Greetings, we run some podman containers that come with their own local users, such as this one: ironic-inspector:x:42461:42461::/var/lib/ironic-inspector:/usr/sbin/nologin
when running a top on the server, top tries to resolve the user name for that id and fails, however there is still a BE_REQ_USER request sent: (2022-12-30 22:42:33): [be[MY.DOMAIN.NET]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][idnumber=42461]
I would hope to get rid of these requests against the domain. unfortunately in MY.DOMAIN.NET there are uids below and above this number, so I cannot rely on the "min_id" parameter to filter users. I would like to know if it is possible to support using user ids in the [nss] filter_users to prevent those user requests to the domain, or if anyone has any other suggestion.
I increased the entry_negative_timeout to reduce the number of queries, but filtering them out entirely would be even better. Thank you!
This is not exactly what you want, but did you consider changing the uid used in the container?
Tomas
On Fri, Dec 30, 2022 at 11:56 PM Francois Rigault < rigault.francois@gmail.com> wrote:
Greetings, we run some podman containers that come with their own local users, such as this one: ironic-inspector:x:42461:42461::/var/lib/ironic-inspector:/usr/sbin/nologin
when running a top on the server, top tries to resolve the user name for that id and fails, however there is still a BE_REQ_USER request sent: (2022-12-30 22:42:33): [be[MY.DOMAIN.NET]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][idnumber=42461]
I would hope to get rid of these requests against the domain. unfortunately in MY.DOMAIN.NET there are uids below and above this number, so I cannot rely on the "min_id" parameter to filter users. I would like to know if it is possible to support using user ids in the [nss] filter_users to prevent those user requests to the domain, or if anyone has any other suggestion.
I increased the entry_negative_timeout to reduce the number of queries, but filtering them out entirely would be even better. Thank you! _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
This is not exactly what you want, but did you consider changing the uid used in the container?
so, we run images that are supported and built by the vendor, who recommend against this (ticket: https://bugzilla.redhat.com/show_bug.cgi?id=1565929#c12).
maybe tools like top should not try to resolve user names for processes running within a user namespace to start with.
I poke around and it should nevertheless be quite straightforward (for a prototype at least) to filter users by uid with something like https://github.com/freedge/sssd/commit/576340edf8e041bd1a17da52880fe84695e25...
Thank you!
On (02/01/23 21:21), François Rigault wrote:
This is not exactly what you want, but did you consider changing the uid used in the container?
so, we run images that are supported and built by the vendor, who recommend against this (ticket: https://bugzilla.redhat.com/show_bug.cgi?id=1565929#c12).
maybe tools like top should not try to resolve user names for processes running within a user namespace to start with.
I poke around and it should nevertheless be quite straightforward (for a prototype at least) to filter users by uid with something like https://github.com/freedge/sssd/commit/576340edf8e041bd1a17da52880fe84695e25...
IMHO the new option `filter_uids` would be a bit more clear approach.
But one might still try to use current features for negative cache of local users.
man sssd.conf -> local_negative_timeout ``` local_negative_timeout (integer) Specifies for how many seconds nss_sss should keep local users and groups in negative cache before trying to look it up in the back end again. Setting the option to 0 disables this feature.
Default: 14400 (4 hours) ```
One just would need to add dummy user with that UID.
LS
Thank you! _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
One just would need to add dummy user with that UID.
note this does not work when using DynamicUser (https://systemd.io/UIDS-GIDS/#special-systemd-uid-ranges)
``` $ systemd-run -p DynamicUser=yes --pipe -- ps -o uid,cmd Running as unit: run-p20670-i20970.service UID CMD 64283 /bin/ps -o uid,cmd
$ grep 64283 /var/log/sssd/sssd_DOM.log (2025-03-22 11:58:38): [be[DOM]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][idnumber=64283] (2025-03-22 11:58:39): [be[DOM]] [dp_get_account_info_send] (0x0200): Got request for [0x2][BE_REQ_GROUP][idnumber=64283] ```
sssd-users@lists.fedorahosted.org
-
Francois Rigault -
François Rigault
-
Lukas Slebodnik -
Tomas Halman