Bug 972893

Summary: pam_cgroup is slow when cgrules.conf and /etc/passwd are large
Product: Red Hat Enterprise Linux 6 Reporter: Andy Grimm <agrimm>
Component: libcgroupAssignee: Peter Schiffer <pschiffe>
Status: CLOSED ERRATA QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: high Docs Contact:
Priority: urgent    
Version: 6.4CC: jeder, jgoulding, jkurik, jsafrane, jwest, mfisher, mmahut, paran+rhbugzilla, twiest, varekova, wduffee
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Previously, the pam_cgoup PAM module did not use cache. Consequently, when a system had several thousand users and the cgrules.conf file contained several thousand lines of configuration settings, the login time could take several seconds. This was because the libcgroup code read /etc/passwd once for every line in cgrules.conf, unless the CGFLAG_USECACHE flag was used. With this update, the libcgroup code no longer reads the /etc/passwd file once for every line in cgrules.conf, and the login time is no longer affected in the described scenario.
 Story Points: ---
Clone Of:
: 973353 (view as bug list) Environment:
Last Closed: 2013-11-21 22:34:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 973353, 974471    
Attachments:
Description Flags
Patch to use CGFLAG_USECACHE flag none

Description Andy Grimm 2013-06-10 18:34:45 UTC 
Description of problem:

When a system has thousands of users and cgrules.conf has thousands of lines, this can add several seconds to login times.

Version-Release number of selected component (if applicable):

libcgroup-0.37-7.1.el6_4.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Create 5000 users on a system
2. Create one or more lines per user in /etc/cgrules.conf ; for example:

513ac93f500446a08a000091	cpu,cpuacct,memory,net_cls,freezer	/openshift/513ac93f500446a08a000091

3. Add "session    optional     pam_cgroup.so" to /etc/pam.d/sshd


Actual results:

Logins will take several seconds.

Expected results:

Login should take less than one second.

Additional info:

The root cause of this seems to be that the libcgroup code reads /etc/passwd once for every line in cgrules.conf , unless CGFLAG_USECACHE is used.
Comment 1 Andy Grimm 2013-06-10 18:36:04 UTC 
Created attachment 759312 [details]
Patch to use CGFLAG_USECACHE flag
Comment 3 Thomas Wiest 2013-06-10 18:55:15 UTC 
This is currently affecting OpenShift Online. It would be great if it could be fixed quickly.

Thanks!
Comment 7 Chris Williams 2013-06-11 19:16:45 UTC 
*** Bug 973353 has been marked as a duplicate of this bug. ***
Comment 14 Mike Gahagan 2013-09-19 18:35:50 UTC 
confirmed this is fixed in  libcgroup-pam-0.40.rc1-3, reproduced with libcgroup-pam-0.37-7.1.el6_4.
Comment 15 errata-xmlrpc 2013-11-21 22:34:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1685.html
Comment 16 Pär Lindfors 2014-02-24 21:19:45 UTC 
FYI: The released errata fix for this bug completely disables all
functionality of pam_cgroup. This makes the reported slow
performance go away, since doing nothing is a very fast
operation.

I have reported this as bug 1060227.


Personally I don't think libcgroup have been designed for the
reported use case. If you have thousands of users you probably
need to avoid having thousands of rules in cgrules.conf, for
example by using templates in that config file.