[Freeipa-users] Want faster user-add

Martin Kosek mkosek at redhat.com
Mon Jan 4 12:03:14 UTC 2016 

On 12/22/2015 04:16 PM, Simo Sorce wrote:
> On Tue, 2015-12-22 at 10:24 +0100, thierry bordaz wrote:
>> On 12/21/2015 05:55 PM, Daryl Fonseca-Holt wrote:
>>> Hi all,
>>>
>>> Environment: RHEL6 with IPA 3.0 at current RedHat level. 64-core 
>>> 256-GB RAM Oracle x4470 M2.
>>>
>>> During our migration from NIS on Solaris 140,000+ accounts will be 
>>> added. After tuning per the guides dbmon.sh shows no roevicts and we 
>>> get high cache hit ratios.
>>>
>>> Per a previous discussion with the list the input is broken down into 
>>> batches of less than 1,000 users and the default IPA group is changed 
>>> before each batch. This helped greatly.
>>>
>>> Adding all the users takes many hours. Initially ipa user-add takes an 
>>> average 2.3 seconds per user but degrades by the time there are 
>>> 140,000 users to an average 6.7 seconds per user.
>>>
>>> In tracing it appears that a significant portion of the time ipa 
>>> user-add takes is not the add itself, it is the query at the end that 
>>> displays the resulting user account. Is there any legit way to prevent 
>>> this query?
>>>
>>> The length of time it takes to migrate is not a big concern. The 
>>> concern is the start of the fall school term when we typically add 
>>> approximately 1,300 accounts per hour during the registration period 
>>> with our current system.
>>>
>>> All suggestions will be appreciated.
>>>
>>> Regards, Daryl
>>>
>> Hi Daryl,
>>
>> I can reproduce similar trend of user-add becoming slower and slower.
>>
>> Now in my tests (etime=7s) the time was spent half by authentication and 
>> half by ADD and MOD (update of ipausers group). I agree there are many 
>> direct SRCH (~10) but they all seems to be rapid.
>>
>> I know that the vast majority of the time is spent in DS schema-compat 
>> plugin. Disabling it, during provisioning, reduce the duration by ~3.
>> Now I do not know if it is a valid option to disable this plugin during 
>> provisioning.
> 
> As long as the schema compat is not needed by users during the
> provisioning, turning it off is fine. All the contents are regenerated
> at startup anyway. So it can be re-enabled and the server restarted
> after the bulk provisioning is done.

+1. When provisioning users via "ipa migrate-ds" command, schema compat is
strongly suggested to be turned off too.

More information about the Freeipa-users mailing list