From Fedora Project Wiki


More flexible use of SSSD fast cache for local users

Summary

Allow to switch SSSD’s fast cache for local users on and off at runtime and do not start it by default anymore.

Owner


Current status

Detailed Description

In Fedora 26 SSSD’s fast cache for local users was introduced by SSSDCacheForLocalUsers. It is currently enabled by default which means that sss is the first module listed for the passwd and group databases in /etc/nsswitch.conf and that the sssd monitor process, the sssd_nss responder and the sssd_be backend process are running by default. Those defaults made sense because at this time changes to /etc/nsswitch.conf required a reboot because long running processes were not aware of the changes because /etc/nsswitch.conf was read only once during the first lookup (it might be sufficient to restart all long running processes but a reboot is typically easier). With glibc version 2.33, available since Fedora 34, /etc/nsswitch.conf will be reread automatically for the next lookup if it was modified (timestamp changed). This allows to enable or disable SSSD’s fast cache for local users and update /etc/nsswitch.conf accordingly at runtime as it e.g. was possible with nscd (nscd is deprecated in Fedora 34 by DeprecateNSCD because SSSD can provide the caching as well, this Change is not in conflict with deprecating nscd since SSSD can still provide the caching of local users and groups but can now also be switched on and off at runtime without potential impacts on local user lookups). Given that SSSD will not be started by default anymore to provide the cached local users it should not be the first entry in /etc/nsswitch.conf anymore. It would even be possible to not have the sss entry in the default /etc/nsswitch.conf and let authselect add it if a SSSD related profile is selected. The following components will be affected by the change:

https://github.com/pbrezina/authselect/commit/cc1d6b15310d8c9616d2ae1c8879baf3ed0f70ab

  • the default order in nsswitch.conf in glibc should be updated so that files is the first.

https://src.fedoraproject.org/rpms/glibc/blob/rawhide/f/glibc-fedora-nsswitch.patch


Benefit to Fedora

With this change fewer processes will run in a default or minimal Fedora installation. The runtime enable and disablement will allow to switch on caching of local users and groups when needed but keep the number of processes small when the benefit would be neglectable. The changes to /etc/nsswitch.conf will be beneficial for environments where the SSSD client libraries are not installed at all as proposed by F35 Change proposal: Smaller Container Base Image.

Scope

  • Proposal owners:

The SSSD maintainers will enable the needed changes to the SSSD packages and create pull-requests for the changes to authselect and the modified default /etc/nsswitch.conf file where the files will be the first entry for the passwd and group maps.

  • Other developers:

authselect and glibc maintainers have to accept the pull-requests for their components.

No action from Release engineering is needed.

  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

Caching of local users and groups by SSSD is not enabled by default anymore and must be enabled manually if needed.


How To Test

SSSD will not be run by default anymore. Caching of local users and groups can be enabled manually if needed as it was with nscd. The manual steps are

   authselect select sssd with-files-domain
   echo -e '[sssd]\nenable_files_domain = True'  > /etc/sssd/conf.d/files_domain.conf
   chmod 600 /etc/sssd/conf.d/files_domain.conf
   systemctl start sssd


User Experience

A default installation will have less running processing since the SSSD components are not running by default anymore.

Dependencies

The glibc maintainers have to accept a pull-request to modify the default /etc/nsswitch.conf file.


Contingency Plan

  • Contingency mechanism: Revert SSSD spec file changes and order changes in /etc/nsswitch.conf
  • Contingency deadline: Fedora 35 beta freeze
  • Blocks release? No


Documentation

Enabling and disabling SSSD's cache for local users and groups with the enable_files_domain option is documented in the sssd.conf man page. The new authselect option will be documented in the authselect runtime documentation.


Release Notes