Re: F35 Change: More flexible use of SSSD fast cache for local users (System-Wide Change proposal)

On Mon, May 3, 2021 at 10:48 AM Ben Cotton <bcotton@xxxxxxxxxx> wrote:
>
> https://fedoraproject.org/wiki/Changes/FlexibleLocalUserCache
>
> == Summary ==
> Allow switching SSSD’s fast cache for local users on and off at runtime.
>
> == Owner ==
> * Name: [[User:sbose| Sumit Bose]]
> * Email: sbose@xxxxxxxxxx
>
>
> == Detailed Description ==
> In Fedora 26 SSSD’s fast cache for local users was introduced by
> [[Changes/SSSDCacheForLocalUsers|SSSDCacheForLocalUsers]]. It is
> currently enabled by default which means that ''sss'' is the first
> module listed for the ''passwd'' and ''group'' databases in
> ''/etc/nsswitch.conf'' and that the ''sssd'' monitor process, the
> ''sssd_nss'' responder and the ''sssd_be'' backend process are running
> by default. Those defaults made sense because at that time changes to
> ''/etc/nsswitch.conf'' required a reboot: long-running processes were
> not aware of the changes, since ''/etc/nsswitch.conf'' was read only
> once, during the first lookup (it might be sufficient to restart all
> long-running processes, but a reboot is typically easier).
> With ''glibc'' version 2.33, available since Fedora 34,
> ''/etc/nsswitch.conf'' will be reread automatically for the next
> lookup if it was modified (timestamp changed). This allows enabling
> or disabling SSSD’s fast cache for local users and updating
> ''/etc/nsswitch.conf'' accordingly at runtime, as was e.g. possible
> with ''nscd'' (''nscd'' is deprecated in Fedora 34 by
> [[Changes/DeprecateNSCD|DeprecateNSCD]] because SSSD can provide the
> caching as well, this Change is not in conflict with deprecating
> ''nscd'' since SSSD can still provide the caching of local users and
> groups but can now also be switched on and off at runtime without
> potential impacts on local user lookups).
> Given that SSSD will not be started by default anymore to provide the
> cached local users, it should not be the first entry in
> ''/etc/nsswitch.conf'' anymore. It would even be possible to not have
> the ''sss'' entry in the default ''/etc/nsswitch.conf'' and let
> ''authselect'' add it if a SSSD related profile is selected.
> The following components will be affected by the change:
> * the SSSD package will be built without the ''--enable-files-domain''
> and the service file will be extended so that SSSD will not be started
> if no configuration is present
> ** ''--enable-files-domain'' is already dropped for non-Fedora builds
> https://src.fedoraproject.org/rpms/sssd/blob/rawhide/f/sssd.spec#_506
> ** changes to the service file are already available
> https://github.com/SSSD/sssd/commit/a25256fe22dd0b976093d15a5c7c73e1dc64bbcc
> and are added already on non-Fedora build where
> ''--enable-files-domain'' is not set
> * in ''authselect'' the ''sssd'' profile will have a new feature, e.g.
> ''with-files-domain'' to set the order in ''nsswitch.conf'' at runtime
> https://github.com/pbrezina/authselect/commit/cc1d6b15310d8c9616d2ae1c8879baf3ed0f70ab
> * the default order in ''nsswitch.conf'' in glibc should be updated so
> that ''files'' is the first.
> https://src.fedoraproject.org/rpms/glibc/blob/rawhide/f/glibc-fedora-nsswitch.patch
>
>
> == Benefit to Fedora ==
> With this change fewer processes will run in a default or minimal
> Fedora installation. Runtime enabling and disabling will allow
> switching on caching of local users and groups when needed while
> keeping the number of processes small when the benefit would be negligible.
> The changes to ''/etc/nsswitch.conf'' will be beneficial for
> environments where the SSSD client libraries are not installed at all
> as proposed by F35 Change proposal:
> [[Changes/SmallerContainerBase|Smaller Container Base Image]].
>
> == Scope ==
> * Proposal owners: The SSSD maintainers will enable the needed changes
> to the SSSD packages and create pull-requests for the changes to
> ''authselect'' and the modified default ''/etc/nsswitch.conf'' file.
> * Other developers: ''authselect'' and ''glibc'' maintainers have to
> accept the pull-requests for their components.
> * Release engineering: No action from Release engineering is needed.
> * Policies and guidelines: N/A (not needed for this Change)
> * Trademark approval: N/A (not needed for this Change)
> * Alignment with Objectives:
>
>
> == Upgrade/compatibility impact ==
> Caching of local users and groups by SSSD is not enabled by default
> anymore and must be enabled manually if needed.
>
>
> == How To Test ==
> SSSD will not be run by default anymore. Caching of local users and
> groups can be enabled manually if needed as it was with ''nscd''. The
> manual steps are
>
>     authselect select sssd with-files-domain
>     echo -e '[sssd]\nenable_files_domain = True' > /etc/sssd/conf.d/files_domain.conf
>     chmod 600 /etc/sssd/conf.d/files_domain.conf
>     systemctl start sssd
>
>
>
> == User Experience ==
> A default installation will have fewer running processes since the
> SSSD components are not running by default anymore.
>
> == Dependencies ==
> The ''glibc'' maintainers have to accept a pull-request to modify the
> default ''/etc/nsswitch.conf'' file.
>
>
>
> == Contingency Plan ==
> * Contingency mechanism: Revert SSSD spec file changes and order
> changes in ''/etc/nsswitch.conf''
>
> * Contingency deadline: beta freeze
> * Blocks release? No
>
>
> == Documentation ==
> N/A
>

We rely on SSSD for our enterprise login features in both GNOME and
KDE Plasma. If SSSD isn't running by default and glibc's nsswitch
doesn't go to it anymore, how is this going to work? The desktops
can't modify these files and reach in to configure system services.



-- 
真実はいつも一つ!/ Always, there's only one truth!
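The quoted How To Test steps and the reply's question about who controls these files both come down to the state of ''/etc/nsswitch.conf'' and the SSSD drop-in. The following shell script is an added example, not code from the proposal, SSSD or authselect; it assumes the paths and settings named in the steps and reports whether the local-user cache is consistently wired in, using constructed sample files so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the proposal, SSSD or authselect: inspect the two
# files the Change touches and report whether SSSD's fast cache for local
# users is consistently enabled, disabled, or only half-configured.
# Paths are parameters so the checks also run offline against constructed copies.

# First module listed for a database (passwd or group) in an nsswitch.conf.
first_nss_module() {   # $1 database  $2 nsswitch.conf path
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 | awk '{print $1}'
}

# 0 if the drop-in exists and sets enable_files_domain = True.
files_domain_enabled() {   # $1 files_domain.conf path
    [ -f "$1" ] && grep -Eiq '^[[:space:]]*enable_files_domain[[:space:]]*=[[:space:]]*true' "$1"
}

# 0 if the drop-in is readable only by its owner, as the chmod 600 step intends.
drop_in_mode_ok() {   # $1 files_domain.conf path
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# enabled:      sss is first for passwd and group AND the drop-in enables it
# disabled:     neither is the case (plain files lookups, no SSSD processes)
# inconsistent: anything else, e.g. sss listed first while SSSD has no config
local_user_cache_state() {   # $1 nsswitch.conf  $2 files_domain.conf
    nss_first=0
    [ "$(first_nss_module passwd "$1")" = sss ] &&
        [ "$(first_nss_module group "$1")" = sss ] && nss_first=1
    cfg=0
    files_domain_enabled "$2" && cfg=1
    case "$nss_first$cfg" in
        11) echo enabled ;;
        00) echo disabled ;;
        *)  echo inconsistent ;;
    esac
}

# Constructed sample files (not real system state) for an offline run.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf 'passwd: sss files systemd\ngroup:  sss files systemd\n' > "$TMP/nss_sss_first"
printf '# comment\npasswd: files sss systemd\ngroup:  files sss systemd\n' > "$TMP/nss_files_first"
printf '[sssd]\nenable_files_domain = True\n' > "$TMP/files_domain.conf"
chmod 600 "$TMP/files_domain.conf"
local_user_cache_state "$TMP/nss_sss_first"   "$TMP/files_domain.conf"   # enabled
local_user_cache_state "$TMP/nss_files_first" "$TMP/missing.conf"        # disabled
local_user_cache_state "$TMP/nss_sss_first"   "$TMP/missing.conf"        # inconsistent
```

Run against the real paths (/etc/nsswitch.conf and /etc/sssd/conf.d/files_domain.conf) to see which of the three states a host is actually in after toggling the feature.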
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx