Project

General

Profile

Bug #7469

local_sync_accounts() slowness can trigger GUI/XMLRPC failures with many accounts

Added by Jim Pingle 4 months ago. Updated 4 months ago.

Status:
Confirmed
Priority:
High
Category:
User manager
Target version:
Start date:
04/12/2017
Due date:
% Done:

0%

Affected version:
All
Affected Architecture:

Description

When a firewall has many local accounts, the time it takes for local_sync_accounts() to finish grows large enough to trigger timeouts and other problems for XMLRPC.

Notably, in an HA cluster this becomes a burden because that function is called for each filter sync.

On stand-alone firewalls the function is only called during bootup, so it does not have quite the same impact in that scenario, though it still delays the boot process.

To illustrate the issue I made a playback script that calls local_sync_accounts() and nothing else:

: grep -c '<user>' /conf/config.xml 
44
: time pfSsh.php playback localsyncusers
1.379u 5.649s 1:17.53 9.0%    633+216k 0+16190io 0pf+0w

For 44 accounts this particular test firewall needed 1 min 17 seconds to complete the sync process. This could easily overrun PHP/XMLRPC timeouts depending on the speed of the firewall cpu/disks/etc.

We have at least one customer hitting the issue ( 16693 ), plus at least one user report ( https://forum.pfsense.org/index.php?topic=127546.0 )

History

#1 Updated by Renato Botelho 4 months ago

  • Target version changed from 2.4.0 to 2.4.1

Pushing to 2.4.1 because the whole function should be changed to be optimized

Also available in: Atom PDF