Hi, I found following article. and we think we are running into same issue. We are running sssd with RHEL 7.9. I have following questions - 1. Is this issue fixed with RHEL 7.9 ? 2. Is it possible to disable periodic run of purge. We basically dont want to purge in favor of performance improvement. 3. If so what is the downside of it. 4. How do I verify is this is impacting us. I see very high cpu every 3 hours. I thought this may be the cause.
1430415 – ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in
Thanks,Sanjay Agrawal
On Thu, Dec 17, 2020 at 09:53:39PM +0000, Sanjay Agrawal wrote:
Hi, I found following article. and we think we are running into same issue. We are running sssd with RHEL 7.9. I have following questions -
Hi,
- Is this issue fixed with RHEL 7.9 ?
Yes, the issue as described in the bugzilla ticket is fixed.
2. Is it possible to disable periodic run of purge. We basically dont want to purge in favor of performance improvement.
If you have enumeration enabled the purge is not enabled to improve performance but to make sure objects which are deleted on the LDAP server are deleted in SSSD's cache as well. So it is part of the enumeration functionality and cannot be disabled.
In general we do not recommend to enable enumeration only if there are specific reason, e.g. legacy applications. May I ask if you have enumeration enable and if yes, why?
3. If so what is the downside of it.
see above
- How do I verify is this is impacting us. I see very high cpu every 3 hours. I thought this may be the cause.
You can increase the debug_level and inspect the logs covering the time of the high CPU load. For this you can add 'debug_level = 9' to the [domain/...] section, restart SSSD and let it run for a couple of hours. Then remove the 'debug_level' option and restart SSSD to avoid further logging.
bye, Sumit
1430415 – ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in
Thanks,Sanjay Agrawal
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Thanks for the reply.
1. Yes we have enumeration enabled due to legacy applications. 2. If some objects are removed from LDAP/AD server, but they would expire in local persistent cache based on timeout value. What is downside of leaving expired entries in persistent cache besides just space. I am assuming that enumeration look up and lookup of those objects would not return them since they are expired. 3. What is downside if we increase ldap_purge_cache_timeout to a large value, so it does not get run.4. is cleanup_users/cleanup_groups are debug_level 9 entries, which corresponds to this cleanup ? Thanks,Sanjay Agrawal
On Friday, December 18, 2020, 05:08:20 AM EST, Sumit Bose sbose@redhat.com wrote:
On Thu, Dec 17, 2020 at 09:53:39PM +0000, Sanjay Agrawal wrote:
Hi, I found following article. and we think we are running into same issue. We are running sssd with RHEL 7.9. I have following questions -
Hi,
- Is this issue fixed with RHEL 7.9 ?
Yes, the issue as described in the bugzilla ticket is fixed.
2. Is it possible to disable periodic run of purge. We basically dont want to purge in favor of performance improvement.
If you have enumeration enabled the purge is not enabled to improve performance but to make sure objects which are deleted on the LDAP server are deleted in SSSD's cache as well. So it is part of the enumeration functionality and cannot be disabled.
In general we do not recommend to enable enumeration only if there are specific reason, e.g. legacy applications. May I ask if you have enumeration enable and if yes, why?
3. If so what is the downside of it.
see above
4. How do I verify is this is impacting us. I see very high cpu every 3 hours. I thought this may be the cause.
You can increase the debug_level and inspect the logs covering the time of the high CPU load. For this you can add 'debug_level = 9' to the [domain/...] section, restart SSSD and let it run for a couple of hours. Then remove the 'debug_level' option and restart SSSD to avoid further logging.
bye, Sumit
1430415 – ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in
Thanks,Sanjay Agrawal
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
_______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
On Fri, Dec 18, 2020 at 02:51:40PM +0000, Sanjay Agrawal wrote:
Thanks for the reply.
- Yes we have enumeration enabled due to legacy applications.
- If some objects are removed from LDAP/AD server, but they would
expire in local persistent cache based on timeout value. What is downside of leaving expired entries in persistent cache besides just space. I am assuming that enumeration look up and lookup of those objects would not return them since they are expired.
No, expired objects are typically returned to allow offline operation. That's why the purge task is important.
- What is downside if we increase ldap_purge_cache_timeout to a large
value, so it does not get run.
This might be a workaround but I'd suggest to run it at least once a week to delete entries from the cache which are removed on the server (see above).
- is cleanup_users/cleanup_groups are debug_level 9 entries, which
corresponds to this cleanup ?
Yes, those are the functions run by the cleanup task.
bye, Sumit
Thanks,Sanjay Agrawal
On Friday, December 18, 2020, 05:08:20 AM EST, Sumit Bose <sbose@redhat.com> wrote:On Thu, Dec 17, 2020 at 09:53:39PM +0000, Sanjay Agrawal wrote:
Hi, I found following article. and we think we are running into same issue. We are running sssd with RHEL 7.9. I have following questions -
Hi,
- Is this issue fixed with RHEL 7.9 ?
Yes, the issue as described in the bugzilla ticket is fixed.
2. Is it possible to disable periodic run of purge. We basically dont want to purge in favor of performance improvement.
If you have enumeration enabled the purge is not enabled to improve performance but to make sure objects which are deleted on the LDAP server are deleted in SSSD's cache as well. So it is part of the enumeration functionality and cannot be disabled.
In general we do not recommend to enable enumeration only if there are specific reason, e.g. legacy applications. May I ask if you have enumeration enable and if yes, why?
3. If so what is the downside of it.
see above
4. How do I verify is this is impacting us. I see very high cpu every 3 hours. I thought this may be the cause.
You can increase the debug_level and inspect the logs covering the time of the high CPU load. For this you can add 'debug_level = 9' to the [domain/...] section, restart SSSD and let it run for a couple of hours. Then remove the 'debug_level' option and restart SSSD to avoid further logging.
bye, Sumit
1430415 – ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in
Thanks,Sanjay Agrawal
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
sssd-users@lists.fedorahosted.org
-
Sanjay Agrawal -
Sumit Bose