author | Justin Stephenson <jstephen@redhat.com> | 2016-08-26 17:43:25 -0400 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2016-09-12 10:23:41 +0200 |
commit | 081c6d8c7c8e75487d1c4e42862964be1e85b575 (patch) | |
tree | 552c099c5a4dca4cd49aefab5dd6e9b14bff64b1 | |
parent | 632fc5d8991d167eea20769c823163551c3f1d8c (diff) | |
MONITOR: Add disable_netlink option
Adding a new monitor boolean option to disable netlink support.
This will give users more control over sssd state changes without
having to modify systemd unit files.
Resolves:
https://fedorahosted.org/sssd/ticket/3142
Reviewed-by: Petr Cech <pcech@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r-- | src/confdb/confdb.h | 1 | ||||
-rw-r--r-- | src/config/SSSDConfig/__init__.py.in | 1 | ||||
-rwxr-xr-x | src/config/SSSDConfigTest.py | 3 | ||||
-rw-r--r-- | src/config/cfg_rules.ini | 1 | ||||
-rw-r--r-- | src/config/etc/sssd.api.conf | 1 | ||||
-rw-r--r-- | src/man/sssd.conf.5.xml | 18 | ||||
-rw-r--r-- | src/monitor/monitor.c | 21 |
7 files changed, 42 insertions, 4 deletions
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 401e5fbf7..2d6509001 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -73,6 +73,7 @@ #define CONFDB_MONITOR_OVERRIDE_SPACE "override_space" #define CONFDB_MONITOR_USER_RUNAS "user" #define CONFDB_MONITOR_CERT_VERIFICATION "certificate_verification" +#define CONFDB_MONITOR_DISABLE_NETLINK "disable_netlink" /* Both monitor and domains */ #define CONFDB_NAME_REGEX "re_expression" diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 0191920f9..2027028f7 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -62,6 +62,7 @@ option_strings = { 'user' : _('The user to drop privileges to'), 'certificate_verification' : _('Tune certificate verification'), 'override_space': _('All spaces in group or user names will be replaced with this character'), + 'disable_netlink' : _('Tune sssd to honor or ignore netlink state changes'), # [nss] 'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 6a0fdf0ea..8a64a257a 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -310,7 +310,8 @@ class SSSDConfigTestSSSDService(unittest.TestCase): 'client_idle_timeout', 'description', 'certificate_verification', - 'override_space'] + 'override_space', + 'disable_netlink'] self.assertTrue(type(options) == dict, "Options should be a dictionary") diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 5e248066b..93c10e2b7 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -38,6 +38,7 @@ option = default_domain_suffix option = certificate_verification option = override_space option = config_file_version +option = disable_netlink [rule/allowed_nss_options] validator = ini_allowed_options 
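Review bot: The help text added to `option_strings` in src/config/SSSDConfig/__init__.py.in, 'Tune sssd to honor or ignore netlink state changes', does not say which value has which effect, although the option name is a negative and `true` turns detection off. A reader of a configuration tool that shows this string cannot tell the polarity without opening the man page. Something like `'disable_netlink' : _('Disable netlink monitoring (network state changes are not detected when true)'),` would match the wording of the man page entry added in the same commit. The `option_strings` dictionary begins and ends outside this hunk.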
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index 525f939cd..9e4bf2f6e 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -28,6 +28,7 @@ user = str, None, false default_domain_suffix = str, None, false certificate_verification = str, None, false override_space = str, None, false +disable_netlink = bool, None, false [nss] # Name service diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index ae291e0fc..6f231b8ab 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -482,6 +482,24 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term>disable_netlink (boolean)</term> + <listitem> + <para> + SSSD hooks into the netlink interface to + monitor changes to routes, addresses, links + and trigger certain actions. + </para> + <para> + The SSSD state changes caused by netlink + events may be undesirable and can be disabled + by setting this option to 'true' + </para> + <para> + Default: false (netlink changes are detected) + </para> + </listitem> + </varlistentry> </variablelist> </para> </refsect2> diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c index 442bdbc42..84a144e56 100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c @@ -2052,6 +2052,7 @@ static int monitor_process_init(struct mt_ctx *ctx, int num_providers; int ret; int error; + bool disable_netlink; struct sysdb_upgrade_ctx db_up_ctx; /* Set up the environment variable for the Kerberos Replay Cache */ 
@@ -2172,14 +2173,28 @@ static int monitor_process_init(struct mt_ctx *ctx, return ret; } - ret = setup_netlink(ctx, ctx->ev, network_status_change_cb, - ctx, &ctx->nlctx); + ret = confdb_get_bool(ctx->cdb, + CONFDB_MONITOR_CONF_ENTRY, + CONFDB_MONITOR_DISABLE_NETLINK, + false, &disable_netlink); + if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, - "Cannot set up listening for network notifications\n"); + "Failed to read disable_netlink from confdb: [%d] %s\n", + ret, sss_strerror(ret)); return ret; } + if (disable_netlink == false) { + ret = setup_netlink(ctx, ctx->ev, network_status_change_cb, + ctx, &ctx->nlctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot set up listening for network notifications\n"); + return ret; + } + } + /* start providers */ num_providers = 0; for (dom = ctx->domains; dom; dom = get_next_domain(dom, 0)) { |
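Review bot: When `disable_netlink` is true the new `if (disable_netlink == false)` block is skipped without any log output, so nothing records that the monitor has stopped reacting to route, address and link changes. Since the option changes which SSSD state changes occur, an operator diagnosing stale state would want this visible; add an else branch such as `} else { DEBUG(SSSDBG_CONF_SETTINGS, "Netlink monitoring disabled by disable_netlink, network changes will not be detected\n"); }`. On that same path `ctx->nlctx` is never assigned, so any later user of it presumably has to tolerate an unset context; that code is not visible here and should be checked. As a style point the test reads more naturally as `if (!disable_netlink) {`. monitor_process_init starts and ends outside this hunk.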