-rw-r--r-- | server/confdb/confdb.h | 2 | ||||
-rw-r--r-- | server/config/etc/sssd.api.conf | 2 | ||||
-rw-r--r-- | server/man/sssd.conf.5.xml | 27 | ||||
-rw-r--r-- | server/responder/nss/nsssrv.c | 11 | ||||
-rw-r--r-- | server/responder/nss/nsssrv.h | 2 | ||||
-rw-r--r-- | server/responder/nss/nsssrv_cmd.c | 20 |
6 files changed, 49 insertions, 15 deletions
diff --git a/server/confdb/confdb.h b/server/confdb/confdb.h index 8729aad3..ef8a787c 100644 --- a/server/confdb/confdb.h +++ b/server/confdb/confdb.h @@ -55,7 +55,7 @@ /* NSS */ #define CONFDB_NSS_CONF_ENTRY "config/nss" #define CONFDB_NSS_ENUM_CACHE_TIMEOUT "enum_cache_timeout" -#define CONFDB_NSS_ENTRY_CACHE_NOWAIT_TIMEOUT "entry_cache_nowait_timeout" +#define CONFDB_NSS_ENTRY_CACHE_NOWAIT_PERCENTAGE "entry_cache_nowait_percentage" #define CONFDB_NSS_ENTRY_NEG_TIMEOUT "entry_negative_timeout" #define CONFDB_NSS_FILTER_USERS_IN_GROUPS "filter_users_in_groups" #define CONFDB_NSS_FILTER_USERS "filter_users" diff --git a/server/config/etc/sssd.api.conf b/server/config/etc/sssd.api.conf index 8177a77e..e8b266bd 100644 --- a/server/config/etc/sssd.api.conf +++ b/server/config/etc/sssd.api.conf @@ -21,7 +21,7 @@ full_name_format = str, None [nss] # Name service enum_cache_timeout = int, None -entry_cache_no_wait_timeout = int, None +entry_cache_no_wait_percentage = int, None entry_negative_timeout = int, None filter_users = list, str, root filter_groups = list, str, root diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml index 42bda484..c928f0ba 100644 --- a/server/man/sssd.conf.5.xml +++ b/server/man/sssd.conf.5.xml 
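Review bot: The schema line added to sssd.api.conf is spelled `entry_cache_no_wait_percentage`, but the key the NSS responder reads is `entry_cache_nowait_percentage` (CONFDB_NSS_ENTRY_CACHE_NOWAIT_PERCENTAGE in confdb.h, and the term documented in sssd.conf.5.xml). If sssd.api.conf is what configuration tooling validates option names against, the documented option would presumably be flagged as unknown while the accepted spelling is never read, leaving the refresh feature silently at its default of 0. The line should read `entry_cache_nowait_percentage = int, None`. The old `_timeout` name had the same mismatch, so this commit carries it over rather than introducing it.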
@@ -257,12 +257,31 @@ </listitem> </varlistentry> <varlistentry> - <term>entry_cache_nowait_timeout (integer)</term> + <term>entry_cache_nowait_percentage (integer)</term> <listitem> <para> - How long should nss_sss return cached entries before - initiating an out-of-band cache refresh (0 disables - this feature) + The entry cache can be set to automatically update + entries in the background if they are requested + beyond a percentage of the entry_cache_timeout + value for the domain. + </para> + <para> + For example, if the domain's entry_cache_timeout + is set to 30s and entry_cache_nowait_percentage is + set to 50 (percent), entries that come in after 15 + seconds past the last cache update will be + returned immediately, but the SSSD will go and + update the cache on its own, so that future + requests will not need to block waiting for a + cache update. + </para> + <para> + Valid values for this option are 0-99 and + represent a percentage of the entry_cache_timeout + for each domain. For performance reasons, this + percentage will never reduce the nowait timeout to + less than 10 seconds. + (0 disables this feature) </para> <para> Default: 0 diff --git a/server/responder/nss/nsssrv.c b/server/responder/nss/nsssrv.c index 272cd38b..dad1c7c1 100644 --- a/server/responder/nss/nsssrv.c +++ b/server/responder/nss/nsssrv.c 
@@ -103,13 +103,14 @@ static int nss_get_config(struct nss_ctx *nctx, ret = confdb_get_int(cdb, nctx, CONFDB_NSS_CONF_ENTRY, - CONFDB_NSS_ENTRY_CACHE_NOWAIT_TIMEOUT, 0, - &nctx->cache_refresh_timeout); + CONFDB_NSS_ENTRY_CACHE_NOWAIT_PERCENTAGE, 0, + &nctx->cache_refresh_percent); if (ret != EOK) goto done; - if (nctx->cache_refresh_timeout < 0) { - DEBUG(0,("Configuration error: EntryCacheNoWaitRefreshTimeout is" + if (nctx->cache_refresh_percent < 0 || + nctx->cache_refresh_percent > 99) { + DEBUG(0,("Configuration error: entry_cache_nowait_percentage is" "invalid. Disabling feature.\n")); - nctx->cache_refresh_timeout = 0; + nctx->cache_refresh_percent = 0; } ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY, diff --git a/server/responder/nss/nsssrv.h b/server/responder/nss/nsssrv.h index 0c2ea487..464481d7 100644 --- a/server/responder/nss/nsssrv.h +++ b/server/responder/nss/nsssrv.h @@ -47,7 +47,7 @@ struct nss_ctx { int neg_timeout; struct nss_nc_ctx *ncache; - int cache_refresh_timeout; + int cache_refresh_percent; int enum_cache_timeout; time_t last_user_enum; diff --git a/server/responder/nss/nsssrv_cmd.c b/server/responder/nss/nsssrv_cmd.c index 3d4226fb..8f4f5db8 100644 --- a/server/responder/nss/nsssrv_cmd.c +++ b/server/responder/nss/nsssrv_cmd.c @@ -278,10 +278,10 @@ static errno_t check_cache(struct nss_dom_ctx *dctx, { errno_t ret; int timeout; - int refresh_timeout; time_t now; uint64_t lastUpdate; uint64_t cacheExpire; + uint64_t midpoint_refresh; struct nss_cmd_ctx *cmdctx = dctx->cmdctx; struct cli_ctx *cctx = cmdctx->cctx; bool call_provider = false; 
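Review bot: In the nsssrv.c hunk, the adjacent string literals in the rewritten DEBUG call concatenate without a space, so the message logs as "entry_cache_nowait_percentage isinvalid." The added line ends in `is"` and the unchanged continuation starts with `"invalid`. Add the trailing space on the new line: `DEBUG(0,("Configuration error: entry_cache_nowait_percentage is "`. This message is the only signal an administrator gets that an out-of-range value has disabled background refresh, so it should be easy to search for. The body of nss_get_config starts and ends outside the hunk.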
@@ -298,13 +298,26 @@ static errno_t check_cache(struct nss_dom_ctx *dctx, } else if ((req_type == SSS_DP_GROUP) || ((req_type == SSS_DP_USER) && (res->count == 1))) { - refresh_timeout = nctx->cache_refresh_timeout; now = time(NULL); lastUpdate = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_LAST_UPDATE, 0); cacheExpire = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_CACHE_EXPIRE, 0); + + midpoint_refresh = 0; + if(nctx->cache_refresh_percent) { + midpoint_refresh = lastUpdate + + (cacheExpire - lastUpdate)*nctx->cache_refresh_percent/100; + if (midpoint_refresh - lastUpdate < 10) { + /* If the percentage results in an expiration + * less than ten seconds after the lastUpdate time, + * that's too often we will simply set it to 10s + */ + midpoint_refresh = lastUpdate+10; + } + } + if (cacheExpire < now) { /* This is a cache miss. We need to get the updated user * information before returning it. @@ -312,11 +325,12 @@ static errno_t check_cache(struct nss_dom_ctx *dctx, call_provider = true; cb = callback; } - else if (refresh_timeout && (lastUpdate + refresh_timeout < now)) { + else if (midpoint_refresh && midpoint_refresh < now) { /* We're past the the cache refresh timeout * We'll return the value from the cache, but we'll also * queue the cache entry for update out-of-band. */ + DEBUG(6, ("Performing midpoint cache update on [%s]\n", opt_name)); call_provider = true; cb = NULL; } |
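Review bot: The midpoint computation does `cacheExpire - lastUpdate` in uint64_t without checking that the expiry is later than the last update. Both values come from `ldb_msg_find_attr_as_uint64(..., 0)`, so a missing or inconsistent attribute, or a clock stepped backwards, can make the subtraction wrap. The multiplication by the percentage then yields a meaningless `midpoint_refresh`. When `cacheExpire < now` the cache-miss branch hides this, but an entry with `now <= cacheExpire < lastUpdate` would reach the `midpoint_refresh < now` comparison with a garbage value. Guard the block on a sane interval: `if (nctx->cache_refresh_percent && cacheExpire > lastUpdate) {`. A short comment that the 10-second floor only takes effect when the entry's lifetime exceeds 10 seconds would also help. The enclosing if/else chain in check_cache starts before this hunk.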
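Review bot: In the last nsssrv_cmd.c hunk, the new `DEBUG(6, ...)` passes `opt_name` to `%s` unconditionally. The parameter list of check_cache is outside the hunk, so this needs confirming, but if the function is also called for id-based lookups with a NULL name, formatting a NULL pointer with `%s` is undefined behaviour. A guarded form is safe either way: `DEBUG(6, ("Performing midpoint cache update on [%s]\n", opt_name ? opt_name : "(null)"));`. While touching the comment above it, "the the" can be fixed too.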