Hi everyone.
Recently, I have noticed a significant increase in the load generated by the
automember-rebuild command, even when there are no changes to be made to the
user's group membership. This high load also propagates via replication and
affects the entire infrastructure (we have about 30 replicas).
As an example, I issued the following command:
ipa automember-rebuild --type=group --users=someuser
Despite the fact that the user 'someuser' already had all the required group
memberships, the automember-rebuild command generated a significant amount of
load on the system.
The problem user, for example, has 23 groups in total; 18 of them are the result
of automember rules. With automember we are roughly solving the problem of some
identity service that has no support for LDAP nested groups; therefore some
users should be directly inserted as group members via an automember rule,
instead of relying on nesting.
So, when a batch of users was getting added, I used this bash script:
#!/bin/bash
# Count all user logins so progress can be reported.
TOTAL_USERS=$(ipa user-find --all --sizelimit=0 | grep 'User login:' | awk '/User login:/ {print $3}' | wc -l)
COUNTER=1
# Walk every user login and queue an automember rebuild for each one.
for g in $(ipa user-find --all --sizelimit=0 | grep 'User login:' | awk '/User login:/ {print $3}')
do
    echo "User $g"
    ipa automember-rebuild --type=group --users="$g"
    echo "Number of entries processed $COUNTER/$TOTAL_USERS"
    let COUNTER++
done
This was to assign the needed groups to new users, if someone was left unhandled
by the first-line support. But with time, as the amount of groups and replicas
grew, I started to experience the problems I described above, even when no
changes were to be applied. So I came to the conclusion that I lack an
understanding of what automember-rebuild actually does under the hood. All I
know is that it puts tasks under "cn=automember rebuild membership,cn=tasks,cn=config".
What would certainly have helped is this feature
https://directory.fedoraproject.org/docs/389ds/design/log-operation-stats.html
but it's not available for my version of 389ds (389-Directory/1.4.3.28,
ipa-server-4.9.10-6, CentOS8 container).
So the questions are:
1) Can someone provide an overview of what automember-rebuild does under the hood?
2) Are those changes affected by replication, even if no changes need to be
applied? (i.e. users are already in the needed groups but the command is still
being issued for every user)
3) Why is 389-ds being affected so much by 18 membership rules? From what I
see in the monitoring tools, I get heavy delays on the disk IO. Is it really too
much, or should it not affect things this much and I need to look for some system
tuning (4 CPU, 8GB RAM currently, SSD disk)?