Red Hat Bugzilla – Bug 617623
SSSD suffers from serious performance issues on initgroups calls
Last modified: 2015-01-04 18:43:21 EST
Description of problem: Users who are a member of one or more groups containing large numbers of members end up with unacceptable wait times (or timeouts) performing initgroups calls. Since initgroups calls are always performed on login, this is causing unacceptably long login waits. Version-Release number of selected component (if applicable): sssd-1.2.1-21.el6 How reproducible: Every time Steps to Reproduce: 1. Create 10,000 users in LDAP. 2. Create a group that contains all of these users 3. Attempt to log in as one of these users. Actual results: There is a very long wait time to log in (measured in seconds, if not tens of seconds depending on system I/O performance) Expected results: Login time should be reasonable ( < 5 seconds) Additional info: This is happening because we tried to be too clever with the initgroups calls. When a user logs in, we attempt to completely refresh all entries associated with all groups the user is a member of. This worked fine in our small test environments, but we didn't adequately test this for scalability. Our customers are now doing this for us and are not pleased with the results.
Testers: you can compile and run the following C program and run it with the 'time' command getgroups.c: #include <sys/types.h> #include <unistd.h> #include <grp.h> int main(int argc, char **argv) { initgroups(argv[1], 0); return 0; } Compile and run: gcc -o initgroups.test getgroups.c time ./initgroups.test <username> Prior to this patch, time would have reported 3-5s for users in groups of ~300-500 users. After this patch it will average < 1s. Please test this on users of varying sized groups and numbers of groups.
Setup: 1. Created a group bosgroup with 500 users, Group1 with 5000 users and mumgroup with 10000 users. 2. bos 500 is a member of Group1 and mumgroup. 3. pnq5000 is a member of mumgroup. 4. mum9999 is a member on mumgroup. [root@rhel6snap11 ~]# time ./initgroups.test bos500 real 0m0.173s user 0m0.000s sys 0m0.001s [root@rhel6snap11 ~]# time ./initgroups.test pnq5000 real 0m0.226s user 0m0.001s sys 0m0.000s [root@rhel6snap11 ~]# time ./initgroups.test mum9999 real 0m0.272s user 0m0.000s sys 0m0.001s Verified: sssd-1.2.1-26.el6.
Where can I find the patch used to fix this issue?
(In reply to comment #4) > Where can I find the patch used to fix this issue? http://git.fedorahosted.org/git/?p=sssd.git;a=commit;h=24a5809cbc96d10001535999a292cb26242ad01d However, as is being discussed right now at https://fedorahosted.org/pipermail/sssd-devel/2010-September/004540.html we've discovered that this patch has introduced some issues with group resolution under certain circumstances.
Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.