Bug 972893 - pam_cgroup is slow when cgrules.conf and /etc/passwd are large
pam_cgroup is slow when cgrules.conf and /etc/passwd are large
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libcgroup (Show other bugs)
6.4
Unspecified Unspecified
urgent Severity high
: rc
: ---
Assigned To: Peter Schiffer
Red Hat Kernel QE team
: ZStream
: 973353 (view as bug list)
Depends On:
Blocks: 973353 974471
  Show dependency treegraph
 
Reported: 2013-06-10 14:34 EDT by Andy Grimm
Modified: 2016-11-07 22:47 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, the pam_cgoup PAM module did not use cache. Consequently, when a system had several thousand users and the cgrules.conf file contained several thousand lines of configuration settings, the login time could take several seconds. This was because the libcgroup code read /etc/passwd once for every line in cgrules.conf, unless the CGFLAG_USECACHE flag was used. With this update, the libcgroup code no longer reads the /etc/passwd file once for every line in cgrules.conf, and the login time is no longer affected in the described scenario.
Story Points: ---
Clone Of:
: 973353 (view as bug list)
Environment:
Last Closed: 2013-11-21 17:34:04 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch to use CGFLAG_USECACHE flag (564 bytes, patch)
2013-06-10 14:36 EDT, Andy Grimm
no flags Details | Diff

  None (edit)
Description Andy Grimm 2013-06-10 14:34:45 EDT
Description of problem:

When a system has thousands of users and cgrules.conf has thousands of lines, this can add several seconds to login times.

Version-Release number of selected component (if applicable):

libcgroup-0.37-7.1.el6_4.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Create 5000 users on a system
2. Create one or more lines per user in /etc/cgrules.conf ; for example:

513ac93f500446a08a000091	cpu,cpuacct,memory,net_cls,freezer	/openshift/513ac93f500446a08a000091

3. Add "session    optional     pam_cgroup.so" to /etc/pam.d/sshd


Actual results:

Logins will take several seconds.

Expected results:

Login should take less than one second.

Additional info:

The root cause of this seems to be that the libcgroup code reads /etc/passwd once for every line in cgrules.conf , unless CGFLAG_USECACHE is used.
Comment 1 Andy Grimm 2013-06-10 14:36:04 EDT
Created attachment 759312 [details]
Patch to use CGFLAG_USECACHE flag
Comment 3 Thomas Wiest 2013-06-10 14:55:15 EDT
This is currently affecting OpenShift Online. It would be great if it could be fixed quickly.

Thanks!
Comment 7 Chris Williams 2013-06-11 15:16:45 EDT
*** Bug 973353 has been marked as a duplicate of this bug. ***
Comment 14 Mike Gahagan 2013-09-19 14:35:50 EDT
confirmed this is fixed in  libcgroup-pam-0.40.rc1-3, reproduced with libcgroup-pam-0.37-7.1.el6_4.
Comment 15 errata-xmlrpc 2013-11-21 17:34:04 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1685.html
Comment 16 Pär Lindfors 2014-02-24 16:19:45 EST
FYI: The released errata fix for this bug completely disables all
functionality of pam_cgroup. This makes the reported slow
performance go away, since doing nothing is a very fast
operation.

I have reported this as bug 1060227.


Personally I don't think libcgroup have been designed for the
reported use case. If you have thousands of users you probably
need to avoid having thousands of rules in cgrules.conf, for
example by using templates in that config file.

Note You need to log in before you can comment on or make changes to this bug.