Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 07/19/2013 01:10 PM, Petr Vobornik wrote:
On 07/18/2013 05:29 PM, Jan Cholasta wrote:
On 18.7.2013 17:26, Martin Kosek wrote:
On 07/18/2013 05:22 PM, Jan Cholasta wrote:
On 18.7.2013 17:07, Martin Kosek wrote:
On 07/18/2013 04:53 PM, Jan Cholasta wrote:
Added patch which adds new hidden option no_members to suppress
membership
processing for commands of all objects that have member attributes.
This can be
used by the WebUI to prevent member lookups where they are not
necessary (as we
discussed off-line with Martin and Petr).
Honza
1) Should the new option really have exclude='webui'? I thought
that Web UI is
the main and only consumer of this option.
The 'webui' context doesn't actually exist and the only meaning of
this stanza
is that the option is not shown in the output of the show_mappings
command.
2) I would clearly state this is an internal option only, e.g.
+ doc=_('INTERNAL: suppress processing of membership attributes.'),
No other internal option has this kind of thing in its doc and nobody
will see
it anyway, so we might just leave it like that IMHO.
OK.
3) It would be nice to state that this option is mutually exclusive
with --all,
but given it is internal anyway and there is no central place to
define it, we
do not need to do that.
The options are not really mutually exclusive at this point, they can be
specified together, --all takes precedence.
Well, they can be specified together, but the option is then NOOP
which could
confuse users which may have different expectations. Being explicit
helps.
I agree.
But
as I said, in this case this is not a requirement.
I agree as well :-)
Honza
Functional ACK for Honza's patch (didn't break Web UI test suite)
Attaching Web UI patch.
It:
1) Removed --all from _find and _show commands used by search pages. All
displayed attributes should be already included in default attributes.
2) Removed search_all_attributes - Not needed since introduction of paging.
3) Added --no-members options to search _show commmands.
ACK. Pushed both Petr's and Honza's patch to master and ipa-3-2.
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 07/23/2013 01:30 PM, Martin Kosek wrote:
On 07/19/2013 01:10 PM, Petr Vobornik wrote:
On 07/18/2013 05:29 PM, Jan Cholasta wrote:
On 18.7.2013 17:26, Martin Kosek wrote:
On 07/18/2013 05:22 PM, Jan Cholasta wrote:
On 18.7.2013 17:07, Martin Kosek wrote:
On 07/18/2013 04:53 PM, Jan Cholasta wrote:
Added patch which adds new hidden option no_members to suppress
membership
processing for commands of all objects that have member attributes.
This can be
used by the WebUI to prevent member lookups where they are not
necessary (as we
discussed off-line with Martin and Petr).
Honza
1) Should the new option really have exclude='webui'? I thought
that Web UI is
the main and only consumer of this option.
The 'webui' context doesn't actually exist and the only meaning of
this stanza
is that the option is not shown in the output of the show_mappings
command.
2) I would clearly state this is an internal option only, e.g.
+ doc=_('INTERNAL: suppress processing of membership attributes.'),
No other internal option has this kind of thing in its doc and nobody
will see
it anyway, so we might just leave it like that IMHO.
OK.
3) It would be nice to state that this option is mutually exclusive
with --all,
but given it is internal anyway and there is no central place to
define it, we
do not need to do that.
The options are not really mutually exclusive at this point, they can be
specified together, --all takes precedence.
Well, they can be specified together, but the option is then NOOP
which could
confuse users which may have different expectations. Being explicit
helps.
I agree.
But
as I said, in this case this is not a requirement.
I agree as well :-)
Honza
Functional ACK for Honza's patch (didn't break Web UI test suite)
Attaching Web UI patch.
It:
1) Removed --all from _find and _show commands used by search pages. All
displayed attributes should be already included in default attributes.
2) Removed search_all_attributes - Not needed since introduction of paging.
3) Added --no-members options to search _show commmands.
ACK. Pushed both Petr's and Honza's patch to master and ipa-3-2.
Martin
These patches sometimes add the attribute no_members to groups, which
results in 7 tests being broken like this:
==
FAIL: test_cli.TestCLIParsing.test_group_add
--
Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in
runTest
self.test(*self.arg)
File
/var/lib/jenkins/workspace/freeipa-unittests-f19-devel/ipatests/test_cmdline/test_cli.py,
line 73, in test_group_add
version=API_VERSION)
File
/var/lib/jenkins/workspace/freeipa-unittests-f19-devel/ipatests/test_cmdline/test_cli.py,
line 24, in check_command
util.assert_deepequal(kw_expected, kw_got)
File
/var/lib/jenkins/workspace/freeipa-unittests-f19-devel/ipatests/util.py,
line 338, in assert_deepequal
doc, sorted(missing), sorted(extra), expected, got, stack
AssertionError: assert_deepequal: dict keys mismatch.
missing keys = []
extra keys = ['no_members']
expected = {'all': False, 'cn': u'tgroup1', 'raw': False, 'version':
u'2.62', 'external': False, 'nonposix': False, 'description': u'Test group'}
got = {'all': False, 'description': u'Test group', 'no_members':
False, 'raw': False, 'version': u'2.62', 'external': False, 'nonposix':
False, 'cn': u'tgroup1'}
path = ()
--
PetrĀ³
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 07/23/2013 04:54 PM, Petr Viktorin wrote:
On 07/23/2013 01:30 PM, Martin Kosek wrote:
On 07/19/2013 01:10 PM, Petr Vobornik wrote:
On 07/18/2013 05:29 PM, Jan Cholasta wrote:
On 18.7.2013 17:26, Martin Kosek wrote:
On 07/18/2013 05:22 PM, Jan Cholasta wrote:
On 18.7.2013 17:07, Martin Kosek wrote:
On 07/18/2013 04:53 PM, Jan Cholasta wrote:
Added patch which adds new hidden option no_members to suppress
membership
processing for commands of all objects that have member attributes.
This can be
used by the WebUI to prevent member lookups where they are not
necessary (as we
discussed off-line with Martin and Petr).
Honza
1) Should the new option really have exclude='webui'? I thought
that Web UI is
the main and only consumer of this option.
The 'webui' context doesn't actually exist and the only meaning of
this stanza
is that the option is not shown in the output of the show_mappings
command.
2) I would clearly state this is an internal option only, e.g.
+ doc=_('INTERNAL: suppress processing of membership attributes.'),
No other internal option has this kind of thing in its doc and nobody
will see
it anyway, so we might just leave it like that IMHO.
OK.
3) It would be nice to state that this option is mutually exclusive
with --all,
but given it is internal anyway and there is no central place to
define it, we
do not need to do that.
The options are not really mutually exclusive at this point, they
can be
specified together, --all takes precedence.
Well, they can be specified together, but the option is then NOOP
which could
confuse users which may have different expectations. Being explicit
helps.
I agree.
But
as I said, in this case this is not a requirement.
I agree as well :-)
Honza
Functional ACK for Honza's patch (didn't break Web UI test suite)
Attaching Web UI patch.
It:
1) Removed --all from _find and _show commands used by search pages. All
displayed attributes should be already included in default attributes.
2) Removed search_all_attributes - Not needed since introduction of
paging.
3) Added --no-members options to search _show commmands.
ACK. Pushed both Petr's and Honza's patch to master and ipa-3-2.
Martin
These patches sometimes add the attribute no_members to groups, which
results in 7 tests being broken like this:
==
FAIL: test_cli.TestCLIParsing.test_group_add
--
Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in
runTest
self.test(*self.arg)
File
/var/lib/jenkins/workspace/freeipa-unittests-f19-devel/ipatests/test_cmdline/test_cli.py,
line 73, in test_group_add
version=API_VERSION)
File
/var/lib/jenkins/workspace/freeipa-unittests-f19-devel/ipatests/test_cmdline/test_cli.py,
line 24, in check_command
util.assert_deepequal(kw_expected, kw_got)
File
/var/lib/jenkins/workspace/freeipa-unittests-f19-devel/ipatests/util.py,
line 338, in assert_deepequal
doc, sorted(missing), sorted(extra), expected, got, stack
AssertionError: assert_deepequal: dict keys mismatch.
missing keys = []
extra keys = ['no_members']
expected = {'all': False, 'cn': u'tgroup1', 'raw': False, 'version':
u'2.62', 'external': False, 'nonposix': False, 'description': u'Test
group'}
got = {'all': False, 'description': u'Test group', 'no_members':
False, 'raw': False, 'version': u'2.62', 'external': False, 'nonposix':
False, 'cn': u'tgroup1'}
path = ()
Correction: they don't add the attribute to output. It's just that the
CLI tests need to be updated with the new option.
--
PetrĀ³
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 19.7.2013 13:10, Petr Vobornik wrote:
On 07/18/2013 05:29 PM, Jan Cholasta wrote:
On 18.7.2013 17:26, Martin Kosek wrote:
On 07/18/2013 05:22 PM, Jan Cholasta wrote:
On 18.7.2013 17:07, Martin Kosek wrote:
On 07/18/2013 04:53 PM, Jan Cholasta wrote:
Added patch which adds new hidden option no_members to suppress
membership
processing for commands of all objects that have member attributes.
This can be
used by the WebUI to prevent member lookups where they are not
necessary (as we
discussed off-line with Martin and Petr).
Honza
1) Should the new option really have exclude='webui'? I thought
that Web UI is
the main and only consumer of this option.
The 'webui' context doesn't actually exist and the only meaning of
this stanza
is that the option is not shown in the output of the show_mappings
command.
2) I would clearly state this is an internal option only, e.g.
+ doc=_('INTERNAL: suppress processing of membership attributes.'),
No other internal option has this kind of thing in its doc and nobody
will see
it anyway, so we might just leave it like that IMHO.
OK.
3) It would be nice to state that this option is mutually exclusive
with --all,
but given it is internal anyway and there is no central place to
define it, we
do not need to do that.
The options are not really mutually exclusive at this point, they
can be
specified together, --all takes precedence.
Well, they can be specified together, but the option is then NOOP
which could
confuse users which may have different expectations. Being explicit
helps.
I agree.
But
as I said, in this case this is not a requirement.
I agree as well :-)
Honza
Functional ACK for Honza's patch (didn't break Web UI test suite)
Attaching Web UI patch.
It:
1) Removed --all from _find and _show commands used by search pages. All
displayed attributes should be already included in default attributes.
2) Removed search_all_attributes - Not needed since introduction of paging.
3) Added --no-members options to search _show commmands.
Hmm, is the has_members function used to distinguish between objects
with members and without members? If so, would it be helpful to add the
no_members option to all commands (just like all and raw), so that
you don't have to do this check?
Honza
--
Jan Cholasta
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 07/19/2013 03:49 PM, Jan Cholasta wrote:
On 19.7.2013 13:10, Petr Vobornik wrote:
On 07/18/2013 05:29 PM, Jan Cholasta wrote:
On 18.7.2013 17:26, Martin Kosek wrote:
On 07/18/2013 05:22 PM, Jan Cholasta wrote:
On 18.7.2013 17:07, Martin Kosek wrote:
On 07/18/2013 04:53 PM, Jan Cholasta wrote:
Added patch which adds new hidden option no_members to suppress
membership
processing for commands of all objects that have member attributes.
This can be
used by the WebUI to prevent member lookups where they are not
necessary (as we
discussed off-line with Martin and Petr).
Honza
1) Should the new option really have exclude='webui'? I thought
that Web UI is
the main and only consumer of this option.
The 'webui' context doesn't actually exist and the only meaning of
this stanza
is that the option is not shown in the output of the show_mappings
command.
2) I would clearly state this is an internal option only, e.g.
+ doc=_('INTERNAL: suppress processing of membership attributes.'),
No other internal option has this kind of thing in its doc and nobody
will see
it anyway, so we might just leave it like that IMHO.
OK.
3) It would be nice to state that this option is mutually exclusive
with --all,
but given it is internal anyway and there is no central place to
define it, we
do not need to do that.
The options are not really mutually exclusive at this point, they
can be
specified together, --all takes precedence.
Well, they can be specified together, but the option is then NOOP
which could
confuse users which may have different expectations. Being explicit
helps.
I agree.
But
as I said, in this case this is not a requirement.
I agree as well :-)
Honza
Functional ACK for Honza's patch (didn't break Web UI test suite)
Attaching Web UI patch.
It:
1) Removed --all from _find and _show commands used by search pages. All
displayed attributes should be already included in default attributes.
2) Removed search_all_attributes - Not needed since introduction of
paging.
3) Added --no-members options to search _show commmands.
Hmm, is the has_members function used to distinguish between objects
with members and without members? If so, would it be helpful to add the
no_members option to all commands (just like all and raw), so that
you don't have to do this check?
Honza
Yes, that's its purpose. IMO it doesn't matter now, the function is
implemented. The only benefits would be small, not noticeable,
performance gain and tolerance to incorrect use of --no-members. Doesn't
look like a reason for polluting all commands with it.
--
Petr Vobornik
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 07/18/2013 04:53 PM, Jan Cholasta wrote:
On 15.7.2013 17:21, Martin Kosek wrote:
On 07/15/2013 03:43 PM, Jan Cholasta wrote:
On 15.7.2013 15:16, Martin Kosek wrote:
On 07/11/2013 12:15 PM, Alexander Bokovoy wrote:
On Thu, 11 Jul 2013, Jan Cholasta wrote:
We can add WebUI improvements later. I have some WIP, but I need to
discuss
it with Petr first (he's away this week).
Ok.
The patchset is in ipa-3-2 as well now.
Just checking:
1) Jan, did you check size of these new indexes on IPA master with such a
high
number of users? How big are they? I want to make sure that this won't
create
an issue on upgrades to new 3.2.x.
With 10k users, the indices ate roughly 250 MB of disk space.
Scratch that, my measurement method was stupid. It is just 2 MB of extra
space.
2) Does the patch set also fix the problem for Web UI? Currently, I think
it
will still grab and process all member attributes even though it does not
need
it. If the Web UI performance is still not sharp, I would rather leave this
ticket opened and let JanPetr cooperate on the Web UI part.
I agree on keeping the ticket open.
Honza
Ok, I reopened the ticket. Petr and Jan, please cooperate on this one.
Martin
Added patch which adds new hidden option no_members to suppress membership
processing for commands of all objects that have member attributes. This can
be
used by the WebUI to prevent member lookups where they are not necessary (as
we
discussed off-line with Martin and Petr).
Honza
1) Should the new option really have exclude='webui'? I thought that Web UI is
the main and only consumer of this option.
2) I would clearly state this is an internal option only, e.g.
+ doc=_('INTERNAL: suppress processing of membership attributes.'),
3) It would be nice to state that this option is mutually exclusive with --all,
but given it is internal anyway and there is no central place to define it, we
do not need to do that.
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 18.7.2013 17:07, Martin Kosek wrote:
On 07/18/2013 04:53 PM, Jan Cholasta wrote:
Added patch which adds new hidden option no_members to suppress membership
processing for commands of all objects that have member attributes. This can be
used by the WebUI to prevent member lookups where they are not necessary (as we
discussed off-line with Martin and Petr).
Honza
1) Should the new option really have exclude='webui'? I thought that Web UI is
the main and only consumer of this option.
The 'webui' context doesn't actually exist and the only meaning of this
stanza is that the option is not shown in the output of the
show_mappings command.
2) I would clearly state this is an internal option only, e.g.
+ doc=_('INTERNAL: suppress processing of membership attributes.'),
No other internal option has this kind of thing in its doc and nobody
will see it anyway, so we might just leave it like that IMHO.
3) It would be nice to state that this option is mutually exclusive with --all,
but given it is internal anyway and there is no central place to define it, we
do not need to do that.
The options are not really mutually exclusive at this point, they can be
specified together, --all takes precedence.
Honza
--
Jan Cholasta
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 07/18/2013 05:22 PM, Jan Cholasta wrote:
On 18.7.2013 17:07, Martin Kosek wrote:
On 07/18/2013 04:53 PM, Jan Cholasta wrote:
Added patch which adds new hidden option no_members to suppress membership
processing for commands of all objects that have member attributes. This
can be
used by the WebUI to prevent member lookups where they are not necessary
(as we
discussed off-line with Martin and Petr).
Honza
1) Should the new option really have exclude='webui'? I thought that Web UI
is
the main and only consumer of this option.
The 'webui' context doesn't actually exist and the only meaning of this stanza
is that the option is not shown in the output of the show_mappings command.
2) I would clearly state this is an internal option only, e.g.
+ doc=_('INTERNAL: suppress processing of membership attributes.'),
No other internal option has this kind of thing in its doc and nobody will see
it anyway, so we might just leave it like that IMHO.
OK.
3) It would be nice to state that this option is mutually exclusive with
--all,
but given it is internal anyway and there is no central place to define it,
we
do not need to do that.
The options are not really mutually exclusive at this point, they can be
specified together, --all takes precedence.
Well, they can be specified together, but the option is then NOOP which could
confuse users which may have different expectations. Being explicit helps. But
as I said, in this case this is not a requirement.
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 18.7.2013 17:26, Martin Kosek wrote:
On 07/18/2013 05:22 PM, Jan Cholasta wrote:
On 18.7.2013 17:07, Martin Kosek wrote:
On 07/18/2013 04:53 PM, Jan Cholasta wrote:
Added patch which adds new hidden option no_members to suppress membership
processing for commands of all objects that have member attributes. This can be
used by the WebUI to prevent member lookups where they are not necessary (as we
discussed off-line with Martin and Petr).
Honza
1) Should the new option really have exclude='webui'? I thought that Web UI is
the main and only consumer of this option.
The 'webui' context doesn't actually exist and the only meaning of this stanza
is that the option is not shown in the output of the show_mappings command.
2) I would clearly state this is an internal option only, e.g.
+ doc=_('INTERNAL: suppress processing of membership attributes.'),
No other internal option has this kind of thing in its doc and nobody will see
it anyway, so we might just leave it like that IMHO.
OK.
3) It would be nice to state that this option is mutually exclusive with --all,
but given it is internal anyway and there is no central place to define it, we
do not need to do that.
The options are not really mutually exclusive at this point, they can be
specified together, --all takes precedence.
Well, they can be specified together, but the option is then NOOP which could
confuse users which may have different expectations. Being explicit helps.
I agree.
But
as I said, in this case this is not a requirement.
I agree as well :-)
Honza
--
Jan Cholasta
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 07/11/2013 12:15 PM, Alexander Bokovoy wrote: On Thu, 11 Jul 2013, Jan Cholasta wrote: On 11.7.2013 11:58, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Alexander Bokovoy wrote: On Thu, 27 Jun 2013, Jan Cholasta wrote: On 27.6.2013 17:34, Rich Megginson wrote: On 06/27/2013 09:31 AM, Jan Cholasta wrote: The search is hard-coded in the referint plugin, see https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/plugins/referint/referint.c#n745. Not sure if it makes sense to do a wildcard/substr search here - please file a ticket with 389 to investigate. https://fedorahosted.org/389/ticket/47411 So, should we merge this patchset or wait until 389-ds analyzes 47411? To me it looks like we can use this one as an interim solution, once Web UI performance is checked through. I've commited the patchset to master. Web UI works just fine for me and with a VM limited to 1GB RAM I seem to get snappier response even when running whole IPA stack and Firefox in the same VM. We can add WebUI improvements later. I have some WIP, but I need to discuss it with Petr first (he's away this week). Ok. The patchset is in ipa-3-2 as well now. Just checking: 1) Jan, did you check size of these new indexes on IPA master with such a high number of users? How big are they? I want to make sure that this won't create an issue on upgrades to new 3.2.x. 2) Does the patch set also fix the problem for Web UI? Currently, I think it will still grab and process all member attributes even though it does not need it. If the Web UI performance is still not sharp, I would rather leave this ticket opened and let JanPetr cooperate on the Web UI part. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 15.7.2013 15:16, Martin Kosek wrote: On 07/11/2013 12:15 PM, Alexander Bokovoy wrote: On Thu, 11 Jul 2013, Jan Cholasta wrote: We can add WebUI improvements later. I have some WIP, but I need to discuss it with Petr first (he's away this week). Ok. The patchset is in ipa-3-2 as well now. Just checking: 1) Jan, did you check size of these new indexes on IPA master with such a high number of users? How big are they? I want to make sure that this won't create an issue on upgrades to new 3.2.x. With 10k users, the indices ate roughly 250 MB of disk space. 2) Does the patch set also fix the problem for Web UI? Currently, I think it will still grab and process all member attributes even though it does not need it. If the Web UI performance is still not sharp, I would rather leave this ticket opened and let JanPetr cooperate on the Web UI part. I agree on keeping the ticket open. Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 07/15/2013 03:43 PM, Jan Cholasta wrote: On 15.7.2013 15:16, Martin Kosek wrote: On 07/11/2013 12:15 PM, Alexander Bokovoy wrote: On Thu, 11 Jul 2013, Jan Cholasta wrote: We can add WebUI improvements later. I have some WIP, but I need to discuss it with Petr first (he's away this week). Ok. The patchset is in ipa-3-2 as well now. Just checking: 1) Jan, did you check size of these new indexes on IPA master with such a high number of users? How big are they? I want to make sure that this won't create an issue on upgrades to new 3.2.x. With 10k users, the indices ate roughly 250 MB of disk space. 2) Does the patch set also fix the problem for Web UI? Currently, I think it will still grab and process all member attributes even though it does not need it. If the Web UI performance is still not sharp, I would rather leave this ticket opened and let JanPetr cooperate on the Web UI part. I agree on keeping the ticket open. Honza Ok, I reopened the ticket. Petr and Jan, please cooperate on this one. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On Mon, 08 Jul 2013, Alexander Bokovoy wrote: On Thu, 27 Jun 2013, Jan Cholasta wrote: On 27.6.2013 17:34, Rich Megginson wrote: On 06/27/2013 09:31 AM, Jan Cholasta wrote: The search is hard-coded in the referint plugin, see https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/plugins/referint/referint.c#n745. Not sure if it makes sense to do a wildcard/substr search here - please file a ticket with 389 to investigate. https://fedorahosted.org/389/ticket/47411 So, should we merge this patchset or wait until 389-ds analyzes 47411? To me it looks like we can use this one as an interim solution, once Web UI performance is checked through. I've commited the patchset to master. Web UI works just fine for me and with a VM limited to 1GB RAM I seem to get snappier response even when running whole IPA stack and Firefox in the same VM. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 11.7.2013 11:58, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Alexander Bokovoy wrote: On Thu, 27 Jun 2013, Jan Cholasta wrote: On 27.6.2013 17:34, Rich Megginson wrote: On 06/27/2013 09:31 AM, Jan Cholasta wrote: The search is hard-coded in the referint plugin, see https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/plugins/referint/referint.c#n745. Not sure if it makes sense to do a wildcard/substr search here - please file a ticket with 389 to investigate. https://fedorahosted.org/389/ticket/47411 So, should we merge this patchset or wait until 389-ds analyzes 47411? To me it looks like we can use this one as an interim solution, once Web UI performance is checked through. I've commited the patchset to master. Web UI works just fine for me and with a VM limited to 1GB RAM I seem to get snappier response even when running whole IPA stack and Firefox in the same VM. We can add WebUI improvements later. I have some WIP, but I need to discuss it with Petr first (he's away this week). Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On Thu, 11 Jul 2013, Jan Cholasta wrote: On 11.7.2013 11:58, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Alexander Bokovoy wrote: On Thu, 27 Jun 2013, Jan Cholasta wrote: On 27.6.2013 17:34, Rich Megginson wrote: On 06/27/2013 09:31 AM, Jan Cholasta wrote: The search is hard-coded in the referint plugin, see https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/plugins/referint/referint.c#n745. Not sure if it makes sense to do a wildcard/substr search here - please file a ticket with 389 to investigate. https://fedorahosted.org/389/ticket/47411 So, should we merge this patchset or wait until 389-ds analyzes 47411? To me it looks like we can use this one as an interim solution, once Web UI performance is checked through. I've commited the patchset to master. Web UI works just fine for me and with a VM limited to 1GB RAM I seem to get snappier response even when running whole IPA stack and Firefox in the same VM. We can add WebUI improvements later. I have some WIP, but I need to discuss it with Petr first (he's away this week). Ok. The patchset is in ipa-3-2 as well now. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On Thu, 27 Jun 2013, Jan Cholasta wrote: On 27.6.2013 17:34, Rich Megginson wrote: On 06/27/2013 09:31 AM, Jan Cholasta wrote: The search is hard-coded in the referint plugin, see https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/plugins/referint/referint.c#n745. Not sure if it makes sense to do a wildcard/substr search here - please file a ticket with 389 to investigate. https://fedorahosted.org/389/ticket/47411 So, should we merge this patchset or wait until 389-ds analyzes 47411? To me it looks like we can use this one as an interim solution, once Web UI performance is checked through. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
Hi,
the attached patches are an attempt to solve
https://fedorahosted.org/freeipa/ticket/3706 without actually removing
ipausers.
I have done some basic timing on IPA with 10k users, the results are:
ipa user-add: 18 s originally, 4 s with the patches
ipa user-del: 54 s originally, 7 s with the patches
Other commands should be affected as well, especially del commands
(deleting an entry triggers a originally unindexed search in the
referint plugin) and member manipulation commands (full member list is
no longer fetched and stored back when adding/removing members).
Patch 147 fixes https://fedorahosted.org/freeipa/ticket/3743.
Honza
--
Jan Cholasta
From ddca9fbf73e985fb8a6e5ea43b0e2e68c957377b Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 25 Jun 2013 12:58:37 +
Subject: [PATCH 1/5] Use LDAP search instead of *group_show to check if a
group exists.
https://fedorahosted.org/freeipa/ticket/3706
---
ipalib/plugins/aci.py | 9 +
ipalib/plugins/baseldap.py | 5 +
ipalib/plugins/config.py| 2 +-
ipalib/plugins/hostgroup.py | 4 ++--
ipalib/plugins/netgroup.py | 2 +-
ipalib/plugins/user.py | 2 +-
6 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index dab209e..a7f85dd 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -252,7 +252,8 @@ def _make_aci(ldap, current, aciname, kw):
elif group:
# Not so friendly with groups. This will raise
try:
-entry_attrs = api.Command['group_show'](kw['group'])['result']
+group_dn = api.Object['group'].get_dn_if_exists(kw['group'])
+entry_attrs = {'dn': group_dn}
except errors.NotFound:
raise errors.NotFound(reason=_(Group '%s' does not exist) % kw['group'])
@@ -269,7 +270,7 @@ def _make_aci(ldap, current, aciname, kw):
a.set_target_attr(kw['attrs'])
if valid['memberof']:
try:
-api.Command['group_show'](kw['memberof'])
+api.Object['group'].get_dn_if_exists(kw['memberof'])
except errors.NotFound:
api.Object['group'].handle_not_found(kw['memberof'])
groupdn = _group_from_memberof(kw['memberof'])
@@ -291,8 +292,8 @@ def _make_aci(ldap, current, aciname, kw):
a.set_target(target)
if valid['targetgroup']:
# Purposely no try here so we'll raise a NotFound
-entry_attrs = api.Command['group_show'](kw['targetgroup'])['result']
-target = 'ldap:///%s' % entry_attrs['dn']
+group_dn = api.Object['group'].get_dn_if_exists(kw['targetgroup'])
+target = 'ldap:///%s' % group_dn
a.set_target(target)
if valid['subtree']:
# See if the subtree is a full URI
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index bb0de98..1312107 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -493,6 +493,11 @@ class LDAPObject(Object):
assert isinstance(parent_dn, DN)
return parent_dn
+def get_dn_if_exists(self, *keys, **kwargs):
+dn = self.get_dn(*keys, **kwargs)
+entry = self.backend.get_entry(dn, [''])
+return entry.dn
+
def get_primary_key_from_dn(self, dn):
assert isinstance(dn, DN)
try:
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 33eb174..b9cf050 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -213,7 +213,7 @@ class config_mod(LDAPUpdate):
if 'ipadefaultprimarygroup' in entry_attrs:
group=entry_attrs['ipadefaultprimarygroup']
try:
-api.Command['group_show'](group)
+api.Object['group'].get_dn_if_exists(group)
except errors.NotFound:
raise errors.NotFound(message=_(The group doesn't exist))
kw = {}
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index 9fb1029..bc10994 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -122,7 +122,7 @@ class hostgroup_add(LDAPCreate):
assert isinstance(dn, DN)
try:
# check duplicity with hostgroups first to provide proper error
-netgroup = api.Command['hostgroup_show'](keys[-1])
+api.Object['hostgroup'].get_dn_if_exists(keys[-1])
self.obj.handle_duplicate_entry(*keys)
except errors.NotFound:
pass
@@ -130,7 +130,7 @@ class hostgroup_add(LDAPCreate):
try:
# when enabled, a managed netgroup is created for every hostgroup
# make sure that the netgroup can be created
-netgroup = api.Command['netgroup_show'](keys[-1])
+api.Object['netgroup'].get_dn_if_exists(keys[-1])
raise errors.DuplicateEntry(message=unicode(_(\
u'netgroup
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 06/27/2013 04:55 PM, Jan Cholasta wrote: Hi, the attached patches are an attempt to solve https://fedorahosted.org/freeipa/ticket/3706 without actually removing ipausers. I have done some basic timing on IPA with 10k users, the results are: ipa user-add: 18 s originally, 4 s with the patches ipa user-del: 54 s originally, 7 s with the patches Other commands should be affected as well, especially del commands (deleting an entry triggers a originally unindexed search in the referint plugin) and member manipulation commands (full member list is no longer fetched and stored back when adding/removing members). Patch 147 fixes https://fedorahosted.org/freeipa/ticket/3743. Honza Thanks for this effort! I quickly went through the patches, they mostly look harmless. Except the following: Subject: [PATCH 4/5] Add missing substring indices for attributes managed by the referint plugin. AFAIK, sub index is a very expensive index - as we discussed offline - adding Rich to advise and confirm this. I think you added it because some plugin was doing substring/wildcard search when an LDAP entry was being deleted - did you identify which one it is? Because I would rather get rid of the bad search than adding so many sub indices. Secondly, did you also check Web UI performance? I think we could noticeable improve user/group lists performance if we added a new (hidden) option to suppress loading membership information which could then be utilized by Web UI. Adding Petr Vobornik to CC to consider this. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 06/27/2013 09:31 AM, Jan Cholasta wrote: On 27.6.2013 17:23, Martin Kosek wrote: Thanks for this effort! I quickly went through the patches, they mostly look harmless. Except the following: Subject: [PATCH 4/5] Add missing substring indices for attributes managed by the referint plugin. AFAIK, sub index is a very expensive index - as we discussed offline - adding Rich to advise and confirm this. I think you added it because some plugin was doing substring/wildcard search when an LDAP entry was being deleted - did you identify which one it is? Because I would rather get rid of the bad search than adding so many sub indices. The search is hard-coded in the referint plugin, see https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/plugins/referint/referint.c#n745. Not sure if it makes sense to do a wildcard/substr search here - please file a ticket with 389 to investigate. sub index isn't necessarily a bad thing - in this case it may be more beneficial than harmful - if you have enough nsslapd-idlistscanlimit to hold the entire candidate list in a single id list without hurting performance (i.e. a list of 1 entries is probably ok - a list of 100 entries is not) Secondly, did you also check Web UI performance? I think we could noticeable improve user/group lists performance if we added a new (hidden) option to suppress loading membership information which could then be utilized by Web UI. Adding Petr Vobornik to CC to consider this. No, not yet. Honza ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 27.6.2013 17:34, Rich Megginson wrote: On 06/27/2013 09:31 AM, Jan Cholasta wrote: The search is hard-coded in the referint plugin, see https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/plugins/referint/referint.c#n745. Not sure if it makes sense to do a wildcard/substr search here - please file a ticket with 389 to investigate. https://fedorahosted.org/389/ticket/47411 -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
