On 12/04/2014 06:31 AM, Jakub Hrozek wrote:
On Thu, Dec 04, 2014 at 11:12:00AM +0000, Lukas Koschmieder wrote:
> Hi,
>
> I'd like to share a single SSS cache database between several nodes. Therefore,
> I'd like to know whether or not it's safe to simply symlink /var/lib/sss/db to a
> single/shared network directory?
>
> Best regards,
> Lukas
I don't think it is. Even though we use transaction locks around write
transactions, various timestamps (time of last enumeration, time of
last cleanup, ...) are also stored in the sysdb. These are specific to a
particular sssd_be process running on that machine.
What is your use-case? Why do you need this?
This use-case might be better covered in the next upstream release
(1.13) where we aim at making SSSD work better in containerized
environments, but we still haven't designed the feature well.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Actually for the container case it is already possible.
You can have several containers sharing one SSSD instance running in
another container.
What is missing is any kind of check that the consuming container is
actually a valid container to use this instance of SSSD. There are also
some unresolved issues with HBAC in the general case.
But if you trust your orchestration and assume that HBAC will use the
SSSD host name rather than the host name associated with a consuming
container, you can use it even now.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.