URL: https://github.com/SSSD/sssd/pull/636
Author: pbrezina
 Title: #636: failover: tune up default timeouts
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/636/head:pr636
git checkout pr636
From b08ad925428707fe96c1eccbd66d1f7b370ec305 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Tue, 11 Jun 2019 13:49:13 +0200
Subject: [PATCH 1/5] man: fix description of dns_resolver_op_timeout

---
 src/man/include/failover.xml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/man/include/failover.xml b/src/man/include/failover.xml
index cd6fd4d798..11ff86a388 100644
--- a/src/man/include/failover.xml
+++ b/src/man/include/failover.xml
@@ -77,7 +77,13 @@
                     </term>
                     <listitem>
                         <para>
-                            How long would SSSD talk to a single DNS server.
+                            Time in seconds to tell how long would SSSD try
+                            to resolve single DNS query (e.g. resolution of a
+                            hostname or an SRV record) before trying the next
+                            hostname or discovery domain.
+                        </para>
+                        <para>
+                            Default: 6
                         </para>
                     </listitem>
                 </varlistentry>

From ee3cae37b2caad4edec8f582d53fef11a28b0fbe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Tue, 11 Jun 2019 13:49:33 +0200
Subject: [PATCH 2/5] man: fix description of dns_resolver_timeout

---
 src/man/include/failover.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/man/include/failover.xml b/src/man/include/failover.xml
index 11ff86a388..7b451d8315 100644
--- a/src/man/include/failover.xml
+++ b/src/man/include/failover.xml
@@ -98,6 +98,9 @@
                             include several steps, such as resolving DNS SRV
                             queries or locating the site.
                         </para>
+                        <para>
+                            Default: 6
+                        </para>
                     </listitem>
                 </varlistentry>
             </variablelist>

From 4bf80993a17426f1d275f10faf012b92bc2b12df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Tue, 11 Jun 2019 13:37:23 +0200
Subject: [PATCH 3/5] failover: add dns_resolver_server_timeout option

---
 src/config/SSSDConfig/__init__.py.in |  1 +
 src/config/SSSDConfigTest.py         |  1 +
 src/config/cfg_rules.ini             |  1 +
 src/config/etc/sssd.api.conf         |  1 +
 src/man/include/failover.xml         | 17 ++++++++++++++++-
 src/providers/data_provider.h        |  1 +
 src/providers/data_provider_fo.c     |  3 +++
 src/resolv/async_resolv.c            | 10 ++++++----
 src/resolv/async_resolv.h            |  2 +-
 9 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 9642fe6baf..2d1214e16b 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -171,6 +171,7 @@ option_strings = {
     'entry_cache_timeout' : _('Entry cache timeout length (seconds)'),
     'lookup_family_order' : _('Restrict or prefer a specific address family when performing DNS lookups'),
     'account_cache_expiration' : _('How long to keep cached entries after last successful login (days)'),
+    'dns_resolver_server_timeout' : _('How long should SSSD talk to single DNS server before trying next server (miliseconds)'),
     'dns_resolver_timeout' : _('How long to wait for replies from DNS when resolving servers (seconds)'),
     'dns_discovery_domain' : _('The domain part of service discovery DNS query'),
     'override_gid' : _('Override GID value from the identity provider with this value'),
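Review bot: The new description for `dns_resolver_server_timeout` spells the unit "miliseconds", while the man page text added in this same patch uses "milliseconds". The string is wrapped in `_()`, so correcting it later changes the msgid and invalidates existing translations; it is cheaper to fix now. Suggested text: `_('How long should SSSD talk to a single DNS server before trying the next server (milliseconds)')`. The misspelled string also appears as a context line in patch 5/5, and the `option_strings` dict starts and ends outside this hunk.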
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 727df71abf..2ffa5a0f28 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -606,6 +606,7 @@ def testListOptions(self):
             'refresh_expired_interval',
             'lookup_family_order',
             'account_cache_expiration',
+            'dns_resolver_server_timeout',
             'dns_resolver_timeout',
             'dns_discovery_domain',
             'dyndns_update',
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 929e6149a7..a2efb3a677 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -367,6 +367,7 @@ option = account_cache_expiration
 option = pwd_expiration_warning
 option = filter_users
 option = filter_groups
+option = dns_resolver_server_timeout
 option = dns_resolver_timeout
 option = dns_discovery_domain
 option = override_gid
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index c6d6690fb4..288b1cfe75 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -170,6 +170,7 @@ account_cache_expiration = int, None, false
 pwd_expiration_warning = int, None, false
 filter_users = list, str, false
 filter_groups = list, str, false
+dns_resolver_server_timeout = int, None, false
 dns_resolver_timeout = int, None, false
 dns_discovery_domain = str, None, false
 override_gid = int, None, false
diff --git a/src/man/include/failover.xml b/src/man/include/failover.xml
index 7b451d8315..f2a01b933e 100644
--- a/src/man/include/failover.xml
+++ b/src/man/include/failover.xml
@@ -71,6 +71,20 @@
             </citerefentry>,
             manual page.
             <variablelist>
+                <varlistentry>
+                    <term>
+                        dns_resolver_server_timeout
+                    </term>
+                    <listitem>
+                        <para>
+                            Time in milliseconds that sets how long would SSSD
+                            talk to a single DNS server before trying next one.
+                        </para>
+                        <para>
+                            Default: 2000
+                        </para>
+                    </listitem>
+                </varlistentry>
                 <varlistentry>
                     <term>
                         dns_resolver_op_timeout
@@ -111,7 +125,8 @@
             <quote>ldap_opt_timeout></quote> timeout should be set to
             a larger value than <quote>dns_resolver_timeout</quote>
             which in turn should be set to a larger value than
-            <quote>dns_resolver_op_timeout</quote>.
+            <quote>dns_resolver_op_timeout</quote> which should be larger
+            than <quote>dns_resolver_server_timeout</quote>.
         </para>
     </refsect2>
 </refsect1>
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index a0a21cc123..2d10dbb5bc 100644
--- a/src/providers/data_provider.h
+++ b/src/providers/data_provider.h
@@ -265,6 +265,7 @@ enum dp_res_opts {
     DP_RES_OPT_FAMILY_ORDER,
     DP_RES_OPT_RESOLVER_TIMEOUT,
     DP_RES_OPT_RESOLVER_OP_TIMEOUT,
+    DP_RES_OPT_RESOLVER_SERVER_TIMEOUT,
     DP_RES_OPT_DNS_DOMAIN,
 
     DP_RES_OPTS /* attrs counter */
diff --git a/src/providers/data_provider_fo.c b/src/providers/data_provider_fo.c
index 473b667e58..a7af3e2a54 100644
--- a/src/providers/data_provider_fo.c
+++ b/src/providers/data_provider_fo.c
@@ -833,6 +833,7 @@ static struct dp_option dp_res_default_opts[] = {
     { "lookup_family_order", DP_OPT_STRING, { "ipv4_first" }, NULL_STRING },
     { "dns_resolver_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
     { "dns_resolver_op_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
+    { "dns_resolver_server_timeout", DP_OPT_NUMBER, { .number = 2000 }, NULL_NUMBER },
     { "dns_discovery_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     DP_OPTION_TERMINATOR
 };
@@ -894,6 +895,8 @@ errno_t be_res_init(struct be_ctx *ctx)
     ret = resolv_init(ctx, ctx->ev,
                       dp_opt_get_int(ctx->be_res->opts,
                                      DP_RES_OPT_RESOLVER_OP_TIMEOUT),
+                      dp_opt_get_int(ctx->be_res->opts,
+                                     DP_RES_OPT_RESOLVER_SERVER_TIMEOUT),
                       &ctx->be_res->resolv);
     if (ret != EOK) {
         talloc_zfree(ctx->be_res);
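Review bot: The value read for `DP_RES_OPT_RESOLVER_SERVER_TIMEOUT` is passed to `resolv_init` with no range check, and the async_resolv.c hunks of this patch copy it into `ctx->ares_timeout` and then into `options.timeout` unchanged. That field was previously the constant 2000, so a zero, negative or very large value from sssd.conf is a new input to c-ares. How c-ares treats such a value is not visible here, but a resolver that gives up immediately or never moves to the next DNS server decides whether the backend can reach its identity servers. A guard in `resolv_init` before the assignment, for example `if (ares_timeout <= 0) { return EINVAL; }`, or a logged fallback to the default, would contain a configuration typo. `be_res_init` starts and ends outside this hunk.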
diff --git a/src/resolv/async_resolv.c b/src/resolv/async_resolv.c
index bb27011548..b833d72116 100644
--- a/src/resolv/async_resolv.c
+++ b/src/resolv/async_resolv.c
@@ -60,8 +60,6 @@
 #define DNS_RR_LEN(r)                   DNS__16BIT((r) + 8)
 #define DNS_RR_TTL(r)                   DNS__32BIT((r) + 4)
 
-#define RESOLV_TIMEOUTMS  2000
-
 enum host_database default_host_dbs[] = { DB_FILES, DB_DNS, DB_SENTINEL };
 
 struct fd_watch {
@@ -83,6 +81,9 @@ struct resolv_ctx {
     /* Time in milliseconds before canceling a DNS request */
     int timeout;
 
+    /* Time in milliseconds for communication with single DNS server. */
+    int ares_timeout;
+
     /* The timeout watcher periodically calls ares_process_fd() to check
      * if our pending requests didn't timeout. */
     int pending_requests;
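Review bot: The existing comment on `timeout` looks wrong next to the new field: it says milliseconds, but `be_res_init` passes `dns_resolver_op_timeout` into it, which the man page documents in seconds, and no conversion is visible in this patch. With two adjacent `int` timeouts in different units, I would correct it to `/* Time in seconds before canceling a DNS request */` after confirming against the code that consumes `ctx->timeout`. I would also put the unit in the new field's name, e.g. `int ares_timeout_ms;`. `struct resolv_ctx` continues outside this hunk.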
@@ -423,7 +424,7 @@ recreate_ares_channel(struct resolv_ctx *ctx)
      */
     options.sock_state_cb = fd_event;
     options.sock_state_cb_data = ctx;
-    options.timeout = RESOLV_TIMEOUTMS;
+    options.timeout = ctx->ares_timeout;
     /* Only affects ares_gethostbyname */
     options.lookups = discard_const("f");
     options.tries = 1;
@@ -450,7 +451,7 @@ recreate_ares_channel(struct resolv_ctx *ctx)
 
 int
 resolv_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev_ctx,
-            int timeout, struct resolv_ctx **ctxp)
+            int timeout, int ares_timeout, struct resolv_ctx **ctxp)
 {
     int ret;
     struct resolv_ctx *ctx;
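Review bot: `resolv_init` gains a second positional `int` directly after `timeout`, so any caller not updated in this commit stops compiling, and a caller that swaps the two values gets no compiler diagnostic. The diffstat lists data_provider_fo.c as the only updated caller; if tests or other code call `resolv_init`, they need the same change in this commit to keep the series bisectable. A short doc comment on the prototype in async_resolv.h stating the unit of each argument would make the call sites checkable by eye. The function body continues outside this hunk.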
@@ -467,6 +468,7 @@ resolv_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev_ctx,
 
     ctx->ev_ctx = ev_ctx;
     ctx->timeout = timeout;
+    ctx->ares_timeout = ares_timeout;
 
     ret = recreate_ares_channel(ctx);
     if (ret != EOK) {
diff --git a/src/resolv/async_resolv.h b/src/resolv/async_resolv.h
index 90ed037075..d83a7be447 100644
--- a/src/resolv/async_resolv.h
+++ b/src/resolv/async_resolv.h
@@ -52,7 +52,7 @@
 struct resolv_ctx;
 
 int resolv_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev_ctx,
-                int timeout, struct resolv_ctx **ctxp);
+                int timeout, int ares_timeout, struct resolv_ctx **ctxp);
 
 void resolv_reread_configuration(struct resolv_ctx *ctx);
 

From fc6fdd707ee5970b55e6d70295cc5bc7d0aa3779 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Tue, 11 Jun 2019 14:01:17 +0200
Subject: [PATCH 4/5] failover: change default timeouts

---
 src/man/include/failover.xml     | 6 +++---
 src/man/sssd-ldap.5.xml          | 2 +-
 src/providers/ad/ad_opts.c       | 2 +-
 src/providers/data_provider_fo.c | 4 ++--
 src/providers/ipa/ipa_opts.c     | 2 +-
 src/providers/ldap/ldap_opts.c   | 2 +-
 6 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/man/include/failover.xml b/src/man/include/failover.xml
index f2a01b933e..288d91807a 100644
--- a/src/man/include/failover.xml
+++ b/src/man/include/failover.xml
@@ -81,7 +81,7 @@
                             talk to a single DNS server before trying next one.
                         </para>
                         <para>
-                            Default: 2000
+                            Default: 1000
                         </para>
                     </listitem>
                 </varlistentry>
@@ -97,7 +97,7 @@
                             hostname or discovery domain.
                         </para>
                         <para>
-                            Default: 6
+                            Default: 2
                         </para>
                     </listitem>
                 </varlistentry>
@@ -113,7 +113,7 @@
                             queries or locating the site.
                         </para>
                         <para>
-                            Default: 6
+                            Default: 4
                         </para>
                     </listitem>
                 </varlistentry>
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index f0bc82db5f..c205aea64d 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1432,7 +1432,7 @@
                             StartTLS operation.
                         </para>
                         <para>
-                            Default: 6
+                            Default: 8
                         </para>
                     </listitem>
                 </varlistentry>
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index 978c395ef2..3f7ec08b1d 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -65,7 +65,7 @@ struct dp_option ad_def_ldap_opts[] = {
     { "ldap_default_authtok", DP_OPT_BLOB, NULL_BLOB, NULL_BLOB },
     { "ldap_search_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
     { "ldap_network_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
-    { "ldap_opt_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
+    { "ldap_opt_timeout", DP_OPT_NUMBER, { .number = 8 }, NULL_NUMBER },
     { "ldap_tls_reqcert", DP_OPT_STRING, { "hard" }, NULL_STRING },
     { "ldap_user_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_user_search_scope", DP_OPT_STRING, { "sub" }, NULL_STRING },
diff --git a/src/providers/data_provider_fo.c b/src/providers/data_provider_fo.c
index a7af3e2a54..c634b8d49f 100644
--- a/src/providers/data_provider_fo.c
+++ b/src/providers/data_provider_fo.c
@@ -832,8 +832,8 @@ void _be_fo_set_port_status(struct be_ctx *ctx,
 static struct dp_option dp_res_default_opts[] = {
     { "lookup_family_order", DP_OPT_STRING, { "ipv4_first" }, NULL_STRING },
     { "dns_resolver_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
-    { "dns_resolver_op_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
-    { "dns_resolver_server_timeout", DP_OPT_NUMBER, { .number = 2000 }, NULL_NUMBER },
+    { "dns_resolver_op_timeout", DP_OPT_NUMBER, { .number = 3 }, NULL_NUMBER },
+    { "dns_resolver_server_timeout", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER },
     { "dns_discovery_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     DP_OPTION_TERMINATOR
 };
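Review bot: The defaults in `dp_res_default_opts` do not match the man page values changed in this same commit. failover.xml now documents `dns_resolver_op_timeout` as `Default: 2` and `dns_resolver_timeout` as `Default: 4`, while this hunk sets `dns_resolver_op_timeout` to 3 and leaves `dns_resolver_timeout` at 6. One side has to change so that administrators tuning failover from the documentation see the values the daemon actually uses; if the table is the intended source, the man page lines should read `Default: 3` and `Default: 6`. The `dns_resolver_server_timeout` default of 1000 does agree with the documentation.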
diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c
index c38a7da0ed..7974cb8ea0 100644
--- a/src/providers/ipa/ipa_opts.c
+++ b/src/providers/ipa/ipa_opts.c
@@ -76,7 +76,7 @@ struct dp_option ipa_def_ldap_opts[] = {
     { "ldap_default_authtok", DP_OPT_BLOB, NULL_BLOB, NULL_BLOB },
     { "ldap_search_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
     { "ldap_network_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
-    { "ldap_opt_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
+    { "ldap_opt_timeout", DP_OPT_NUMBER, { .number = 8 }, NULL_NUMBER },
     { "ldap_tls_reqcert", DP_OPT_STRING, { "hard" }, NULL_STRING },
     { "ldap_user_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_user_search_scope", DP_OPT_STRING, { "sub" }, NULL_STRING },
diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c
index dc56f07125..616934a21e 100644
--- a/src/providers/ldap/ldap_opts.c
+++ b/src/providers/ldap/ldap_opts.c
@@ -36,7 +36,7 @@ struct dp_option default_basic_opts[] = {
     { "ldap_default_authtok", DP_OPT_BLOB, NULL_BLOB, NULL_BLOB },
     { "ldap_search_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
     { "ldap_network_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
-    { "ldap_opt_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
+    { "ldap_opt_timeout", DP_OPT_NUMBER, { .number = 8 }, NULL_NUMBER },
     { "ldap_tls_reqcert", DP_OPT_STRING, { "hard" }, NULL_STRING },
     { "ldap_user_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_user_search_scope", DP_OPT_STRING, { "sub" }, NULL_STRING },

From 4e1eb8ac52dc3d9734e992b82c6c4519687f68eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Mon, 8 Jul 2019 11:35:28 +0200
Subject: [PATCH 5/5] config: add dns_resolver_op_timeout to option list

---
 src/config/SSSDConfig/__init__.py.in | 1 +
 src/config/SSSDConfigTest.py         | 1 +
 src/config/cfg_rules.ini             | 1 +
 src/config/etc/sssd.api.conf         | 1 +
 4 files changed, 4 insertions(+)

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 2d1214e16b..ea79954104 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -172,6 +172,7 @@ option_strings = {
     'lookup_family_order' : _('Restrict or prefer a specific address family when performing DNS lookups'),
     'account_cache_expiration' : _('How long to keep cached entries after last successful login (days)'),
     'dns_resolver_server_timeout' : _('How long should SSSD talk to single DNS server before trying next server (miliseconds)'),
+    'dns_resolver_op_timeout' : _('How long should keep trying to resolve single DNS query (seconds)'),
     'dns_resolver_timeout' : _('How long to wait for replies from DNS when resolving servers (seconds)'),
     'dns_discovery_domain' : _('The domain part of service discovery DNS query'),
     'override_gid' : _('Override GID value from the identity provider with this value'),
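Review bot: The description added for `dns_resolver_op_timeout` has no subject ("How long should keep trying ..."), unlike the neighbouring `dns_resolver_server_timeout` entry. Because it is a translatable msgid, the wording is best settled before translators pick it up: `_('How long should SSSD keep trying to resolve a single DNS query (seconds)')`. The `option_strings` dict starts and ends outside this hunk.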
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 2ffa5a0f28..8b49abb0da 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -607,6 +607,7 @@ def testListOptions(self):
             'lookup_family_order',
             'account_cache_expiration',
             'dns_resolver_server_timeout',
+            'dns_resolver_op_timeout',
             'dns_resolver_timeout',
             'dns_discovery_domain',
             'dyndns_update',
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index a2efb3a677..30040b5950 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -368,6 +368,7 @@ option = pwd_expiration_warning
 option = filter_users
 option = filter_groups
 option = dns_resolver_server_timeout
+option = dns_resolver_op_timeout
 option = dns_resolver_timeout
 option = dns_discovery_domain
 option = override_gid
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 288b1cfe75..4a069f2db2 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -171,6 +171,7 @@ pwd_expiration_warning = int, None, false
 filter_users = list, str, false
 filter_groups = list, str, false
 dns_resolver_server_timeout = int, None, false
+dns_resolver_op_timeout = int, None, false
 dns_resolver_timeout = int, None, false
 dns_discovery_domain = str, None, false
 override_gid = int, None, false