The RPC client library for XML-RPC and JSON-RPC calls does not support "Connection: keep-alive" to benefit from persistent TCP connection. Every RPC call creates a new TCP connection and therefore triggers a TLS handshake. A persistent TCP connection improves performance and reduces both overhead and latency. Even for a local and idling server, keep-alive can reduce round-trip time by 20% or more.
How this supposed to work in case of the command line use? Each ipa CLI call is done by a separate process so cannot do any reuse of existing TCP connection. This would only help 'ipa console' case and use of the framework's Python API, so actual benefit is not that big for a typical use (which is CLI).
You are assuming that the ipa CLI creates only one connection for each call. For some plugins it performs multiple HTTPS connections. For example ipa vault-add involves at least seven HTTPS connection.
ipa vault-add
I'm asking for details of what is going on. At the very least, I'd like to see this spelled out in the ticket.
Improving responsiveness of vault command is welcomed, but let's not forget about a bigger picture. You would need to start from the authentication first, then metadata request, then actual command execution. That would be three TCP connections already.
Some analysis is good to have.
This ticket is not about analyzing the vault, but about applying an old, simple and common technique to reduce the overhead of TCP and TLS/SSL handshake. I have used vault as an example because it is both most relevant for my work and benefits most from keep-alive. In a production env with multiple masters, all ipa CLI calls would benefit from connection keep-alive. ipa performs at least one ping to find a working framework instance. keep-alive would reduce the cost for TCP and TLS/SSL handshake at least in half.
Now to your question
Here are some logs (noise removed) for each vault op:
$ ipa vault-add --password=12345 key vault_add_internal/1(u'key', ipavaultsalt='...', version=u'2.215'): SUCCESS vault_show/1(u'key', version=u'2.215'): SUCCESS vault_show/1(u'key', version=u'2.215'): SUCCESS vaultconfig_show/1(version=u'2.215'): SUCCESS vault_retrieve_internal/1(u'key', session_key=...', version=u'2.215'): NotFound $ ipa vault-archive --password=12345 --data='secret' key vaultconfig_show/1(version=u'2.215'): SUCCESS vault_archive_internal/1(u'key', session_key='...', nonce='...', version=u'2.215'): SUCCESS vault_show/1(u'key', version=u'2.215'): SUCCESS vault_show/1(u'key', version=u'2.215'): SUCCESS vaultconfig_show/1(version=u'2.215'): SUCCESS vault_retrieve_internal/1(u'key', session_key='...', version=u'2.215'): SUCCESS vaultconfig_show/1(version=u'2.215'): SUCCESS vault_archive_internal/1(u'key', session_key='...', nonce='...', version=u'2.215'): SUCCESS $ ipa vault-retrieve --password=12345 key vault_show/1(u'key', version=u'2.215'): SUCCESS vaultconfig_show/1(version=u'2.215'): SUCCESS vault_retrieve_internal/1(u'key', session_key='...', version=u'2.215'): SUCCESS
I did some experiments with python-requests. With a fast local vagrant box, 10 requests in a single session with keep-alive are about 15 to 40% faster than a TCP connection for each request. For 10 requests to a remote system (ipa.demo1.freeipa.org) keep-alive is about 3 to 4 times (!) faster. In the latter case I simple retrieve https://ipa.demo1.freeipa.org/.
ipa.demo1.freeipa.org
https://ipa.demo1.freeipa.org/
Metadata Update from @cheimes: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5
Metadata Update from @cheimes: - Custom field affects_doc reset - Custom field blocking reset - Custom field component reset - Custom field keywords reset - Custom field rhbz reset - Custom field type reset - Issue close_status updated to: None - Issue set to the milestone: None (was: FreeIPA 4.5) - Issue tagged with: integration
Metadata Update from @pvoborni: - Custom field affects_doc reset - Custom field tester adjusted to wanted - Issue set to the milestone: FreeIPA 4.5
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)
Metadata Update from @tkrizek: - Issue assigned to tkrizek (was: someone)
master:
ipa-4-5:
Metadata Update from @tkrizek: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1434384
Issue linked to bug 1434384
Log in to comment on this ticket.