[Freeipa-users] Large slow down when using IPA
JR Aquino
JR.Aquino at citrix.com
Sat Dec 31 04:19:13 UTC 2011
On Dec 30, 2011, at 5:45 PM, Erinn Looney-Triggs wrote:
> I have been slowly rolling out FreeIPA to my systems, trying to track
> differences/changes. One of the most noticeable has been a large slow
> down in file access times.
>
> Let me explain as best as I can. I use AIDE to track the file system
> (think tripwire) and it runs checks once a day. During these checks it
> is scanning (almost) the entire file system and comparing it to a stored
> database. On a moderately powered system with ~151k files, an AIDE run
> will usually take ~30 minutes. After the system becomes an IPA client
> the same run will generally take ~90-120 minutes. Un-install the
> ipa-client, back to ~30 minutes for an AIDE run.
>
> Now clearly a lot of lookups are being done for user names and group
> names, and this will have a performance hit that is dependant on the
> network. However, the odd thing is that even when running on the IPA
> server itself the slowdown is still the same.
>
> Not sure if this is an IPA problem, an SSSD problem, a bit of both, or
> neither, perhaps it is just the way it is, but a slowdown of 3-4x seems
> a bit much to me. Clearly the results are not scientific, however, they
> have been generally reproducible since I started rolling IPA out.
>
> As a side note this slowdown has also broken bacula backups, as the
> bacula client is scanning the filesystem for change (using accurate
> backups) the director times out.
>
> Any thoughts, or opinions? Workarounds etc? I have checked to make sure
> that SSSD caching is enabled, and functional.
>
> Thanks,
>
> -Erinn
I am assuming that these are all running as local users.
>From the sssd.conf man page in the nss section:
filter_users, filter_groups (string)
Exclude certain users from being fetched from the sss NSS database. This is particularly useful for system accounts. This option can also be set per-domain or include fully-qualified names to filter only users from the
particular domain.
Default: root
Try adding this to your sssd.conf:
[nss]
filter_groups = root,bacula,aide,otherdaemonuser <-as needed
filter_users = root,bacula,aide,otherdaemonuser <- as needed
Let me know if that solves your issue.
More information about the Freeipa-users
mailing list