Josh
2013-Mar-19 17:34 UTC
[Puppet Users] Slow user resource-type when host is attached to LDAP directory
The majority of our servers are attached to large LDAP directories. However, there are also cases when we need to define local service accounts for whatever reason. We do this with the "user" resource-type. If the host is attached to an LDAP directory, it takes Puppet a VERY long time to process the "user" resource-type. In our case, it takes 60+ seconds to process each user type. Running "puppet resource user username" on the host takes over 2 minutes. During this time, the "puppet" process on each host is pegged at 100% CPU usage.

Is there any way around this? I have seen it brought up on the list, but not anytime recently (2008, last I searched).

Thanks.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
jcbollinger
2013-Mar-20 13:35 UTC
[Puppet Users] Re: Slow user resource-type when host is attached to LDAP directory
On Tuesday, March 19, 2013 12:34:23 PM UTC-5, Josh wrote:
> The majority of our servers are attached to large LDAP directories.
> However, there are also cases when we need to define local service
> accounts for whatever reason. We do this with the "user" resource-type.
> If the host is attached to an LDAP directory, it takes Puppet a VERY long
> time to process the "user" resource-type. In our case, it takes 60+
> seconds to process each user type. Running "puppet resource user username"
> on the host takes over 2 minutes. During this time, the "puppet" process
> on each host is pegged at 100% CPU usage.
>
> Is there any way around this? I have seen it brought up on the list, but
> not anytime recently (2008, last I searched).

This sounds like an issue associated more with your hosts' configuration than with Puppet itself. Try running your system's user management commands (for example, useradd / usermod / userdel) directly. I think you will see similar long runtimes. If so, then you cannot attribute your performance problem to Puppet.

It is possible that you could improve performance for existing local users by modifying the service priorities in your name service policy to give the local user and group files highest priority (but be aware that this makes local user and group entries supersede LDAP). On common Linuxes that typically means modifying /etc/nsswitch.conf.

That's the best I can do without any details of your manifests or target node configurations.

John
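The reply above points at the source order in /etc/nsswitch.conf and warns that putting local files first lets local entries override LDAP. The following check is an added example, not part of the thread or of Puppet: it reports which account databases do not list `files` first and which local account names would take precedence over a directory entry of the same name. The sample file contents, account names and function names are constructed for illustration.

```python
import re

# Constructed sample of /etc/nsswitch.conf: LDAP is consulted before local files for passwd.
SAMPLE_NSSWITCH = """\
passwd:  ldap files      # directory first
group:   files ldap
shadow:  files [NOTFOUND=return] ldap
hosts:   files dns
"""
# Constructed sample of /etc/passwd and of account names present in the directory.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
svc_backup:x:450:450:Backup service:/var/lib/backup:/sbin/nologin
jdoe:x:1001:1001:Local copy:/home/jdoe:/bin/bash
"""
SAMPLE_DIRECTORY_NAMES = {"jdoe", "asmith"}

ACCOUNT_DBS = ("passwd", "group", "shadow")


def parse_nsswitch(text):
    """Map each database to its ordered source list, ignoring comments and [STATUS=action] items."""
    order = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" not in line:
            continue
        db, spec = line.split(":", 1)
        order[db.strip()] = re.sub(r"\[[^\]]*\]", " ", spec).split()
    return order


def files_not_first(text):
    """Return the account databases whose first source is not 'files' (or that have no sources)."""
    order = parse_nsswitch(text)
    return [db for db in ACCOUNT_DBS if (order.get(db) or [None])[0] != "files"]


def shadowing_local_names(passwd_text, directory_names):
    """Return local account names that also exist in the directory; with 'files' first, the local entry wins."""
    local = {l.split(":", 1)[0] for l in passwd_text.splitlines() if l and not l.startswith("#")}
    return sorted(local & set(directory_names))


if __name__ == "__main__":
    print("files not first for:", files_not_first(SAMPLE_NSSWITCH))
    print("local names that would override LDAP:",
          shadowing_local_names(SAMPLE_PASSWD, SAMPLE_DIRECTORY_NAMES))
```

Reviewing the second list before reordering the sources shows which directory identities a local entry would replace on that host.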