https://fedorahosted.org/sssd/ticket/1966 (SSSD failover doesn't work if
the first DNS server in resolv.conf is unavailable).
The problem here is that if the first nameserver in resolv.conf is down,
the resolution is too slow and SSSD will not wait for the result of
ares_search and goes offline. In my case the resolution sometimes took more
than a minute, because all search domains in resolv.conf were searched
inside the ares_search() call using the first (not working) nameserver in
the first place and then with the working nameserver (and before that,
SSSD tried to figure out the domain name from my incorrectly set
hostname, which added more unnecessary DNS lookups).

To avoid this problem, the option dns_discovery_domain must be set
properly, so that only the correct domain is searched, but even that is
not enough, because the default timeout for the DNS resolver operation in
SSSD is too low. This patch raises the default value to 15 seconds
(instead of 5 seconds).

Another option might be to lower the amount of time ares waits for a
nameserver to respond (currently it is 5 seconds, which is why 5 seconds
for the entire DNS resolution is not sufficient), but I do not want to
do this.

These patches also change man pages, so probably master only (string
freeze)? Even if this is a really small change.

I was also thinking, would it make sense to write a warning to the logs
if the dns_discovery_domain option is not set? It seems to be important
to set it properly for cases like this one.

Thanks
Michal
From 1bb9dc2d17ec10c48860578ebec4dbe19cb166e6 Mon Sep 17 00:00:00 2001
From: Michal Zidek <mzi...@redhat.com>
Date: Thu, 4 Jul 2013 13:32:07 +0200
Subject: [PATCH 1/2] Set default DNS resolution timeout to 15 seconds.
Partially solves ticket:
https://fedorahosted.org/sssd/ticket/1966
To avoid the problem mentioned in the ticket above, option
dns_discovery_domain must be set properly.
---
src/providers/data_provider_fo.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/providers/data_provider_fo.c b/src/providers/data_provider_fo.c
index 83294b5..3d1de26 100644
--- a/src/providers/data_provider_fo.c
+++ b/src/providers/data_provider_fo.c
@@ -774,8 +774,8 @@ void be_fo_set_port_status(struct be_ctx *ctx,
/* Resolver back end interface */
static struct dp_option dp_res_default_opts[] = {
{ "lookup_family_order", DP_OPT_STRING, { "ipv4_first" }, NULL_STRING },
- { "dns_resolver_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
- { "dns_resolver_op_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
+ { "dns_resolver_timeout", DP_OPT_NUMBER, { .number = 15 }, NULL_NUMBER },
+ { "dns_resolver_op_timeout", DP_OPT_NUMBER, { .number = 15 }, NULL_NUMBER },
{ "dns_discovery_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
DP_OPTION_TERMINATOR
};
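Review bot: this hunk raises both dns_resolver_timeout and dns_resolver_op_timeout from 5 to 15, but the subject line and cover letter speak of a single "DNS resolution timeout" and the man page patch 2/2 only updates the default shown for dns_resolver_timeout; either say in the commit message that both defaults change and update the documented default of dns_resolver_op_timeout as well, or leave `{ "dns_resolver_op_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },` untouched if only the overall timeout was meant to grow. It is also worth one sentence in the commit message that, with c-ares waiting 5 seconds per unresponsive server, 15 seconds only covers a few search candidates hitting the dead server, so the new default is meant to be used together with dns_discovery_domain rather than as a fix on its own.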
--
1.7.11.2
From 97cf4e830d59ee04c1bd77cb73241d846144c681 Mon Sep 17 00:00:00 2001
From: Michal Zidek <mzi...@redhat.com>
Date: Thu, 4 Jul 2013 14:51:52 +0200
Subject: [PATCH 2/2] MAN: Changed default for dns_resolver_timeout
Changed default value of dns_resolver_timeout
from 5 to 15 seconds.
---
src/man/sssd.conf.5.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 8df2bd9..a8b71ae 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1656,7 +1656,7 @@ override_homedir = /home/%u
offline mode.
</para>
<para>
- Default: 5
+ Default: 15
</para>
</listitem>
</varlistentry>
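Review bot: only the `Default: 5` under dns_resolver_timeout is changed here, while patch 1/2 also changed the code default of dns_resolver_op_timeout to 15; if that option has its own entry in sssd.conf.5.xml, its default needs the same update, otherwise the man page and the code will disagree. Since the changed text is a translatable string, the cover letter's string-freeze concern applies and this should be targeted at master only.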
--
1.7.11.2
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
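The timing argument in the mail above (a dead first nameserver costs the c-ares per-server timeout on every candidate that ares_search() tries, so a whole search list cannot finish within a 5 second resolver timeout) can be made concrete with a small model. The following is an added example, not SSSD or c-ares code; it assumes that c-ares starts every query at the first nameserver, that the first one never answers and the next one answers in about 50 ms, and that setting dns_discovery_domain reduces the lookup to a single candidate. The resolv.conf contents, the `_ldap._tcp` name and the helper names are constructed for the example.

```python
"""Worst-case time model for the resolv.conf failover problem described above.

Added example, not SSSD or c-ares code.  Assumptions (hypothetical model):
  - the first nameserver in resolv.conf never answers, all others do;
  - c-ares starts every query at the first nameserver, so each candidate
    name wastes the per-server timeout before the working server is asked;
  - the working nameserver answers within WORKING_ANSWER_S;
  - with dns_discovery_domain set, SSSD queries exactly one candidate.
"""

ARES_SERVER_TIMEOUT_S = 5.0  # c-ares per-nameserver timeout quoted in the mail
WORKING_ANSWER_S = 0.05      # assumed latency of a healthy nameserver

# Constructed sample resolv.conf: the first nameserver is the dead one.
SAMPLE_RESOLV_CONF = """\
# constructed example, not a real host
nameserver 192.0.2.1
nameserver 192.0.2.2
search corp.example.com example.com lab.example.net
"""


def parse_resolv_conf(text):
    """Return (nameservers, search_domains) parsed from resolv.conf text."""
    nameservers, search = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        if key == "nameserver" and rest:
            nameservers.append(rest)
        elif key in ("search", "domain"):
            search = rest.split()  # last search/domain line wins, as in libc
    return nameservers, search


def search_candidates(name, search_domains, discovery_domain=None):
    """Names a search-style lookup tries for `name`.

    With dns_discovery_domain set only that domain is appended (modelling
    the SSSD option); otherwise the bare name plus one candidate per search
    domain, which is what the mail describes for ares_search().
    """
    if discovery_domain:
        return [f"{name}.{discovery_domain}"]
    if name.endswith("."):  # fully qualified: the search list is not used
        return [name]
    return [name] + [f"{name}.{d}" for d in search_domains]


def worst_case_seconds(candidates, nameservers, first_dead=True):
    """Estimated wall-clock time of one ares_search() under the model.

    Returns None when nothing can answer (the only nameserver is dead).
    """
    if not nameservers or (first_dead and len(nameservers) == 1):
        return None
    wasted = ARES_SERVER_TIMEOUT_S if first_dead else 0.0
    return len(candidates) * (wasted + WORKING_ANSWER_S)


def fits_in(seconds, dns_resolver_timeout):
    """True if the estimate stays below SSSD's dns_resolver_timeout."""
    return seconds is not None and seconds < dns_resolver_timeout


def report(resolv_conf=SAMPLE_RESOLV_CONF, name="_ldap._tcp",
           discovery_domain=None):
    """Return (candidates, seconds, fits_in_5s, fits_in_15s) for one lookup."""
    nameservers, search = parse_resolv_conf(resolv_conf)
    cands = search_candidates(name, search, discovery_domain)
    secs = worst_case_seconds(cands, nameservers)
    return cands, secs, fits_in(secs, 5), fits_in(secs, 15)


if __name__ == "__main__":
    for dd in (None, "corp.example.com"):
        cands, secs, ok5, ok15 = report(discovery_domain=dd)
        print(f"dns_discovery_domain={dd!r}: {len(cands)} candidates, "
              f"~{secs:.2f}s worst case, under 5s: {ok5}, under 15s: {ok15}")
```

With three search domains and no dns_discovery_domain the model gives four candidates and roughly 20 seconds, which exceeds both the old and the new default; with dns_discovery_domain set it is one candidate and roughly 5 seconds, which still does not fit under the old 5 second default but does under 15. That is the combination the mail arrives at: the option must be set and the timeout raised. The model ignores the extra hostname-derived lookups the mail mentions, which only make the real numbers worse.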