URL: https://github.com/SSSD/sssd/pull/951 Author: thalman Title: #951: sdap: Add randomness to ldap connection timeout Action: opened
PR body: """ In case of mass deployment, mass registration of IPA clients roughly on the same time leads to regular CPU load spikes on IPA servers, the load spikes are caused by all/most clients refreshing their LDAP connections (ldap_connection_expire_timeout) every 15 minutes. This patch introduces new random value (from 0 up to ldap_connection_expire_offset) that is added to the timeout. Resolves: https://pagure.io/SSSD/sssd/issue/3630 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/951/head:pr951 git checkout pr951
From 5ab431382cb15dea315d9d24ccd7369818094b31 Mon Sep 17 00:00:00 2001
From: Tomas Halman <[email protected]>
Date: Mon, 2 Dec 2019 11:11:52 +0100
Subject: [PATCH] sdap: Add randomness to ldap connection timeout

In case of mass deployment, mass registration of IPA clients roughly on the same time leads to regular CPU load spikes on IPA servers, the load spikes are caused by all/most clients refreshing their LDAP connections (ldap_connection_expire_timeout) every 15 minutes. This patch introduces new random value (from 0 up to ldap_connection_expire_offset) that is added to the timeout.

Resolves: https://pagure.io/SSSD/sssd/issue/3630
---
 src/config/cfg_rules.ini | 1 +
 src/man/sssd-ldap.5.xml | 19 +++++++++++++++++++
 src/providers/ad/ad_opts.c | 1 +
 src/providers/ipa/ipa_opts.c | 1 +
 src/providers/ldap/ldap_opts.c | 1 +
 src/providers/ldap/sdap.h | 1 +
 src/providers/ldap/sdap_async_connection.c | 7 +++++++
 7 files changed, 31 insertions(+)

diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 8c73c89ac2..c56d5a6682 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -600,6 +600,7 @@ option = ldap_chpass_dns_service_name
 option = ldap_chpass_update_last_change
 option = ldap_chpass_uri
 option = ldap_connection_expire_timeout
+option = ldap_connection_expire_offset
 option = ldap_default_authtok
 option = ldap_default_authtok_type
 option = ldap_default_bind_dn
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 6d1ae23ecb..b2349b5b36 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -509,12 +509,31 @@ the two values (this value vs. the TGT lifetime) will be used. </para> + <para> + This timeout can be extended of a random + value specified by + <emphasis>ldap_connection_expire_offset</emphasis> + </para> <para> Default: 900 (15 minutes) </para> </listitem> </varlistentry> + <varlistentry> + <term>ldap_connection_expire_offset (integer)</term> + <listitem> + <para> + Random offset between 0 and configured value + is added to + <emphasis>ldap_connection_expire_timeout</emphasis>. + </para> + <para> + Default: 0 + </para> + </listitem> + </varlistentry> + <varlistentry> <term>ldap_page_size (integer)</term> <listitem> diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c index cd568e4663..1293219ee1 100644 --- a/src/providers/ad/ad_opts.c +++ b/src/providers/ad/ad_opts.c @@ -137,6 +137,7 @@ struct dp_option ad_def_ldap_opts[] = { { "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER }, { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }, + { "ldap_connection_expire_offset", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER }, { "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_idmap_range_min", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER }, { "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000200000LL }, NULL_NUMBER }, diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c index 7974cb8ea0..4fafa073da 100644 --- a/src/providers/ipa/ipa_opts.c +++ b/src/providers/ipa/ipa_opts.c 
@@ -147,6 +147,7 @@ struct dp_option ipa_def_ldap_opts[] = {
     { "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
     { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER },
+    { "ldap_connection_expire_offset", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
     { "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_idmap_range_min", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER },
     { "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000200000LL }, NULL_NUMBER },
diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c
index a20ec0d86b..ffd0c6baa2 100644
--- a/src/providers/ldap/ldap_opts.c
+++ b/src/providers/ldap/ldap_opts.c
@@ -107,6 +107,7 @@ struct dp_option default_basic_opts[] = {
     { "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
     { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER },
+    { "ldap_connection_expire_offset", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
     { "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_idmap_range_min", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER },
     { "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000200000LL }, NULL_NUMBER },
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index d0a19a660c..f27b3c4806 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -221,6 +221,7 @@ enum sdap_basic_opt {
     SDAP_DEREF_THRESHOLD,
     SDAP_SASL_CANONICALIZE,
     SDAP_EXPIRE_TIMEOUT,
+    SDAP_EXPIRE_OFFSET,
     SDAP_DISABLE_PAGING,
     SDAP_IDMAP_LOWER,
     SDAP_IDMAP_UPPER,
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 0260cba6fd..47b4aace63 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
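Review bot: SDAP_EXPIRE_OFFSET is inserted in the middle of enum sdap_basic_opt, which appears to be used as a positional index into the `struct dp_option` tables; the commit inserts the matching row at the same position in ad_def_ldap_opts, ipa_def_ldap_opts and default_basic_opts, but any other table built against this enum outside the diff (test fixtures, other providers) needs the same insertion, or every option after SDAP_EXPIRE_TIMEOUT is read from the wrong slot. Nothing ties the enum and the tables together at compile time, so a reminder on the enum line helps the next person who adds an option: `SDAP_EXPIRE_OFFSET, /* keep position in sync with *_def_ldap_opts / default_basic_opts */`. The enum and the three tables all start before their hunks and end after them.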
@@ -1803,6 +1803,8 @@ static void sdap_cli_auth_step(struct tevent_req *req) struct tevent_req *subreq; time_t now; int expire_timeout; + int expire_offset; + const char *sasl_mech = dp_opt_get_string(state->opts->basic, SDAP_SASL_MECH); const char *user_dn = dp_opt_get_string(state->opts->basic, @@ -1832,6 +1834,11 @@ static void sdap_cli_auth_step(struct tevent_req *req) */ now = time(NULL); expire_timeout = dp_opt_get_int(state->opts->basic, SDAP_EXPIRE_TIMEOUT); + expire_offset = dp_opt_get_int(state->opts->basic, SDAP_EXPIRE_OFFSET); + if (expire_offset > 0) { + expire_timeout += sss_rand() % (expire_offset + 1); + } + DEBUG(SSSDBG_CONF_SETTINGS, "expire timeout is %d\n", expire_timeout); if (!state->sh->expire_time || (state->sh->expire_time > (now + expire_timeout))) {
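Review bot: `expire_offset + 1` on the added modulo line is a signed overflow when ldap_connection_expire_offset is configured as INT_MAX, and `expire_timeout += ...` can overflow for a large timeout/offset pair, both undefined behaviour in C; neither int is bounded here, and dp_opt_get_int() appears to hand back whatever the config holds. Bound the pair before adding, e.g. `if (expire_offset > 0 && expire_timeout >= 0 && expire_offset < INT_MAX - expire_timeout) {`, and emit a DEBUG message when an offset is ignored (negative or out of range) instead of dropping it silently, since an operator otherwise cannot tell why the jitter is missing. Modulo bias in `sss_rand() % (expire_offset + 1)` is harmless for spreading reconnects, which is the only purpose this value serves; sss_rand() is not visible in the hunk, so if it is a plain rand() wrapper that should stay documented as non-cryptographic. sdap_cli_auth_step() starts before the hunk and the expire_time comparison continues past it.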
