NC: getting auxiliary group membership


Theory

If VOV_USE_INITGROUPS is set, the "subslave" calls initgroups(). This is an OS call that sets all auxiliary groups (up to 16 anyway).
The resulting list of groups is not cached. Another job will call initgroups() again.

The default (neither VOV_USE_VOVGETGROUPS nor VOV_USE_INITGROUPS is set) is to not call initgroups() because it may load the name services too much.

Instead, by default, we use getgrent() to find all groups that are valid for a user.
If there are more than 16, we truncate the list to the first 16. The list is cached by vovslave, so only the first job for a user causes traffic with the name services.

If VOV_USE_VOVGETGROUPS is set, then we externalize the call to getgrent(), which in the past used to freeze the entire vovslave.
This means that vovslave calls vovgetgroups. vovgetgroups uses the value of VOV_ALARM to decide how long to wait for a reply (default 10 seconds).
With 2016.09 and 2015.09u8, vovgetgroups was changed to use the more modern getgrouplist() call, which has better compatibility with CentOS6 and sssd name services.
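The two lookup strategies described above can be compared for a user on a given host with the following added example (not VOV code; Linux/glibc is assumed, and the function names and MAXG bound are hypothetical). It reports groups that only getgrouplist() returns and groups that fall past the first 16 of the getgrent() list.

```c
/* Added example (Linux/glibc assumed); not VOV source code. */
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define CAP 16    /* group-list limit described on this page */
#define MAXG 1024 /* assumed upper bound for this demo */

static int has_gid(const gid_t *v, int n, gid_t g) {
    for (int i = 0; i < n; i++) if (v[i] == g) return 1;
    return 0;
}

/* getgrent() strategy: enumerate every group and match the member list. */
int groups_by_getgrent(const char *user, gid_t primary, gid_t *out, int max) {
    int n = 0;
    struct group *g;
    if (max > 0) out[n++] = primary;
    setgrent();
    while ((g = getgrent()) != NULL)
        for (char **m = g->gr_mem; m && *m; m++)
            if (strcmp(*m, user) == 0 && n < max && !has_gid(out, n, g->gr_gid))
                out[n++] = g->gr_gid;
    endgrent();
    return n;
}

/* getgrouplist() strategy: one per-user lookup; -1 means out[] was too small. */
int groups_by_getgrouplist(const char *user, gid_t primary, gid_t *out, int max) {
    int n = max;
    return getgrouplist(user, primary, out, &n) == -1 ? -1 : n;
}

/* How many groups a list capped at `cap` entries leaves out. */
int dropped_by_cap(int total, int cap) { return total > cap ? total - cap : 0; }

int main(void) {
    struct passwd *pw = getpwuid(getuid());
    if (!pw) { fprintf(stderr, "no passwd entry for uid %d\n", (int)getuid()); return 1; }
    char user[256];
    snprintf(user, sizeof user, "%s", pw->pw_name);
    gid_t primary = pw->pw_gid, a[MAXG], b[MAXG];
    int na = groups_by_getgrent(user, primary, a, MAXG);
    int nb = groups_by_getgrouplist(user, primary, b, MAXG);
    printf("%s: getgrent=%d getgrouplist=%d, cut at %d: %d\n", user, na, nb, CAP, dropped_by_cap(na, CAP));
    for (int i = 0; i < nb; i++)
        if (!has_gid(a, na, b[i])) printf("gid %d seen only by getgrouplist()\n", (int)b[i]);
    for (int i = CAP; i < na; i++) printf("gid %d falls past the first %d\n", (int)a[i], CAP);
    return 0;
}
```

Run it as the job owner on an execution host; any gid it prints is one a job could run without under the getgrent()-based path.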

Recommendation

Use VOV_USE_VOVGETGROUPS if it works for your environment - there are known VOV version, OS, and name service dependencies.

History

Prior to 2016.09 & 2015.09u8

If VOV_USE_VOVGETGROUPS were set to any value, then when a slave needed to get group data it would use the external vovgetgroups utility (it’s a separate executable). This utility is robust to LDAP errors or timeouts which would otherwise cause the getgrent library call to hang indefinitely (and block the slave from issuing further jobs).

Before one customer switched to CentOS6.x and the SSSD name service, the use of VOV_USE_VOVGETGROUPS was recommended.

After the switch to CentOS6.x/sssd, they found that not all groups could be fetched.

Switching to VOV_USE_INITGROUPS=1 with VOV_USE_VOVGETGROUPS unset appeared to fix the problem, but at the probable cost of reduced performance and increased name service load.

2016.09 & 2015.09u8 and later…

If VOV_USE_VOVGETGROUPS were set to any value other than 1 then it would behave like pre-2016.09 code and use getgrent().

If VOV_USE_VOVGETGROUPS were set to 1 then it would use getgrouplist(). getgrouplist() is a newer (but still old) call to get group information with higher performance.

Downsides to VOV_USE_VOVGETGROUPS=1 in 2016.09: I don’t think there are many, but some off-beat OSes may not support it (early Darwin, Solaris 7, etc.).

It is faster, works with SSSD, doesn’t load the name service as much (AFAIK).

So I think the recommendation based on our review of the history and the code...

VOV_USE_VOVGETGROUPS=1, VOV_USE_INITGROUPS unset if you are on <2015.09u8 and not using CentOS6.6 with sssd. (uses non-blocking getgrent)

VOV_USE_VOVGETGROUPS unset, VOV_USE_INITGROUPS=1 if you are on <2015.09u8 and want to use CentOS6.6/sssd. (uses an extra group init & getgrent)

VOV_USE_VOVGETGROUPS=1 VOV_USE_INITGROUPS unset if you are on 2016.09 or >2015.09u7 and running some half sensible OS. (non blocking, getgrouplist).

VOV_USE_VOVGETGROUPS!=1 VOV_USE_INITGROUPS unset if you are on 2016.09 or >2015.09u7 and running some strange OS (non blocking, getgrent).

If both are set, then VOV_USE_VOVGETGROUPS dominates.