On 12/30/2011 07:19 PM, JR Aquino wrote:
> On Dec 30, 2011, at 5:45 PM, Erinn Looney-Triggs wrote:
>> I have been slowly rolling out FreeIPA to my systems, trying to track
>> differences/changes. One of the most noticeable has been a large slow
>> down in file access times.
>> Let me explain as best as I can. I use AIDE to track the file system
>> (think tripwire) and it runs checks once a day. During these checks it
>> is scanning (almost) the entire file system and comparing it to a stored
>> database. On a moderately powered system with ~151k files, an AIDE run
>> will usually take ~30 minutes. After the system becomes an IPA client
>> the same run will generally take ~90-120 minutes. Un-install the
>> ipa-client, back to ~30 minutes for an AIDE run.
>> Now clearly a lot of lookups are being done for user names and group
>> names, and this will have a performance hit that is dependant on the
>> network. However, the odd thing is that even when running on the IPA
>> server itself the slowdown is still the same.
>> Not sure if this is an IPA problem, an SSSD problem, a bit of both, or
>> neither, perhaps it is just the way it is, but a slowdown of 3-4x seems
>> a bit much to me. Clearly the results are not scientific, however, they
>> have been generally reproducible since I started rolling IPA out.
>> As a side note this slowdown has also broken bacula backups, as the
>> bacula client is scanning the filesystem for change (using accurate
>> backups) the director times out.
>> Any thoughts, or opinions? Workarounds etc? I have checked to make sure
>> that SSSD caching is enabled, and functional.
>> Thanks,
>> -Erinn
> I am assuming that these are all running as local users.
> From the sssd.conf man page in the nss section:
> filter_users, filter_groups (string)
>            Exclude certain users from being fetched from the sss NSS 
> database. This is particularly useful for system accounts. This option can 
> also be set per-domain or include fully-qualified names to filter only users 
> from the
>            particular domain.
>            Default: root
> Try adding this to your sssd.conf:
> [nss]
>            filter_groups = root,bacula,aide,otherdaemonuser <-as needed
>            filter_users = root,bacula,aide,otherdaemonuser <- as needed
> Let me know if that solves your issue.

Thanks for pointing that out, completely missed that option! Wouldn't it
be sweet to have an option that say looked at /etc/login.defs and just
didn't lookup anything under MIN_UID, on the assumption that those are
system accounts? Certainly would stop a lot of lookups I imagine.

Of course you would have to leave it as an option and probably default
it to off given the odd things people do with their systems.


Attachment: signature.asc
Description: OpenPGP digital signature

Freeipa-users mailing list

Reply via email to