[Freeipa-users] IPA Load Problems?

Martin Kosek mkosek at redhat.com
Wed Sep 4 07:44:41 UTC 2013 

On 08/30/2013 11:08 PM, John Moyer wrote:
> Well IPA has machine entries on some test clusters that I'm rolling IPA
> out on (20 machines maybe) but the user base is the same (about 80 ~ 100)
> accounts with maybe 40 to 50 groups?
> 
> I've stood up a clone of the jira server along with IPA.   I cleared my
> logs and then did the sync and ran the log analyzer on it.   These stats
> are pretty much ONLY for that jira sync I don't have any other connections
> pointed to it.
> 
> 
> Start of Log:    30/Aug/2013:15:57:13 End of Log:
> 30/Aug/2013:16:01:14
> 
> Processed Log Time:   Hours, 4 Minutes, 1 Seconds
> 
> Restarts:                     1 Total Connections:            824 SSL
> Connections:              824 Peak Concurrent Connections:  6 Total
> Operations:             1806 Total Results:                1805 Overall
> Performance:          99.9%
> 
> Searches:                     968        (4.02/sec)  (241.00/min) 
> Modifications:                5          (0.02/sec)  (1.24/min) Adds:
> 0          (0.00/sec)  (0.00/min) Deletes:                      0
> (0.00/sec)  (0.00/min) Mod RDNs:                     0          (0.00/sec)
> (0.00/min) Compares:                     0          (0.00/sec)
> (0.00/min) Binds:                        833        (3.46/sec)
> (207.39/min)
> 
> Proxied Auth Operations:      0 Persistent Searches:          1 Internal
> Operations:          0 Entry Operations:             0 Extended
> Operations:          0 Abandoned Requests:           0 Smart Referrals
> Received:     0
> 
> VLV Operations:               0 VLV Unindexed Searches:       0 SORT
> Operations:              0
> 
> Entire Search Base Queries:   0 Unindexed Searches:           1
> 

This looks like a promising way to find out the reason, thanks John. However,
I see just one unindexed search. Is the access log complete? Previously I see
that the sync takes 900 seconds/15 minutes, but there is only 4 minutes the
access log. Note that it it may take some time until the log is dumped.

I think it would be also useful to run the analyzer with "-ula" flags as Rob
suggested earlier to find out the unindexed searches (if any).

What I find interesting is that JIRA does a lot of LDAP BINDs. Can the
problem be in longer BINDs than with than expected (compared to for example
plain LDAP servers)? Performance-wise, it would be I think better if JIRA
does just one BIND and run all the LDAP searches the established connection.
But I do not know if it can be configured this way.

Rich, Rob, I am wondering if the slow up is not really caused by the binds,
we have several DS plugins tied to the BIND operation, it may be useful to
analyze if they do not take too long.

Martin

More information about the Freeipa-users mailing list