Dmitry Perets via FreeIPA-users wrote: > Hi, > > Really weird issue... > > We build a docker container to run some ansible playbooks within it. > We notice, that IF the container has "ipa-client" package installed, there is > a HUGE performance degradation to execute the same playbook. > E.g. 20 seconds without ipa-client vs 2 minutes with ipa-client (6 times > worse!). > > Note that: > - We DO NOT enroll the container. We don't run "ipa-client-install" at any > point. We just have the "ipa-client" package INSTALLED (like "yum install > ipa-client") > - The playbooks DO NOT talk to IPA in any way, neither do they run IPA > commands. They are totally unrelated to ipa-client actually. > > The delay seems to be during the connection - i.e. it doesn't matter WHAT > exactly ansible task does. It gets stuck for all tasks on something like this > (note timestamp): > > <192.168.1.1> EXEC /bin/sh -c '/usr/bin/python > /root/.ansible/tmp/ansible-tmp-1574346920.3942568-62901531545767/AnsiballZ_stat.py > && sleep 0' > 852 1574346920.65004: opening command with Popen() > 852 1574346920.65758: done running command with Popen() > 852 1574346920.65791: getting output with communicate() > 852 1574346921.00213: done communicating <<<<<< > note the delay here, this happens for each task > 852 1574346921.00227: done with local.exec_command() > > So, JUST HAVING ipa-client installed somehow causes this slowness. > > Any idea what ipa-client package can alter in system behavior, if we don't > actually enroll in IPA domain? > > P.S. You might be wondering WHY we actually have this ipa-client there... > well, that's the point: it's totally unrelated to this particular thing... > it's just that some of the playbooks need to use IPA commands, that's why we > have ipa-client installed. But even NOT the playbook that we are testing > above...
The package itself is just files, zero configuration except a bash completion script. There is a post-install script that should only fire on upgrades and even then only if the client is configured. I'd see what else is pulled in my installing ipa-client. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org