On Fri, 2008-10-24 at 10:39 +0200, Max Kellermann wrote:
> On 2008/10/23 16:55, Trond Myklebust <[email protected]> wrote:
> > Can you add a '-v' to the rpc.gssd daemon startup line? I'd like to see
> > how often you are creating new gss contexts.
>
> There is no rpc.gssd running on any of these servers, we're using
> plain NFSv3 without (protocol based) authentication. Do you want me
> to start it anyway?
Sorry. I misread your email. I read it as saying that you had krb5
enabled on your mountpoint, but what you really said was just that you
have compiled up the module.
OK, could you please describe your environment a bit. Do you have lots
of different users logged in at the same time, or do you perhaps use
newgrp or su to switch uid/gids a lot on your processes?
I'm trying to see if there might be a reason for the lookup in the
credcache being such a heavy duty operation in your setup.
Cheers
Trond
On 2008/10/24 20:09, Trond Myklebust <[email protected]> wrote:
> OK, could you please describe your environment a bit. Do you have lots
> of different users logged in at the same time, or do you perhaps use
> newgrp or su to switch uid/gids a lot on your processes?
> I'm trying to see if there might be a reason for the lookup in the
> credcache being such a heavy duty operation in your setup.
It's a web server for shared hosting. The web space is mounted via
NFSv3 from a NetApp. There is a huge number of web sites on this
cluster. All web sites are owned by the same UID, and the web server
runs as a different UID (read-only access).
Each time a CGI starts, its uid is changed to the one "owner" UID
(similar to mod_suexec, but there's only one UID for all customer
accounts). Each time a CGI starts, its chroot (pivot_root) is
constructed with several bind mounts (in a separate namespace with
CLONE_NEWNS).
There are no new users or groups being created. There are only 2 UIDs
accessing NFS: the webserver (ro) and CGI (rw).
Max