[Freeipa-users] caching of lookups / performance problem

Sullivan, Daniel [CRI] dsullivan2 at bsd.uchicago.edu
Tue Jan 31 20:05:18 UTC 2017 

Hi,

I figured out what was going on with this issue.  Basically cache timeouts were causing a large number of uid numbers in an arbitrarily-timed directory listing to have expired cache records, which causes those records to be looked up again by the data provider (and thus blocking ‘ls -l’).  To work around this issue now we currently setting the entry_cache_timeout to something arbitrarily high, i.e. 999999, I’m questioning whether or not this is the best approach.  I’d like to use something like refresh_expired_interval, although based on my testing it appears that this does not update records for a trusted AD domain.  I’ve also tried using enumeration, and that doesn’t seem to work either.

I suppose my question is this; is there a preferred method to keep cache records up-to-date for a trusted AD domain?  Right now I am thinking about cron-tabbing an ‘ls -l’ of /home and allowing entry_cache_nowait_percentage to fill this function, although that seems hacky to me.

Any advisement that could be provided would be greatly appreciated.

Best,

Dan Sullivan

> On Jan 30, 2017, at 10:52 AM, Sullivan, Daniel [CRI] <dsullivan2 at bsd.uchicago.edu> wrote:
> 
> Hi,
> 
> I have another question about sssd performance.  I’m having a difficult time doing a regularly performant ‘ls -l’ operation against /home, a mounted NFS share of all of our users home directories.  There are 667 entries in this folder, and all of them have IDs that are resolvable via freeipa/sssd.  We are using an AD trusted domain.
> 
> It is clear to me why an initial invocation of this lookup should take some time (populating the local ldb cache).   And it does.  Usually around 5-10 minutes, but sometimes longer.  After the initial lookups are complete, the output of ‘ls -l' renders fine, and I can inspect the local filesystem cache using ldbsearch and see that it is populated.  The issue is that if I wait a while, or restart sssd, it appears that I have to go through all of these lookups again to render the directory listing.
> 
> I am trying to find an optimal configuration for sssd.conf that will allow a performant ‘ls -l’ listing of a directory with a large number of different id numbers assigned to filesystem objects to always return results immediately from the local cache (after an initial invocation of this command for any given directory).  I think basically what I want is to have the ldb cache always ‘up-to-date’, or at least have sssd willing to immediately dump what it has without having to do a bunch of lookups while blocking the ‘ls -l’ thread.  If possible, whatever solution implemented should also survive a restart of the sssd process.  In short, aside from an initial invocation, I never want ‘ls -l’ to take more than a few seconds.
> 
> The issue described above is somewhat problematic because it appears to cause contention on the sssd process effectively allowing a user doing ls -l /home to inadvertently degrade system performance for another user.
> 
> So far I have tried:
> 
> 1)  Implementing 'enumeration = true' for the [domain] section .  This seems to have no impact.  It might be worthwhile to note that we are using an AD trusted domain.
> 2)  Using the refresh_expired_interval configuration for the [domain] section
> 
> I have read the following two documents in a decent level of detail:
> 
> https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
> https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/
> 
> It almost seems to me like the answer to this would be to keep the LDB cache valid indefinitely (step 4 on https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/).
> 
> Presumably this is a problem that somebody has seen before.  Would somebody be able to advise on the best way to deal with this?  I appreciate your help.
> 
> Thank you,
> 
> Dan
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

More information about the Freeipa-users mailing list