[Freeipa-devel] [PATCH] 1083 improve migration performance
Martin Kosek
mkosek at redhat.com
Tue Feb 5 12:23:55 UTC 2013
On 02/04/2013 08:05 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 02/01/2013 04:21 PM, Rob Crittenden wrote:
>>> I did some analysis on migration and found several areas impacting performance:
>>>
>>> 1. We were calling user_mod to reset the magic value in description to not
>>> create a UPG. This caused a lot of unnecessary queries to display the user.
>>>
>>> 2. We check the remote LDAP server to make sure that the GID is valid and added
>>> a cache. We lacked a negative cache.
>>>
>>> 3. The biggest drag on performance was managing the default users group. After
>>> about 1000 users it would take about half a second to calculate the modlist and
>>> another half second for 389-ds to apply the change.
>>>
>>> This patch addresses all of these.
>>>
>>> For the last what I do is only do the group addition every 100 records. A query
>>> is run to find all users who aren't in the default users group and those are
>>> added.
>>>
>>> I also added a bit of logging so one can better track the progress of
>>> migration.
>>>
>>> I migrated 12.5k users with compat enabled in 3 1/2 hours.
>>>
>>> I migrated the same 12.5k users and 2k groups with compat disabled in 30
>>> minutes.
>>>
>>> By contrast when I started, with compat enabled, I migrated:
>>>
>>> 1000 users in 7 minutes
>>> 2000 users in 27 minutes
>>> 3000 users in 1 hour
>>>
>>> rob
>>>
>>
>> Good job, this should improve the migration plugin perfomance a lot. Just few
>> minor remarks:
>>
>> 1) I am not native speaker, but this looks strange to me:
>>
>> +_krb_failed_msg = _('Unable to determine Kerberos principal %s already exists.
>> Use \'ipa user-mod\' to set it manually.')
>
> Yup, typo on my part.
>
>>
>> Shouldn't it read "Unable to determine IF Kerberos principal..."?
>>
>> 2) In:
>>
>> + searchfilter = "(&(objectclass=posixAccount)(!(memberof=%s)))" %
>> group_dn
>> + (result, truncated) = ldap.find_entries(searchfilter,
>> + ['member'], api.env.container_user, scope=_ldap.SCOPE_SUBTREE,
>> + time_limit = -1)
>>
>> Shouldn't we search with empty attrs_list ("attrs_list=['']")? We do not need
>> nor use the member attribute anyway.
>
> Sure. I had it in my head that asking for an empty list returned everything. I
> did some quick testing and asking for a blank attribute returns no attributes,
> so I think will work.
>
>>
>> 3) In
>>
>> + if migrate_cnt > 0 and migrate_cnt % 100:
>> + api.log.info("%d %ss migrated. %s elapsed." %
>> (migrate_cnt, ldap_obj_name, total_dur))
>>
>> I think you wanted to do this condition:
>>
>> if migrate_cnt > 0 and migrate_cnt % 100 == 0:
>
> Yup, this is what I get for adding something right before submitting the patch.
> Fixed.
>
>
>> 4) In _update_default_group:
>>
>> + api.log.debug('Adding users to group duration %s' % d)
>>
>> I would improve it this way:
>>
>> + mode = " (forced)" if force else ""
>> + api.log.debug('Adding %d users to group%s, duration %s', migrate_cnt,
>> mode, d)
>
> Sure, added.
>
>>
>> 5) We now print a lot of interesting migration-related information to IPA
>> server httpd error_log. I think it may be useful to also add a note about it to
>> "ipa help migration" I think that regular admins may not have a clue that we
>> log information like this to this error log.
>
> I added a short logging section.
>
> rob
>
Almost there!
1) Few new typos:
+recommended that this be evaluated post-migration to correct or
^^
...
+/etc/ipa/defult.conf or /etc/ipa/server.conf, then an entry will be printed
^^^^^^^^^^^
2) ipausers group update may report error for the whole migration if there is
no user to update (e.g. if all migrated users already exist in IPA):
# ipa migrate-ds --with-compat...
ipa: ERROR: no such entry
This is the misbehaving LDAP search:
+ searchfilter = "(&(objectclass=posixAccount)(!(memberof=%s)))" % group_dn
+ (result, truncated) = ldap.find_entries(searchfilter,
+ [''], api.env.container_user, scope=_ldap.SCOPE_SUBTREE,
+ time_limit = -1)
Martin
More information about the Freeipa-devel
mailing list