https://fedoraproject.org/wiki/Changes/FlexibleLocalUserCache

== Summary ==
Allow switching SSSD’s fast cache for local users on and off at runtime.

== Owner ==
* Name: [[User:sbose| Sumit Bose]]
* Email: sb...@redhat.com


== Detailed Description ==
In Fedora 26 SSSD’s fast cache for local users was introduced by
[[Changes/SSSDCacheForLocalUsers|SSSDCacheForLocalUsers]]. It is
currently enabled by default, which means that ''sss'' is the first
module listed for the ''passwd'' and ''group'' databases in
''/etc/nsswitch.conf'' and that the ''sssd'' monitor process, the
''sssd_nss'' responder and the ''sssd_be'' backend process are running
by default. Those defaults made sense because at that time a change to
''/etc/nsswitch.conf'' required a reboot: long running processes read
''/etc/nsswitch.conf'' only once, during their first lookup, and were
not aware of later changes (restarting all long running processes might
be sufficient, but a reboot is typically easier).

With ''glibc'' version 2.33, available since Fedora 34,
''/etc/nsswitch.conf'' is reread automatically for the next lookup if
it was modified (timestamp changed). This makes it possible to enable
or disable SSSD’s fast cache for local users and update
''/etc/nsswitch.conf'' accordingly at runtime, as was e.g. possible
with ''nscd''. (''nscd'' is deprecated in Fedora 34 by
[[Changes/DeprecateNSCD|DeprecateNSCD]] because SSSD can provide the
caching as well. This Change does not conflict with deprecating
''nscd'': SSSD can still provide the caching of local users and
groups, but the cache can now also be switched on and off at runtime
without potential impact on local user lookups.)

Given that SSSD will not be started by default anymore to provide the
cached local users, ''sss'' should not be the first entry in
''/etc/nsswitch.conf'' anymore. It would even be possible to leave the
''sss'' entry out of the default ''/etc/nsswitch.conf'' and let
''authselect'' add it when an SSSD related profile is selected.
The following components will be affected by the change:
* the SSSD package will be built without the ''--enable-files-domain''
option and the service file will be extended so that SSSD will not be
started if no configuration is present
** ''--enable-files-domain'' is already dropped for non-Fedora builds:
https://src.fedoraproject.org/rpms/sssd/blob/rawhide/f/sssd.spec#_506
** the changes to the service file are already available
https://github.com/SSSD/sssd/commit/a25256fe22dd0b976093d15a5c7c73e1dc64bbcc
and are already applied on non-Fedora builds where
''--enable-files-domain'' is not set
* in ''authselect'' the ''sssd'' profile will have a new feature, e.g.
''with-files-domain'', to set the order in ''nsswitch.conf'' at runtime:
https://github.com/pbrezina/authselect/commit/cc1d6b15310d8c9616d2ae1c8879baf3ed0f70ab
* the default order in ''nsswitch.conf'' in glibc should be updated so
that ''files'' is first:
https://src.fedoraproject.org/rpms/glibc/blob/rawhide/f/glibc-fedora-nsswitch.patch


== Benefit to Fedora ==
With this change fewer processes will run in a default or minimal
Fedora installation. Enabling and disabling the cache at runtime allows
switching on caching of local users and groups when needed, while
keeping the number of processes small when the benefit would be
negligible. The changes to ''/etc/nsswitch.conf'' will also benefit
environments where the SSSD client libraries are not installed at all,
as proposed by the F35 Change proposal
[[Changes/SmallerContainerBase|Smaller Container Base Image]].

== Scope ==
* Proposal owners: The SSSD maintainers will enable the needed changes
to the SSSD packages and create pull-requests for the changes to
''authselect'' and the modified default ''/etc/nsswitch.conf'' file.
* Other developers: ''authselect'' and ''glibc'' maintainers have to
accept the pull-requests for their components.
* Release engineering: No action from Release engineering is needed.
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives:


== Upgrade/compatibility impact ==
Caching of local users and groups by SSSD is not enabled by default
anymore and must be enabled manually if needed.


== How To Test ==
SSSD will not be run by default anymore. Caching of local users and
groups can be enabled manually if needed, as it was with ''nscd''. The
manual steps are

    authselect select sssd with-files-domain
    echo -e '[sssd]\nenable_files_domain = True' > /etc/sssd/conf.d/files_domain.conf
    chmod 600 /etc/sssd/conf.d/files_domain.conf
    systemctl start sssd
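As an added example that is not part of this Change page or of the SSSD and authselect projects, the following POSIX shell script parses the ''/etc/nsswitch.conf'' layout described in the Detailed Description and reports whether the local user cache is enabled (''sss'' listed before ''files'' for ''passwd'' and ''group'') or disabled. The two sample files embedded in it are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the Fedora Change page, SSSD or authselect:
# inspect the module order in an nsswitch.conf and report whether the
# SSSD fast cache for local users sits in front of 'files' for the
# passwd and group databases, which is what the enabled state looks like.

# Constructed sample contents; neither is copied from a Fedora system.
NSSWITCH_SSS_FIRST='# cache enabled: sss is consulted before files
passwd:     sss files systemd
group:      sss files systemd
shadow:     files sss
hosts:      files dns myhostname'

NSSWITCH_FILES_FIRST='# cache disabled: files is consulted first
passwd:     files sss systemd
group:      files sss systemd
shadow:     files sss'

# Print the module list of one database ($1) from the given nsswitch.conf
# contents ($2), with comments stripped and surrounding whitespace trimmed.
nss_modules() {
    printf '%s\n' "$2" |
        sed -e 's/#.*//' -e 's/:/: /' |
        awk -v db="$1" '$1 == (db ":") { $1 = ""; print; exit }' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Return 0 when 'sss' is listed before 'files' for database $1, else 1.
# Action tokens such as [NOTFOUND=return] fall through the case match.
sss_before_files() {
    for module in $(nss_modules "$1" "$2"); do
        case "$module" in
            sss)   return 0 ;;
            files) return 1 ;;
        esac
    done
    return 1
}

# Print "enabled" when sss precedes files for both passwd and group,
# the layout that indicates the local user cache is active, else "disabled".
files_domain_state() {
    if sss_before_files passwd "$1" && sss_before_files group "$1"; then
        echo enabled
    else
        echo disabled
    fi
}

# Demo on the constructed samples; pass "$(cat /etc/nsswitch.conf)" to
# check a live system instead.
echo "sample 1: $(files_domain_state "$NSSWITCH_SSS_FIRST")"
echo "sample 2: $(files_domain_state "$NSSWITCH_FILES_FIRST")"
```

Run `files_domain_state "$(cat /etc/nsswitch.conf)"` before and after the manual steps above to confirm that the module order actually changed. On glibc older than 2.33 the file contents say nothing about what already running processes use, since those read ''/etc/nsswitch.conf'' only once.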



== User Experience ==
A default installation will have fewer running processes, since the
SSSD components are not running by default anymore.

== Dependencies ==
The ''glibc'' maintainers have to accept a pull-request to modify the
default ''/etc/nsswitch.conf'' file.



== Contingency Plan ==
* Contingency mechanism: Revert the SSSD spec file changes and the order
changes in ''/etc/nsswitch.conf''
* Contingency deadline: beta freeze
* Blocks release? No


== Documentation ==
N/A




-- 
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis