author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 05:31:45 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 05:31:45 +0000 |
commit | 74aa0bc6779af38018a03fd2cf4419fe85917904 (patch) | |
tree | 9cb0681aac9a94a49c153d5823e7a55d1513d91f /contrib | |
parent | Initial commit. (diff) | |
download | sssd-74aa0bc6779af38018a03fd2cf4419fe85917904.tar.xz sssd-74aa0bc6779af38018a03fd2cf4419fe85917904.zip |
Adding upstream version 2.9.4.upstream/2.9.4
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/ci/README.md | 58 | ||||
-rwxr-xr-x | contrib/ci/clean | 25 | ||||
-rw-r--r-- | contrib/ci/configure.sh | 77 | ||||
-rw-r--r-- | contrib/ci/deps.sh | 202 | ||||
-rw-r--r-- | contrib/ci/distro.sh | 94 | ||||
-rw-r--r-- | contrib/ci/misc.sh | 73 | ||||
-rwxr-xr-x | contrib/ci/rpm-spec-builddeps | 38 | ||||
-rwxr-xr-x | contrib/ci/run | 253 | ||||
-rw-r--r-- | contrib/ci/sssd.supp | 270 | ||||
-rwxr-xr-x | contrib/ci/valgrind-condense | 135 | ||||
-rw-r--r-- | contrib/enable_sssd_conf_dir | 5 | ||||
-rw-r--r-- | contrib/fedora/bashrc_sssd | 124 | ||||
-rwxr-xr-x | contrib/fedora/make_srpm.sh | 186 | ||||
-rw-r--r-- | contrib/kcm_default_ccache | 12 | ||||
-rw-r--r-- | contrib/sssd-pcsc.rules | 15 | ||||
-rw-r--r-- | contrib/sssd-pcsc.rules.in | 15 | ||||
-rw-r--r-- | contrib/sssd.spec.in | 1082 | ||||
-rw-r--r-- | contrib/systemtap/dp_request.stp | 85 | ||||
-rw-r--r-- | contrib/systemtap/id_perf.stp | 167 | ||||
-rw-r--r-- | contrib/systemtap/ldap_perf.stp | 114 | ||||
-rw-r--r-- | contrib/systemtap/nested_group_perf.stp | 333 |
21 files changed, 3363 insertions, 0 deletions
diff --git a/contrib/ci/README.md b/contrib/ci/README.md
new file mode 100644
index 0000000..d2744a1
--- /dev/null
+++ b/contrib/ci/README.md
@@ -0,0 +1,58 @@ +Continuous integration +====================== + +The executables and modules in this directory implement continuous integration +(CI) tests, which can be run to verify SSSD code quality and validity. + +Supported host distros are Fedora 20 and later, RHEL 6.5 and later, and Debian +Testing. + +The tests are executed by running `contrib/ci/run` from the source tree root. +It accepts options to choose from two test sets: "essential", "moderate" +(-e/-m), with the essential set selected by default. + +Essential tests include building everything and running the built-in test +suite under Valgrind, completing in under 5 minutes. + +Moderate tests include essential tests, plus a distcheck target build. They +complete in about 15 minutes. + +Use `contrib/ci/clean` to remove test results from the source tree. + + +Setup +----- + +CI requires `lsb_release` command to be available in order to determine host +distro version. On Red Hat distros it is contained in the `redhat-lsb-core` +package and on Debian in `lsb-release`. + +The rest of the required packages CI will attempt to install itself, using +the distribution's package manager invoked through sudo. + +A sudo rule can be employed to selectively avoid password prompts on RHEL +distros: + + <USER> ALL=(ALL:ALL) NOPASSWD: /usr/bin/yum --assumeyes install -- * + +on Fedora distros: + + # With dnf >= 2.0 + <USER> ALL=(ALL:ALL) NOPASSWD: /usr/bin/dnf --assumeyes --best --setopt=install_weak_deps=False install -- * + # We need to use yum-deprecated on Fedora because of BZ1215208. + <USER> ALL=(ALL:ALL) NOPASSWD: /usr/bin/yum-deprecated --assumeyes install -- * + +and Debian-based distros: + + <USER> ALL=(ALL:ALL) NOPASSWD: /usr/bin/apt-get --yes install -- * + +Where `<USER>` is the user invoking CI. 
+ +You may also want to allow passing DEBIAN_FRONTEND environment variable to +apt-get on Debian, so CI can request non-interactive package installation: + + Defaults!/usr/bin/apt-get env_keep += "DEBIAN_FRONTEND" + +Package installation can be disabled with the -n/--no-deps option, e.g. for +manual dependency management, or for shaving off a few seconds of execution +time, when dependency changes are not expected. diff --git a/contrib/ci/clean b/contrib/ci/clean new file mode 100755 index 0000000..ee18c10 --- /dev/null +++ b/contrib/ci/clean @@ -0,0 +1,25 @@ +#!/bin/bash +# +# Clean source tree after a run of integration tests. +# +# Copyright (C) 2014 Red Hat +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +set -o nounset -o pipefail -o errexit +export PATH=`dirname "\`readlink -f \"\$0\"\`"`:$PATH + +. misc.sh + +rm_rf_ro ci-* diff --git a/contrib/ci/configure.sh b/contrib/ci/configure.sh new file mode 100644 index 0000000..e61351c --- /dev/null +++ b/contrib/ci/configure.sh 
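Review bot: `rm_rf_ro ci-*` in contrib/ci/clean removes whatever matches `ci-*` in the caller's current directory rather than in the source tree, so running the script from any other directory deletes unrelated entries; only the PATH export is derived from `$0`. Anchoring the working directory first, e.g. `cd "$(dirname "$(readlink -f "$0")")/../.."` placed before `rm_rf_ro ci-*`, limits the glob to the tree the script belongs to. When nothing matches, the literal `ci-*` is passed through, which `chmod -Rf … || true` and `rm -Rf` both tolerate, so that case needs no extra guard.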
@@ -0,0 +1,77 @@ +# +# Configure argument management. +# +# Copyright (C) 2014 Red Hat +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +if [ -z ${_CONFIGURE_SH+set} ]; then +declare -r _CONFIGURE_SH= + +. distro.sh + +# List of "configure" arguments. +declare -a CONFIGURE_ARG_LIST=( + "--disable-dependency-tracking" + "--disable-rpath" + "--disable-static" + "--enable-ldb-version-check" + "--with-syslog=journald" + "--enable-systemtap" +) + + +if [[ "$DISTRO_BRANCH" == -redhat-centos-8*- || + "$DISTRO_BRANCH" == -redhat-redhatenterprise*-8.*- ]]; then + CONFIGURE_ARG_LIST+=( + "--with-python2-bindings" + ) +else + CONFIGURE_ARG_LIST+=( + "--without-python2-bindings" + ) +fi + + +# Different versions of Debian might need different versions here but this is +# sufficient to make the CI work +if [[ "$DISTRO_BRANCH" == -debian-* ]]; then + CONFIGURE_ARG_LIST+=( + "--with-smb-idmap-interface-version=5" + ) +fi + +if [[ "$DISTRO_BRANCH" == -redhat-fedora-* || + "$DISTRO_BRANCH" == -redhat-centos-9*- || + "$DISTRO_BRANCH" == -redhat-centos-10*- || + "$DISTRO_BRANCH" == -redhat-redhatenterprise*-9.*- || + "$DISTRO_BRANCH" == -redhat-redhatenterprise*-10.*- ]]; then + CONFIGURE_ARG_LIST+=( + "--with-subid" + ) +fi + +if [[ "$DISTRO_BRANCH" == -redhat-fedora-* || + "$DISTRO_BRANCH" == -redhat-centos-9*- || + "$DISTRO_BRANCH" == -redhat-centos-10*- || + "$DISTRO_BRANCH" == 
-redhat-redhatenterprise*-9.*- || + "$DISTRO_BRANCH" == -redhat-redhatenterprise*-10.*- ]]; then + CONFIGURE_ARG_LIST+=( + "--with-passkey" + ) +fi + +declare -r -a CONFIGURE_ARG_LIST + +fi # _CONFIGURE_SH diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh new file mode 100644 index 0000000..f6f5018 --- /dev/null +++ b/contrib/ci/deps.sh 
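Review bot: The `--with-subid` and `--with-passkey` blocks at the end of contrib/ci/configure.sh test the same five-pattern `$DISTRO_BRANCH` condition twice, so the next distro added to one list and not the other will silently diverge. Fold `"--with-passkey"` into the array append of the `--with-subid` block and drop the second `if`, or evaluate the condition once into a variable and test that in both places. The earlier `--with-python2-bindings` branch would also benefit from a one-line comment saying why only CentOS/RHEL 8 still gets Python 2 bindings, since the Debian case below it carries such a comment.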
@@ -0,0 +1,202 @@ +# +# Dependency management. +# +# Copyright (C) 2014 Red Hat +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +if [ -z ${_DEPS_SH+set} ]; then +declare -r _DEPS_SH= + +. distro.sh + +# Dependency list +declare -a DEPS_LIST=( + lcov + valgrind +) + +# "Integration tests dependencies satisfied" flag +declare DEPS_INTGCHECK_SATISFIED=true + +if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then + declare _DEPS_LIST_SPEC + DEPS_LIST+=( + fakeroot + libfaketime + libcmocka-devel + nss_wrapper + openldap-clients + openldap-servers + rpm-build + uid_wrapper + pam_wrapper + curl-devel + krb5-server + krb5-workstation + libunistring-devel + ) + + if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-8.*- || + "$DISTRO_BRANCH" == -redhat-centos*-8*- ]]; then + DEPS_LIST+=( + python2 + python2-devel + python2-requests + ) + fi + + if [[ "$DISTRO_BRANCH" == -redhat-fedora-4[0-9]* || + "$DISTRO_BRANCH" == -redhat-fedora-3[7-9]* || + "$DISTRO_BRANCH" == -redhat-redhatenterprise*-8.*- || + "$DISTRO_BRANCH" == -redhat-redhatenterprise*-9.*- || + "$DISTRO_BRANCH" == -redhat-centos*-8*- || + "$DISTRO_BRANCH" == -redhat-centos*-9*- ]]; then + DEPS_LIST+=( + python3-dbus + python3-ldap + python3-ldb + python3-psutil + python3-pycodestyle + python3-pytest + python3-requests + ) + else + DEPS_LIST+=( + dbus-python + pyldb + pytest + python-ldap + python-pep8 + python-psutil + 
python-requests + ) + fi + + if [[ "$DISTRO_BRANCH" == -redhat-fedora-* ]]; then + DEPS_LIST+=( + http-parser-devel + libfido2-devel + ) + fi + + _DEPS_LIST_SPEC=` + sed -e 's/@PACKAGE_VERSION@/0/g' \ + -e 's/@PACKAGE_NAME@/package-name/g' \ + -e 's/@PRERELEASE_VERSION@//g' contrib/sssd.spec.in | + rpm-spec-builddeps /dev/stdin` + readarray -t -O "${#DEPS_LIST[@]}" DEPS_LIST <<<"$_DEPS_LIST_SPEC" +fi + +if [[ "$DISTRO_BRANCH" == -debian-* ]]; then + DEPS_LIST+=( + autoconf + automake + autopoint + check + cifs-utils + dh-apparmor + dnsutils + docbook-xml + docbook-xsl + gettext + krb5-config + libc-ares-dev + libcmocka-dev + libcollection-dev + libdbus-1-dev + libdhash-dev + libfido2-dev + libglib2.0-dev + libini-config-dev + libkeyutils-dev + libkrad-dev + libkrb5-dev + libldap2-dev + libldb-dev + libltdl-dev + libnfsidmap-dev + libnl-3-dev + libnl-route-3-dev + libpam0g-dev + libpcre2-dev + libpopt-dev + libsasl2-dev + libselinux1-dev + libsemanage-dev + libsmbclient-dev + libsystemd-dev + libtalloc-dev + libtdb-dev + libtevent-dev + libtool + libtool-bin + libxml2-utils + make + pycodestyle + python3-dbus + python3-dev + python3-ldap + python3-ldb + python3-psutil + python3-pytest + python3-requests + samba-dev + systemd + xml-core + xsltproc + libssl-dev + fakeroot + faketime + libnss-wrapper + libuid-wrapper + libpam-wrapper + ldap-utils + slapd + systemtap-sdt-dev + libhttp-parser-dev + libjansson-dev + libjose-dev + libcurl4-openssl-dev + krb5-kdc + krb5-admin-server + krb5-user + uuid-dev + dbus + libssl-dev + gnutls-bin + softhsm2 + libp11-kit-dev + bc + libunistring-dev + ) + + DEPS_INTGCHECK_SATISFIED=true +fi + +declare -a -r DEPS_LIST + +# Install dependencies. +function deps_install() +{ + distro_pkg_install "${DEPS_LIST[@]}" +} + +# Remove dependencies. +function deps_remove() +{ + distro_pkg_remove "${DEPS_LIST[@]}" +} + +fi # _DEPS_SH diff --git a/contrib/ci/distro.sh b/contrib/ci/distro.sh new file mode 100644 index 0000000..3ac2611 --- /dev/null 
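Review bot: In the Debian `DEPS_LIST` of contrib/ci/deps.sh `libssl-dev` is listed twice, and the `DEPS_INTGCHECK_SATISFIED=true` at the end of that branch is redundant with the declaration above that already initialises the flag to `true`; either drop it or add a comment saying under which condition it is meant to become `false`. The Red Hat branch reads `contrib/sssd.spec.in` relative to the current directory, so sourcing this file from anywhere but the source root makes the `sed` fail and, once the caller has `errexit` set, aborts it; `"$(dirname "${BASH_SOURCE[0]}")/../sssd.spec.in"` would pin the path to the file's own location.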
+++ b/contrib/ci/distro.sh 
@@ -0,0 +1,94 @@
+#
+# Distribution version discovery
+#
+# Copyright (C) 2014 Red Hat
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+if [ -z ${_DISTRO_SH+set} ]; then
+declare -r _DISTRO_SH=
+
+# Distribution family (lowercase)
+declare DISTRO_FAMILY=
+# Distribution ID (lowercase)
+declare DISTRO_ID=
+# Distribution release (lowercase)
+declare DISTRO_RELEASE=
+
+if [ -e /etc/redhat-release ]; then
+ DISTRO_FAMILY=redhat
+elif [ -e /etc/debian_version ]; then
+ DISTRO_FAMILY=debian
+else
+ DISTRO_FAMILY=unknown
+fi
+declare -r DISTRO_FAMILY
+
+. /etc/os-release
+DISTRO_ID=$ID
+declare -r DISTRO_ID
+DISTRO_RELEASE=$VERSION_ID
+declare -r DISTRO_RELEASE
+
+# Distribution branch (lowercase)
+declare -r DISTRO_BRANCH="-$DISTRO_FAMILY-$DISTRO_ID-$DISTRO_RELEASE-"
+
+
+# Install packages.
+# Args: [pkg_name...]
+function distro_pkg_install()
+{
+ declare prompt=$'Need root permissions to install packages.\n'
+ prompt+="Enter sudo password for $USER: "
+ if [[ "$DISTRO_BRANCH" == -redhat-fedora-* ]]; then
+ [ $# != 0 ] && sudo -p "$prompt" \
+ /usr/bin/dnf --assumeyes --best \
+ --setopt=install_weak_deps=False \
+ install -- "$@"
+ elif [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
+ [ $# != 0 ] && sudo -p "$prompt" yum --assumeyes install -- "$@" |&
+ # Pass input to output, fail if a missing package is reported
+ awk 'BEGIN {s=0}
+ /^No package .* available.$/ {s=1}
+ {print}
+ END {exit s}'
+ elif [[ "$DISTRO_BRANCH" == -debian-* ]]; then
+ [ $# != 0 ] && DEBIAN_FRONTEND=noninteractive \
+ # Ensure updated apt cache
+ sudo -p "$prompt" apt-get --yes update \
+ && DEBIAN_FRONTEND=noninteractive \
+ sudo -p "$prompt" apt-get --yes install -- "$@"
+ else
+ echo "Cannot install packages on $DISTRO_BRANCH" >&2
+ exit 1
+ fi
+}
+
+# Remove packages.
+# Args: [pkg_name...]
+function distro_pkg_remove()
+{
+ declare prompt=$'Need root permissions to remove packages.\n'
+ prompt+="Enter sudo password for $USER: "
+ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
+ [ $# != 0 ] && sudo -p "$prompt" yum --assumeyes remove -- "$@"
+ elif [[ "$DISTRO_BRANCH" == -debian-* ]]; then
+ [ $# != 0 ] && sudo -p "$prompt" apt-get --yes remove -- "$@"
+ else
+ echo "Cannot remove packages on $DISTRO_BRANCH" >&2
+ exit 1
+ fi
+}
+
+fi # _DISTRO_SH
diff --git a/contrib/ci/misc.sh b/contrib/ci/misc.sh
new file mode 100644
index 0000000..642e437
--- /dev/null
+++ b/contrib/ci/misc.sh
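Review bot: In the Debian branch of `distro_pkg_install` the `# Ensure updated apt cache` comment sits on the line after a trailing backslash, so bash joins the comment onto `DEBIAN_FRONTEND=noninteractive \` and the `[ $# != 0 ] &&` guard ends there; as I read the continuation rules, `apt-get --yes update` and the following `install` then run as a separate, unguarded command and the first `DEBIAN_FRONTEND` assignment only sets a shell variable that sudo never sees. Move the comment above the command: `# Ensure updated apt cache` / `[ $# != 0 ] && DEBIAN_FRONTEND=noninteractive \` / `sudo -p "$prompt" apt-get --yes update \`. Separately, `DISTRO_RELEASE=$VERSION_ID` is evaluated while the caller has `nounset` in effect, and not every `/etc/os-release` defines `VERSION_ID` (rolling and testing releases commonly omit it), which would abort before `DISTRO_BRANCH` is built; `DISTRO_RELEASE=${VERSION_ID-}` keeps the branch string well-formed in that case.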
@@ -0,0 +1,73 @@ +# +# Miscellaneous routines. +# +# Copyright (C) 2014 Red Hat +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +if [ -z ${_MISC_SH+set} ]; then +declare -r _MISC_SH= + +# Remove files and directories recursively, forcing write permissions on +# directories. +# Args: path... +function rm_rf_ro() +{ + chmod -Rf u+w -- "$@" || true + rm -Rf -- "$@" +} + +# Extract line and function coverage percentage from a "genhtml" or "lcov +# --summary" output. +# Input: "genhtml" or "lcov --summary" output +# Output: lines funcs +function lcov_summary() +{ + sed -ne 's/^ *\(lines\|functions\)\.*: \([0-9]\+\).*$/ \2/p' | + tr -d '\n' + echo +} + +# Check if a "genhtml" or "lcov --summary" output has a minimum coverage +# percentage of lines and functions. +# Input: "genhtml" or "lcov --summary" output +# Args: min_lines min_funcs +function lcov_check() +{ + declare -r min_lines="$1"; shift + declare -r min_funcs="$1"; shift + declare lines + declare funcs + + read -r lines funcs < <(lcov_summary) + ((lines >= min_lines && funcs >= min_funcs)) && return 0 || return 1 +} + +# Check if the current user belongs to a group. 
+# Args: group_name +function memberof() +{ + declare -r group_name="$1" + declare group_id + declare id + group_id=`getent group "$group_name" | cut -d: -f3` || return 1 + for id in "${GROUPS[@]}"; do + if [ "$id" == "$group_id" ]; then + return 0 + fi + done + return 1 +} + +fi # _MISC_SH diff --git a/contrib/ci/rpm-spec-builddeps b/contrib/ci/rpm-spec-builddeps new file mode 100755 index 0000000..9f884fd --- /dev/null +++ b/contrib/ci/rpm-spec-builddeps @@ -0,0 +1,38 @@ +#!/usr/bin/env python3 +# +# Extract build dependencies from an RPM .spec file. +# +# Copyright (C) 2014 Red Hat +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +from __future__ import print_function + +import sys +import re +import rpm + + +def usage(file): + file.write(("Usage: %s SPEC\n" + + "Extract build dependencies from an RPM .spec file.\n") % + re.match(".*?([^/]+)$", sys.argv[0]).group(1)) + +if len(sys.argv) != 2: + usage(sys.stderr) + sys.exit(1) + +spec = rpm.spec(sys.argv[1]) +for d in rpm.ds(spec.sourceHeader, 'requires'): + print(d.DNEVR()[2:]) diff --git a/contrib/ci/run b/contrib/ci/run new file mode 100755 index 0000000..43fb60a --- /dev/null +++ b/contrib/ci/run 
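Review bot: `lcov_summary` in contrib/ci/misc.sh captures only `[0-9]\+`, so a coverage figure such as `85.3%` is reported as `85` and `lcov_check` compares the truncated integer; that is conservative but worth stating, e.g. `# Integer part only: fractional percentages are truncated, so the check errs on the strict side.` above the `sed`. `lcov_check` also gives no diagnostic when the summary yields fewer than two numbers, in which case `read` leaves the missing field empty and, as far as I can tell, the arithmetic treats it as 0; a short comment on the `read -r lines funcs` line would save the next reader the experiment.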
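Review bot: `print(d.DNEVR()[2:])` in contrib/ci/rpm-spec-builddeps strips two leading characters without saying why; a comment such as `# DNEVR() carries a dependency-type tag and a space (e.g. "R "); drop it` keeps the slice from reading as an off-by-two. The `re.match(".*?([^/]+)$", sys.argv[0])` in `usage` is a hand-rolled basename and raises `AttributeError` instead of printing usage when `argv[0]` ends in a slash; `os.path.basename(sys.argv[0])` with `import os` is the idiomatic form. `from __future__ import print_function` is a no-op under the `python3` shebang and can go.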
@@ -0,0 +1,253 @@ +#!/bin/bash +# +# Run continuous integration tests. +# +# Copyright (C) 2014 Red Hat +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# USER does not have to be defined in containers +if [ -z $USER ]; then + declare -r USER=`id -nu $UID` + echo "\$USER is not set, using: $USER" +fi + +set -o nounset -o pipefail -o errexit +declare -r CI_DIR=`dirname "\`readlink -f \"\$0\"\`"` +export PATH=$CI_DIR:$PATH +export LC_ALL=C + +. deps.sh +. distro.sh +. configure.sh +. misc.sh + +declare -r DEBUG_CFLAGS="-g3 -O2" +declare -r ARCH=`uname -m` +declare -r CPU_NUM=`getconf _NPROCESSORS_ONLN` +declare -r TITLE_WIDTH=24 +declare -r RESULT_WIDTH=18 + +declare BASE_PFX="" +declare DEPS=true +declare DEPS_ONLY=false +declare BASE_DIR=`pwd` +declare MODERATE=false + +# Additional valgrind flags +declare VALGRIND_FLAGS="" +if [ -e "$CI_DIR/sssd.$DISTRO_ID.supp" ]; then + VALGRIND_FLAGS+=" --suppressions=\"$CI_DIR/sssd.$DISTRO_ID.supp\"" +fi + +# Output program usage information. +function usage() +{ + cat <<EOF +Usage: `basename "$0"` [OPTION...] +Run continuous integration tests. + +Options: + -h, --help Output this help message and exit. + -p, --prefix=STRING Use STRING as the prefix to prepend to file and + directory paths in output. + -n, --no-deps Don't attempt to install dependencies. + -d, --deps-only Only install dependencies, don't run tests. 
+ -e, --essential Run the essential subset of tests. + -m, --moderate Run the moderate subset of tests. + +Default options: --essential +EOF +} + +# Output a file display path: a path relocated from base directory (BASE_DIR) +# to base prefix (BASE_PFX). +# Args: path +function disppath() +{ + declare -r path=`readlink -f "$1"` + printf "%s" "$BASE_PFX${path:${#BASE_DIR}+1}" +} + +# Run a stage. +# Args: id cmd [arg...] +function stage() +{ + declare -r id="$1"; shift + declare -r log="ci-$id.log" + declare status + declare start + declare end + declare duration + + printf "%-${TITLE_WIDTH}s" "$id:" + + { + printf "Start: " + start=`date +%s` + date --date="@$start" + set +o errexit + ( + set -o errexit -o xtrace + "$@" + ) + status=$? + set -o errexit + printf "End: " + end=`date +%s` + date --date="@$end" + } &> "$log" + + duration=$((end - start)) + + if [ "$status" == 0 ]; then + printf 'success ' + else + printf 'failure ' + fi + printf "%02u:%02u:%02u " \ + $((duration / (60 * 60))) \ + $((duration / 60 % 60)) \ + $((duration % 60)) + disppath "$log" + printf "\n" + + return "$status" +} + +# Run debug build checks. +function build_debug() +{ + # Extended glob pattern matching tests to run under Valgrind. 
+ # NOTE: The particular pattern below is inverted + declare valgrind_test_pattern="!(*.py|*/whitespace_test|" + declare -r valgrind_test_pattern+="*/double_semicolon_test)" + export CFLAGS="$DEBUG_CFLAGS" + declare test_dir + declare intgcheck_configure_args + declare status + + test_dir=`mktemp --directory /dev/shm/ci-test-dir.XXXXXXXX` + stage configure "$BASE_DIR/configure" \ + "${CONFIGURE_ARG_LIST[@]}" \ + --with-test-dir="$test_dir" + + status=0 + CK_FORK=no \ + DEBUGINFOD_URLS="" \ + stage make-check-valgrind \ + make -j $CPU_NUM check \ + LOG_COMPILER=libtool \ + LOG_FLAGS="--mode=execute \ + valgrind-condense 99 \ + \"$valgrind_test_pattern\" -- \ + --trace-children=yes \ + --trace-children-skip='*/bin/*,*/sbin/*,./dummy-child' \ + --leak-check=full \ + --gen-suppressions=all \ + --suppressions=\"$CI_DIR/sssd.supp\" \ + $VALGRIND_FLAGS \ + --verbose" || + status=$? + mv "$test_dir" ci-test-dir + ((status == 0)) + + if "$MODERATE"; then + if "$DEPS_INTGCHECK_SATISFIED"; then + printf -v intgcheck_configure_args " %q" \ + "${CONFIGURE_ARG_LIST[@]}" + stage make-intgcheck make -j $CPU_NUM intgcheck \ + INTGCHECK_CONFIGURE_FLAGS=" \ + $intgcheck_configure_args" + fi + + ((status == 0)) + fi + + unset CFLAGS +} + +# Run a build inside a sub-directory. +# Args: id cmd [arg...] +function run_build() +{ + declare -r id="$1"; shift + declare -r dir="ci-build-$id" + + mkdir "$dir" + printf "%-$((TITLE_WIDTH + RESULT_WIDTH))s%s\n" \ + "${id^^} BUILD:" "`disppath \"\$dir\"`" + + cd "$dir" + "$@" + cd .. 
+} + +# +# Main routine +# +declare args_expr +args_expr=`getopt --name \`basename "\$0"\` \ + --options hp:dnemrf \ + --longoptions help,prefix:,no-deps,deps-only \ + --longoptions essential,moderate \ + -- "$@"` +eval set -- "$args_expr" + +while true; do + case "$1" in + -h|--help) + usage; exit 0;; + -p|--prefix) + BASE_PFX="$2"; shift 2;; + -d|--deps-only) + DEPS_ONLY=true; shift;; + -n|--no-deps) + DEPS=false; shift;; + -e|--essential) + MODERATE=false; shift;; + -m|--moderate) + MODERATE=true; shift;; + --) + shift; break;; + *) + echo "Unknown option: $1" >&2 + exit 1;; + esac +done + +if [ $# != 0 ]; then + echo "Positional arguments are not accepted." >&2 + usage >&2 + exit 1 +fi + +trap 'echo FAILURE' EXIT +rm_rf_ro ci-* +export V=1 +if "$DEPS"; then + stage install-deps deps_install +fi + +if "$DEPS_ONLY"; then + unset V + trap - EXIT + exit +fi + +stage autoreconf autoreconf --install --force +run_build debug build_debug +unset V +trap - EXIT +echo SUCCESS diff --git a/contrib/ci/sssd.supp b/contrib/ci/sssd.supp new file mode 100644 index 0000000..5d86049 --- /dev/null +++ b/contrib/ci/sssd.supp 
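Review bot: `getopt --options hp:dnemrf` in the main routine of contrib/ci/run accepts `-r` and `-f`, but no `case` arm handles them and they have no long form, so they reach the `Unknown option` arm only after getopt has already accepted them; trimming the string to `--options hp:dnem \` lets getopt reject them with its own diagnostic and keeps the option table in one place. The early `if [ -z $USER ]` runs before `nounset` is enabled and leans on the empty-operand form of `test` when `USER` is unset; `[ -z "${USER-}" ]` states that intent directly.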
@@ -0,0 +1,270 @@ +# +# Valgrind suppression patterns +# +# See an introduction to suppressions in Valgrind manual: +# http://valgrind.org/docs/manual/manual-core.html#manual-core.suppress +# +# Each suppression name here must start with "sssd-" to differentiate it from +# suppressions maintained elsewhere. +# + +# talloc-involved leaks +{ + sssd-leak-talloc + Memcheck:Leak + ... + fun:talloc_* + ... +} +{ + sssd-leak-_talloc + Memcheck:Leak + ... + fun:_talloc_* + ... +} + +# nss3-involved leaks +{ + sssd-leak-nss3 + Memcheck:Leak + ... + obj:*/libnss3.so + ... +} + +# nspr4-involved leaks +{ + sssd-leak-nspr4 + Memcheck:Leak + ... + obj:*/libnspr4.so + ... +} +{ + sssd-leak-nspr4-arena-allocate + Memcheck:Leak + fun:malloc + fun:PL_ArenaAllocate + ... +} + +# dbus-involved leaks +{ + sssd-leak-dbus + Memcheck:Leak + ... + obj:*/libdbus-1.so.* + ... +} + +# False positive - pcre_free is called in sss_names_ctx_destructor +{ + sssd-leak-sss_names_pcre2 + Memcheck:Leak + fun:malloc + fun:pcre2_compile_8 + fun:sss_regexp_pcre2_compile + fun:sss_regexp_new + fun:sss_names_init_from_args + ... +} + +# Ignore tests exiting and abandoning cmocka state, concerns dyndns test +{ + sssd-leak-cmocka-exit + Memcheck:Leak + fun:malloc + fun:_test_malloc + fun:_run_tests + fun:main +} + +# Stpncpy false positive on RHEL6: +# https://lists.fedorahosted.org/pipermail/sssd-devel/2014-September/021417.html +# possibly related to: +# https://www.mail-archive.com/valgrind-users@lists.sourceforge.net/msg03832.html +{ + sssd-value8-stpncpy + Memcheck:Value8 + obj:/lib*/libc-2.12.so + fun:sha512_crypt_r + ... +} +{ + sssd-cond-stpncpy + Memcheck:Cond + obj:/lib*/libc-2.12.so + fun:sha512_crypt_r + ... +} + +# False positive leak involving RHEL6 glib memory slices +{ + sssd-leak-glib-slices + Memcheck:Leak + fun:memalign + fun:posix_memalign + obj:/lib*/libglib-2.0.so* + fun:g_slice_alloc + fun:g_string_sized_new + ... + fun:g_utf8_casefold + fun:sss_utf8_case_eq + ... 
+} + +# uninitialised value in libselinux (fixed in fedora >= 21) +{ + libselinux-jump-or-move-depends-on-uninitialised-value-in-selabel_close + Memcheck:Cond + obj:/usr/lib64/libselinux.so.1 + fun:selabel_close + obj:/usr/lib64/libkrb5support.so.0.1 + fun:_dl_fini + fun:__run_exit_handlers + fun:exit + fun:(below main) +} + +# long-standing memory leak in popt +{ + popt-memleak-from-poptGetNextOpt-malloc + Memcheck:Leak + fun:malloc + ... + fun:poptGetNextOpt + ... + fun:main +} + +# long-standing memory leak in popt +{ + popt-memleak-from-poptGetNextOpt-realloc + Memcheck:Leak + fun:realloc + ... + fun:poptGetNextOpt + fun:main +} + +# popt was not good with read access either. Applies for popt <= 1.13 +{ + popt-suppress-invalid-read + Memcheck:Addr4 + ... + fun:poptGetNextOpt + fun:main +} + +# Some tests initialize c-ares context, then fork a child that just exits +# without a proper teardown, which means the ares destructor is not called. +# Suppress those errors. +{ + c-ares-suppress-leak-from-init + Memcheck:Leak + ... + fun:ares_init_options + fun:recreate_ares_channel + fun:resolv_init + ... + fun:be_res_init + fun:be_init_failover + fun:test_ipa_server_create_trusts_setup +} + +# Leaks in bash if p11_child returns and error because due to libtool the +# p11_child binary is not called directly during the unit tests but with the +# help of a libtool wrapper +{ + bash-calling-p11-child-returning-error + Memcheck:Leak + ... + fun:malloc + fun:xmalloc + ... + fun:execute_command_internal + ... + fun:execute_command_internal + ... +} + +{ + bash-calling-p11-child-returning-error-debian + Memcheck:Free + fun:free + obj:/usr/bin/bash + fun:run_unwind_frame + fun:parse_and_execute + fun:command_substitute + obj:/usr/bin/bash + obj:/usr/bin/bash + ... +} + +# Leak in sqlite3 used by the softhsm2 PKCS#11 module +{ + sqlite3.error + Memcheck:Leak + ... + fun:malloc + obj:/usr/lib64/libsqlite3.so.0.8.6 + ... 
+} + +# Leak found on debian +{ + set-default-locale-error-debian + Memcheck:Leak + ... + fun:malloc + fun:xmalloc + fun:set_default_locale + fun:main +} + +# glibc nsswitch (getpwuid) leak +# Seems to be affecting Fedora < F28 +{ + glibc-nss-getpwuid + Memcheck:Leak + fun:malloc + ... + fun:getpwuid_r@@GLIBC_2.2.5 + fun:getpwuid + ... + fun:main +} + +# Suppress https://bugzilla.redhat.com/show_bug.cgi?id=2065675 +{ + dlopen-tests + Memcheck:Leak + match-leak-kinds: definite + fun:malloc + fun:UnknownInlinedFun + fun:_dl_find_object_update + fun:dl_open_worker_begin + fun:_dl_catch_exception + fun:dl_open_worker + fun:_dl_catch_exception + fun:_dl_open + fun:dlopen_doit + fun:_dl_catch_exception + fun:_dl_catch_error + fun:_dlerror_run + fun:dlopen@@GLIBC_2.34 +} + +# sssd debug initialization leak +{ + sss_debug_backtrace_init-malloc + Memcheck:Leak + fun:malloc + ... + fun:sss_debug_backtrace_init + ... + fun:test_parse_*_args + ... + fun:main +} diff --git a/contrib/ci/valgrind-condense b/contrib/ci/valgrind-condense new file mode 100755 index 0000000..eb3f322 --- /dev/null +++ b/contrib/ci/valgrind-condense 
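Review bot: The header of contrib/ci/sssd.supp states that every suppression name must start with `sssd-`, but from `libselinux-jump-or-move-…` onward the entries (`popt-…`, `c-ares-…`, `bash-…`, `sqlite3.error`, `set-default-locale-error-debian`, `glibc-nss-getpwuid`, `dlopen-tests`, `sss_debug_backtrace_init-malloc`) do not, so the rule no longer tells a reader which suppressions are maintained here. Either rename them with the prefix or reword the header so the convention applies to new entries. The `sssd-leak-talloc` / `sssd-leak-_talloc` patterns, with `...` on both sides of `fun:talloc_*`, match any leak whose stack passes through talloc anywhere, which covers most of SSSD's own allocations; a comment stating that this is intentional, and why, would stop a reviewer from reading it as leak checking that has effectively been switched off.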
@@ -0,0 +1,135 @@ +#!/bin/bash +# +# Run Valgrind, condensing logged reports into an exit code. +# +# Copyright (C) 2014 Red Hat +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +set -o nounset -o pipefail -o errexit +shopt -s extglob + +function usage() +{ + cat <<EOF +Usage: `basename "$0"` ERROR_EXITCODE [PATH_PATTERN...] [-- VALGRIND_ARG...] +Run Valgrind, condensing logged reports into an exit code. + +Arguments: + ERROR_EXITCODE An exit code to return if at least one error is found in + Valgrind log files. + PATH_PATTERN An extended glob pattern matching the (original) path to + the program to execute under Valgrind. If the program path + doesn't match any patterns, the program is executed + directly, without Valgrind. Without patterns any program + path matches. + VALGRIND_ARG An argument to pass to Valgrind after the arguments + specified by `basename "$0"`. + +The first non-option VALGRIND_ARG, or the first VALGRIND_ARG after a "--", +will be considered the path to the program to execute under Valgrind and will +be used in naming Valgrind log files as such: + + PROGRAM_NAME.PID.valgrind.log + +where PROGRAM_NAME is the filename portion of the program path and PID is the +executed process ID. If the last directory of the program path is ".libs" and +the filename begins with "lt-", both are removed to match the name of libtool +frontend script. 
All files matching PROGRAM_NAME.*.valgrind.log are removed +before invoking Valgrind. + +If an error is found in Valgrind log files, ERROR_EXITCODE is returned, +otherwise Valgrind exit code is returned. +EOF +} + + +if [[ $# == 0 ]]; then + echo "Invalid number of arguments." >&2 + usage >&2 + exit 1 +fi + +declare error_exitcode="$1"; shift +declare -a path_pattern_list=() +declare arg +declare collecting_argv +declare -a program_argv=() +declare program_path +declare program_name +declare path_pattern +declare match +declare status=0 + +# Extract path patterns +while [[ $# != 0 ]]; do + arg="$1" + shift + if [[ "$arg" == "--" ]]; then + break + else + path_pattern_list+=("$arg") + fi +done + +# Find program argv list in Valgrind arguments +collecting_argv=false +for arg in "$@"; do + if ! "$collecting_argv" && [[ "$arg" == "--" ]]; then + collecting_argv=true + elif "$collecting_argv" || [[ "$arg" != -* ]]; then + collecting_argv=true + program_argv+=("$arg") + fi +done + +if [[ ${#program_argv[@]} == 0 ]]; then + echo "Program path not specified." >&2 + usage >&2 + exit 1 +fi +program_path="${program_argv[0]}" + +# Match against path patterns, if any +if [[ ${#path_pattern_list[@]} == 0 ]]; then + match=true +else + match=false + for path_pattern in "${path_pattern_list[@]}"; do + if [[ "$program_path" == $path_pattern ]]; then + match=true + fi + done +fi + +# Run the program +if $match; then + # Generate original path from libtool path + program_path=`sed -e 's/^\(.*\/\)\?\.libs\/lt-\([^\/]\+\)$/\1\2/' \ + <<<"$program_path"` + + program_name=`basename -- "$program_path"` + + rm -f -- "$program_name".*.valgrind.log + valgrind --log-file="$program_name.%p.valgrind.log" "$@" || status=$? + + if grep -q '^==[0-9]\+== *ERROR SUMMARY: *[1-9]' -- \ + "$program_name".*.valgrind.log; then + exit "$error_exitcode" + else + exit "$status" + fi +else + "${program_argv[@]}" +fi 
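Review bot: The pattern loop in contrib/ci/valgrind-condense relies on `$path_pattern` being unquoted in `[[ "$program_path" == $path_pattern ]]` so that it is matched as an extglob (enabled by `shopt -s extglob` at the top); that is easy to "fix" by mistake, so a comment `# unquoted on purpose: $path_pattern is an extended glob` on that line is warranted, and the loop may `break` after the first match. If Valgrind exits before writing a log (a bad option, for instance), `"$program_name".*.valgrind.log` stays a literal glob, `grep` reports a missing file on stderr and the script falls through to `exit "$status"`, which is the right outcome but looks accidental; a comment there, or a `compgen -G` check before the `grep`, would make the intent explicit.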
diff --git a/contrib/enable_sssd_conf_dir b/contrib/enable_sssd_conf_dir
new file mode 100644
index 0000000..4153657
--- /dev/null
+++ b/contrib/enable_sssd_conf_dir
@@ -0,0 +1,5 @@
+# This file should normally be installed by your distribution into a
+# directory that is included from the Kerberos configuration file (/etc/krb5.conf)
+# On Fedora/RHEL/CentOS, this is /etc/krb5.conf.d/
+
+includedir /var/lib/sss/pubconf/krb5.include.d/
diff --git a/contrib/fedora/bashrc_sssd b/contrib/fedora/bashrc_sssd
new file mode 100644
index 0000000..8fb6524
--- /dev/null
+++ b/contrib/fedora/bashrc_sssd
@@ -0,0 +1,124 @@ +# For best results, add the following lines to ~/.bashrc: +# if [ -f /path/to/sssd-source/contrib/fedora/bashrc_sssd ]; then +# . /path/to/sssd-source/contrib/fedora/bashrc_sssd +# fi + +# Determine the architecture of the platform we're running on +SSS_ARCH=$(uname -m) + +# Determine the lib and libdir locations +SSS_LIB=$(rpm --eval %{_lib}) +SSS_LIBDIR=$(rpm --eval %{_libdir}) + +# Add the following line to your .bashrc if you want SSSD to throw errors on +# compiler warnings (recommended) +# SSS_WERROR=-Werror + +# Determine the number of available processors on the system for parallel make +# invocation. +PROCESSORS=$(/usr/bin/getconf _NPROCESSORS_ONLN) + +# Configure invocation for use on Fedora systems, based on the %configure RPM +# macro from the redhat-rpm-config package. This function assumes you are +# building in a parallel build directory beneath the source directory. All +# other functions in this script will assume that the location is +# /path/to/sssd-source/$SSS_ARCH +fedconfig() +{ + ../configure \ + --build=$SSS_ARCH-unknown-linux-gnu \ + --host=$SSS_ARCH-unknown-linux-gnu \ + --program-prefix= \ + --prefix=/usr \ + --exec-prefix=/usr \ + --bindir=/usr/bin \ + --sbindir=/usr/sbin \ + --sysconfdir=/etc \ + --datadir=/usr/share \ + --includedir=/usr/include \ + --libdir=$SSS_LIBDIR \ + --libexecdir=/usr/libexec \ + --localstatedir=/var \ + --sharedstatedir=/var/lib \ + --mandir=/usr/share/man \ + --infodir=/usr/share/info \ + --enable-nsslibdir=/$SSS_LIB \ + --enable-pammoddir=/$SSS_LIB/security \ + --enable-systemtap \ + --with-krb5-rcache-dir=/var/cache/krb5rcache \ + --with-initscript=systemd \ + --with-syslog=journald \ + --with-test-dir=/dev/shm \ + --cache-file=/tmp/fedconfig.cache \ + --with-passkey \ + ${SSSD_NO_MANPAGES-} \ + "$@" +} + +# Completely purge the current working directory, then recreate +# and reconfigure it. This is best used when you are making changes to the m4 +# macros or the configure scripts. 
+reconfig() +{ + autoreconf -if \ + && rm -Rf $SSS_ARCH/ \ + && mkdir $SSS_ARCH/ \ + && cd $SSS_ARCH/ \ + && fedconfig "$@" +} + +# Set the list of warnings that you want to detect (and in the case of remake +# and chmake want to treat as errors) +SSS_WARNINGS='-Wall \ + -Wextra \ + -Wno-unused-parameter \ + -Wno-sign-compare \ + -Wshadow \ + -Wunused-variable \ + -Wformat-security' + +# Build (or finish building) all objects and then run the build-tests against +# them. This builds with optimizations turned off and GDB debugging symbols. +chmake() +{ + make V=0 \ + CFLAGS+="-ggdb3 $SSS_WARNINGS ${SSS_WERROR-} -O0 -Wp,-U_FORTIFY_SOURCE" \ + -j$PROCESSORS check "$@" +} + +# Clean the build directory and rebuild all objects, then run the build-tests +# against them. This builds with optimizations turned off and GDB debugging +# symbols. +remake() +{ + make clean > /dev/null && chmake "$@" +} + +# Clean the build directory and rebuild all objects, hiding most of the build +# output except for warnings and errors. This builds with default +# optimization and without debugging symbols. +warn() +{ + make clean >/dev/null \ + && make CFLAGS+="$SSS_WARNINGS" -j$PROCESSORS tests > /dev/null "$@" +} + +# Install the built sources to the current system, cleaning up the LDB modules +# and making sure that the NSS and PAM modules have the right SELinux context. +sssinstall() +{ + # Force single-thread install to workaround concurrency issues + sudo make -j1 install \ + && sudo rm -f $SSS_LIBDIR/ldb/modules/ldb/memberof.la \ + && sudo restorecon -v /$SSS_LIB/libnss_sss.so.2 \ + /$SSS_LIB/security/pam_sss.so +} + +# Alias to generate a patch or series of patches that meet SSSD submission +# guidelines. +# Usage: +# genpatch -N (where N is the number of patches to submit) +genpatch() +{ + git format-patch -M -C --patience --full-index "$@" +} diff --git a/contrib/fedora/make_srpm.sh b/contrib/fedora/make_srpm.sh new file mode 100755 index 0000000..b9c4b17 --- /dev/null 
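Review bot: `fedconfig` passes `--cache-file=/tmp/fedconfig.cache`, a fixed, predictable path in the shared world-writable /tmp; an autoconf-generated configure sources its cache file as a shell script, so another local user who creates that file first can get shell commands executed in the developer's configure run, and a stale cache from an earlier checkout silently leaks into later ones. A per-user or per-tree location avoids both problems: `--cache-file="${XDG_CACHE_HOME:-$HOME/.cache}/sssd-fedconfig.cache"` or, simplest, `--cache-file="$PWD/config.cache"` inside the build directory this function already assumes. The same consideration applies to `--with-test-dir=/dev/shm`, though that mirrors the value used in the spec file and is presumably deliberate; a short comment saying so would stop a reader from "fixing" it.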
+++ b/contrib/fedora/make_srpm.sh 
@@ -0,0 +1,186 @@ +#!/bin/bash + +# Authors: +# Lukas Slebodnik <lslebodn@redhat.com> +# +# Copyright (C) 2013 Red Hat +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +PACKAGE_NAME="sssd" + +usage(){ + echo "$(basename $0) [OPTIONS] [-P|--patches <patch>...]" + echo -e "\t-p, --prerelease Create prerelease SRPM" + echo -e "\t-d, --debug Enable debugging." + echo -e "\t-c, --clean Remove directory rpmbuild and exit." + echo -e "\t-P, --patches Requires list of patches for SRPM." + echo -e "\t-o, --output Moves the created srpm to a specific output directory." + echo -e "\t-v, --version Provide package version to set in spec file." + echo -e "\t-h, --help Print this help and exit." + echo -e "\t-?, --usage" + + exit 1 +} + +add_patches(){ + spec_file=$1 + shift + source_dir=$1 + shift + + patches=("${@}") + + # These keep track of our spec file substitutions. + i=1 + prefix="Source0:" + prepprefix="%setup" + + # If no patches exist, just exit. + if [ -z "$patches" ]; then + echo Creating SRPM without extra patches. + return 0 + fi + + # Add the patches to the specfile. 
+ for p in "${patches[@]}"; do + cp "$p" "$source_dir" + p=$(basename $p) + echo "Adding patch to spec file - $p" + sed -i -e "/${prefix}/a Patch${i}: ${p}" \ + -e "/$prepprefix/a %patch${i} -p1" \ + "$spec_file" + + prefix="Patch${i}:" + prepprefix="%patch${i}" + i=$(($i+1)) + done +} + +for i in "$@" +do +case $i in + -p|--prerelease) + PRERELEASE=1 + shift + ;; + -d|--debug) + set -x + shift + ;; + -c|--clean) + CLEAN=1 + shift + ;; + -P|--patches) + shift + patches=("$@") + break + ;; + -o|--output) + shift + OUTPUT=("$@") + break + ;; + -v|--version) + shift + VERSION=("$@") + break + ;; + -h|--help|-\?|--usage) + usage + ;; + *) + # unknown option + ;; +esac +done + +RPMBUILD="$(pwd)/rpmbuild" +if [ -n "$CLEAN" ]; then + rm -rfv "$RPMBUILD" + exit 0 +fi + +SRC_DIR=$(git rev-parse --show-toplevel) +rc=$? +if [ $rc != 0 ]; then + echo "This script must be run from the $PACKAGE_NAME git repository!" + exit 1; +fi + +if [ "x$SRC_DIR" = x ]; then + echo "Fatal: Could not find source directory!" + exit 1; +fi + +VERSION_FILE="$SRC_DIR/version.m4" +SPEC_TEMPLATE="$SRC_DIR/contrib/$PACKAGE_NAME.spec.in" + +if [ ! -f "$VERSION_FILE" ]; then + echo "Fatal: Could not find file version.m4 in source directory!" + exit 1; +fi + +if [ ! -f "$SPEC_TEMPLATE" ]; then + echo "Fatal: Could not find $PACKAGE_NAME.spec.in in contrib subdirectory!" + exit 1; +fi + +PACKAGE_VERSION=$(grep "\[VERSION_NUMBER\]" $VERSION_FILE \ + | sed -e 's/.*\[//' -e 's/\]).*$//') +if [ -n "$VERSION" ]; then + PACKAGE_VERSION="$VERSION" +fi +if [ "x$PACKAGE_VERSION" = x ]; then + echo "Fatal: Could parse version from file:$VERSION_FILE!" 
+ exit 1; +fi + +PRERELEASE_VERSION="" +if [ -n "$PRERELEASE" ]; then + PRERELEASE_VERSION=.$(date +%y%m%d.%H%M%S).git$(git log -1 --pretty=format:%h) +fi + +mkdir -p $RPMBUILD/BUILD +mkdir -p $RPMBUILD/RPMS +mkdir -p $RPMBUILD/SOURCES +mkdir -p $RPMBUILD/SPECS +mkdir -p $RPMBUILD/SRPMS + +sed -e "s/@PACKAGE_NAME@/$PACKAGE_NAME/" \ + -e "s/@PACKAGE_VERSION@/$PACKAGE_VERSION/" \ + -e "s/@PRERELEASE_VERSION@/$PRERELEASE_VERSION/" \ + < "$SPEC_TEMPLATE" \ + > "$RPMBUILD/SPECS/$PACKAGE_NAME.spec" + +NAME="$PACKAGE_NAME-$PACKAGE_VERSION" +git archive --format=tar --prefix="$NAME"/ \ + --remote="file://$SRC_DIR" \ + HEAD \ + | gzip > "$RPMBUILD/SOURCES/$NAME.tar.gz" + +cp "$SRC_DIR"/contrib/*.patch "$RPMBUILD/SOURCES" 2>/dev/null +add_patches "$RPMBUILD/SPECS/$PACKAGE_NAME.spec" \ + "$RPMBUILD/SOURCES" \ + "${patches[@]}" + +cd $RPMBUILD +rpmbuild --define "_topdir $RPMBUILD" \ + -bs SPECS/$PACKAGE_NAME.spec + +if [ -n "$OUTPUT" ]; then + mv "$RPMBUILD/SRPMS/"*.src.rpm "$OUTPUT/" + echo "Package has been moved to the folder: $OUTPUT" +fi diff --git a/contrib/kcm_default_ccache b/contrib/kcm_default_ccache new file mode 100644 index 0000000..996e865 --- /dev/null +++ b/contrib/kcm_default_ccache @@ -0,0 +1,12 @@ +# This file should normally be installed by your distribution into a +# directory that is included from the Kerberos configuration file (/etc/krb5.conf) +# On Fedora/RHEL/CentOS, this is /etc/krb5.conf.d/ +# +# To enable the KCM credential cache enable the KCM socket and the service: +# systemctl enable sssd-kcm.socket +# systemctl start sssd-kcm.socket +# +# To disable the KCM credential cache, comment out the following lines. + +[libdefaults] + default_ccache_name = KCM: diff --git a/contrib/sssd-pcsc.rules b/contrib/sssd-pcsc.rules new file mode 100644 index 0000000..3720a3c --- /dev/null +++ b/contrib/sssd-pcsc.rules 
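Review bot: The `-o|--output` and `-v|--version` handlers do `shift; OUTPUT=("$@"); break` (same for `VERSION`), so they capture every remaining argument as an array and stop option parsing; anything written after `-o DIR` or `-v VER` (including `-p`, `-P`, `-c`) is silently ignored, and `mv ... "$OUTPUT/"` only ever sees the first element, while `usage` documents both as taking a single value. Taking exactly one value and continuing the loop keeps the rest of the command line working (the `for i in "$@"` snapshot means the consumed value then falls through to the no-op `*)` case, which is harmless). Separately, the `-v` value is interpolated unescaped into the `sed -e "s/@PACKAGE_VERSION@/$PACKAGE_VERSION/"` script, so a version containing `/` or `&` corrupts the generated spec rather than failing; a `case` check rejecting those characters, or a different sed delimiter, would make that explicit.
```shell
for i in "$@"
do
case $i in
    # … unchanged: -p/-d/-c handlers …
    -P|--patches)
        shift
        patches=("$@")
        break
        ;;
    -o|--output)
        shift
        OUTPUT="$1"
        shift
        ;;
    -v|--version)
        shift
        VERSION="$1"
        shift
        ;;
    # … unchanged: -h/--help and default case …
esac
done
```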
@@ -0,0 +1,15 @@ +// Please put this file in /usr/share/polkit-1/rules.d/ if SSSD is running as +// unprivileged user 'root' to allow access to the Smartcard via pcscd. +polkit.addRule(function(action, subject) { + if (action.id == "org.debian.pcsc-lite.access_card" && + subject.user == "root") { + return polkit.Result.YES; + } +}); + +polkit.addRule(function(action, subject) { + if (action.id == "org.debian.pcsc-lite.access_pcsc" && + subject.user == "root") { + return polkit.Result.YES; + } +}); diff --git a/contrib/sssd-pcsc.rules.in b/contrib/sssd-pcsc.rules.in new file mode 100644 index 0000000..31d2dbe --- /dev/null +++ b/contrib/sssd-pcsc.rules.in @@ -0,0 +1,15 @@ +// Please put this file in /usr/share/polkit-1/rules.d/ if SSSD is running as +// unprivileged user '@SSSD_USER@' to allow access to the Smartcard via pcscd. +polkit.addRule(function(action, subject) { + if (action.id == "org.debian.pcsc-lite.access_card" && + subject.user == "@SSSD_USER@") { + return polkit.Result.YES; + } +}); + +polkit.addRule(function(action, subject) { + if (action.id == "org.debian.pcsc-lite.access_pcsc" && + subject.user == "@SSSD_USER@") { + return polkit.Result.YES; + } +}); diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in new file mode 100644 index 0000000..03171a8 --- /dev/null +++ b/contrib/sssd.spec.in 
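Review bot: The checked-in `contrib/sssd-pcsc.rules` is byte-for-byte the `.rules.in` template with `@SSSD_USER@` replaced by `root`, and its header now reads "if SSSD is running as unprivileged user 'root'", which contradicts itself and will mislead anyone who installs this copy by hand. If the generated file has to live in the tree (it appears to be a configure-time output of `sssd-pcsc.rules.in`, though that cannot be confirmed from this diff), give it a header that says so, e.g. `// Generated from sssd-pcsc.rules.in by configure; edit the template, not this file.`, and drop the "unprivileged" wording; otherwise remove it and let the build produce it. Note also that both rules return `polkit.Result.YES` for every process owned by that user, which is the intended grant for the SSSD daemons but is worth stating in the comment so the scope of the rule is clear to an administrator reviewing rules.d.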
@@ -0,0 +1,1082 @@ +# SSSD SPEC file for Fedora 34+ and RHEL-9+ + +# define SSSD user +%if 0%{?rhel} +%global sssd_user sssd +%else +%global sssd_user root +%endif + +# Set setuid bit on child helpers if we support non-root user. +%if "%{sssd_user}" == "root" +%global child_attrs 0750 +%else +%global child_attrs 4750 +%endif + +%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9 +%global build_subid 1 +%else +%global build_subid 0 +%endif + +%if 0%{?fedora} >= 34 +%global build_kcm_renewals 1 +%global krb5_version 1.19.1 +%elif 0%{?rhel} >= 8 +%global build_kcm_renewals 1 +%global krb5_version 1.18.2 +%else +%global build_kcm_renewals 0 +%endif + +%if 0%{?fedora} >= 39 || 0%{?rhel} >= 9 +%global build_passkey 1 +%else +%global build_passkey 0 +%endif + +# we don't want to provide private python extension libs +%define __provides_exclude_from %{python3_sitearch}/.*\.so$ + +%define _hardened_build 1 + +# Determine the location of the LDB modules directory +%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb) +%global ldb_version 1.2.0 + +%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) + +Name: @PACKAGE_NAME@ +Version: @PACKAGE_VERSION@ +Release: 0@PRERELEASE_VERSION@%{?dist} +Summary: System Security Services Daemon +License: GPLv3+ +URL: https://github.com/SSSD/sssd/ +Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz + +### Patches ### +# Place your patches here: +# Patch0001: 0001-patch-file.patch + +### Downstream only patches ### +# Place your downstream only patches here: +# Patch0901: 0901-downstream-only-patch-file.patch + +### Dependencies ### + +Requires: sssd-ad = %{version}-%{release} +Requires: sssd-common = %{version}-%{release} +Requires: sssd-ipa = %{version}-%{release} +Requires: sssd-krb5 = %{version}-%{release} +Requires: sssd-ldap = %{version}-%{release} +Requires: sssd-proxy = %{version}-%{release} +Suggests: logrotate +Suggests: procps-ng +Suggests: python3-sssdconfig = %{version}-%{release} 
+Suggests: sssd-dbus = %{version}-%{release} + +%global servicename sssd +%global sssdstatedir %{_localstatedir}/lib/sss +%global dbpath %{sssdstatedir}/db +%global keytabdir %{sssdstatedir}/keytabs +%global pipepath %{sssdstatedir}/pipes +%global mcpath %{sssdstatedir}/mc +%global pubconfpath %{sssdstatedir}/pubconf +%global gpocachepath %{sssdstatedir}/gpo_cache +%global secdbpath %{sssdstatedir}/secrets +%global deskprofilepath %{sssdstatedir}/deskprofile + +### Build Dependencies ### + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: bind-utils +BuildRequires: c-ares-devel +BuildRequires: check-devel +BuildRequires: cifs-utils-devel +BuildRequires: dbus-devel +BuildRequires: docbook-style-xsl +BuildRequires: doxygen +BuildRequires: findutils +BuildRequires: gcc +BuildRequires: gdm-pam-extensions-devel +BuildRequires: gettext-devel +# required for p11_child smartcard tests +BuildRequires: gnutls-utils +BuildRequires: jansson-devel +BuildRequires: libcurl-devel +BuildRequires: libjose-devel +BuildRequires: keyutils-libs-devel +BuildRequires: krb5-devel +BuildRequires: libcmocka-devel >= 1.0.0 +BuildRequires: libdhash-devel >= 0.4.2 +%if %{build_passkey} +BuildRequires: libfido2-devel +%endif +BuildRequires: libini_config-devel >= 1.1 +BuildRequires: libldb-devel >= %{ldb_version} +BuildRequires: libnfsidmap-devel +BuildRequires: libnl3-devel +BuildRequires: libselinux-devel +BuildRequires: libsemanage-devel +BuildRequires: libsmbclient-devel +BuildRequires: libtalloc-devel +BuildRequires: libtdb-devel +BuildRequires: libtevent-devel +BuildRequires: libtool +BuildRequires: libunistring +BuildRequires: libunistring-devel +BuildRequires: libuuid-devel +BuildRequires: libxml2 +BuildRequires: libxslt +BuildRequires: m4 +BuildRequires: make +BuildRequires: nss_wrapper +BuildRequires: openldap-devel +BuildRequires: openssh +# required for p11_child smartcard tests +BuildRequires: openssl +BuildRequires: openssl-devel +BuildRequires: p11-kit-devel 
+BuildRequires: pam_wrapper +BuildRequires: pam-devel +BuildRequires: pcre2-devel +BuildRequires: pkgconfig +BuildRequires: popt-devel +BuildRequires: python3-devel +BuildRequires: (python3-setuptools if python3 >= 3.12) +BuildRequires: samba-devel +# required for idmap_sss.so +BuildRequires: samba-winbind +BuildRequires: selinux-policy-targeted +# required for p11_child smartcard tests +BuildRequires: softhsm >= 2.1.0 +BuildRequires: bc +BuildRequires: systemd-devel +BuildRequires: systemtap-sdt-devel +BuildRequires: uid_wrapper +BuildRequires: po4a +%if %{build_subid} +BuildRequires: shadow-utils-subid-devel +%endif +%if %{build_kcm_renewals} +BuildRequires: krb5-libs >= %{krb5_version} +%endif + +%description +Provides a set of daemons to manage access to remote directories and +authentication mechanisms. It provides an NSS and PAM interface toward +the system and a pluggable back end system to connect to multiple different +account sources. It is also the basis to provide client auditing and policy +services for projects like FreeIPA. + +The sssd subpackage is a meta-package that contains the daemon as well as all +the existing back ends. 
+ +%package common +Summary: Common files for the SSSD +License: GPLv3+ +# libsss_simpleifp is removed starting 2.9.0 +Obsoletes: libsss_simpleifp < 2.9.0 +Obsoletes: libsss_simpleifp-debuginfo < 2.9.0 +# Requires +# due to ABI changes in 1.1.30/1.2.0 +Requires: libldb >= %{ldb_version} +Requires: sssd-client%{?_isa} = %{version}-%{release} +Requires: (libsss_sudo = %{version}-%{release} if sudo) +Requires: (libsss_autofs%{?_isa} = %{version}-%{release} if autofs) +Requires: (sssd-nfs-idmap = %{version}-%{release} if libnfsidmap) +Requires: libsss_idmap = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} +%if 0%{?rhel} +Requires(pre): shadow-utils +%endif +%{?systemd_requires} + +### Provides ### +Provides: libsss_sudo-devel = %{version}-%{release} +Obsoletes: libsss_sudo-devel <= 1.10.0-7%{?dist}.beta1 + +%description common +Common files for the SSSD. The common package includes all the files needed +to run a particular back end, however, the back ends are packaged in separate +subpackages such as sssd-ldap. + +%package client +Summary: SSSD Client libraries for NSS and PAM +License: LGPLv3+ +Requires: libsss_nss_idmap = %{version}-%{release} +Requires: libsss_idmap = %{version}-%{release} +Requires(post): /usr/sbin/alternatives +Requires(preun): /usr/sbin/alternatives + +%description client +Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD +service. 
+ +%package -n libsss_sudo +Summary: A library to allow communication between SUDO and SSSD +License: LGPLv3+ +Conflicts: sssd-common < %{version}-%{release} + +%description -n libsss_sudo +A utility library to allow communication between SUDO and SSSD + +%package -n libsss_autofs +Summary: A library to allow communication between Autofs and SSSD +License: LGPLv3+ +Conflicts: sssd-common < %{version}-%{release} + +%description -n libsss_autofs +A utility library to allow communication between Autofs and SSSD + +%package tools +Summary: Userspace tools for use with the SSSD +License: GPLv3+ +Requires: sssd-common = %{version}-%{release} +# required by sss_obfuscate +Requires: python3-sss = %{version}-%{release} +Requires: python3-sssdconfig = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} +# for logger=journald support with sss_analyze +Requires: python3-systemd +Requires: sssd-dbus + +%description tools +Provides several administrative tools: + * sss_debuglevel to change the debug level on the fly + * sss_seed which pre-creates a user entry for use in kickstarts + * sss_obfuscate for generating an obfuscated LDAP password + * sssctl -- an sssd status and control utility + +%package -n python3-sssdconfig +Summary: SSSD and IPA configuration file manipulation classes and functions +License: GPLv3+ +BuildArch: noarch +%{?python_provide:%python_provide python3-sssdconfig} + +%description -n python3-sssdconfig +Provides python3 files for manipulation SSSD and IPA configuration files. 
+ +%package -n python3-sss +Summary: Python3 bindings for sssd +License: LGPLv3+ +Requires: sssd-common = %{version}-%{release} +%{?python_provide:%python_provide python3-sss} + +%description -n python3-sss +Provides python3 bindings: + * function for retrieving list of groups user belongs to + * class for obfuscation of passwords + +%package -n python3-sss-murmur +Summary: Python3 bindings for murmur hash function +License: LGPLv3+ +%{?python_provide:%python_provide python3-sss-murmur} + +%description -n python3-sss-murmur +Provides python3 module for calculating the murmur hash version 3 + +%package ldap +Summary: The LDAP back end of the SSSD +License: GPLv3+ +Requires: sssd-common = %{version}-%{release} +Requires: sssd-krb5-common = %{version}-%{release} +Requires: libsss_idmap = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} + +%description ldap +Provides the LDAP back end that the SSSD can utilize to fetch identity data +from and authenticate against an LDAP server. + +%package krb5-common +Summary: SSSD helpers needed for Kerberos and GSSAPI authentication +License: GPLv3+ +Requires: cyrus-sasl-gssapi%{?_isa} +Requires: sssd-common = %{version}-%{release} + +%description krb5-common +Provides helper processes that the LDAP and Kerberos back ends can use for +Kerberos user or host authentication. + +%package krb5 +Summary: The Kerberos authentication back end for the SSSD +License: GPLv3+ +Requires: sssd-common = %{version}-%{release} +Requires: sssd-krb5-common = %{version}-%{release} + +%description krb5 +Provides the Kerberos back end that the SSSD can utilize authenticate +against a Kerberos server. + +%package common-pac +Summary: Common files needed for supporting PAC processing +License: GPLv3+ +Requires: sssd-common = %{version}-%{release} +Requires: libsss_idmap = %{version}-%{release} + +%description common-pac +Provides common files needed by SSSD providers such as IPA and Active Directory +for handling Kerberos PACs. 
+ +%package ipa +Summary: The IPA back end of the SSSD +License: GPLv3+ +Requires: samba-client-libs >= %{samba_package_version} +Requires: sssd-common = %{version}-%{release} +Requires: sssd-krb5-common = %{version}-%{release} +Requires: libipa_hbac%{?_isa} = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} +Recommends: bind-utils +Requires: sssd-common-pac = %{version}-%{release} +Requires: libsss_idmap = %{version}-%{release} + +%description ipa +Provides the IPA back end that the SSSD can utilize to fetch identity data +from and authenticate against an IPA server. + +%package ad +Summary: The AD back end of the SSSD +License: GPLv3+ +Requires: samba-client-libs >= %{samba_package_version} +Requires: sssd-common = %{version}-%{release} +Requires: sssd-krb5-common = %{version}-%{release} +Requires: sssd-common-pac = %{version}-%{release} +Requires: libsss_idmap = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} +Recommends: bind-utils +Recommends: adcli +Suggests: sssd-winbind-idmap = %{version}-%{release} + +%description ad +Provides the Active Directory back end that the SSSD can utilize to fetch +identity data from and authenticate against an Active Directory server. + +%package proxy +Summary: The proxy back end of the SSSD +License: GPLv3+ +Requires: sssd-common = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} + +%description proxy +Provides the proxy back end which can be used to wrap an existing NSS and/or +PAM modules to leverage SSSD caching. 
+ +%package -n libsss_idmap +Summary: FreeIPA Idmap library +License: LGPLv3+ + +%description -n libsss_idmap +Utility library to convert SIDs to Unix uids and gids + +%package -n libsss_idmap-devel +Summary: FreeIPA Idmap library +License: LGPLv3+ +Requires: libsss_idmap = %{version}-%{release} + +%description -n libsss_idmap-devel +Utility library to SIDs to Unix uids and gids + +%package -n libipa_hbac +Summary: FreeIPA HBAC Evaluator library +License: LGPLv3+ + +%description -n libipa_hbac +Utility library to validate FreeIPA HBAC rules for authorization requests + +%package -n libipa_hbac-devel +Summary: FreeIPA HBAC Evaluator library +License: LGPLv3+ +Requires: libipa_hbac = %{version}-%{release} + +%description -n libipa_hbac-devel +Utility library to validate FreeIPA HBAC rules for authorization requests + +%package -n python3-libipa_hbac +Summary: Python3 bindings for the FreeIPA HBAC Evaluator library +License: LGPLv3+ +Requires: libipa_hbac = %{version}-%{release} +%{?python_provide:%python_provide python3-libipa_hbac} + +%description -n python3-libipa_hbac +The python3-libipa_hbac contains the bindings so that libipa_hbac can be +used by Python applications. 
+ +%package -n libsss_nss_idmap +Summary: Library for SID and certificate based lookups +License: LGPLv3+ + +%description -n libsss_nss_idmap +Utility library for SID and certificate based lookups + +%package -n libsss_nss_idmap-devel +Summary: Library for SID and certificate based lookups +License: LGPLv3+ +Requires: libsss_nss_idmap = %{version}-%{release} + +%description -n libsss_nss_idmap-devel +Utility library for SID and certificate based lookups + +%package -n python3-libsss_nss_idmap +Summary: Python3 bindings for libsss_nss_idmap +License: LGPLv3+ +Requires: libsss_nss_idmap = %{version}-%{release} +%{?python_provide:%python_provide python3-libsss_nss_idmap} + +%description -n python3-libsss_nss_idmap +The python3-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can +be used by Python applications. + +%package dbus +Summary: The D-Bus responder of the SSSD +License: GPLv3+ +Requires: sssd-common = %{version}-%{release} +%{?systemd_requires} + +%description dbus +Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows +the information from the SSSD to be transmitted over the system bus. + +%if 0%{?rhel} +%package polkit-rules +Summary: Rules for polkit integration for SSSD +Group: Applications/System +License: GPLv3+ +Requires: polkit >= 0.106 +Requires: sssd-common = %{version}-%{release} + +%description polkit-rules +Provides rules for polkit integration with SSSD. This is required +for smartcard support. +%endif + +%package winbind-idmap +Summary: SSSD's idmap_sss Backend for Winbind +License: GPLv3+ and LGPLv3+ +Requires: libsss_nss_idmap = %{version}-%{release} +Requires: libsss_idmap = %{version}-%{release} +Conflicts: sssd-common < %{version}-%{release} + +%description winbind-idmap +The idmap_sss module provides a way for Winbind to call SSSD to map UIDs/GIDs +and SIDs. 
+ +%package nfs-idmap +Summary: SSSD plug-in for NFSv4 rpc.idmapd +License: GPLv3+ +Conflicts: sssd-common < %{version}-%{release} + +%description nfs-idmap +The libnfsidmap sssd module provides a way for rpc.idmapd to call SSSD to map +UIDs/GIDs to names and vice versa. It can be also used for mapping principal +(user) name to IDs(UID or GID) or to obtain groups which user are member of. + +%package -n libsss_certmap +Summary: SSSD Certificate Mapping Library +License: LGPLv3+ +Conflicts: sssd-common < %{version}-%{release} + +%description -n libsss_certmap +Library to map certificates to users based on rules + +%package -n libsss_certmap-devel +Summary: SSSD Certificate Mapping Library +License: LGPLv3+ +Requires: libsss_certmap = %{version}-%{release} + +%description -n libsss_certmap-devel +Library to map certificates to users based on rules + +%package kcm +Summary: An implementation of a Kerberos KCM server +License: GPLv3+ +Requires: sssd-common = %{version}-%{release} +%if %{build_kcm_renewals} +Requires: krb5-libs >= %{krb5_version} +%endif +%{?systemd_requires} + +%description kcm +An implementation of a Kerberos KCM server. Use this package if you want to +use the KCM: Kerberos credentials cache. + +%package idp +Summary: Kerberos plugins and OIDC helper for external identity providers. +License: GPLv3+ +Requires: sssd-common = %{version}-%{release} + +%description idp +This package provides Kerberos plugins that are required to enable +authentication against external identity providers. Additionally a helper +program to handle the OAuth 2.0 Device Authorization Grant is provided. + +%if %{build_passkey} +%package passkey +Summary: SSSD helpers and plugins needed for authentication with passkey token +License: GPLv3+ +Requires: sssd-common = %{version}-%{release} +Requires: libfido2 + +%description passkey +This package provides helper processes and Kerberos plugins that are required to +enable authentication with passkey token. 
+%endif + +%prep +%autosetup -p1 + +%build + +autoreconf -ivf + +%configure \ + --disable-rpath \ + --disable-static \ + --enable-gss-spnego-for-zero-maxssf \ + --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \ + --enable-nsslibdir=%{_libdir} \ + --enable-pammoddir=%{_libdir}/security \ + --enable-sss-default-nss-plugin \ + --enable-systemtap \ + --with-db-path=%{dbpath} \ + --with-gpo-cache-path=%{gpocachepath} \ + --with-init-dir=%{_initrddir} \ + --with-initscript=systemd \ + --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \ + --with-mcache-path=%{mcpath} \ + --with-pid-path=%{_rundir} \ + --with-pipe-path=%{pipepath} \ + --with-pubconf-path=%{pubconfpath} \ + --with-sssd-user=%{sssd_user} \ + --with-syslog=journald \ + --with-test-dir=/dev/shm \ +%if %{build_subid} + --with-subid \ +%endif +%if 0%{?fedora} + --disable-polkit-rules-path \ +%endif +%if %{build_passkey} + --with-passkey \ +%endif + %{nil} + +%make_build all docs runstatedir=%{_rundir} + +%py3_shebang_fix src/tools/analyzer/sss_analyze +sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate + +%check +export CK_TIMEOUT_MULTIPLIER=10 +%make_build check VERBOSE=yes +unset CK_TIMEOUT_MULTIPLIER + +%install + +%make_install + +# Prepare language files +/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd + +# Copy default logrotate file +mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d +install -m644 src/examples/logrotate $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/sssd + +# Make sure SSSD is able to run on read-only root +mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d +install -m644 src/examples/rwtab $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d/sssd + +# Kerberos KCM credential cache by default +mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d +cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \ + $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache + +# Enable krb5 idp plugins by default (when sssd-idp package is installed) +cp 
$RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \ + $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp + +# Enable krb5 passkey plugins by default (when sssd-passkey package is installed) +%if %{build_passkey} +cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey \ + $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_passkey +%endif + +# krb5 configuration snippet +cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \ + $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir + +# Create directory for cifs-idmap alternative +# Otherwise this directory could not be owned by sssd-client +mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils + +# Remove .la files created by libtool +find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \; + +# Suppress developer-only documentation +rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name} + +# Older versions of rpmbuild can only handle one -f option +# So we need to append to the sssd*.lang file +for file in `find $RPM_BUILD_ROOT/%{python3_sitelib} -maxdepth 1 -name "*.egg-info" 2> /dev/null` +do + echo %{python3_sitelib}/`basename $file` >> python3_sssdconfig.lang +done + +touch sssd.lang +for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \ + sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \ + libsss_certmap sssd_kcm +do + touch $subpackage.lang +done + +for man in `find $RPM_BUILD_ROOT/%{_mandir}/??/man?/ -type f | sed -e "s#$RPM_BUILD_ROOT/%{_mandir}/##"` +do + lang=`echo $man | cut -c 1-2` + case `basename $man` in + sss_cache*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang + ;; + sss_ssh*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang + ;; + sss_rpcidmapd*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_nfs_idmap.lang + ;; + sss_*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang + ;; + sssctl*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang + ;; + sssd_krb5_*) + 
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang + ;; + pam_sss*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang + ;; + sssd-ldap*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ldap.lang + ;; + sssd-krb5*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_krb5.lang + ;; + sssd-ipa*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ipa.lang + ;; + sssd-ad*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ad.lang + ;; + sssd-proxy*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_proxy.lang + ;; + sssd-ifp*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_dbus.lang + ;; + sssd-kcm*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_kcm.lang + ;; + idmap_sss*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_winbind_idmap.lang + ;; + sss-certmap*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> libsss_certmap.lang + ;; + *) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang + ;; + esac +done + +# Print these to the rpmbuild log +echo "sssd.lang:" +cat sssd.lang + +echo "python3_sssdconfig.lang:" +cat python3_sssdconfig.lang + +for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \ + sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \ + libsss_certmap sssd_kcm +do + echo "$subpackage.lang:" + cat $subpackage.lang +done + +%files +%license COPYING + +%files common -f sssd.lang +%license COPYING +%doc src/examples/sssd-example.conf +%{_sbindir}/sssd +%{_unitdir}/sssd.service +%{_unitdir}/sssd-autofs.socket +%{_unitdir}/sssd-autofs.service +%{_unitdir}/sssd-nss.socket +%{_unitdir}/sssd-nss.service +%{_unitdir}/sssd-pac.socket +%{_unitdir}/sssd-pac.service +%{_unitdir}/sssd-pam.socket +%{_unitdir}/sssd-pam-priv.socket +%{_unitdir}/sssd-pam.service +%{_unitdir}/sssd-ssh.socket +%{_unitdir}/sssd-ssh.service +%{_unitdir}/sssd-sudo.socket +%{_unitdir}/sssd-sudo.service + +%dir %{_libexecdir}/%{servicename} +%{_libexecdir}/%{servicename}/sssd_be 
+%{_libexecdir}/%{servicename}/sssd_nss +%{_libexecdir}/%{servicename}/sssd_pam +%{_libexecdir}/%{servicename}/sssd_autofs +%{_libexecdir}/%{servicename}/sssd_ssh +%{_libexecdir}/%{servicename}/sssd_sudo +%{_libexecdir}/%{servicename}/p11_child +%{_libexecdir}/%{servicename}/sssd_check_socket_activated_responders + +%dir %{_libdir}/%{name} +%{_libdir}/%{name}/libsss_simple.so + +#Internal shared libraries +%{_libdir}/%{name}/libsss_child.so +%{_libdir}/%{name}/libsss_crypt.so +%{_libdir}/%{name}/libsss_cert.so +%{_libdir}/%{name}/libsss_debug.so +%{_libdir}/%{name}/libsss_krb5_common.so +%{_libdir}/%{name}/libsss_ldap_common.so +%{_libdir}/%{name}/libsss_util.so +%{_libdir}/%{name}/libsss_semanage.so +%{_libdir}/%{name}/libifp_iface.so +%{_libdir}/%{name}/libifp_iface_sync.so +%{_libdir}/%{name}/libsss_iface.so +%{_libdir}/%{name}/libsss_iface_sync.so +%{_libdir}/%{name}/libsss_sbus.so +%{_libdir}/%{name}/libsss_sbus_sync.so + +%{ldb_modulesdir}/memberof.so +%{_bindir}/sss_ssh_authorizedkeys +%{_bindir}/sss_ssh_knownhostsproxy +%{_sbindir}/sss_cache +%{_libexecdir}/%{servicename}/sss_signal + +%dir %{sssdstatedir} +%dir %{_localstatedir}/cache/krb5rcache +%attr(700,%{sssd_user},%{sssd_user}) %dir %{dbpath} +%attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath} +%attr(700,root,root) %dir %{secdbpath} +%attr(751,root,root) %dir %{deskprofilepath} +%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/passwd +%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/group +%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/initgroups +%attr(755,%{sssd_user},%{sssd_user}) %dir %{pipepath} +%attr(750,%{sssd_user},root) %dir %{pipepath}/private +%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath} +%attr(755,%{sssd_user},%{sssd_user}) %dir %{gpocachepath} +%attr(750,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name} +%attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd 
+%attr(711,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d +%attr(711,root,root) %dir %{_sysconfdir}/sssd/pki +%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf +%dir %{_sysconfdir}/logrotate.d +%config(noreplace) %{_sysconfdir}/logrotate.d/sssd +%dir %{_sysconfdir}/rwtab.d +%config(noreplace) %{_sysconfdir}/rwtab.d/sssd +%dir %{_datadir}/sssd +%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils +%dir %{_libdir}/%{name}/conf +%{_libdir}/%{name}/conf/sssd.conf + +%{_datadir}/sssd/cfg_rules.ini +%{_mandir}/man1/sss_ssh_authorizedkeys.1* +%{_mandir}/man1/sss_ssh_knownhostsproxy.1* +%{_mandir}/man5/sssd.conf.5* +%{_mandir}/man5/sssd-simple.5* +%{_mandir}/man5/sssd-sudo.5* +%{_mandir}/man5/sssd-session-recording.5* +%{_mandir}/man8/sssd.8* +%{_mandir}/man8/sss_cache.8* +%dir %{_datadir}/sssd/systemtap +%{_datadir}/sssd/systemtap/id_perf.stp +%{_datadir}/sssd/systemtap/nested_group_perf.stp +%{_datadir}/sssd/systemtap/dp_request.stp +%{_datadir}/sssd/systemtap/ldap_perf.stp +%dir %{_datadir}/systemtap +%dir %{_datadir}/systemtap/tapset +%{_datadir}/systemtap/tapset/sssd.stp +%{_datadir}/systemtap/tapset/sssd_functions.stp +%{_mandir}/man5/sssd-systemtap.5* + +%if 0%{?rhel} +%files polkit-rules +%{_datadir}/polkit-1/rules.d/* +%endif + +%files ldap -f sssd_ldap.lang +%license COPYING +%{_libdir}/%{name}/libsss_ldap.so +%{_mandir}/man5/sssd-ldap.5* +%{_mandir}/man5/sssd-ldap-attributes.5* + +%files krb5-common +%license COPYING +%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d +%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/ldap_child +%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/krb5_child + +%files krb5 -f sssd_krb5.lang +%license COPYING +%{_libdir}/%{name}/libsss_krb5.so +%{_mandir}/man5/sssd-krb5.5* +%config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir +%dir %{_datadir}/sssd/krb5-snippets +%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir 
+ +%files common-pac +%license COPYING +%{_libexecdir}/%{servicename}/sssd_pac + +%files ipa -f sssd_ipa.lang +%license COPYING +%attr(700,%{sssd_user},%{sssd_user}) %dir %{keytabdir} +%{_libdir}/%{name}/libsss_ipa.so +%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/selinux_child +%{_mandir}/man5/sssd-ipa.5* + +%files ad -f sssd_ad.lang +%license COPYING +%{_libdir}/%{name}/libsss_ad.so +%{_libexecdir}/%{servicename}/gpo_child +%{_mandir}/man5/sssd-ad.5* + +%files proxy +%license COPYING +%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/proxy_child +%{_libdir}/%{name}/libsss_proxy.so + +%files dbus -f sssd_dbus.lang +%license COPYING +%{_libexecdir}/%{servicename}/sssd_ifp +%{_mandir}/man5/sssd-ifp.5* +%{_unitdir}/sssd-ifp.service +# InfoPipe DBus plumbing +%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf +%{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service + +%files client -f sssd_client.lang +%license src/sss_client/COPYING src/sss_client/COPYING.LESSER +%{_libdir}/libnss_sss.so.2 +%if %{build_subid} +%{_libdir}/libsubid_sss.so +%endif +%{_libdir}/security/pam_sss.so +%{_libdir}/security/pam_sss_gss.so +%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so +%{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so +%dir %{_libdir}/cifs-utils +%{_libdir}/cifs-utils/cifs_idmap_sss.so +%dir %{_sysconfdir}/cifs-utils +%ghost %{_sysconfdir}/cifs-utils/idmap-plugin +%dir %{_libdir}/%{name} +%dir %{_libdir}/%{name}/modules +%{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so +%{_mandir}/man8/pam_sss.8* +%{_mandir}/man8/pam_sss_gss.8* +%{_mandir}/man8/sssd_krb5_locator_plugin.8* +%{_mandir}/man8/sssd_krb5_localauth_plugin.8* + +%files -n libsss_sudo +%license src/sss_client/COPYING +%{_libdir}/libsss_sudo.so* + +%files -n libsss_autofs +%license src/sss_client/COPYING src/sss_client/COPYING.LESSER +%dir %{_libdir}/%{name}/modules +%{_libdir}/%{name}/modules/libsss_autofs.so + +%files tools 
-f sssd_tools.lang +%license COPYING +%{_sbindir}/sss_obfuscate +%{_sbindir}/sss_override +%{_sbindir}/sss_debuglevel +%{_sbindir}/sss_seed +%{_sbindir}/sssctl +%{_libexecdir}/%{servicename}/sss_analyze +%{python3_sitelib}/sssd/ +%{_mandir}/man8/sss_obfuscate.8* +%{_mandir}/man8/sss_override.8* +%{_mandir}/man8/sss_debuglevel.8* +%{_mandir}/man8/sss_seed.8* +%{_mandir}/man8/sssctl.8* + +%files -n python3-sssdconfig -f python3_sssdconfig.lang +%dir %{python3_sitelib}/SSSDConfig +%{python3_sitelib}/SSSDConfig/*.py* +%dir %{python3_sitelib}/SSSDConfig/__pycache__ +%{python3_sitelib}/SSSDConfig/__pycache__/*.py* +%dir %{_datadir}/sssd +%{_datadir}/sssd/sssd.api.conf +%{_datadir}/sssd/sssd.api.d + +%files -n python3-sss +%{python3_sitearch}/pysss.so + +%files -n python3-sss-murmur +%{python3_sitearch}/pysss_murmur.so + +%files -n libsss_idmap +%license src/sss_client/COPYING src/sss_client/COPYING.LESSER +%{_libdir}/libsss_idmap.so.* + +%files -n libsss_idmap-devel +%doc idmap_doc/html +%{_includedir}/sss_idmap.h +%{_libdir}/libsss_idmap.so +%{_libdir}/pkgconfig/sss_idmap.pc + +%files -n libipa_hbac +%license src/sss_client/COPYING src/sss_client/COPYING.LESSER +%{_libdir}/libipa_hbac.so.* + +%files -n libipa_hbac-devel +%doc hbac_doc/html +%{_includedir}/ipa_hbac.h +%{_libdir}/libipa_hbac.so +%{_libdir}/pkgconfig/ipa_hbac.pc + +%files -n libsss_nss_idmap +%license src/sss_client/COPYING src/sss_client/COPYING.LESSER +%{_libdir}/libsss_nss_idmap.so.* + +%files -n libsss_nss_idmap-devel +%doc nss_idmap_doc/html +%{_includedir}/sss_nss_idmap.h +%{_libdir}/libsss_nss_idmap.so +%{_libdir}/pkgconfig/sss_nss_idmap.pc + +%files -n python3-libsss_nss_idmap +%{python3_sitearch}/pysss_nss_idmap.so + +%files -n python3-libipa_hbac +%{python3_sitearch}/pyhbac.so + +%files winbind-idmap -f sssd_winbind_idmap.lang +%dir %{_libdir}/samba/idmap +%{_libdir}/samba/idmap/sss.so +%{_mandir}/man8/idmap_sss.8* + +%files nfs-idmap -f sssd_nfs_idmap.lang +%{_mandir}/man5/sss_rpcidmapd.5* 
+%{_libdir}/libnfsidmap/sss.so + +%files -n libsss_certmap -f libsss_certmap.lang +%license src/sss_client/COPYING src/sss_client/COPYING.LESSER +%{_libdir}/libsss_certmap.so.* +%{_mandir}/man5/sss-certmap.5* + +%files -n libsss_certmap-devel +%doc certmap_doc/html +%{_includedir}/sss_certmap.h +%{_libdir}/libsss_certmap.so +%{_libdir}/pkgconfig/sss_certmap.pc + +%files kcm -f sssd_kcm.lang +%{_libexecdir}/%{servicename}/sssd_kcm +%config(noreplace) %{_sysconfdir}/krb5.conf.d/kcm_default_ccache +%dir %{_datadir}/sssd-kcm +%{_datadir}/sssd-kcm/kcm_default_ccache +%{_unitdir}/sssd-kcm.socket +%{_unitdir}/sssd-kcm.service +%{_mandir}/man8/sssd-kcm.8* + +%files idp +%{_libexecdir}/%{servicename}/oidc_child +%{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so +%{_datadir}/sssd/krb5-snippets/sssd_enable_idp +%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp + +%if %{build_passkey} +%files passkey +%attr(755,%{sssd_user},%{sssd_user}) %{_libexecdir}/%{servicename}/passkey_child +%{_libdir}/%{name}/modules/sssd_krb5_passkey_plugin.so +%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey +%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey +%endif + +%if 0%{?rhel} +%pre common +getent group sssd >/dev/null || groupadd -r sssd +getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd +%endif + +%post common +%systemd_post sssd.service +%systemd_post sssd-autofs.socket +%systemd_post sssd-nss.socket +%systemd_post sssd-pac.socket +%systemd_post sssd-pam.socket +%systemd_post sssd-pam-priv.socket +%systemd_post sssd-ssh.socket +%systemd_post sssd-sudo.socket + +%preun common +%systemd_preun sssd.service +%systemd_preun sssd-autofs.socket +%systemd_preun sssd-nss.socket +%systemd_preun sssd-pac.socket +%systemd_preun sssd-pam.socket +%systemd_preun sssd-pam-priv.socket +%systemd_preun sssd-ssh.socket +%systemd_preun sssd-sudo.socket + +%postun common +%systemd_postun_with_restart sssd-autofs.socket 
+%systemd_postun_with_restart sssd-nss.socket +%systemd_postun_with_restart sssd-pac.socket +%systemd_postun_with_restart sssd-pam.socket +%systemd_postun_with_restart sssd-pam-priv.socket +%systemd_postun_with_restart sssd-ssh.socket +%systemd_postun_with_restart sssd-sudo.socket + +# Services have RefuseManualStart=true, therefore we can't request restart. +%systemd_postun sssd-autofs.service +%systemd_postun sssd-nss.service +%systemd_postun sssd-pac.service +%systemd_postun sssd-pam.service +%systemd_postun sssd-ssh.service +%systemd_postun sssd-sudo.service + +%post dbus +%systemd_post sssd-ifp.service + +%preun dbus +%systemd_preun sssd-ifp.service + +%postun dbus +%systemd_postun_with_restart sssd-ifp.service + +%post kcm +%systemd_post sssd-kcm.socket + +%preun kcm +%systemd_preun sssd-kcm.socket + +%postun kcm +%systemd_postun_with_restart sssd-kcm.socket +%systemd_postun_with_restart sssd-kcm.service + +%post client +/usr/sbin/alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so 20 + +%preun client +if [ $1 -eq 0 ] ; then + /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so +fi + +%posttrans common +%systemd_postun_with_restart sssd.service + +%changelog +* Thu Jan 21 2021 Pavel Březina <pbrezina@redhat.com> - @PACKAGE_NAME@-@PACKAGE_VERSION@-0@PRERELEASE_VERSION@ +- Built from upstream sources. diff --git a/contrib/systemtap/dp_request.stp b/contrib/systemtap/dp_request.stp new file mode 100644 index 0000000..0fa1082 --- /dev/null +++ b/contrib/systemtap/dp_request.stp 
@@ -0,0 +1,85 @@ +/* Start Run with: + * stap -v dp_request.stp + * + * Then reproduce slow login or id/getent in another terminal. + * Ctrl-C running stap once login completes. + * + * Probe tapsets are in /usr/share/systemtap/tapset/sssd.stp + */ + + +global num_dp_requests + +global time_in_dp_req +global elapsed_time +global dp_req_send_start +global dp_req_send_end + +/* Used for tracking slowest request as tz_ctime() only converts seconds, not ms */ +global dp_req_send_sec_start +global dp_req_send_sec_end + +global slowest_req_name +global slowest_req_target +global slowest_req_method +global slowest_req_time = 0 +global slowest_req_start_time +global slowest_req_end_time + +function print_report() +{ + printf("\nEnding Systemtap Run - Providing Summary\n") + printf("Total Number of DP requests: [%d]\n", num_dp_requests) + printf("Total time in DP requests: [%s]\n", msecs_to_string(time_in_dp_req)) + printf("Slowest request data:\n") + printf("\tRequest: [%s]\n", slowest_req_name) + printf("\tTarget: [%s]\n", dp_target_str(slowest_req_target)) + printf("\tMethod: [%s]\n", dp_method_str(slowest_req_method)) + printf("\tStart Time: [%s]\n", tz_ctime(slowest_req_start_time)) + printf("\tEnd Time: [%s]\n", tz_ctime(slowest_req_end_time)) + printf("\tDuration: [%s]\n\n", msecs_to_string(slowest_req_time)) +} + +probe dp_req_send +{ + dp_req_send_start = gettimeofday_ms() + dp_req_send_sec_start = gettimeofday_s() + + printf("\t--> DP Request [%s] sent for domain [%s]\n", dp_req_name, dp_req_domain) + printf("\t--> Target: [%s] - Method: [%s]\n", dp_target_str(dp_req_target), dp_method_str(dp_req_method)) + + num_dp_requests++ +} + +probe dp_req_done +{ + dp_req_send_end = gettimeofday_ms() + dp_req_send_sec_end = gettimeofday_s() + elapsed_time = (dp_req_send_end - dp_req_send_start) + + printf("\t\t DP Request [%s] finished with return code [%d]: [%s]\n", + dp_req_name, dp_ret, dp_errorstr) + printf("\t\t Elapsed time [%s]\n\n", msecs_to_string(elapsed_time)) + 
+ /* Track slowest request information */ + if (elapsed_time > slowest_req_time) { + slowest_req_time = elapsed_time + slowest_req_name = dp_req_name + slowest_req_method = dp_req_method + slowest_req_target = slowest_req_target + slowest_req_start_time = dp_req_send_sec_start + slowest_req_end_time = dp_req_send_sec_end + } + + time_in_dp_req += (dp_req_send_end - dp_req_send_start) +} + +probe begin +{ + printf("\t*** Beginning run! ***\n") +} + +probe end +{ + print_report() +} diff --git a/contrib/systemtap/id_perf.stp b/contrib/systemtap/id_perf.stp new file mode 100644 index 0000000..a778975 --- /dev/null +++ b/contrib/systemtap/id_perf.stp 
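Review bot: In the slowest-request block of `probe dp_req_done`, `slowest_req_target = slowest_req_target` assigns the global to itself, so the "Target:" line of the final report never reflects the slowest request and prints whatever the uninitialised global holds. Assuming the tapset exposes `dp_req_target` in `dp_req_done` as it does in `dp_req_send`, the line should read `slowest_req_target = dp_req_target`, mirroring the `slowest_req_method = dp_req_method` line directly above it. Separately, `dp_req_send_start` is a single global, so if the backend ever has two DP requests in flight the elapsed time is measured from the later send; if that can happen, keying the start time by request name would keep the numbers honest, and a comment such as `/* assumes DP requests do not overlap; start time is a single global */` should say so either way.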
@@ -0,0 +1,167 @@ +global in_id + +global runtime_start +global runtime_end + +global num_transactions +global time_in_transactions +global trans_start_time +global trans_end_time + +global time_in_ldb +global ldb_start_time +global ldb_end_time + +global num_ldap_searches +global time_in_ldap +global ldap_start_time +global ldap_end_time + +global acct_req_types +global acct_req_times +global acct_req_rtime + +global bts + +function print_acct_req(req_type) +{ + str_req = acct_req_desc(req_type) + printf("\tNumber of %s requests: %d\n", str_req, acct_req_types[req_type]) + printf("\tTime spent in %s requests: %d\n", str_req, acct_req_times[req_type]) + printf("\n") +} + +function print_report() +{ + max_trans_time = 0 + max_trans_time_bt = "" + + total_time = runtime_end - runtime_start + printf("Total run time of id was: %d ms\n", total_time) + printf("Number of zero-level cache transactions: %d\n", num_transactions) + printf("Time spent in level-0 sysdb transactions: %d ms\n", time_in_transactions) + printf("Time spent writing to LDB: %d ms\n", time_in_ldb) + printf("Number of LDAP searches: %d\n", num_ldap_searches) + printf("Time spent waiting for LDAP: %d ms\n", time_in_ldap) + + printf("LDAP searches breakdown:\n") + foreach (req_type in acct_req_types) { + print_acct_req(req_type) + } + + printf("Unaccounted time: %d ms\n", + total_time - time_in_transactions - time_in_ldap) + + printf("sysdb transaction breakdown:\n") + foreach ([b] in bts) { + printf("%d hits of transaction %s\n", @count(bts[b]), b) + printf("avg:%d min: %d max: %d sum: %d\n\n", + @avg(bts[b]), @min(bts[b]), @max(bts[b]), @sum(bts[b])) + + if (@max(bts[b]) > max_trans_time) { + max_trans_time = @max(bts[b]) + max_trans_time_bt = b + } + } + + if (max_trans_time > 0) { + printf("The most expensive transaction breakdown, per transaction:\n") + print(@hist_linear(bts[max_trans_time_bt], 0, 500, 50)) + } +} + +probe process("/usr/bin/id").begin +{ + in_id = 1 + + num_transactions = 0 + 
time_in_transactions = 0 + + num_ldap_searches = 0 + time_in_ldap = 0 + time_in_ldb = 0 + + acct_req_types[0x0001] = 0 + acct_req_types[0x0002] = 0 + acct_req_types[0x0003] = 0 + + acct_req_times[0x0001] = 0 + acct_req_times[0x0002] = 0 + acct_req_times[0x0003] = 0 + + acct_req_rtime[0x0001] = 0 + acct_req_rtime[0x0002] = 0 + acct_req_rtime[0x0003] = 0 + + runtime_start = gettimeofday_ms() +} + +probe process("/usr/bin/id").end +{ + in_id = 0 + + runtime_end = gettimeofday_ms() + print_report() + + delete bts +} + +probe sssd_transaction_start +{ + if (nesting == 0 && in_id == 1) { + num_transactions++ + trans_start_time = gettimeofday_ms() + } +} + +probe sssd_transaction_commit_before +{ + if (nesting == 0 && in_id == 1) { + ldb_start_time = gettimeofday_ms() + } +} + +probe sssd_transaction_commit_after +{ + if (nesting == 0 && in_id == 1) { + ldb_end_time = gettimeofday_ms() + time_in_ldb += (ldb_end_time-ldb_start_time) + + trans_end_time = gettimeofday_ms() + time_in_transactions += (trans_end_time-trans_start_time) + + bt = sprint_ubacktrace() + bts[bt] <<< (trans_end_time-trans_start_time) + } +} + +probe sdap_search_send +{ + if (in_id == 1) { + num_ldap_searches++ + ldap_start_time = gettimeofday_ms() + } +} + +probe sdap_search_recv +{ + if (in_id == 1) { + ldap_end_time = gettimeofday_ms() + time_in_ldap += (ldap_end_time-ldap_start_time) + } +} + +probe sdap_acct_req_send +{ + if (in_id == 1) { + acct_req_types[entry_type]++ + acct_req_rtime[entry_type] = gettimeofday_ms() + } +} + +probe sdap_acct_req_recv +{ + if (in_id == 1) { + acct_req_times[entry_type] += (gettimeofday_ms() - acct_req_rtime[entry_type]) + } +} diff --git a/contrib/systemtap/ldap_perf.stp b/contrib/systemtap/ldap_perf.stp new file mode 100644 index 0000000..dd24ab5 --- /dev/null +++ b/contrib/systemtap/ldap_perf.stp 
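Review bot: `ldap_start_time` in `probe sdap_search_send`/`sdap_search_recv` and `acct_req_rtime[entry_type]` in the `sdap_acct_req_*` probes are single slots, so if sssd_be issues a second search (or a second account request of the same `entry_type`) before the first completes, the recv probe subtracts the later start and under-counts `time_in_ldap`; the overlap is plausible for an asynchronous backend but not provable from this file, so at minimum it should be stated, e.g. `/* NOTE: one start timestamp per kind; overlapping searches in sssd_be would be mis-timed */` above `probe sdap_search_send`. The report also prints per-type request times without a unit while the neighbouring lines say "ms"; `printf("\tTime spent in %s requests: %d ms\n", ...)` in `print_acct_req` would make the summary consistent. Finally, `probe process("/usr/bin/id").begin` hard-codes the path, which is worth a one-line comment noting that it must match where `id` actually lives on the host.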
@@ -0,0 +1,114 @@ +/* Start Run with: + * + * stap ldap_perf.stp + * + * Then reproduce slow operation in another terminal. + * Ctrl-C running stap once login completes. + * + * This script watches all sssd_be processes. This can be limited by + * specifying sssd_be process id + * + * stap -G sssd_be_pid=1234 ldap_perf.stp + * + * Probe tapsets are in /usr/share/systemtap/tapset/sssd.stp + */ + +global start_time; +global sdap_attributes; +global query_attributes; +global sssd_be_pid=0; + +global slowest_request_time; +global slowest_request_filter; +global slowest_request_scope; +global slowest_request_base; +global slowest_request_attrs; + +probe begin +{ + printf("===== ldap queries probe started =====\n"); + id = pid(); + start_time[id] = gettimeofday_us(); + query_attributes[id] = ""; + slowest_request_time = 0; + slowest_request_filter = ""; + slowest_request_scope = 0; + slowest_request_base = ""; + slowest_request_attrs = ""; +} + +probe sdap_parse_entry +{ + id = pid(); + if (sssd_be_pid == 0 || sssd_be_pid == id) { + idx = 0; + while ([id, attr, idx] in sdap_attributes) { + idx++; + } + sdap_attributes[id, attr, idx] = value; + } +} + +probe sdap_parse_entry_done +{ + id = pid(); + if (sssd_be_pid == 0 || sssd_be_pid == id) { + dn = sdap_attributes[id, "OriginalDN", 0]; + printf("[%d] <- dn: %s\n", id, dn); + delete sdap_attributes[id, "OriginalDN", *]; + foreach ([x, attr, idx] in sdap_attributes[id,*,*]) { + printf("[%d] <- %s: %s\n", id, attr, sdap_attributes[x, attr, idx]); + } + delete sdap_attributes[id, *, *]; + } +} + +probe sdap_search_send +{ + id = pid(); + if (sssd_be_pid == 0 || sssd_be_pid == id) { + printf("[%d] -> ldap request: basedn '%s', scope %d, filter '%s'\n", + id, base, scope, filter); + printf("[%d] -> attrs: %s\n", id, attrs); + query_attributes[id] = attrs; + start_time[id] = gettimeofday_ms(); + delete sdap_attributes[id, *, *]; + } +} + + +probe sdap_search_recv +{ + id = pid(); + if (sssd_be_pid == 0 || sssd_be_pid == id) { + 
delta = gettimeofday_ms() - start_time[id]; + printf("[%d] ldap response to request: basedn '%s', scope %d, filter '%s'\n", + id, base, scope, filter); + printf("[%d] took: %d ms\n", id, delta); + printf("[%d]--------------------------------------------------\n", id); + + if (slowest_request_time < delta) { + slowest_request_time = delta; + slowest_request_base = base; + slowest_request_scope = scope; + slowest_request_filter = filter; + slowest_request_attrs = query_attributes[id]; + } + } +} + +probe process("/usr/libexec/sssd/sssd_be").end +{ + printf("done\n"); +} + +probe end +{ + printf("\n===== slowest ldap request =====\n"); + printf("base: '%s'\nscope: %d\nfilter: '%s'\nattrs: %s\ntook: %d ms\n", + slowest_request_base, + slowest_request_scope, + slowest_request_filter, + slowest_request_attrs, + slowest_request_time); +} diff --git a/contrib/systemtap/nested_group_perf.stp b/contrib/systemtap/nested_group_perf.stp new file mode 100644 index 0000000..0c7ff03 --- /dev/null +++ b/contrib/systemtap/nested_group_perf.stp 
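Review bot: `probe sdap_parse_entry_done` prints every attribute value of every entry returned to sssd_be verbatim (`printf("[%d] <- %s: %s\n", id, attr, sdap_attributes[x, attr, idx])`), and nothing in the script limits or redacts what is echoed; depending on which attributes the provider requested this output can include data a site treats as sensitive, so the header comment should warn the operator, e.g. `/* WARNING: dumps every attribute value of every LDAP entry sssd_be parses; treat the output as sensitive and redact before sharing. */`. The timing in `sdap_search_send`/`sdap_search_recv` is keyed by pid only, so two searches in flight in the same sssd_be would have the second one's `delta` measured from the later send — if that is possible it deserves a note next to `start_time[id] = gettimeofday_ms()`. The `probe begin` initialisation of `start_time[id]` and `query_attributes[id]` uses `pid()` of stap itself rather than of any sssd_be, which is harmless but misleading and could simply be dropped.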
@@ -0,0 +1,333 @@ +global time_in_populate +global populate_start_time +global populate_end_time + +global time_in_save +global save_start_time +global save_end_time + +global time_in_groupreq +global groupreq_start +global groupreq_end + +global user_req_index = 0 +global group_req_index = 1 +global unknown_req_index = 2 +global deref_req_index = 3 +global ldap_req_times + +global user_req_start +global user_req_end + +global group_req_start +global group_req_end + +global unknown_req_start +global unknown_req_end + +global deref_req_start +global deref_req_end + +global time_in_deref_nested +global deref_req_nested_start +global deref_req_nested_end + +global time_in_deref_process +global deref_req_process_start +global deref_req_process_end + +global time_in_transactions +global trans_start_time +global trans_end_time + +global time_in_ldb +global ldb_start_time +global ldb_end_time + +global time_in_nested_gr_req +global nested_gr_req_start_time +global nested_gr_req_end_time + +global time_in_nested_gr_process_req +global nested_gr_process_req_start_time +global nested_gr_process_req_end_time + +global time_in_split_members +global split_members_start +global split_members_end + +global time_in_check_cache +global check_cache_start +global check_cache_end + +global time_in_search_users +global search_users_start +global search_users_end + +global time_in_search_groups +global search_groups_start +global search_groups_end + +global time_in_populate_search_users +global populate_search_users_start +global populate_search_users_end + +function print_report() +{ + user_req_total = @sum(ldap_req_times[user_req_index]) + group_req_total = @sum(ldap_req_times[group_req_index]) + unknown_req_total = @sum(ldap_req_times[unknown_req_index]) + deref_req_total = @sum(ldap_req_times[deref_req_index]) + all_req_total = user_req_total + group_req_total + unknown_req_total + deref_req_total + + # systemtap doesn't handle floating point numbers.. 
+ trans_rate = 10000 * time_in_transactions / time_in_groupreq + nested_rate = 10000 * time_in_nested_gr_req / time_in_groupreq + + printf("Time spent in group sssd_be searches: %d\n", time_in_groupreq) + printf("Time spent in sdap_nested_group_send/recv: %d ms (ratio: %d.%02d%%)\n", + time_in_nested_gr_req, nested_rate/100, nested_rate%100) + printf("Time spent in zero-level sysdb transactions: %d ms (ratio: %d.%02d%%)\n", + time_in_transactions, trans_rate/100, trans_rate%100) + printf("\n") + + printf("Breakdown of sdap_nested_group req (total: %d ms)\n", time_in_nested_gr_req); + printf("\tsdap_nested_group_process req: %d\n", time_in_nested_gr_process_req) + printf("\t\tsdap_nested_group_process_split req: %d\n", time_in_split_members) + printf("\t\t\tsdap_nested_group_check_cache: %d\n", time_in_check_cache) + printf("\t\t\t\tsdap_nested_group_sysdb_search_users: %d\n", time_in_search_users) + printf("\t\t\t\tsdap_nested_group_sysdb_search_groups: %d\n", time_in_search_groups) + printf("\t\tldap request breakdown of total %d\n", all_req_total) + printf("\t\t\tsdap_nested_group_deref req: %d\n", time_in_deref_nested) + printf("\t\t\t\tsdap_deref_search_send req %d\n", deref_req_total) + printf("\t\t\t\tprocessing deref results: %d\n", time_in_deref_process) + printf("\t\t\tsdap_nested_group_lookup_user req: %d\n", user_req_total) + printf("\t\t\tsdap_nested_group_lookup_group req: %d\n", group_req_total) + printf("\t\t\tTime spent refreshing unknown members: %d\n", unknown_req_total) + printf("\n") + + printf("Breakdown of results processing (total %d)\n", time_in_transactions); + printf("\tTime spent populating nested members: %d\n", time_in_populate) + printf("\t\tTime spent searching ldb while populating nested members: %d\n", time_in_populate_search_users) + printf("\tTime spent saving nested members: %d\n", time_in_save) + printf("\tTime spent writing to the ldb: %d ms\n", time_in_ldb) + printf("\n") +} + +probe sssd_transaction_start +{ + if (nesting == 
0) { + num_transactions++ + trans_start_time = gettimeofday_ms() + } +} + +probe sssd_transaction_commit_before +{ + if (nesting == 0) { + ldb_start_time = gettimeofday_ms() + } +} + +probe sssd_transaction_commit_after +{ + if (nesting == 0) { + trans_end_time = gettimeofday_ms() + time_in_transactions += (trans_end_time-trans_start_time) + + ldb_end_time = gettimeofday_ms() + time_in_ldb += (ldb_end_time - ldb_start_time) + } +} + +probe sdap_deref_send +{ + deref_req_start = gettimeofday_ms() +} + +probe sdap_deref_recv +{ + deref_req_end = gettimeofday_ms() + ldap_req_times[deref_req_index] <<< (deref_req_end - deref_req_start) +} + +probe sdap_nested_group_lookup_user_send +{ + user_req_start = gettimeofday_ms() +} + +probe sdap_nested_group_lookup_user_recv +{ + user_req_end = gettimeofday_ms() + ldap_req_times[user_req_index] <<< (user_req_end - user_req_start) +} + +probe sdap_nested_group_lookup_group_send +{ + group_req_start = gettimeofday_ms() +} + +probe sdap_nested_group_lookup_group_recv +{ + group_req_end = gettimeofday_ms() + ldap_req_times[group_req_index] <<< (group_req_end - group_req_start) +} + +probe sdap_nested_group_lookup_unknown_send +{ + unknown_req_start = gettimeofday_ms() +} + +probe sdap_nested_group_lookup_unknown_recv +{ + unknown_req_end = gettimeofday_ms() + ldap_req_times[unknown_req_index] <<< (unknown_req_end - unknown_req_start) +} + +probe sdap_nested_group_deref_send +{ + deref_req_nested_start = gettimeofday_ms() +} + +probe sdap_nested_group_deref_recv +{ + deref_req_nested_end = gettimeofday_ms() + time_in_deref_nested += (deref_req_nested_end - deref_req_nested_start) +} + +probe sdap_nested_group_deref_process_pre +{ + deref_req_process_start = gettimeofday_ms() +} + +probe sdap_nested_group_deref_process_post +{ + deref_req_process_end = gettimeofday_ms() + time_in_deref_process += (deref_req_process_end - deref_req_process_start) +} + +probe sdap_nested_group_populate_pre +{ + populate_start_time = gettimeofday_ms() 
+} + +probe sdap_nested_group_populate_post +{ + populate_end_time = gettimeofday_ms() + time_in_populate += (populate_end_time - populate_start_time) +} + +probe sdap_nested_group_save_pre +{ + save_start_time = gettimeofday_ms() +} + +probe sdap_nested_group_save_post +{ + save_end_time = gettimeofday_ms() + time_in_save += (save_end_time - save_start_time) +} + +probe sdap_nested_group_send +{ + nested_gr_req_start_time = gettimeofday_ms() +} + +probe sdap_nested_group_recv +{ + nested_gr_req_end_time = gettimeofday_ms() + time_in_nested_gr_req += (nested_gr_req_end_time - nested_gr_req_start_time) +} + +probe sdap_nested_group_process_send +{ + nested_gr_process_req_start_time = gettimeofday_ms() +} + +probe sdap_nested_group_process_recv +{ + nested_gr_process_req_end_time = gettimeofday_ms() + time_in_nested_gr_process_req += (nested_gr_process_req_end_time - nested_gr_process_req_start_time) +} + +probe sdap_nested_group_process_split_pre +{ + split_members_start = gettimeofday_ms() +} + +probe sdap_nested_group_process_split_post +{ + split_members_end = gettimeofday_ms() + time_in_split_members += (split_members_end - split_members_start) +} + +probe sdap_nested_group_check_cache_pre +{ + check_cache_start = gettimeofday_ms() +} + +probe sdap_nested_group_check_cache_post +{ + check_cache_end = gettimeofday_ms() + time_in_check_cache += (check_cache_end - check_cache_start) +} + +probe sdap_nested_group_sysdb_search_users_pre +{ + search_users_start = gettimeofday_ms() +} + +probe sdap_nested_group_sysdb_search_users_post +{ + search_users_end = gettimeofday_ms() + time_in_search_users += (search_users_end - search_users_start) +} + +probe sdap_nested_group_sysdb_search_groups_pre +{ + search_groups_start = gettimeofday_ms() +} + +probe sdap_nested_group_sysdb_search_groups_post +{ + search_groups_end = gettimeofday_ms() + time_in_search_groups += (search_groups_end - search_groups_start) +} + +probe sdap_nested_group_populate_search_users_pre +{ + 
populate_search_users_start = gettimeofday_ms() +} + +probe sdap_nested_group_populate_search_users_post +{ + populate_search_users_end = gettimeofday_ms() + time_in_populate_search_users += (populate_search_users_end - populate_search_users_start) +} + +probe sdap_acct_req_send +{ + if (entry_type == 0x0002) { + groupreq_start = gettimeofday_ms() + } +} + +probe sdap_acct_req_recv +{ + if (entry_type == 0x0002) { + groupreq_end = gettimeofday_ms() + time_in_groupreq += (groupreq_end - groupreq_start) + } +} + +probe begin +{ + time_in_populate = 0 + time_in_save = 0 + time_in_transactions = 0 +} + +probe end +{ + print_report() +} |
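Review bot: `print_report` divides by `time_in_groupreq` when computing `trans_rate` and `nested_rate`, and that global is only ever incremented in `probe sdap_acct_req_recv` for `entry_type == 0x0002`; if the run is stopped before any group request completes the division by zero aborts the `probe end` handler and no report is printed at all. A guard at the top of the function, `if (time_in_groupreq == 0) { printf("No group requests observed, nothing to report\n"); return }`, keeps the summary usable for an empty run. Also, `num_transactions++` in `probe sssd_transaction_start` touches a name that is never declared `global` in this file, so it is a probe-local that is discarded on every hit; either add `global num_transactions` and print it as `id_perf.stp` does, or drop the line.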