Auxiliary Group Membership

Theory

If VOV_USE_INITGROUPS is set, the subtasker calls initgroups(). This is an OS call that sets all of the user's auxiliary groups (or at most 16). The resulting list of groups is not cached, so another job will call initgroups() again.

The default is not to call initgroups(), because doing so may put too much load on the name services.

By default, the vovtasker calls the external utility vovgetgroups, which uses the value of VOV_ALARM to decide how long to wait for a reply (default 10 seconds). The VOV_USE_VOVGETGROUPS environment variable can be used to control this behavior:

Set to 0 to disable the call to the external utility and use the getgrent() POSIX API function to find all groups that are valid for a user. If there are more than 16, the list is truncated to the first 16. The list is cached by vovtasker, so only the first job for a user causes traffic with the name services. This is only recommended in small environments, as this method can create significant delays, and even blocking conditions, in complex environments (e.g. Linux with LDAP).

Set to 2 to continue to use the external utility, but instruct the utility to call the getgrent() POSIX API function instead of the default call to getgrouplist(). This is mainly for debugging purposes, since this mode of operation results in slower processing of group information.
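
The pattern behind the external utility and its VOV_ALARM deadline, sketched as an added example (not the product's own code): the lookup runs in a child process, and the parent kills it if no reply arrives in time, so a stalled name service cannot block the caller. The names groups_with_timeout, child_lookup, struct reply and the sim_delay test hook are hypothetical, and MAX_AUX mirrors the 16-group limit mentioned above.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <limits.h>
#include <poll.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_AUX 16  /* cap on auxiliary groups described on this page */
struct reply { int total; gid_t gids[MAX_AUX]; };

/* Child: resolve the groups, then send the total and the first MAX_AUX gids.
 * sim_delay is a hypothetical test hook imitating a stalled name service. */
static void child_lookup(int fd, const char *user, gid_t primary, int sim_delay)
{
    static gid_t g[NGROUPS_MAX];
    struct reply r = {0};
    int n = NGROUPS_MAX;
    if (sim_delay > 0) sleep(sim_delay);
    if (getgrouplist(user, primary, g, &n) == -1) _exit(1);
    r.total = n;
    for (int i = 0; i < n && i < MAX_AUX; i++) r.gids[i] = g[i];
    _exit(write(fd, &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
}

/* Parent: returns the user's total group count (a value above MAX_AUX means
 * out[] was truncated), -1 on lookup error, -2 if the helper timed out. */
int groups_with_timeout(const char *user, gid_t primary, int timeout_s,
                        int sim_delay, gid_t out[MAX_AUX])
{
    struct reply r;
    int p[2], result = -1;
    if (pipe(p) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0) { close(p[0]); child_lookup(p[1], user, primary, sim_delay); }
    close(p[1]);
    struct pollfd pfd = { .fd = p[0], .events = POLLIN };
    int rc = poll(&pfd, 1, timeout_s * 1000);
    if (rc == 0) { kill(pid, SIGKILL); result = -2; }  /* hung helper: kill it */
    else if (rc > 0 && read(p[0], &r, sizeof r) == (ssize_t)sizeof r) {
        for (int i = 0; i < r.total && i < MAX_AUX; i++) out[i] = r.gids[i];
        result = r.total;
    }
    close(p[0]);
    waitpid(pid, NULL, 0);
    return result;
}
```

A caller should treat -2 as "group data unavailable" and log a return value above MAX_AUX, since a truncated list means the job runs without some of the user's group memberships.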

History

Prior to 2016.09 & 2015.09u8

If VOV_USE_VOVGETGROUPS was set to any value, a tasker that needed group data used the vovgetgroups external utility (a separate executable). This utility is robust to LDAP errors or timeouts, which would otherwise cause the getgrent library call to hang indefinitely (and block the tasker from issuing further jobs).

Before customers switched to CentOS 6.x and the SSSD name service, the use of VOV_USE_VOVGETGROUPS was recommended. After the switch to CentOS 6.x/SSSD, a bug was found that prevented all groups from being fetched.

Switching to VOV_USE_INITGROUPS=1 and leaving VOV_USE_VOVGETGROUPS unset appeared to fix the problem, but at the probable cost of reduced performance and increased name service load.

2016.09 & 2015.09u8 and Later Versions

If VOV_USE_VOVGETGROUPS was set to any value other than 1, it would behave like pre-2016.09 code and use getgrent(). If VOV_USE_VOVGETGROUPS was set to 1, it would use getgrouplist(), which is a newer (but still old) call that gets group information with higher performance.

The downside to setting VOV_USE_VOVGETGROUPS=1 in 2016.09 is that some uncommon operating systems may not support it (early Darwin, Solaris 7, etc.). However, it seems to be faster, works with SSSD, and does not load the name service as much.

The recommendation, based on the review of the history and the code, is the following:
  • Set VOV_USE_VOVGETGROUPS=1 and leave VOV_USE_INITGROUPS unset if you are on < 2015.09u8 and not using CentOS 6.6 with SSSD (uses non-blocking getgrent)
  • Leave VOV_USE_VOVGETGROUPS unset and set VOV_USE_INITGROUPS=1 if you are on < 2015.09u8 and want to use CentOS 6.6/SSSD (uses an extra group init & getgrent)
  • Set VOV_USE_VOVGETGROUPS=1 and leave VOV_USE_INITGROUPS unset if you are on 2016.09 or > 2015.09u7 and running a common OS (non-blocking, getgrouplist)
  • Set VOV_USE_VOVGETGROUPS=1 and leave VOV_USE_INITGROUPS unset if you are on 2016.09 or > 2015.09u7 and running an uncommon OS (non-blocking, getgrent).

If both are set, then VOV_USE_VOVGETGROUPS dominates.