0], &domain->override_gid, CONFDB_DOMAIN_OVERRIDE_GID, 0); if (ret != EOK) { diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 39f4ab63d3e..7513f057fe9 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -270,6 +270,7 @@ #define CONFDB_DOMAIN_TYPE_APP "application" #define CONFDB_DOMAIN_INHERIT_FROM "inherit_from" #define CONFDB_DOMAIN_LOCAL_AUTH_POLICY "local_auth_policy" +#define CONFDB_DOMAIN_CACHE_IN_MEMORY_TRANSACTIONS "cache_in_memory_transactions" /* Proxy Provider */ #define CONFDB_PROXY_LIBNAME "proxy_lib_name" @@ -389,6 +390,7 @@ struct sss_domain_info { bool cache_credentials; uint32_t cache_credentials_min_ff_length; + bool cache_in_memory_transactions; bool case_sensitive; bool case_preserve; diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py index e915bbec436..a76db399ddd 100644 --- a/src/config/SSSDConfig/sssdoptions.py +++ b/src/config/SSSDConfig/sssdoptions.py @@ -224,6 +224,7 @@ def __init__(self): 'the first authentication factor (long term password) must ' 'have to be saved as SHA512 hash into the cache.'), 'local_auth_policy': _('Local authentication methods policy '), + 'cache_in_memory_transactions': _('Perform cache transactions in memory.'), # [provider/ipa] 'ipa_domain': _('IPA domain'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index ef4dcd295a7..91da81e2632 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -622,7 +622,8 @@ def testListOptions(self): 'pam_gssapi_indicators_map', 'refresh_expired_interval', 'refresh_expired_interval_offset', - 'local_auth_policy'] + 'local_auth_policy', + 'cache_in_memory_transactions'] self.assertTrue(type(options) == dict, "Options should be a dictionary") @@ -984,7 +985,8 @@ def testRemoveProvider(self): 'refresh_expired_interval_offset', 'dyndns_refresh_interval', 'dyndns_refresh_interval_offset', - 'local_auth_policy'] + 'local_auth_policy', + 'cache_in_memory_transactions'] self.assertTrue(type(options) == dict, "Options should be a dictionary") diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 9bb3d8a53cb..e3a4dcb4430 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -391,6 +391,7 @@ option = offline_timeout_max option = offline_timeout_random_offset option = cache_credentials option = cache_credentials_minimal_first_factor_length +option = cache_in_memory_transactions option = use_fully_qualified_names option = ignore_group_members option = entry_cache_timeout diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index 28f057978db..1cc6ba12a35 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -193,6 +193,7 @@ pam_gssapi_services = str, None, false pam_gssapi_check_upn = bool, None, false pam_gssapi_indicators_map = str, None, false local_auth_policy = str, None, false +cache_in_memory_transactions = bool, None, false #Entry cache timeouts entry_cache_user_timeout = int, None, false diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c index 85db5f9e153..504ace6ac1a 100644 --- a/src/db/sysdb_init.c +++ b/src/db/sysdb_init.c @@ -729,12 +729,17 @@ static errno_t sysdb_cache_connect(TALLOC_CTX *mem_ctx, bool newly_created; bool ldb_file_exists; errno_t ret; + int ldb_flags = 0; + + if (domain->cache_in_memory_transactions) { + ldb_flags |= LDB_FLG_NOSYNC; + } ldb_file_exists = !(access(sysdb->ldb_file, F_OK) == -1 && errno == ENOENT); ret = sysdb_cache_connect_helper(mem_ctx, domain, sysdb->ldb_file, - 0, SYSDB_VERSION, SYSDB_BASE_LDIF, - &newly_created, ldb, version); + ldb_flags, SYSDB_VERSION, SYSDB_BASE_LDIF, + &newly_created, ldb, version); /* The cache has been newly created. */ if (ret == EOK && newly_created && !ldb_file_exists) { diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 88817b53628..b9f0acf238e 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -2935,6 +2935,30 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit + + cache_in_memory_transaction (boolean) + + + The cache can perform the update and hold the entire + transaction in memory before it is written to the + cache file. + + + Cache performance with this option set to TRUE is + much better. There is a negligible chance that data + in the cache may become inconsistent when the entire + computer is unexpectedly powered off while updating + the cache. + + + For this reason, it is not recommended to set this + option to TRUE along with + cache_credentials or when + computer is expected to be used offline. + + + + cache_credentials (bool) From 644cde99df101aa19f49a5c0c98a041507f6361a Mon Sep 17 00:00:00 2001 From: Tomas Halman Date: Mon, 17 Jun 2024 15:24:09 +0200 Subject: [PATCH 2/2] Remove this commit before merging This patch sets default for in-memory transaction to true! --- src/confdb/confdb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index e1dbc6737d1..b4adc8130aa 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1018,7 +1018,7 @@ static errno_t confdb_init_domain(struct sss_domain_info *domain, } ret = get_entry_as_bool(res->msgs[0], &domain->cache_in_memory_transactions, - CONFDB_DOMAIN_CACHE_IN_MEMORY_TRANSACTIONS, 0); + CONFDB_DOMAIN_CACHE_IN_MEMORY_TRANSACTIONS, 1); if (ret != EOK) { DEBUG(SSSDBG_FATAL_FAILURE, "Invalid value for %s\n", CONFDB_DOMAIN_CACHE_IN_MEMORY_TRANSACTIONS);