Red Hat Bugzilla – Bug 972893
pam_cgroup is slow when cgrules.conf and /etc/passwd are large
Last modified: 2016-11-07 22:47:00 EST
Description of problem:
When a system has thousands of users and cgrules.conf has thousands of lines, this can add several seconds to login times.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create 5000 users on a system
2. Create one or more lines per user in /etc/cgrules.conf ; for example:
513ac93f500446a08a000091 cpu,cpuacct,memory,net_cls,freezer /openshift/513ac93f500446a08a000091
3. Add "session optional pam_cgroup.so" to /etc/pam.d/sshd
Logins will take several seconds.
Login should take less than one second.
The root cause of this seems to be that the libcgroup code reads /etc/passwd once for every line in cgrules.conf , unless CGFLAG_USECACHE is used.
Created attachment 759312 [details]
Patch to use CGFLAG_USECACHE flag
This is currently affecting OpenShift Online. It would be great if it could be fixed quickly.
*** Bug 973353 has been marked as a duplicate of this bug. ***
confirmed this is fixed in libcgroup-pam-0.40.rc1-3, reproduced with libcgroup-pam-0.37-7.1.el6_4.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
FYI: The released errata fix for this bug completely disables all
functionality of pam_cgroup. This makes the reported slow
performance go away, since doing nothing is a very fast
I have reported this as bug 1060227.
Personally I don't think libcgroup have been designed for the
reported use case. If you have thousands of users you probably
need to avoid having thousands of rules in cgrules.conf, for
example by using templates in that config file.