More flexible use of SSSD fast cache for local users
Summary
Allow switching SSSD's fast cache for local users on and off at runtime, and do not start SSSD by default anymore.
Owner
- Name: Sumit Bose
- Email: sbose@redhat.com
Current status
- Targeted release: Fedora Linux 35
- Last updated: 2021-05-19
- FESCo issue: #2608
- Tracker bug: #1962086
- Release notes tracker: #699
Detailed Description
In Fedora 26 SSSD's fast cache for local users was introduced by SSSDCacheForLocalUsers. It is currently enabled by default, which means that sss is the first module listed for the passwd and group databases in /etc/nsswitch.conf and that the sssd monitor process, the sssd_nss responder and the sssd_be backend process are running by default.

Those defaults made sense at the time because a change to /etc/nsswitch.conf effectively required a reboot: long-running processes read /etc/nsswitch.conf only once, during their first lookup, and did not notice later modifications (restarting all long-running processes would have been sufficient, but a reboot is typically easier).

With glibc version 2.33, available since Fedora 34, /etc/nsswitch.conf is reread automatically for the next lookup if it was modified (timestamp changed). This makes it possible to enable or disable SSSD's fast cache for local users and update /etc/nsswitch.conf accordingly at runtime, as was e.g. possible with nscd. nscd is deprecated in Fedora 34 by DeprecateNSCD because SSSD can provide the caching as well; this Change does not conflict with deprecating nscd, since SSSD can still provide the caching of local users and groups, but it can now also be switched on and off at runtime without impacting local user lookups.

Given that SSSD will no longer be started by default to provide the cached local users, it should no longer be the first entry in /etc/nsswitch.conf. It would even be possible to not have the sss entry in the default /etc/nsswitch.conf at all and let authselect add it when an SSSD related profile is selected.

The following components will be affected by the change:
- the SSSD package will be built without --enable-files-domain, and the service file will be extended so that SSSD is not started if no configuration is present
- --enable-files-domain is already dropped for non-Fedora builds https://src.fedoraproject.org/rpms/sssd/blob/rawhide/f/sssd.spec#_506
- the changes to the service file are already available https://github.com/SSSD/sssd/commit/a25256fe22dd0b976093d15a5c7c73e1dc64bbcc and are already used in non-Fedora builds where --enable-files-domain is not set
- in authselect the sssd profile will get a new feature, e.g. with-files-domain, to set the order in nsswitch.conf at runtime
https://github.com/pbrezina/authselect/commit/cc1d6b15310d8c9616d2ae1c8879baf3ed0f70ab
- the default order in nsswitch.conf in glibc should be updated so that files comes first
https://src.fedoraproject.org/rpms/glibc/blob/rawhide/f/glibc-fedora-nsswitch.patch
Benefit to Fedora
With this change fewer processes will run in a default or minimal Fedora installation. Enabling and disabling at runtime makes it possible to switch on caching of local users and groups when needed, while keeping the number of processes small where the benefit would be negligible. The changes to /etc/nsswitch.conf will also benefit environments where the SSSD client libraries are not installed at all, as proposed by F35 Change proposal: Smaller Container Base Image.
Scope
- Proposal owners:
The SSSD maintainers will enable the needed changes to the SSSD packages and create pull-requests for the changes to authselect and the modified default /etc/nsswitch.conf file where the files will be the first entry for the passwd and group maps.
- Other developers:
authselect and glibc maintainers have to accept the pull-requests for their components.
- Release engineering: No action from Release engineering is needed.
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
Caching of local users and groups by SSSD is not enabled by default anymore and must be enabled manually if needed.
How To Test
SSSD will no longer run by default. Caching of local users and groups can be enabled manually if needed, as it was with nscd. The manual steps are:
authselect select sssd with-files-domain
echo -e '[sssd]\nenable_files_domain = True' > /etc/sssd/conf.d/files_domain.conf
chmod 600 /etc/sssd/conf.d/files_domain.conf
systemctl start sssd
The chmod is required because SSSD refuses to load configuration files that are not owned by root with mode 0600. systemctl start only starts the service for the current boot; use systemctl enable --now sssd to keep the cache enabled across reboots. To switch the cache off again, remove the with-files-domain feature (authselect select sssd), drop or disable the enable_files_domain setting and stop sssd; with glibc 2.33 or later the new /etc/nsswitch.conf order is picked up by running processes on their next lookup without a reboot.
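Added example (not from the Change page, the SSSD project or authselect): a POSIX shell script that checks which source comes first for the passwd and group databases in an nsswitch.conf and whether any sssd.conf fragment in a conf.d directory enables the files domain, so that the two settings can be verified to agree after switching the cache on or off with the steps above. The function names and the state labels (cached, plain, sss-first-without-domain, files-first-with-domain) are this example's own; it runs against constructed sample files in a temporary directory rather than /etc, so it needs no root and no running SSSD.

```shell
#!/bin/sh
# Added example, not part of the Change page or of SSSD/authselect.
# Checks that the nsswitch.conf order and the SSSD files-domain setting
# agree, which is the state this Change expects after a manual switch.

# Print the first NSS source configured for database $1 in file $2
# (e.g. "sss" or "files"). Prints nothing if the database has no entry.
nss_first_source() {
    # drop comments, isolate the colon, then take the first source token
    sed -e 's/#.*//' -e 's/:/ : /' "$2" |
        awk -v db="$1" '$1 == db && $2 == ":" { print $3; exit }'
}

# Return 0 if any *.conf file in directory $1 sets
# enable_files_domain = true (case-insensitive), 1 otherwise.
files_domain_enabled() {
    cat "$1"/*.conf 2>/dev/null |
        sed -e 's/#.*//' |
        grep -iqE '^[[:space:]]*enable_files_domain[[:space:]]*=[[:space:]]*true'
}

# Summarise the state of database $1 given nsswitch file $2 and conf dir $3.
# Labels are this example's own:
#   cached                    sss first and files domain configured
#   plain                     files first and no files domain (new default)
#   sss-first-without-domain  every local lookup is tried via sssd first
#   files-first-with-domain   domain configured but sssd is never consulted first
nss_cache_state() {
    first=$(nss_first_source "$1" "$2")
    if files_domain_enabled "$3"; then domain=yes; else domain=no; fi
    case "$first:$domain" in
        sss:yes)   echo cached ;;
        files:no)  echo plain ;;
        sss:no)    echo sss-first-without-domain ;;
        *:yes)     echo files-first-with-domain ;;
        *)         echo unknown ;;
    esac
}

# Constructed sample data (not a real system): the pre-Change order with the
# conf.d snippet from the How To Test section, so both databases report "cached".
demo=$(mktemp -d)
mkdir "$demo/conf.d"
printf 'passwd:     sss files systemd\ngroup:      sss files systemd\n' > "$demo/nsswitch.conf"
printf '[sssd]\nenable_files_domain = True\n' > "$demo/conf.d/files_domain.conf"
for db in passwd group; do
    printf '%s: %s\n' "$db" "$(nss_cache_state "$db" "$demo/nsswitch.conf" "$demo/conf.d")"
done
rm -rf "$demo"
```

On a real host run it as nss_cache_state passwd /etc/nsswitch.conf /etc/sssd/conf.d (and check /etc/sssd/sssd.conf as well if the option lives there); a sss-first-without-domain result after this Change means the nsswitch.conf order was not updated when SSSD was switched off.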
User Experience
A default installation will have fewer running processes, since the SSSD components are no longer started by default.
Dependencies
The glibc maintainers have to accept a pull-request to modify the default /etc/nsswitch.conf file.
Contingency Plan
- Contingency mechanism: Revert SSSD spec file changes and order changes in /etc/nsswitch.conf
- Contingency deadline: Fedora 35 beta freeze
- Blocks release? No
Documentation
Enabling and disabling SSSD's cache for local users and groups with the enable_files_domain option is documented in the sssd.conf man page. The new authselect option will be documented in the authselect runtime documentation.