Resolves: upstream#3550 - refresh_expired_interval does not work with netgroups in 1.15

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Fabiano Fidêncio 2018-04-27 21:26:30 +02:00
parent ab53ba849a
commit a7d4f0b3f4
2 changed files with 59 additions and 0 deletions


@ -0,0 +1,56 @@
From d0801ecbac1300978fc864ae394e6ff43dda2781 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 5 Mar 2018 21:00:30 +0100
Subject: [PATCH] NSS: Adjust netgroup setnetgrent cache lifetime if midpoint
refresh is used
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is a minor regression compared to the state of the code before we
converted the responders to cache_req. The NSS responder keeps a has
table of netgroup objects in memory for either the lifetime of the
netgroup, or, in case midpoint refresh is used, up to the midpoint
refresh time. The case with the midpoint refresh was removed in the
cache_req enabled code, which means that even if the netgroup was
updated in the cache with the background refresh task, the object was
never read from cache, but always still returned from the in-memory
enumeration hash.
Resolves:
https://pagure.io/SSSD/sssd/issue/3550
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit f22528922c065f37ca928f95fd86ed2ea79e0d51)
---
src/responder/nss/nss_enum.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c
index da844fbce..031db9f2e 100644
--- a/src/responder/nss/nss_enum.c
+++ b/src/responder/nss/nss_enum.c
@@ -280,7 +280,18 @@ nss_setnetgrent_set_timeout(struct tevent_context *ev,
struct timeval tv;
uint32_t timeout;
- timeout = enum_ctx->result[0]->domain->netgroup_timeout;
+ if (nss_ctx->cache_refresh_percent) {
+ timeout = enum_ctx->result[0]->domain->netgroup_timeout *
+ (nss_ctx->cache_refresh_percent / 100.0);
+ } else {
+ timeout = enum_ctx->result[0]->domain->netgroup_timeout;
+ }
+
+ /* In order to not trash the cache between setnetgrent()/getnetgrent()
+ * calls with too low timeout values, we only allow 10 seconds as
+ * the minimal timeout
+ */
+ if (timeout < 10) timeout = 10;
tv = tevent_timeval_current_ofs(timeout, 0);
te = tevent_add_timer(ev, enum_ctx, tv, nss_setnetgrent_timeout, enum_ctx);
--
2.14.3
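
Review bot: In the new `if (nss_ctx->cache_refresh_percent)` branch, `timeout` is a `uint32_t` but is assigned a floating-point product (`netgroup_timeout * (cache_refresh_percent / 100.0)`), so the value is truncated implicitly on conversion. Integer arithmetic such as `netgroup_timeout * nss_ctx->cache_refresh_percent / 100` would keep the rounding explicit and avoid the round-trip through double. The `if (timeout < 10) timeout = 10;` floor runs after both branches, so it also raises the timeout when midpoint refresh is not configured and `netgroup_timeout` is below 10. The in-memory netgroup object can then outlive the configured cache lifetime, which matters where netgroup membership feeds access decisions. Either restrict the floor to the midpoint branch or document it. A named constant in place of the literal 10 and braces on the one-line `if` would match the braced `if`/`else` just above it, and the comment likely means "thrash" rather than "trash".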


@ -62,6 +62,7 @@ Patch0017: 0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch
Patch0018: 0018-sysdb-custom-completely-replace-old-object-instead-o.patch Patch0018: 0018-sysdb-custom-completely-replace-old-object-instead-o.patch
Patch0019: 0019-SERVER-Tone-down-shutdown-messages-for-socket-activa.patch Patch0019: 0019-SERVER-Tone-down-shutdown-messages-for-socket-activa.patch
Patch0020: 0020-IPA-Qualify-the-externalUser-sudo-attribute.patch Patch0020: 0020-IPA-Qualify-the-externalUser-sudo-attribute.patch
Patch0021: 0021-NSS-Adjust-netgroup-setnetgrent-cache-lifetime-if-mi.patch
Patch0502: 0502-SYSTEMD-Use-capabilities.patch Patch0502: 0502-SYSTEMD-Use-capabilities.patch
Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
@ -1269,6 +1270,8 @@ fi
- Resolves: upstream#3558 - sudo: report error when two rules share cn - Resolves: upstream#3558 - sudo: report error when two rules share cn
- Tone down shutdown messages for socket activated responders - Tone down shutdown messages for socket activated responders
- IPA: Qualify the externalUser sudo attribute - IPA: Qualify the externalUser sudo attribute
- Resolves: upstream#3550 - refresh_expired_interval does not work with
netgrous in 1.15
* Fri Mar 30 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-2 * Fri Mar 30 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-2
- Resolves: upstream#3573 - sssd won't show netgroups with blank domain - Resolves: upstream#3573 - sssd won't show netgroups with blank domain
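
Review bot: The added changelog entry "refresh_expired_interval does not work with netgrous in 1.15" misspells "netgroups". Since the %changelog text ships in the package metadata and is what people search when checking whether upstream#3550 is fixed in a given build, correct it to "netgroups" here.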