sssd/0057-PROXY-Adding-proxy_max_children-option.patch

From a700cdddcc989d1820cbd71bc9a378772c3f87ed Mon Sep 17 00:00:00 2001
From: Petr Cech <pcech@redhat.com>
Date: Wed, 24 Aug 2016 14:41:09 +0200
Subject: [PATCH 57/79] PROXY: Adding proxy_max_children option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The new option 'proxy_max_children' is applicable
in domain section. Default value is 10.

Resolves:
https://fedorahosted.org/sssd/ticket/3153

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit aef0171e0bdc9a683958d69c7ee984fb10cd5de7)
---
 src/confdb/confdb.h                       |  1 +
 src/config/SSSDConfig/__init__.py.in      |  3 +++
 src/config/cfg_rules.ini                  |  1 +
 src/config/etc/sssd.api.d/sssd-proxy.conf |  1 +
 src/man/sssd.conf.5.xml                   | 16 ++++++++++++++++
 src/providers/proxy/proxy_init.c          | 22 ++++++++++++++++++++--
 6 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 2d650900170d5f2214aa56f00fc749980e53f516..36a2f21a0ff07ac4ae94ffdbb47087de05907505 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -219,6 +219,7 @@
 #define CONFDB_PROXY_LIBNAME "proxy_lib_name"
 #define CONFDB_PROXY_PAM_TARGET "proxy_pam_target"
 #define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
+#define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
 
 /* Secrets Service */
 #define CONFDB_SEC_CONF_ENTRY "config/secrets"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 2027028f7b4e972c7bc0dd5156fd85157ae192f4..0acb751e234ee0c3e6fee332a2ba22f9ac353221 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -429,6 +429,9 @@ option_strings = {
     'default_shell' : _('Default shell, /bin/bash'),
     'base_directory' : _('Base for home directories'),
 
+    # [provider/proxy]
+    'proxy_max_children' : _('The number of preforked proxy children.'),
+
     # [provider/proxy/id]
     'proxy_lib_name' : _('The name of the NSS library to use'),
     'proxy_fast_alias' : _('Whether to look up canonical group name from cache if possible'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 93c10e2b7892027f0ee7a7af096814fb7cac333a..01be0c6e610161b64897e3974cefe1ccdc317fd3 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -305,6 +305,7 @@ option = base_directory
 option = proxy_lib_name
 option = proxy_fast_alias
 option = proxy_pam_target
+option = proxy_max_children
 
 # simple access provider specific options
 option = simple_allow_users
diff --git a/src/config/etc/sssd.api.d/sssd-proxy.conf b/src/config/etc/sssd.api.d/sssd-proxy.conf
index 89a6503f9b84b7eab5fb3b0dd591dea905b43adb..09bf82affcb4263de3abbb67d1d484f6b01a1824 100644
--- a/src/config/etc/sssd.api.d/sssd-proxy.conf
+++ b/src/config/etc/sssd.api.d/sssd-proxy.conf
@@ -1,4 +1,5 @@
 [provider/proxy]
+proxy_max_children = int, None, false
 
 [provider/proxy/id]
 proxy_lib_name = str, None, true
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 6f231b8ab8fc078d83331bb7ef5b980528a30bd6..8b862eb0cef7cb35215c4aba7a77a553f31e47c8 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2482,6 +2482,22 @@ subdomain_inherit = ldap_purge_cache_timeout
                     </listitem>
                 </varlistentry>
 
+                <varlistentry>
+                    <term>proxy_max_children (integer)</term>
+                    <listitem>
+                        <para>
+                            This option specifies the number of pre-forked
+                            proxy children. It is useful for high-load SSSD
+                            environments where sssd may run out of available
+                            child slots, which would cause some issues due to
+                            the requests being queued.
+                        </para>
+                        <para>
+                            Default: 10
+                        </para>
+                    </listitem>
+                </varlistentry>
+
             </variablelist>
         </para>
 
diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c
index 1edf4fd64e54f4f0df7a78a9e56eb232a1d3e948..2241dafb8e21bbc0b904df3fa548c906877a5194 100644
--- a/src/providers/proxy/proxy_init.c
+++ b/src/providers/proxy/proxy_init.c
@@ -29,6 +29,8 @@
 
 #define NSS_FN_NAME "_nss_%s_%s"
 
+#define OPT_MAX_CHILDREN_DEFAULT 10
+
 #define ERROR_INITGR "The '%s' library does not provides the " \
                          "_nss_XXX_initgroups_dyn function!\n" \
                          "initgroups will be slow as it will require " \
@@ -220,6 +222,7 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
     struct proxy_auth_ctx *auth_ctx;
     errno_t ret;
     int hret;
+    int max_children;
 
     auth_ctx = talloc_zero(mem_ctx, struct proxy_auth_ctx);
     if (auth_ctx == NULL) {
@@ -241,8 +244,23 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
     }
 
     /* Set up request hash table */
-    /* FIXME: get max_children from configuration file */
-    auth_ctx->max_children = 10;
+    ret = confdb_get_int(be_ctx->cdb, be_ctx->conf_path,
+                         CONFDB_PROXY_MAX_CHILDREN,
+                         OPT_MAX_CHILDREN_DEFAULT,
+                         &max_children);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "Unable to read confdb [%d]: %s\n", ret, sss_strerror(ret));
+        goto done;
+    }
+
+    if (max_children < 1) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "Option " CONFDB_PROXY_MAX_CHILDREN " must be higher then 0\n");
+        ret = EINVAL;
+        goto done;
+    }
+    auth_ctx->max_children = max_children;
 
     hret = hash_create(auth_ctx->max_children * 2, &auth_ctx->request_table,
                        NULL, NULL);
-- 
2.9.3