Hi,
Really weird issue...
We build a docker container to run some ansible playbooks within it. We notice, that IF the container has "ipa-client" package installed, there is a HUGE performance degradation to execute the same playbook. E.g. 20 seconds without ipa-client vs 2 minutes with ipa-client (6 times worse!).
Note that: - We DO NOT enroll the container. We don't run "ipa-client-install" at any point. We just have the "ipa-client" package INSTALLED (like "yum install ipa-client") - The playbooks DO NOT talk to IPA in any way, neither do they run IPA commands. They are totally unrelated to ipa-client actually.
The delay seems to be during the connection - i.e. it doesn't matter WHAT exactly ansible task does. It gets stuck for all tasks on something like this (note timestamp):
<192.168.1.1> EXEC /bin/sh -c '/usr/bin/python /root/.ansible/tmp/ansible-tmp-1574346920.3942568-62901531545767/AnsiballZ_stat.py && sleep 0' 852 1574346920.65004: opening command with Popen() 852 1574346920.65758: done running command with Popen() 852 1574346920.65791: getting output with communicate() 852 1574346921.00213: done communicating <<<<<< note the delay here, this happens for each task 852 1574346921.00227: done with local.exec_command()
So, JUST HAVING ipa-client installed somehow causes this slowness.
Any idea what ipa-client package can alter in system behavior, if we don't actually enroll in IPA domain?
P.S. You might be wondering WHY we actually have this ipa-client there... well, that's the point: it's totally unrelated to this particular thing... it's just that some of the playbooks need to use IPA commands, that's why we have ipa-client installed. But even NOT the playbook that we are testing above...
--- Regards, Dmitry Perets
Dmitry Perets via FreeIPA-users wrote:
Hi,
Really weird issue...
We build a docker container to run some ansible playbooks within it. We notice, that IF the container has "ipa-client" package installed, there is a HUGE performance degradation to execute the same playbook. E.g. 20 seconds without ipa-client vs 2 minutes with ipa-client (6 times worse!).
Note that:
- We DO NOT enroll the container. We don't run "ipa-client-install" at any point. We just have the "ipa-client" package INSTALLED (like "yum install ipa-client")
- The playbooks DO NOT talk to IPA in any way, neither do they run IPA commands. They are totally unrelated to ipa-client actually.
The delay seems to be during the connection - i.e. it doesn't matter WHAT exactly ansible task does. It gets stuck for all tasks on something like this (note timestamp):
<192.168.1.1> EXEC /bin/sh -c '/usr/bin/python /root/.ansible/tmp/ansible-tmp-1574346920.3942568-62901531545767/AnsiballZ_stat.py && sleep 0' 852 1574346920.65004: opening command with Popen() 852 1574346920.65758: done running command with Popen() 852 1574346920.65791: getting output with communicate() 852 1574346921.00213: done communicating <<<<<< note the delay here, this happens for each task 852 1574346921.00227: done with local.exec_command()
So, JUST HAVING ipa-client installed somehow causes this slowness.
Any idea what ipa-client package can alter in system behavior, if we don't actually enroll in IPA domain?
P.S. You might be wondering WHY we actually have this ipa-client there... well, that's the point: it's totally unrelated to this particular thing... it's just that some of the playbooks need to use IPA commands, that's why we have ipa-client installed. But even NOT the playbook that we are testing above...
The package itself is just files, zero configuration except a bash completion script. There is a post-install script that should only fire on upgrades and even then only if the client is configured.
I'd see what else is pulled in my installing ipa-client.
rob
freeipa-users@lists.fedorahosted.org
-
Dmitry Perets -
Rob Crittenden