Bug 1900086
| Summary: | Enable file caching by default in opensc configuration | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Jakub Jelen <jjelen> |
| Component: | esc | Assignee: | Jack Magne <jmagne> |
| Status: | CLOSED ERRATA | QA Contact: | PKI QE <bugzilla-pkiqe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 8.4 | CC: | aakkiang, bugzilla-pkiqe, mharmsen, sveerank |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | esc-1.1.2-15.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1892810 | Environment: | |
| Last Closed: | 2021-05-18 15:52:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1892810, 2000626 | | |
| Bug Blocks: | | | |
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (esc bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1873
In RHEL 8.4 we are enabling file caching in the default opensc configuration. ESC ships its own configuration file, so it would be nice to add this to the ESC configuration too, to make use of the performance improvements. The only change needed should be the following:

```diff
--- esc-1.1.2/esc/src/app/opensc.esc.conf.old	2020-11-20 19:45:34.483521216 +0100
+++ esc-1.1.2/esc/src/app/opensc.esc.conf	2020-11-20 19:45:53.200800929 +0100
@@ -94,6 +94,7 @@
     module_path = /usr/lib64;
 }
 framework pkcs15 {
+    use_file_caching = true;
     builtin_emulators = coolkey, cac, cac1, PIV-II;
 }
 }
```

+++ This bug was initially created as a clone of Bug #1892810 +++

Description of problem:
Some PIV cards have very poor performance, taking up to 20 seconds to detect, as reported by customers. This is a combination of a slow Oberthur (PIV Test 4) smart card and a large number of certificates that are read from the card with every detection.

We ran some simple tests to verify that enabling file caching improves the performance significantly for these cards and does not break performance of others with this configuration snippet:

```
framework pkcs15 {
    use_file_caching = true;
    file_cache_dir = /var/cache/opensc/;
}
```

Version-Release number of selected component (if applicable):
all opensc versions

How reproducible:
always

Steps to Reproduce:
1. Insert a PIV Test card 4
2. Run "time pkcs11-tool -L" to show card information

Actual results:
The card detection takes 20 s before the output is shown

Expected results:
The card detection is faster

Additional info:
We need to figure out the best location for this cache, which will be accessible by most of the use cases, where we can count the following use cases:

* Desktop login:
  * sssd_p11_child (the actual use of smart card -- running as privileged user?)
  * gsd-smartcard (gnome side for detection of insert/removal running as local user)
* User processes:
  * firefox
  * esc (uses different configuration - if needed, we need different bug)
  * ssh and other terminal applications (wget, curl ...)

The good thing is that if an application does not have access to write the cache directory, caching is silently skipped, but if the cache is found (it could be read-only), it should work.
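Review bot: the added `use_file_caching = true;` in the `framework pkcs15` block comes without a `file_cache_dir`, so ESC will cache wherever the installed libopensc defaults to; per the discussion below that is the hardcoded "~/.eid/cache" unless the opensc package carries the change from https://github.com/OpenSC/OpenSC/pull/2148 ($XDG_CACHE_HOME with fallback to $HOME/.cache/opensc). Either add an explicit `file_cache_dir = ...;` next to the new line in opensc.esc.conf, or make the esc package require an opensc build that includes that change (and say so in the changelog), so that the ESC cache location does not silently diverge from the one the system opensc.conf ends up using.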
The proposed location /var/cache/opensc/ will probably be writable only for the superuser (the sssd_p11_child process?), but the first process that needs to detect the card is probably gsd-smartcard, which can cause the first login to take a bit longer. This would require a tmpfiles entry for opensc.

Another possibility is using a per-user cache in /run/user/UID/opensc/ or a permanent one in ~/.cache/opensc/ to provide the speedup also for non-root processes. This might help to keep the cache per-user isolated.

The last possibility is updating sssd to pass OpenSC yet another configuration file, but I am afraid that it would cause more trouble than gain.

This might also need tweaking of the selinux policy and labels to make sure processes will have access to the cache.

--- Additional comment from Jakub Jelen on 2020-11-10 15:14:39 CET ---

Update from the ongoing email discussion:

* We need to decide if the cache is supposed to be permanent (under the home dir) or per-boot (under /run/), where the first one should give better performance on the first run after boot, while the second makes troubleshooting of stale caches easier (just reboot).
* opensc does not support any environment variable expansion [1] in the path at this moment, so we are off to use either the hardcoded default "~/.eid/cache" or implement something new.
* Sumit suggested $XDG_CACHE_HOME (~/.cache/) and $XDG_RUNTIME_DIR (/run/user/UID/) with a possible fallback to $HOME/.cache [2] as sensible defaults.

I think the easiest solution would be to set just `use_file_caching = true;` in the shipped configuration file and implement the default location to use `$XDG_CACHE_HOME` with fallback to `$HOME/.cache/opensc` by default, rather than the `~/.eid/cache` as for now. I played around with this and noticed that $XDG_CACHE_HOME is not set at all in my environment (Fedora 32).

I created the following PR to use the new location of the cache: https://github.com/OpenSC/OpenSC/pull/2148

The change for RHEL would also consist of adding the `use_file_caching = true;` to the default configuration file.

[1] https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/ctx.c#L1004
[2] https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
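To try the effect of file caching on one machine, as one user, without editing the packaged opensc.conf or opensc.esc.conf, here is an added shell example. It is not code from this bug, from ESC or from OpenSC. It resolves the cache directory the way the comment above proposes ($XDG_CACHE_HOME/opensc with fallback to $HOME/.cache/opensc, ignoring a relative XDG_CACHE_HOME as the basedir spec requires), makes the "not writable, so caching is silently skipped" case visible instead of silent, writes a throwaway config with the two settings from the snippet in the description, and then repeats the "time pkcs11-tool -L" step from Steps to Reproduce for a cold and a warm run. Assumptions: the installed libopensc honours the OPENSC_CONF environment variable (upstream OpenSC does; verify on your build), pkcs11-tool is on PATH, and the function names are mine.

```shell
#!/bin/sh
# Added example for bug 1900086, not code from the bug, ESC or OpenSC.
# Assumption: libopensc honours OPENSC_CONF (upstream does; check your build).
# Function names (opensc_cache_dir, cache_writable, ...) are this example's own.

# Cache directory as proposed in the discussion: $XDG_CACHE_HOME/opensc with a
# fallback to $HOME/.cache/opensc. The basedir spec says a relative
# XDG_CACHE_HOME is invalid and must be ignored, hence the absolute-path check.
opensc_cache_dir() {
    case "${XDG_CACHE_HOME:-}" in
        /*) printf '%s/opensc\n' "${XDG_CACHE_HOME%/}" ;;
        *)  printf '%s/.cache/opensc\n' "${HOME%/}" ;;
    esac
}

# OpenSC silently runs without the cache when the directory is not writable;
# make that visible. Creates the directory (private to the user, since it will
# hold data read from the card) and returns 1 when caching would be a no-op.
cache_writable() {
    dir=$1
    mkdir -p "$dir" 2>/dev/null || return 1
    chmod 700 "$dir" 2>/dev/null || return 1
    [ -w "$dir" ]
}

# Minimal opensc.conf with the two settings from the snippet in the bug
# description, written to $1 with the cache pointed at $2.
write_cache_conf() {
    conf=$1 dir=$2
    cat > "$conf" <<EOF
app default {
    framework pkcs15 {
        use_file_caching = true;
        file_cache_dir = "$dir";
    }
}
EOF
}

# Reproduces the "time pkcs11-tool -L" step from the bug against the test
# config: the first run fills the cache, the second should be markedly faster
# on a slow PIV card. Needs a reader with the card inserted.
time_detect() {
    conf=$1 dir=$2
    command -v pkcs11-tool >/dev/null 2>&1 || { echo "pkcs11-tool not found" >&2; return 1; }
    OPENSC_CONF=$conf
    export OPENSC_CONF
    for run in cold warm; do
        start=$(date +%s)
        if pkcs11-tool -L >/dev/null 2>&1; then status=ok; else status=failed; fi
        echo "$run run: $(( $(date +%s) - start )) s ($status)"
    done
    echo "cache files in $dir:"
    ls -l "$dir"
}

main() {
    dir=$(opensc_cache_dir)
    if ! cache_writable "$dir"; then
        echo "$dir is not writable: OpenSC would silently skip the cache" >&2
        return 1
    fi
    # mktemp rather than a fixed /tmp name, so another local user cannot
    # pre-create the config file we are about to point OpenSC at
    conf=$(mktemp "${TMPDIR:-/tmp}/opensc-cache.XXXXXX") || return 1
    write_cache_conf "$conf" "$dir"
    echo "using $conf, cache in $dir"
    time_detect "$conf" "$dir"
}

# Runs only when invoked as: sh opensc-cache-test.sh run
case "${1:-}" in run) main ;; esac
```

Run it as the user whose login or browser session is slow (`sh opensc-cache-test.sh run`); a large gap between the cold and warm timings reproduces the improvement described in the bug, while an immediate "not writable" message tells you why a system-wide cache under /var/cache/opensc/ would do nothing for that user's processes.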