#1354 Add support for terminating idle connections in sssd_nss
Closed: Fixed None Opened 8 years ago by sgoel.

The attached patch adds support for a connection idle timer in sssd_nss which upon firing will check for and terminate idle connections. The motivation for this is to prevent sssd_nss from running out of file descriptors when a large number of long lived processes keep open connections to sssd_nss. The symptom can readily observed by running lsof on sssd_nss and counting the number instances of
/var/lib/sssd/pipes/nss. Without the patch, we found sssd_nss becomes unresponsive on a number of our hosts with long lived connections such as imap servers. We have encountered the problem in both RHEL 5 & 6 running sssd 1.5.1.

The patch adds an idle_timeout parameter to sssd.conf with a default value of zero that preserves the current behavior of not expiring any connections. Expiry is only done when this parameter is set to a value greater than zero.

Please see review comments on https://fedorahosted.org/pipermail/sssd-devel/2012-May/009941.html

Please subscribe there and send updated patches to the sssd-devel list. You can subscribe at https://fedorahosted.org/mailman/listinfo/sssd-devel

Also, it's preferred to have you send git-formatted patches. Please take a look at https://fedorahosted.org/sssd/wiki/DevelTutorials for tips on how to get started.

Thank you very much for your contribution, we just need to massage it a bit before we get it included.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.0 beta 3


Attached are 3 patches which address the concerns raised with our original patch. Please note these patches have only received basic testing so far and are undergoing further validation. The patch breakdown is as follows.

  1. sssd-1.5.1-01-return-correct-errno.patch

This patch fixes a bug where the returned errno value was that of close(2)
instead of the previous operation's.

  1. sssd-1.5.1-02-log-close-error.patch

This patch modifies the client destructor to log a message on close(2) failure.

  1. sssd-1.5.1-03-expire-idle-connections.patch

This is the core idle connection expiry patch. The major change of note is the elimination of
signal mask manipulation to deal with SIGPIPE. We now use send(2) with MSG_NOSIGNAL instead of
write(2) as in the original code to prevent SIGPIPE from being raised. SIGPIPE has to be dealt with
because we found in our testing on RHEL 6 for instance, `crond' would die due to SIGPIPE if we did
not protect against it.

We have also incorporated all your other coding as well as style suggestions in the patch.


Fixed by:
- master
- ffe862e
- 3adb3a4
- 2a97305
- dd94e9c
- bb79e75
- sssd-1-8
- f11c6ce
- 2494f36
- de4ad02
- ce1ce19
- c041c67
- sssd-1-5
- f415f0a
- 0664e45
- fa8ddad
- 9d2b16c
- 2aa1252

owner: somebody => sgallagh
status: new => assigned

Fields changed

milestone: SSSD 1.9.0 beta 5 => SSSD 1.9.0 beta 3
patch: 0 => 1
resolution: => fixed
status: assigned => closed

Metadata Update from @sgoel:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.9.0 beta 3

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2396

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.