Bug 1060227
| Summary: | libcgroup-pam-0.40.rc1-5.el6_5.1 is completely broken | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Pär Lindfors <paran+rhbugzilla> |
| Component: | libcgroup | Assignee: | Jan Chaloupka <jchaloup> |
| Status: | CLOSED ERRATA | QA Contact: | Cui Chun <ccui> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.5 | CC: | agrimm, caguado, ccui, jsafrane, lampe, ovasik, pasteur, riehecky, toracat, twiest, varekova |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-10-14 06:45:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Pär Lindfors
2014-01-31 14:00:32 UTC
As you proposed to change: cgroup_change_cgroup_uid_gid_flags(pwd->pw_uid, pwd->pw_gid, pid, CGFLAG_USECACHE); to cgroup_change_cgroup_uid_gid_flags(pwd->pw_uid, pwd->pw_gid, pid, 0); But I am afraid this returns the performance back to the slow one. Even if right now PAM module is not working. Thomas, have you noticed this behaviour (no process moved to its right group based on cgrules)? Thomas, what rules does the OpenShift use? As Pär Lindfors stated, it is not deamon so the cache is useless. The only possible solution is to replace CGFLAG_USECACHE with 0 and change rules to templates. Or somehow run the pam_module as a daemon. Then the cache is usefull. Andy Grimm knows this situation better than I do. Andy, can you answer Jan's questions in comments 2 and 3 please? The short answer is: correct functionality is 99% more important than performance here. The patch was bad and should be reverted. Longer answer: My thinking was that since sshd is a daemon, it would load the module (and the cache) once, and then logins after the first one would be able to use the cache and thus perform better. There are two problems: 1) the cache is not being initialized, and 2) I think the pam modules are actually loaded separately in each forked sshd[priv] process, in which case there would be no performance benefit, anyway. Also related: our primary concern was on systems with thousands of users/cgroups, and we no longer have systems with this density. So while I'm not happy about the poor performance, it's less of an issue than it had been. If you have ideas on how to optimize the parsing of the cgconfig file (e.g., cache the password entries instead of re-reading /etc/passwd for every row), I would welcome that, but right now the important thing is to make the module functional. >If you have ideas on how to optimize the parsing of the cgconfig file (e.g., >cache the password entries instead of re-reading /etc/passwd for every row), I >would welcome that, but right now the important thing is to make the module >functional.
Decompose cgrules.conf into more files and read only the needed file. Something like cgrules<hashid>.conf. Hash username and use it to find the correct cgrules file. But this is rather pam/sshd specific implementation, not for upstream, only RHEL.
Looking at libcgroup sources there is no template reading. So this won't work:
template test/%u {
cpu {}
}
For the moment, I will turn off the cache as it is not working at the moment.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1480.html |