Bug 1471808

Summary: ldap_purge_cache_timeout in RHEL7.3 invalidates most of the entries once the cleanup task kicks in
Product: Red Hat Enterprise Linux 7
Reporter: Oneata Mircea Teodor <toneata>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: sssd-qe <sssd-qe>
Severity: high
Priority: high
Version: 7.3
CC: apeddire, atikhono, dmoessne, grajaiya, jhrozek, lslebodn, minyu, mkosek, mzidek, pbrezina, sgadekar, sgoveas, sssd-maint, striker, tscherf
Target Milestone: rc
Keywords: Regression, Reopened, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: sssd-1.14.0-43.el7_3.19
Doc Type: If docs needed, set a value
Clone Of: 1430415
Last Closed: 2020-04-14 14:52:20 UTC
Bug Depends On: 1430415

Description Oneata Mircea Teodor 2017-07-17 13:26:50 UTC
This bug has been copied from bug #1430415 and has been proposed to be backported to 7.3 z-stream (EUS).

Comment 6 Lukas Slebodnik 2017-07-20 10:51:38 UTC
I cannot see patches from ticket https://pagure.io/SSSD/sssd/issue/3369
in 1.14 branch and sssd in rhel7.3 is based on sssd-1.14.x

Please create pull request to upstream 1.14 branch and then we can backport patches to rhel.

Upstream first approach.

Comment 7 Fabiano Fidêncio 2017-07-20 11:03:49 UTC
Patches are there, just waiting for review: https://github.com/SSSD/sssd/pull/329

Comment 8 Lukas Slebodnik 2017-07-20 14:25:36 UTC
sssd-1-14:
* 3c7e9fb3129c3b4398f5e407c5bea99e4e693a52
* 83f0231ce5dcf7bc9c1a43fcc3f79d7af6ab6d1a
* b783fbf7614afb4d9e882a70ac63f560f28b8a29
* 17f4825ff0a77f08e7f761686f8d57206ca025ed
* 7db486af2b45eac0847bcc78c1a23164bacd8d7f
* 70807879c27b217057b0ff0e0890dd4d9e3113a2
* 281ec8da6dd9c93f026e617dc35073dbffb6e0e2
* 8f6b72385150ed2dba3463e13836def7d8a4383b

Comment 9 Jakub Hrozek 2018-11-09 08:59:38 UTC
This was released a long time ago and we don't anticipate a 7.3.z errata, closing

Comment 13 shridhar 2020-04-08 18:03:46 UTC
Tested with following data:
11 ~]# rpm -q sssd
sssd-1.16.5-1.el7.x86_64
[root@qe-blade-11 ~]# cat /etc/sssd/sssd.conf 
[sssd]
config_file_version = 2
sbus_timeout = 30
services = nss, pam
domains = LDAP

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/LDAP]
debug_level = 9
id_provider = ldap
auth_provider = ldap
cache_credentials = TRUE
ldap_uri = ldap://ipaqavmc.idmqe.lab.eng.bos.redhat.com
ldap_search_base = dc=example,dc=com

ldap_schema = rfc2307bis
ldap_group_object_class = groupOfNames
ldap_purge_cache_timeout = 0

enumberate = True
ldap_enumeration_refresh_timeout = 30
ldap_purge_cache_timeout = 60
entry_cache_timeout = 20
11 ~]# systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; systemctl start sssd
[root@qe-blade-11 ~]# ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb 2> /dev/null | tail -5
distinguishedName: name=sudorule1,cn=sudorules,cn=custom,cn=LDAP,cn=sysdb

# returned 9 records
# 9 entries
# 0 referrals
[root@qe-blade-11 ~]# sleep 60
[root@qe-blade-11 ~]# egrep cleanup_user /var/log/sssd/sssd_LDAP.log 
(Wed Apr  8 13:48:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Wed Apr  8 13:48:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Wed Apr  8 13:49:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Wed Apr  8 13:49:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Wed Apr  8 13:50:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Wed Apr  8 13:50:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
[root@qe-blade-11 ~]# sleep 60
[root@qe-blade-11 ~]# egrep cleanup_user /var/log/sssd/sssd_LDAP.log 
(Wed Apr  8 13:48:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Wed Apr  8 13:48:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Wed Apr  8 13:49:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Wed Apr  8 13:49:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Wed Apr  8 13:50:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Wed Apr  8 13:50:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Wed Apr  8 13:51:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Wed Apr  8 13:51:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Wed Apr  8 13:52:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Wed Apr  8 13:52:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
[root@qe-blade-11 ~]# id cachetestuser1
uid=121299(cachetestuser1) gid=10000(Group_1) groups=10000(Group_1),20000(Group_2),110000(Group_11),220000(Group_22),444000(Group_444),333000(Group_333),222000(Group_222),111000(Group_111)
[root@qe-blade-11 ~]# egrep cleanup_user /var/log/sssd/sssd_LDAP.log 
(Wed Apr  8 13:48:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Wed Apr  8 13:48:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Wed Apr  8 13:49:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Wed Apr  8 13:49:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Wed Apr  8 13:50:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Wed Apr  8 13:50:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Wed Apr  8 13:51:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Wed Apr  8 13:51:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Wed Apr  8 13:52:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Wed Apr  8 13:52:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Wed Apr  8 13:53:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Wed Apr  8 13:53:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
[root@qe-blade-11 ~]# 
[root@qe-blade-11 ~]# ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb 2> /dev/null | tail -5
distinguishedName: name=sudorule1,cn=sudorules,cn=custom,cn=LDAP,cn=sysdb

# returned 9 records
# 9 entries
# 0 referrals
Marking verified.

Comment 14 shridhar 2020-04-09 13:40:10 UTC
Tested with following data:
Before update: ~]# rpm -q sssd
sssd-1.14.0-43.el7_3.18.x86_64

After update: ]# rpm -q sssd
sssd-1.14.0-43.el7_3.20.x86_64

repos.d]# cat /etc/sssd/sssd.conf 
[sssd]
config_file_version = 2
sbus_timeout = 30
services = nss, pam
domains = LDAP

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/LDAP]
debug_level = 9
id_provider = ldap
auth_provider = ldap
cache_credentials = TRUE
ldap_uri = ldap://ipaqavmc.idmqe.lab.eng.bos.redhat.com
ldap_search_base = dc=example,dc=com

ldap_schema = rfc2307bis
ldap_group_object_class = groupOfNames
ldap_purge_cache_timeout = 0
enumerate = True
ldap_enumeration_refresh_timeout = 30
ldap_purge_cache_timeout = 60
entry_cache_timeout = 20
[root@ipaqavme yum.repos.d]# systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; systemctl start sssd
[root@ipaqavme yum.repos.d]# sleep 60

yum.repos.d]# egrep cleanup_user /var/log/sssd/sssd_LDAP.log 
(Thu Apr  9 09:23:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Thu Apr  9 09:23:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Thu Apr  9 09:24:54 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Thu Apr  9 09:24:54 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 3 expired user entries!
(Thu Apr  9 09:24:54 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Processing user cachetestuser1@ldap
(Thu Apr  9 09:24:54 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): About to delete user cachetestuser1@ldap
(Thu Apr  9 09:24:54 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Processing user cachetestuser2@ldap
(Thu Apr  9 09:24:54 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): About to delete user cachetestuser2@ldap
(Thu Apr  9 09:24:54 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Processing user cachetestuser3@ldap
(Thu Apr  9 09:24:54 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): About to delete user cachetestuser3@ldap
(Thu Apr  9 09:26:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Thu Apr  9 09:26:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Thu Apr  9 09:27:54 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Thu Apr  9 09:27:54 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 3 expired user entries!
(Thu Apr  9 09:27:54 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Processing user cachetestuser1@ldap
(Thu Apr  9 09:27:54 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): About to delete user cachetestuser1@ldap
yum.repos.d]# yum update sssd
Loaded plugins: auto-update-debuginfo, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
test               | 2.6 kB  00:00:00
test/primary_db    |  26 kB  00:00:00
Resolving Dependencies
--> Running transaction check
---> Package sssd.x86_64 0:1.14.0-43.el7_3.18 will be updated
---> Package sssd.x86_64 0:1.14.0-43.el7_3.20 will be an update

Updated:
  sssd.x86_64 0:1.14.0-43.el7_3.20

Dependency Updated:
  libipa_hbac.x86_64 0:1.14.0-43.el7_3.20      libsss_autofs.x86_64 0:1.14.0-43.el7_3.20    libsss_idmap.x86_64 0:1.14.0-43.el7_3.20        libsss_simpleifp.x86_64 0:1.14.0-43.el7_3.20
  libsss_sudo.x86_64 0:1.14.0-43.el7_3.20      python-sss.x86_64 0:1.14.0-43.el7_3.20       python-sssdconfig.noarch 0:1.14.0-43.el7_3.20   sssd-ad.x86_64 0:1.14.0-43.el7_3.20
  sssd-client.x86_64 0:1.14.0-43.el7_3.20      sssd-common.x86_64 0:1.14.0-43.el7_3.20      sssd-common-pac.x86_64 0:1.14.0-43.el7_3.20     sssd-dbus.x86_64 0:1.14.0-43.el7_3.20
  sssd-ipa.x86_64 0:1.14.0-43.el7_3.20         sssd-krb5.x86_64 0:1.14.0-43.el7_3.20        sssd-krb5-common.x86_64 0:1.14.0-43.el7_3.20    sssd-ldap.x86_64 0:1.14.0-43.el7_3.20
  sssd-proxy.x86_64 0:1.14.0-43.el7_3.20       sssd-tools.x86_64 0:1.14.0-43.el7_3.20

Complete!

# record 15
dn: cn=users,cn=LDAP,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=LDAP,cn=sysdb

# record 16
dn: cn=groups,cn=LDAP,cn=sysdb
cn: Groups
distinguishedName: cn=groups,cn=LDAP,cn=sysdb

# returned 16 records
# 16 entries
# 0 referrals
[root@ipaqavme yum.repos.d]# egrep cleanup_user /var/log/sssd/sssd_LDAP.log 
(Thu Apr  9 09:31:21 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Thu Apr  9 09:31:21 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Thu Apr  9 09:32:51 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Thu Apr  9 09:32:51 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
[root@ipaqavme yum.repos.d]# sleep 60
[root@ipaqavme yum.repos.d]# egrep cleanup_user /var/log/sssd/sssd_LDAP.log 
(Thu Apr  9 09:31:21 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Thu Apr  9 09:31:21 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Thu Apr  9 09:32:51 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Thu Apr  9 09:32:51 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Thu Apr  9 09:34:21 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Thu Apr  9 09:34:21 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
[root@ipaqavme yum.repos.d]# 

Marking verified
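The verification in comments 13 and 14 relies on reading the `cleanup_users` lines of `sssd_LDAP.log` by eye. The following added example, which is not part of this bug report or of SSSD itself, parses that log format into one record per cleanup run and reports any run that actually deleted users; in the enumerated setup used here (refresh every 30 s, purge every 60 s) such a run is the regression this bug tracks. The sample log lines are constructed in the page's format, and the function names are my own.

```python
import re

# Shape of the cleanup_users lines in sssd_<domain>.log at debug_level = 9, e.g.
# "(Thu Apr  9 09:24:54 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 3 expired user entries!"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[cleanup_users\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
FOUND_RE = re.compile(r"Found (?P<n>\d+) expired user entries!")
DELETE_RE = re.compile(r"About to delete user (?P<user>\S+)")


def parse_cleanup_runs(lines):
    """Split cleanup_users lines into runs, one per 'Cache expiration is set to' header.
    Each run is {'ts': str, 'expired': int, 'deleted': [user, ...]}."""
    runs, current = [], None
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a cleanup_users line (other log noise)
        msg = m.group("msg")
        if msg.startswith("Cache expiration is set to"):
            current = {"ts": m.group("ts"), "expired": 0, "deleted": []}
            runs.append(current)
        elif current is not None:
            found = FOUND_RE.search(msg)
            if found:
                current["expired"] = int(found.group("n"))
            deleted = DELETE_RE.search(msg)
            if deleted:
                current["deleted"].append(deleted.group("user"))
    return runs


def purging_runs(runs):
    """Runs that removed users. With enumeration refreshing every entry well inside
    ldap_purge_cache_timeout, a non-empty result means the cleanup task over-purged."""
    return [r for r in runs if r["deleted"]]


# Constructed sample (hypothetical, mirrors the page's format): a clean run, then one
# that expires and deletes two freshly enumerated users.
SAMPLE_LOG = """\
(Thu Apr  9 09:23:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Thu Apr  9 09:23:24 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Thu Apr  9 09:24:54 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Thu Apr  9 09:24:54 2020) [sssd[be[LDAP]]] [cleanup_users] (0x0200): Found 2 expired user entries!
(Thu Apr  9 09:24:54 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Processing user cachetestuser1@ldap
(Thu Apr  9 09:24:54 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): About to delete user cachetestuser1@ldap
(Thu Apr  9 09:24:54 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): Processing user cachetestuser2@ldap
(Thu Apr  9 09:24:54 2020) [sssd[be[LDAP]]] [cleanup_users] (0x4000): About to delete user cachetestuser2@ldap
""".splitlines()

if __name__ == "__main__":
    for run in purging_runs(parse_cleanup_runs(SAMPLE_LOG)):
        print(f"{run['ts']}: deleted {len(run['deleted'])}/{run['expired']} expired users {run['deleted']}")
```

On a real box, feed it `open('/var/log/sssd/sssd_LDAP.log')` instead of `SAMPLE_LOG`; an empty result after the update matches the "Found 0 expired user entries!" runs shown above.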

Comment 16 errata-xmlrpc 2020-04-14 14:52:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1474