5:12 a.m.
Hi,
I'd like to share a single SSS cache database between several node. Therefore, I'd
like to know whether or not it's safe to simply symlink /var/lib/sss/db to a
single/shared network directory?
Best regards,
Lukas
5:31 a.m.
On Thu, Dec 04, 2014 at 11:12:00AM +0000, Lukas Koschmieder wrote:
Hi,
I'd like to share a single SSS cache database between several node. Therefore,
I'd like to know whether or not it's safe to simply symlink /var/lib/sss/db to a
single/shared network directory?
Best regards,
Lukas
I don't think it is. Even though we use transaction locks around write
transactions, also various timestamps (time of last enumeration, time of
last cleanup, ...) are stored in the sysdb. These are specific to a
particular sssd_be process running on that machine.
What is your use-case? Why do you need this?
This use-case might be better covered in the next upstream release
(1.13) where we aim at making SSSD work better in containerized
environments, but we still haven't designed the feature well.
9:03 a.m.
On 12/04/2014 06:31 AM, Jakub Hrozek wrote:
On Thu, Dec 04, 2014 at 11:12:00AM +0000, Lukas Koschmieder wrote:
> Hi,
>
> I'd like to share a single SSS cache database between several node. Therefore,
I'd like to know whether or not it's safe to simply symlink /var/lib/sss/db to a
single/shared network directory?
>
> Best regards,
> Lukas
I don't think it is. Even though we use transaction locks around write
transactions, also various timestamps (time of last enumeration, time of
last cleanup, ...) are stored in the sysdb. These are specific to a
particular sssd_be process running on that machine.
What is your use-case? Why do you need this?
This use-case might be better covered in the next upstream release
(1.13) where we aim at making SSSD work better in containerized
environments, but we still haven't designed the feature well.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Actually for the
container case it is already possible.
You can have several containers sharing one SSSD instance running in
another container.
What is missing is any kind of checks that the consuming container is
actually a valid container to use this instance of SSSD. There are also
some unresolved issues with HBAC in general case.
But if you trust your orchestration and assume that HBAC will use the
SSSD host name rather than host name associated with a consuming
container you can use it even now.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
10:04 a.m.
On Thu, 4 Dec 2014 11:12:00 +0000
Lukas Koschmieder <Lukas.Koschmieder(a)iehk.rwth-aachen.de> wrote:
Hi,
I'd like to share a single SSS cache database between several node.
Therefore, I'd like to know whether or not it's safe to simply
symlink /var/lib/sss/db to a single/shared network directory? Best
regards, Lukas
Our cache, use LDB, based on TDB, which uses fcntl locks for
consistency. Most network file systems do not properly handle locks,
and when they do they are *extremely* slow.
You'd probably end up with an unusable system or a corrupted cache.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
3428
days inactive
3428
days old
sssd-users@lists.fedorahosted.org
3 comments
4 participants
participants (4)
-
Dmitri Pal -
Jakub Hrozek -
Lukas Koschmieder -
Simo Sorce