[freeipa PR#5144][opened] Reduce runtime of server installer by nearly a minute
by tiran
URL: https://github.com/freeipa/freeipa/pull/5144
Author: tiran
Title: #5144: Reduce runtime of server installer by nearly a minute
Action: opened
PR body:
"""
This experimental patch speeds up the installer by tightening poll/sleep loops, reducing timeouts for DNS and NTP to a sensible value, and avoiding duplicate work.
## Add helper for poll/sleep loops with timeout
The Sleeper class is a helper that makes poll/sleep loops with timeout
easier to write. It takes care of edge cases and does not oversleep
the timeout deadline.
## Faster certmonger wait_for_request()
wait_for_request() now waits 0.5 instead of 5 seconds. This shaves off
15 to 20 seconds from ipa-server-install while marginally increasing
load on the system.
## Remove root-autobind configuration
The new lib389-based installer configured 389-DS with LDAPI support and
autobind for root.
cn=root-autobind,cn=config entry is no longer needed.
## Skip offline dse.ldif patching by default
The installer now stops and patches dse.ldif only when the option
--dirsrv-config-file is used. LDBM nsslapd-db-locks are increased in a
new step.
This speeds up installer by 4 or more seconds on a fast system.
## Retry chronyc waitsync only once
It's unlikely that a third chrony synchronization attempt is going to
succeed after the first two attempts have failed. Only retry chronyc
waitsync once. Each retry adds a 10 second delay.
This speeds up the installer by 10 seconds on systems without fully
configured chronyd or no chronyd (e.g. containers).
## Reduce CA record DNS timeout to 10s
30 seconds is still a lot of time for a DNS query. Clients typically
do not wait that long. OpenSSH uses 10 seconds for reverse DNS lookup.
That's considered a long timeout already. It's unlikely that a DNS query
is going to succeed after 10 seconds of failed lookups.
At this point during the installer IPA's BIND DNS instance has been
running long enough to be fully available, too.
The changeset reduces installation time by 40 seconds when ipa-ca DNS
has not been created yet.
See: https://pagure.io/freeipa/issue/6176
## Skip duplicate import of cert profiles
All supported Dogtag versions import the cert profiles during pkispawn
when using the LDAP profile backend.
This reduces the installation time by 9 to 14 seconds.
## Use single update LDIF for indices
Index definitions were split across four files. indices.ldif contained
the initial subset of indices. Three update files partly duplicated the
indices and partly added new indices.
All indices are now defined in a single update file that is sorted
alphanumerically.
The changeset avoids two additional index tasks and reduces installation
time by 5 to 10 seconds.
Fixes: https://pagure.io/freeipa/issue/8493
## Remove magic sleep from create_index_task
11 years ago 5ad91a0781 added a magic sleep to work around a rare deadlock
bug in memberOf plugin. Thierry is not aware of any outstanding issues
with memberOf plugin that could lead to a deadlock.
## Add timings to install logs
The logging manager now adds timings for installation steps to the
installer logs. The information can be extracted and dumped to a CSV
file with a simple grep command:
    grep -Po 'TIMING: \K.*' /var/log/ipaserver.log > ipaserver.csv
## Use separate install logs for AD and DNS instance
ipa-dns-install and ipa-adtrust-install no longer overwrite
ipaserver-install.log. Instead they use a separate log file.
Add AD-Trust, DNS, KRA, and replica log files to backups.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5144/head:pr5144
git checkout pr5144
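
The poll/sleep pattern from the "Add helper for poll/sleep loops with timeout" and "Faster certmonger wait_for_request()" sections, as an added example that is not code from the PR or from FreeIPA. `DeadlinePoller`, `poll_until` and `simulate` are hypothetical names, and the scenario runs on a constructed fake clock to show how the poll interval affects completion latency while the last sleep is clipped to the deadline.

```python
import time


class DeadlinePoller:
    """Hypothetical helper, not FreeIPA's Sleeper: sleep between polls
    without ever sleeping past the overall deadline."""

    def __init__(self, interval, timeout, clock=time.monotonic, sleep=time.sleep):
        if interval <= 0 or timeout < 0:
            raise ValueError("interval must be > 0 and timeout >= 0")
        self.interval, self._clock, self._sleep = interval, clock, sleep
        # The default clock is monotonic, so wall-clock steps (for example
        # from time synchronization) do not move the deadline.
        self.deadline = clock() + timeout

    def wait(self):
        """Sleep up to one interval; return False once the deadline has passed."""
        remaining = self.deadline - self._clock()
        if remaining <= 0:
            return False
        self._sleep(min(self.interval, remaining))  # clip the final sleep
        return True


def poll_until(check, interval, timeout, **kwargs):
    """Call check() until it is truthy; raise TimeoutError at the deadline."""
    poller = DeadlinePoller(interval, timeout, **kwargs)
    while True:
        result = check()  # polled one last time right at the deadline
        if result:
            return result
        if not poller.wait():
            raise TimeoutError(f"condition not met within {timeout}s")


def simulate(ready_at, interval, timeout):
    """Constructed scenario on a fake clock: a request that completes at
    ready_at seconds. Returns (succeeded, elapsed_seconds, sleeps)."""
    now, sleeps = [0.0], []

    def fake_sleep(seconds):
        sleeps.append(seconds)
        now[0] += seconds

    try:
        poll_until(lambda: now[0] >= ready_at, interval, timeout,
                   clock=lambda: now[0], sleep=fake_sleep)
        return True, now[0], sleeps
    except TimeoutError:
        return False, now[0], sleeps
```
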