Hi,
even though RHEL-6.4 is still brewing, I think there might be some interest in trying out the 1.9.x series of the SSSD on RHEL-6.3.
So I went ahead and built the SSSD 1.9.2 in a RHEL-6.3 buildroot: http://repos.fedorapeople.org/repos/jhrozek/sssd/epel-6/
The NVR of these test packages will be lower than those in 6.4 to keep the upgrade path clean. The only missing functionality is the PAC responder, which means this SSSD version won't be able to work with an AD domain that is in a trust relationship with an IPA 3.x domain. I had to disable the PAC responder as it requires Kerberos 1.10.
Because some new functionality required tweaking the SELinux policy, you will encounter AVC denials when the new fast cache is accessed. That said, my quick smoke testing went fine and we will be glad to hear test results or bug reports.
Using the repository comes with a warning - this is NOT an official Red Hat supported repository. The packages have NOT gone through formal QA. If it breaks your RHEL-6.3 installation, you get to keep the pieces.
This is the repo configuration I used:
--------------------------
[sssd-1.9-RHEL6.3]
name=SSSD 1.9.x built for latest stable RHEL
baseurl=http://repos.fedorapeople.org/repos/jhrozek/sssd/epel-6/$basearch/
enabled=1
skip_if_unavailable=1
gpgcheck=0

[sssd-1.9-RHEL6.3-source]
name=SSSD 1.9.x built for latest stable RHEL - Source
baseurl=http://repos.fedorapeople.org/repos/jhrozek/sssd/epel-6/SRPMS
enabled=0
skip_if_unavailable=1
gpgcheck=0
--------------------------
Happy testing!
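An added example, not part of the original message or of the SSSD project: a Python check that parses yum .repo text and reports repositories that skip package signature verification or use a non-HTTPS baseurl, run here on the configuration quoted above. The function names and the main_gpgcheck and include_disabled parameters are assumptions of this example.

```python
import configparser

# Constructed sample: the repo file from the message above, one option per line.
SAMPLE_REPO = """\
[sssd-1.9-RHEL6.3]
name=SSSD 1.9.x built for latest stable RHEL
baseurl=http://repos.fedorapeople.org/repos/jhrozek/sssd/epel-6/$basearch/
enabled=1
skip_if_unavailable=1
gpgcheck=0

[sssd-1.9-RHEL6.3-source]
name=SSSD 1.9.x built for latest stable RHEL - Source
baseurl=http://repos.fedorapeople.org/repos/jhrozek/sssd/epel-6/SRPMS
enabled=0
skip_if_unavailable=1
gpgcheck=0
"""

TRUTHY = {"1", "yes", "true"}

def _flag(section, key, default):
    """Read a yum-style boolean option, falling back to `default`."""
    return section.get(key, "1" if default else "0").strip().lower() in TRUTHY

def audit_repo_text(text, main_gpgcheck=False, include_disabled=False):
    """Return {repo_id: [findings]} for repos with weak integrity settings.
    main_gpgcheck (assumed) is the value inherited from [main] in yum.conf."""
    parser = configparser.RawConfigParser(strict=False)  # raw: no % interpolation
    parser.read_string(text)
    report = {}
    for repo_id in parser.sections():
        section = parser[repo_id]
        enabled = _flag(section, "enabled", True)  # yum enables repos by default
        if repo_id == "main" or not (enabled or include_disabled):
            continue
        findings = []
        if not _flag(section, "gpgcheck", main_gpgcheck):
            findings.append("gpgcheck off: package signatures are not verified")
        urls = section.get("baseurl", "").split()  # baseurl may list several URLs
        if any(u.lower().startswith(("http://", "ftp://")) for u in urls):
            findings.append("baseurl is not HTTPS: transport is not integrity-protected")
        if findings:
            report[repo_id] = findings
    return report
```

On a host, pass the contents of each file under /etc/yum.repos.d/ to audit_repo_text.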
Jakub Hrozek <jhrozek@redhat.com> writes:
> even though RHEL-6.4 is still brewing, I think there might be some interest in trying out the 1.9.x series of the SSSD on RHEL-6.3.
> So I went ahead and built the SSSD 1.9.2 in a RHEL-6.3 buildroot: http://repos.fedorapeople.org/repos/jhrozek/sssd/epel-6/
> The NVR of these test packages will be lower than those in 6.4 to keep the upgrade path clean. The only missing functionality is the PAC responder, which means this SSSD version won't be able to work with an AD domain that is in a trust relationship with an IPA 3.x domain. I had to disable the PAC responder as it requires Kerberos 1.10.
> Because some new functionality required tweaking the SELinux policy, you will encounter AVC denials when the new fast cache is accessed. That said, my quick smoke testing went fine and we will be glad to hear test results or bug reports.
Hello Jakub and the SSSD team,
My interest in the 1.9 version is first and foremost the performance enhancements related to large groups. At our site, we have lots of fairly large file groups and a few enormous ones (which we're getting rid of but it takes some time). I installed sssd-1.9 from your test repo on a rhel6.3 VM, ran a couple of quick tests and compared it to an identical VM with the stock sssd-1.8 from rhel6.3. The results are astonishing:
Test 1: time getent group <group with 7k members>
  sssd-1.9.2-1.el6_3.x86_64: 0m1.087s
  sssd-1.8.0-32.el6.x86_64:  0m5.937s
Test 2: time id <member of several large groups>
  sssd-1.9.2-1.el6_3.x86_64: 0m9.669s
  sssd-1.8.0-32.el6.x86_64:  1m28.578s
Both tests were done without a preexisting cache, i.e. 'service sssd stop; rm /var/lib/sss/db/*; service sssd start', then run test. We're using plain LDAP (rfc3207) as id provider and auth provider.
This is a remarkable performance boost, and I can't wait to see an official sssd-1.9 package in rhel6. Thanks for all your hard work and have a nice weekend! :)
PS. Will we see sssd-1.9 in Fedora 17?
Cheers,
On Fri, Oct 19, 2012 at 08:48:56PM +0200, Trond Hasle Amundsen wrote:
> Jakub Hrozek <jhrozek@redhat.com> writes:
> > even though RHEL-6.4 is still brewing, I think there might be some interest in trying out the 1.9.x series of the SSSD on RHEL-6.3.
> > So I went ahead and built the SSSD 1.9.2 in a RHEL-6.3 buildroot: http://repos.fedorapeople.org/repos/jhrozek/sssd/epel-6/
> > The NVR of these test packages will be lower than those in 6.4 to keep the upgrade path clean. The only missing functionality is the PAC responder, which means this SSSD version won't be able to work with an AD domain that is in a trust relationship with an IPA 3.x domain. I had to disable the PAC responder as it requires Kerberos 1.10.
> > Because some new functionality required tweaking the SELinux policy, you will encounter AVC denials when the new fast cache is accessed. That said, my quick smoke testing went fine and we will be glad to hear test results or bug reports.
> Hello Jakub and the SSSD team,
> My interest in the 1.9 version is first and foremost the performance enhancements related to large groups. At our site, we have lots of fairly large file groups and a few enormous ones (which we're getting rid of but it takes some time). I installed sssd-1.9 from your test repo on a rhel6.3 VM, ran a couple of quick tests and compared it to an identical VM with the stock sssd-1.8 from rhel6.3. The results are astonishing:
> Test 1: time getent group <group with 7k members>
>   sssd-1.9.2-1.el6_3.x86_64: 0m1.087s
>   sssd-1.8.0-32.el6.x86_64:  0m5.937s
> Test 2: time id <member of several large groups>
>   sssd-1.9.2-1.el6_3.x86_64: 0m9.669s
>   sssd-1.8.0-32.el6.x86_64:  1m28.578s
> Both tests were done without a preexisting cache, i.e. 'service sssd stop; rm /var/lib/sss/db/*; service sssd start', then run test. We're using plain LDAP (rfc3207) as id provider and auth provider.
> This is a remarkable performance boost, and I can't wait to see an official sssd-1.9 package in rhel6. Thanks for all your hard work and have a nice weekend! :)
This is great to hear, Trond. Thank you for taking the time to test the pre-release packages. I'm glad the performance has improved for you! I believe that the in-memory fast cache would provide an even bigger boost for groups and users that are being accessed regularly.
> PS. Will we see sssd-1.9 in Fedora 17?
Yes, as a matter of fact it might be the time to put 1.9 into updates-testing.
On Thu, Oct 18, 2012 at 11:23:53AM +0200, Jakub Hrozek wrote:
> Hi,
> even though RHEL-6.4 is still brewing, I think there might be some interest in trying out the 1.9.x series of the SSSD on RHEL-6.3.
> So I went ahead and built the SSSD 1.9.2 in a RHEL-6.3 buildroot: http://repos.fedorapeople.org/repos/jhrozek/sssd/epel-6/
> The NVR of these test packages will be lower than those in 6.4 to keep the upgrade path clean. The only missing functionality is the PAC responder, which means this SSSD version won't be able to work with an AD domain that is in a trust relationship with an IPA 3.x domain. I had to disable the PAC responder as it requires Kerberos 1.10.
> Because some new functionality required tweaking the SELinux policy, you will encounter AVC denials when the new fast cache is accessed. That said, my quick smoke testing went fine and we will be glad to hear test results or bug reports.
> Using the repository comes with a warning - this is NOT an official Red Hat supported repository. The packages have NOT gone through formal QA. If it breaks your RHEL-6.3 installation, you get to keep the pieces.
> This is the repo configuration I used:
> [sssd-1.9-RHEL6.3]
> name=SSSD 1.9.x built for latest stable RHEL
> baseurl=http://repos.fedorapeople.org/repos/jhrozek/sssd/epel-6/$basearch/
> enabled=1
> skip_if_unavailable=1
> gpgcheck=0
>
> [sssd-1.9-RHEL6.3-source]
> name=SSSD 1.9.x built for latest stable RHEL - Source
> baseurl=http://repos.fedorapeople.org/repos/jhrozek/sssd/epel-6/SRPMS
> enabled=0
> skip_if_unavailable=1
> gpgcheck=0
> Happy testing!
Hi,
First and foremost I wanted to thank all the users who have submitted their bug reports, test results or any other form of feedback. We've managed to identify several critical bugs in the 1.9.2 release we haven't seen during our testing, in particular related to database upgrade or nested group memberships. Thank you!
I have refreshed the repository with bits that are equivalent to upstream 1.9.3 release and are quite close to what RHEL6.4 would be shipping with.
Because RHEL6.4 is going to ship 1.9.2 + patches, we needed to maintain a clean upgrade path from this repository to 6.4 final. So we chose a quite nonstandard release tag that contains upstream_1_9_3 to make it clear you're running upstream 1.9.3 just with a funny name.
Upgrading from the previous builds in the same repo should be smooth as well.
Fixing the nested group memberships required a little more processing when saving the groups. So I wanted to ask the users who have reported performance enhancements as compared with 1.8 to kindly check if the new packages are still doing well performance-wise.
Using the repository comes with a warning - this is NOT an official Red Hat supported repository. The packages have NOT gone through formal QA. Please proceed with caution.
Happy testing!
On Mon, Dec 10, 2012 at 02:16:50PM +0100, Jakub Hrozek wrote:
> I have refreshed the repository with bits that are equivalent to upstream 1.9.3 release and are quite close to what RHEL6.4 would be shipping with.
I refreshed the repo again, the previous packages I uploaded this morning had a packaging bug that caused the 1.9.2 tarball to be included. I didn't realize at first that the %setup macro looks for %{name}-%{version} by default and I forgot to override that with -n.
I fixed the packages (and verified that it's really 1.9.3 code this time) and uploaded them to the repo. Please upgrade to 1.9.2-5.upstream_1_9_3.el6_3 or later.
Sorry for the inconvenience.
On Mon, Dec 10, 2012 at 05:58:09PM +0100, Jakub Hrozek wrote:
> On Mon, Dec 10, 2012 at 02:16:50PM +0100, Jakub Hrozek wrote:
> > I have refreshed the repository with bits that are equivalent to upstream 1.9.3 release and are quite close to what RHEL6.4 would be shipping with.
> I refreshed the repo again, the previous packages I uploaded this morning had a packaging bug that caused the 1.9.2 tarball to be included. I didn't realize at first that the %setup macro looks for %{name}-%{version} by default and I forgot to override that with -n.
> I fixed the packages (and verified that it's really 1.9.3 code this time) and uploaded them to the repo. Please upgrade to 1.9.2-5.upstream_1_9_3.el6_3 or later.
> Sorry for the inconvenience.
One more refresh - I've built 1.9.2-5.upstream_1_9_3.el6_3 that includes all the fixes since 1.9.3, in particular the memory leaks and nss crash John Hodrien reported and the ldap_sasl_authid regression reported by Ondrej Valousek. We plan on including the additional fixes as per the 1.9.4 milestone in the SSSD Trac.
Once again, thank you very much for testing.
Happy holidays!
sssd-devel@lists.fedorahosted.org