[SSSD] Re: Removing nscd from Fedora
On 8/14/19 11:02 AM, Florian Weimer wrote: * Jakub Hrozek: On Thu, Aug 08, 2019 at 09:09:12PM +0200, Florian Weimer wrote: We'd like to propose removing nscd from Fedora, for Fedora 32. (The goal is to make this change downstream, too.) Carlos told me that in the past, sssd couldn't do full caching for nss_files, and that was still a concern at the time. Has this changed? This has not changed. SSSD does not have support for some nss_files-type maps at all, like networks or hosts, meaning that even if you had those objects stored in LDAP, SSSD wouldn't even be able to resolve them (although some friendly Suse developers are adding support for more maps). But even when this is implemented, then the request still has to go from the client application over a socket to the deamon and back. We'd still be missing the fast in-memory cache support like we do have for passwd,group and initgroups. (the memory cache design is described at https://docs.pagure.org/SSSD.sssd/developers/mmap_cache_1.15.html#how-does-the-memory-mapped-cache-work) I see. The shared mapping is what seems to cause most of the issues in nscd unfortunately. So this leads to the question if removal of nscd is actually feasible. There are already tickets to implement rest of the maps: https://pagure.io/SSSD/sssd/issue/901 https://pagure.io/SSSD/sssd/issue/359 Some of them are already implemented (services, protocols). So far it was not our priority, but perhaps we can allocate some time to work on it so nscd can be removed. But I do not think it is doable for F32. >>> What about WINS/winbind? Sorry, what about it? Are you asking if winbind has support for some sort of nss_files caching or the other way around if sssd can wrap wibind using its cache? The latter. btw I've seen people using nscd mostly with maps that sssd does not support at all, together with nslcd (nss-pam-ldap) We see a lot of nscd bugs related to DNS caching. Thanks, Florian ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
[SSSD] Re: Removing nscd from Fedora
* Jakub Hrozek: > On Thu, Aug 08, 2019 at 09:09:12PM +0200, Florian Weimer wrote: >> We'd like to propose removing nscd from Fedora, for Fedora 32. >> (The goal is to make this change downstream, too.) >> >> Carlos told me that in the past, sssd couldn't do full caching for >> nss_files, and that was still a concern at the time. Has this changed? > > This has not changed. SSSD does not have support for some nss_files-type > maps at all, like networks or hosts, meaning that even if you had those > objects stored in LDAP, SSSD wouldn't even be able to resolve them > (although some friendly Suse developers are adding support for more > maps). > > But even when this is implemented, then the request still has to go from > the client application over a socket to the deamon and back. We'd still > be missing the fast in-memory cache support like we do have for > passwd,group and initgroups. (the memory cache design is described > at > https://docs.pagure.org/SSSD.sssd/developers/mmap_cache_1.15.html#how-does-the-memory-mapped-cache-work) I see. The shared mapping is what seems to cause most of the issues in nscd unfortunately. So this leads to the question if removal of nscd is actually feasible. >> What about WINS/winbind? > > Sorry, what about it? Are you asking if winbind has support for some > sort of nss_files caching or the other way around if sssd can wrap > wibind using its cache? The latter. > btw I've seen people using nscd mostly with maps that sssd does not > support at all, together with nslcd (nss-pam-ldap) We see a lot of nscd bugs related to DNS caching. Thanks, Florian ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
[SSSD] Re: Removing nscd from Fedora
Hi folks, On 8/8/19 9:09 PM, Florian Weimer wrote: We'd like to propose removing nscd from Fedora, for Fedora 32. (The goal is to make this change downstream, too.) I am using nscd for caching hosts lookups, even if sssd is installed. Is sssd capable of taking over this part? Regards Harri ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
[SSSD] Re: Removing nscd from Fedora
On Thu, Aug 08, 2019 at 09:09:12PM +0200, Florian Weimer wrote: > We'd like to propose removing nscd from Fedora, for Fedora 32. > (The goal is to make this change downstream, too.) > > Carlos told me that in the past, sssd couldn't do full caching for > nss_files, and that was still a concern at the time. Has this changed? This has not changed. SSSD does not have support for some nss_files-type maps at all, like networks or hosts, meaning that even if you had those objects stored in LDAP, SSSD wouldn't even be able to resolve them (although some friendly Suse developers are adding support for more maps). But even when this is implemented, then the request still has to go from the client application over a socket to the deamon and back. We'd still be missing the fast in-memory cache support like we do have for passwd,group and initgroups. (the memory cache design is described at https://docs.pagure.org/SSSD.sssd/developers/mmap_cache_1.15.html#how-does-the-memory-mapped-cache-work) > > What about WINS/winbind? Sorry, what about it? Are you asking if winbind has support for some sort of nss_files caching or the other way around if sssd can wrap wibind using its cache? btw I've seen people using nscd mostly with maps that sssd does not support at all, together with nslcd (nss-pam-ldap) ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
