High load due to getpwent() call on every signing

From: Новгородов Игорь <igor_at_novg.net>
Date: Thu, 10 Dec 2015 15:27:43 +0300

Hello list!

We've got quite a rare problem.

All of our Linux servers are using LDAP-based authentication with nslcd
daemon doing lookups.
When the mail servers are under high load, the nslcd daemon goes crazy
on CPU usage, as LDAP servers do.

While investigating the issue, it was tracked down to OpenDKIM which
signs our mails.

Digging deeper into the code, it became clear that OpenDKIM *on every*
signing operation calls:
     1. dkimf_loadkey() then
     2. dkimf_securefile() then
     3. dkimf_checkfsnode() then finally
     4. getpwent()

So, on *every* signing operation OpenDKIM requests *all* users from LDAP
(there are 400+ of them) and things go nasty.

Maybe we should consider changing the logic?

I'm not in any way familiar with OpenDKIM internals, but maybe we should
load the keys and check all necessary stuff
only once on daemon's load and not on every signing?

There may exist even more complex nsswitch.conf configurations which may
lead to more harsh consequences...

Received on Thu Dec 10 2015 - 12:27:55 PST
