Hi,
I'd like to share a single SSS cache database between several nodes. Therefore, I'd like to know whether or not it's safe to simply symlink /var/lib/sss/db to a single/shared network directory?
Best regards, Lukas
On Thu, Dec 04, 2014 at 11:12:00AM +0000, Lukas Koschmieder wrote:
> Hi,
> I'd like to share a single SSS cache database between several nodes. Therefore, I'd like to know whether or not it's safe to simply symlink /var/lib/sss/db to a single/shared network directory?
> Best regards, Lukas
I don't think it is. Even though we use transaction locks around write transactions, various timestamps (time of last enumeration, time of last cleanup, ...) are also stored in the sysdb. These are specific to a particular sssd_be process running on that machine.
What is your use-case? Why do you need this?
This use-case might be better covered in the next upstream release (1.13) where we aim at making SSSD work better in containerized environments, but we still haven't designed the feature well.
On 12/04/2014 06:31 AM, Jakub Hrozek wrote:
> On Thu, Dec 04, 2014 at 11:12:00AM +0000, Lukas Koschmieder wrote:
> > Hi,
> > I'd like to share a single SSS cache database between several nodes. Therefore, I'd like to know whether or not it's safe to simply symlink /var/lib/sss/db to a single/shared network directory?
> > Best regards, Lukas
> I don't think it is. Even though we use transaction locks around write transactions, various timestamps (time of last enumeration, time of last cleanup, ...) are also stored in the sysdb. These are specific to a particular sssd_be process running on that machine.
> What is your use-case? Why do you need this?
> This use-case might be better covered in the next upstream release (1.13) where we aim at making SSSD work better in containerized environments, but we still haven't designed the feature well.
> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Actually, for the container case it is already possible. You can have several containers sharing one SSSD instance running in another container. What is missing is any kind of check that the consuming container is actually a valid container to use this instance of SSSD. There are also some unresolved issues with HBAC in the general case. But if you trust your orchestration and assume that HBAC will use the SSSD host name rather than the host name associated with a consuming container, you can use it even now.
On Thu, 4 Dec 2014 11:12:00 +0000 Lukas Koschmieder <Lukas.Koschmieder@iehk.rwth-aachen.de> wrote:
> Hi,
> I'd like to share a single SSS cache database between several nodes. Therefore, I'd like to know whether or not it's safe to simply symlink /var/lib/sss/db to a single/shared network directory?
> Best regards, Lukas
Our cache uses LDB, based on TDB, which uses fcntl locks for consistency. Most network file systems do not properly handle locks, and when they do they are *extremely* slow.
You'd probably end up with an unusable system or a corrupted cache.
Simo.
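A defender-side probe for Simo's point, added here as an example that is not code from the thread or from SSSD: it holds an fcntl lock on a file in the target directory and forks a child that must be refused the same lock, which is the cross-process behaviour TDB depends on. The path /var/lib/sss/db comes from the thread; the function and probe-file names are my own.

```python
"""Probe whether a directory's filesystem enforces fcntl() locks across processes."""
import fcntl
import os
import tempfile


def _try_nonblocking_lock(path):
    """Return True if an exclusive, non-blocking fcntl lock could be taken."""
    with open(path, "r+b") as fh:
        try:
            fcntl.lockf(fh, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except OSError:  # EAGAIN/EACCES: another process holds the lock
            return False
        return True


def fcntl_locks_enforced(directory=None):
    """Lock a probe file here, fork a child that tries the same lock without
    blocking, and return True only if the child is refused (lock enforced)."""
    directory = directory or tempfile.gettempdir()
    fd, probe = tempfile.mkstemp(prefix="lockprobe-", dir=directory)
    try:
        with os.fdopen(fd, "r+b") as holder:
            holder.write(b"probe")
            holder.flush()
            fcntl.lockf(holder, fcntl.LOCK_EX)  # parent now owns the lock
            pid = os.fork()
            if pid == 0:  # child: 0 = got the lock (bad), 1 = refused, 2 = error
                try:
                    code = 0 if _try_nonblocking_lock(probe) else 1
                except Exception:
                    code = 2
                os._exit(code)  # skip parent's cleanup in the child
            _, status = os.waitpid(pid, 0)
            outcome = os.WEXITSTATUS(status)
            fcntl.lockf(holder, fcntl.LOCK_UN)
    finally:
        os.unlink(probe)
    if outcome == 2:
        raise RuntimeError("child probe failed; see its traceback")
    return outcome == 1


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/sss/db"
    ok = fcntl_locks_enforced(target)
    print(f"{target}: fcntl locks {'enforced' if ok else 'NOT enforced'}")
    sys.exit(0 if ok else 1)
```

Run it with the candidate shared directory as its argument; "NOT enforced" means the lock semantics TDB needs are absent there. A pass only shows locks are honoured, not that they are fast or that the per-host timestamps Jakub mentioned stop being a problem.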