coren has uploaded a new change for review. https://gerrit.wikimedia.org/r/157816
Change subject: Labs: provide saner nscd defaults
......................................................................

Labs: provide saner nscd defaults

Labs has different use cases, and several assumptions about resolving can be made that impact the best settings for nscd:

- users are very rarely removed
- groups are slightly more mutable
- DNS entries tend to have long lifetimes

Accordingly, some of the caching values have been tweaked to reflect that reality and greatly reduce the load on the LDAP and DNS services, which are not all that robust under load.

Note that this turns host caching back on, despite it being turned off by default in recent Ubuntu releases because of a known issue:

https://sourceware.org/bugzilla/show_bug.cgi?id=4428

This bug has essentially no impact in Labs because the TTL of Openstack-created entries in dnsmasq is not normally tunable. Also, the worst case scenario is that some library calls returned cached values with a lifetime of the greater of the DNS TTL and that of the cache (which is incorrect, but mostly harmless since we keep our cache lifetime at 1h).

In practice, this means that /if/ we have the TTL of a hostname under one hour, /and/ it changes while cached, it may persist for up to 1h more than it should or until the cache is manually invalidated. This seems to be acceptable.

Bug: 70076
Change-Id: Ic41a10d2fbafabdd50c7db49580ace717499c829
---

A modules/ldap/files/nscd-labs.conf
M modules/ldap/manifests/client.pp
2 files changed, 77 insertions(+), 1 deletion(-)

git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/16/157816/1

diff --git a/modules/ldap/files/nscd-labs.conf b/modules/ldap/files/nscd-labs.conf new file mode 100644 index 0000000..294154c --- /dev/null +++ b/modules/ldap/files/nscd-labs.conf 
@@ -0,0 +1,73 @@ +# +# /etc/nscd.conf +# +# An example Name Service Cache config file. This file is needed by nscd. +# +# Legal entries are: +# +# logfile <file> +# debug-level <level> +# threads <initial #threads to use> +# max-threads <maximum #threads to use> +# server-user <user to run server as instead of root> +# server-user is ignored if nscd is started with -S parameters +# stat-user <user who is allowed to request statistics> +# reload-count unlimited|<number> +# paranoia <yes|no> +# restart-interval <time in seconds> +# +# enable-cache <service> <yes|no> +# positive-time-to-live <service> <time in seconds> +# negative-time-to-live <service> <time in seconds> +# suggested-size <service> <prime number> +# check-files <service> <yes|no> +# persistent <service> <yes|no> +# shared <service> <yes|no> +# max-db-size <service> <number bytes> +# auto-propagate <service> <yes|no> +# +# Currently supported cache names (services): passwd, group, hosts, services +# + + + debug-level 0 + paranoia no + + enable-cache passwd yes + positive-time-to-live passwd 3600 + negative-time-to-live passwd 30 + suggested-size passwd 3001 + check-files passwd yes + persistent passwd yes + shared passwd yes + max-db-size passwd 67108864 + auto-propagate passwd yes + + enable-cache group yes + positive-time-to-live group 60 + negative-time-to-live group 60 + suggested-size group 3001 + check-files group yes + persistent group yes + shared group yes + max-db-size group 67108864 + auto-propagate group yes + + enable-cache hosts yes + positive-time-to-live hosts 3600 + negative-time-to-live hosts 30 + suggested-size hosts 983 + check-files hosts yes + persistent hosts yes + shared hosts yes + max-db-size hosts 33554432 + + enable-cache services yes + positive-time-to-live services 3600 + negative-time-to-live services 10 + suggested-size services 211 + check-files services yes + persistent services yes + shared services yes + max-db-size services 33554432 + 
diff --git a/modules/ldap/manifests/client.pp b/modules/ldap/manifests/client.pp index 1ec4d10..53efecc 100644 --- a/modules/ldap/manifests/client.pp +++ b/modules/ldap/manifests/client.pp @@ -62,7 +62,10 @@ file { '/etc/nscd.conf': notify => Service['nscd'], - source => 'puppet:///modules/ldap/nscd.conf', + source => $::realm ? { + 'labs' => 'puppet:///modules/ldap/nscd-labs.conf', + default => 'puppet:///modules/ldap/nscd.conf', + } } file { '/etc/nsswitch.conf': -- To view, visit https://gerrit.wikimedia.org/r/157816 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ic41a10d2fbafabdd50c7db49580ace717499c829 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: coren <[email protected]> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
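Review bot: The tuned values in nscd-labs.conf carry no rationale in the file itself: the header still reads "An example Name Service Cache config file", and nothing next to `enable-cache hosts yes` or `positive-time-to-live passwd 3600` says why Labs differs from the stock file. Please add a short comment above the hosts block that points at https://sourceware.org/bugzilla/show_bug.cgi?id=4428 and the 1h bound described in the commit message, and one above the passwd block noting that a removed or changed LDAP account can keep resolving from cache for up to an hour on each instance. Because every service is set to `persistent ... yes`, cached entries survive the nscd restart that `notify => Service['nscd']` triggers, so the comment should also name the manual step (`nscd -i passwd`, `nscd -i hosts`) for the cases where a stale entry has to go immediately.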
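Review bot: In the client.pp hunk the new `source` selector closes with a bare `}` where the line it replaces ended in a comma, and the selector sits inside the resource body, which puppet-lint reports as a selector inside a resource. Suggest resolving the realm before the resource into a variable (the name is only a suggestion), e.g. `$nscd_conf = $::realm ? { 'labs' => 'nscd-labs.conf', default => 'nscd.conf' }`, and keeping a single `source => "puppet:///modules/ldap/${nscd_conf}",` attribute with its trailing comma, so the resource stays one attribute per line and later additions diff cleanly.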
