#4002 NSS responder should clear negative cache alongside with memcache
Closed: cloned-to-github a year ago by pbrezina. Opened 2 years ago by atikhonov.

Currently NSS responder doesn't clear negative cache as the result of SIGHUP signal sent from 'sss_cache' to sssd.

This renders shadows-utils patch to be not fully functional. E.g. example given in the PR description is NOT fixed: "combination of commands like this: getent passwd user || useradd user; getent passwd user can result in the second getent passwd not finding the newly added user as the racy behaviour might still return the cached negative hit from the first getent passwd."

Also in the comments to this ticket @sbose wrote: "I wonder if an easy solution might be to completely remove the negative cache e.g. during a clearMemcache SBUS request."

So I think it is a good idea to clear negative cache at the same time as memcache is cleared.
@jhrozek agreed but told it would be good to hear other opinions.

Take a note, this issue might be blocked by #3637 as negative cache impl and its API may change as a result.


Metadata Update from @atikhonov:
- Issue marked as depending on: #3637

2 years ago

Take a note, this issue might be blocked by #3637 as negative cache impl and its API may change as a result.

I would see it the other way round. Clearing the negative after SIGHUP would free they stale entries in the negative cache as well. So even this is still only a mitigation, it is better than having to do a full restart.

I would see it the other way round. Clearing the negative after SIGHUP would free they stale entries in the negative cache as well. So even this is still only a mitigation, it is better than having to do a full restart.

What I meant: I know Michal is working on a new negative cache implementation (not libtdb based). So, from my point of view, it doesn't worth an effort to figure out how to clear libtdb properly (you wrote earlier it can be tricky).

I would see it the other way round. Clearing the negative after SIGHUP would free they stale entries in the negative cache as well. So even this is still only a mitigation, it is better than having to do a full restart.

What I meant: I know Michal is working on a new negative cache implementation (not libtdb based). So, from my point of view, it doesn't worth an effort to figure out how to clear libtdb properly (you wrote earlier it can be tricky).

Hi,

you should check with @mzidek about his plans.

About the tricky part, the memory used by the in-memory tdb is not freed if individual entries are removed so you have to close and open the tbd to get back the memory. Now you should not forget to add the permanent entries again, but calling sss_ncache_reset_repopulate_permanent() should be sufficient here.

HTH

bye,
Sumit

Metadata Update from @pbrezina:
- Issue tagged with: Future milestone

a year ago

Hm, at the very least we should not clear permanent entries in negative cache
(see https://bugzilla.redhat.com/show_bug.cgi?id=1824323)

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4973

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @pbrezina:
- Issue close_status updated to: cloned-to-github
- Issue status updated to: Closed (was: Open)

a year ago

Login to comment on this ticket.

Metadata