#7803 Missing index on idnsName
Closed: fixed 5 years ago Opened 5 years ago by cheimes.

Issue

The data structures for the internal DNS server use the attribute idnsName instead of cn in the DN. It's also used to search for entries when entries are added, modified, or removed. There is currently no index on idnsName, which can lead to performance issues.

Steps to Reproduce

Prepare test zones and reverse zones:

$ ipa dnszone-add 172.16.0.0/20
  Zone name: 172.16.0.0/20.
$ ipa dnszone-add --name-from-ip=fd69:9e50:7266:e08c::/64
Zone name [c.8.0.e.6.6.2.7.0.5.e.9.9.6.d.f.ip6.arpa.]: 
  Zone name: c.8.0.e.6.6.2.7.0.5.e.9.9.6.d.f.ip6.arpa.
  Active zone: TRUE
$ ipa dnszone-find | grep 'Zone name'
  Zone name: 16.172.in-addr.arpa.
  Zone name: c.8.0.e.6.6.2.7.0.5.e.9.9.6.d.f.ip6.arpa.
  Zone name: ipa.example.

Add records:

$ ipa dnsrecord-add ipa.example. testhost1 --a-ip-address=172.16.0.1 --a-create-reverse --aaaa-ip-address=fd69:9e50:7266:e08c::1 --aaaa-create-reverse
  Record name: testhost1
  A record: 172.16.0.1
  AAAA record: fd69:9e50:7266:e08c::1
$ ipa host-add testhost1.ipa.example.
----------------------------------
Added host "testhost1.ipa.example"
----------------------------------
  Host name: testhost1.ipa.example
  Principal name: host/testhost1.ipa.example@IPA.EXAMPLE
  Principal alias: host/testhost1.ipa.example@IPA.EXAMPLE
  Password: False
  Keytab: False
  Managed by: testhost1.ipa.example

Delete host with update DNS

$ ipa host-del testhost1.ipa.example. --updatedns
------------------------------------
Deleted host "testhost1.ipa.example"
------------------------------------
$ ipa dnsrecord-find ipa.example. testhost1
----------------------------
Number of entries returned 0
----------------------------

Actual behavior

logconv.pl shows multiple unindexed searches related to DNS:

Unindexed search from the dnsrecord-add operation:

  Unindexed Component #5 (notes=U)
  -  Date/Time:             10/Dec/2018:10:06:30
  -  Connection Number:     3253
  -  Operation Number:      22
  -  Etime:                 0.0000881499
  -  Nentries:              0
  -  IP Address:            10.37.170.218
  -  Search Base:           idnsname=16.172.in-addr.arpa.,cn=dns,dc=ipa,dc=example
  -  Search Scope:          2 (subtree)
  -  Search Filter:         (&(idnsname=1.0)(&(objectclass=top)(objectclass=idnsrecord)))
  -  Bind DN:               uid=admin,cn=users,cn=accounts,dc=ipa,dc=example

  Unindexed Component #6 (notes=U)
  -  Date/Time:             10/Dec/2018:10:06:30
  -  Connection Number:     3253
  -  Operation Number:      37
  -  Etime:                 0.0000786556
  -  Nentries:              0
  -  IP Address:            10.37.170.218
  -  Search Base:           idnsname=c.8.0.e.6.6.2.7.0.5.e.9.9.6.d.f.ip6.arpa.,cn=dns,dc=ipa,dc=example
  -  Search Scope:          2 (subtree)
  -  Search Filter:         (&(idnsname=1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0)(&(objectclass=top)(objectclass=idnsrecord)))
  -  Bind DN:               uid=admin,cn=users,cn=accounts,dc=ipa,dc=example

Expected behavior

No unindexed searches

Version/Release/Distribution

freeipa-server-4.7.2-1.fc29.x86_64
freeipa-client-4.7.2-1.fc29.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.0.18-1.fc29.x86_64
pki-ca-10.6.8-3.fc29.noarch
krb5-server-1.16.1-21.fc29.x86_64


In other scenarios I have seen unindexed searches on arecord, aaaarecord, or even all records for dnsrecord-add --cname-hostname + dnsrecord-del.

  Unindexed Component #8 (notes=U)
  -  Date/Time:             10/Dec/2018:10:11:46
  -  Connection Number:     3267
  -  Operation Number:      7
  -  Etime:                 0.0029685505
  -  Nentries:              1
  -  IP Address:            10.37.170.218
  -  Search Base:           idnsname=ipa.example.,cn=dns,dc=ipa,dc=example
  -  Search Scope:          2 (subtree)
  -  Search Filter:         (&(|(idnsname=*testhost1*)(arecord=*testhost1*)(aaaarecord=*testhost1*)(a6record=*testhost1*)(afsdbrecord=*testhost1*)(aplrecord=*testhost1*)(certrecord=*testhost1*)(cnamerecord=*testhost1*)(dhcidrecord=*testhost1*)(dlvrecord=*testhost1*)(dnamerecord=*testhost1*)(dsrecord=*testhost1*)(hiprecord=*testhost1*)(hinforecord=*testhost1*)(ipseckeyrecord=*testhost1*)(keyrecord=*testhost1*)(kxrecord=*testhost1*)(locrecord=*testhost1*)(mdrecord=*testhost1*)(minforecord=*testhost1*)(mxrecord=*testhost1*)(naptrrecord=*testhost1*)(nsrecord=*testhost1*)(nsecrecord=*testhost1*)(nxtrecord=*testhost1*)(ptrrecord=*testhost1*)(rrsigrecord=*testhost1*)(rprecord=*testhost1*)(sigrecord=*testhost1*)(spfrecord=*testhost1*)(srvrecord=*testhost1*)(sshfprecord=*testhost1*)(tlsarecord=*testhost1*)(txtrecord=*testhost1*)(urirecord=*testhost1*))(&(objectclass=top)(objectclass=idnsrecord)))
  -  Bind DN:               uid=admin,cn=users,cn=accounts,dc=ipa,dc=example

Just a remark, notes=U means the filter of the search request cannot provide a candidate list. But the server managed to index the search using the ancestorid system index. So the filter did not help but the base search did: there is a limited number of entries under idnsname=ipa.example.,cn=dns,dc=ipa,dc=example. This is the reason why the search was so fast.
IMHO notes=U should be a help for the LDAP client to enhance the filter or index some of the components.

A major concern is about notes=A. Here it means the client filter and system indexes failed to identify a finite list of candidates.

I forgot to mention that I extracted the log output on a simple test system. The test setup just has two replicas and one client. I'm currently creating artificial test entries to test how the performance degrades with several hundred entries.

I've created about 1000 DNS records and their reverse with one IPv4 and one IPv6 address each. The filter now takes an etime of about 11-12ms with some outliers of more than 150ms.

  Unindexed Component #2379 (notes=U)
  -  Date/Time:             10/Dec/2018:13:52:39
  -  Connection Number:     5329
  -  Operation Number:      37
  -  Etime:                 0.0112565619
  -  Nentries:              0
  -  IP Address:            10.37.170.218
  -  Search Base:           idnsname=16.172.in-addr.arpa.,cn=dns,dc=ipa,dc=example
  -  Search Scope:          2 (subtree)
  -  Search Filter:         (&(idnsname=217.3)(&(objectclass=top)(objectclass=idnsrecord)))
  -  Bind DN:               uid=admin,cn=users,cn=accounts,dc=ipa,dc=example

  Unindexed Component #2380 (notes=U)
  -  Date/Time:             10/Dec/2018:13:52:53
  -  Connection Number:     5345
  -  Operation Number:      22
  -  Etime:                 0.0120726568
  -  Nentries:              0
  -  IP Address:            10.37.170.218
  -  Search Base:           idnsname=c.8.0.e.6.6.2.7.0.5.e.9.9.6.d.f.ip6.arpa.,cn=dns,dc=ipa,dc=example
  -  Search Scope:          2 (subtree)
  -  Search Filter:         (&(idnsname=5.2.2.0.3.0.0.0.0.0.0.0.0.0.0.0)(&(objectclass=top)(objectclass=idnsrecord)))
  -  Bind DN:               uid=admin,cn=users,cn=accounts,dc=ipa,dc=example

  Unindexed Component #2381 (notes=U)
  -  Date/Time:             10/Dec/2018:13:53:10
  -  Connection Number:     5365
  -  Operation Number:      37
  -  Etime:                 0.0116983687
  -  Nentries:              0
  -  IP Address:            10.37.170.218
  -  Search Base:           idnsname=c.8.0.e.6.6.2.7.0.5.e.9.9.6.d.f.ip6.arpa.,cn=dns,dc=ipa,dc=example
  -  Search Scope:          2 (subtree)
  -  Search Filter:         (&(idnsname=5.3.2.0.3.0.0.0.0.0.0.0.0.0.0.0)(&(objectclass=top)(objectclass=idnsrecord)))
  -  Bind DN:               uid=admin,cn=users,cn=accounts,dc=ipa,dc=example

  Unindexed Component #2382 (notes=U)
  -  Date/Time:             10/Dec/2018:13:53:23
  -  Connection Number:     5381
  -  Operation Number:      22
  -  Etime:                 0.1856511499
  -  Nentries:              0
  -  IP Address:            10.37.170.218
  -  Search Base:           idnsname=c.8.0.e.6.6.2.7.0.5.e.9.9.6.d.f.ip6.arpa.,cn=dns,dc=ipa,dc=example
  -  Search Scope:          2 (subtree)
  -  Search Filter:         (&(idnsname=3.4.2.0.3.0.0.0.0.0.0.0.0.0.0.0)(&(objectclass=top)(objectclass=idnsrecord)))
  -  Bind DN:               uid=admin,cn=users,cn=accounts,dc=ipa,dc=example

without index

[10/Dec/2018:14:08:40.524514293 +0100] conn=5409 op=3 SRCH base="idnsname=16.172.in-addr.arpa.,cn=dns,dc=ipa,dc=example" scope=2 filter="(&(idnsName=217.3)(&(objectClass=top)(objectClass=idnsrecord)))" attrs=ALL
[10/Dec/2018:14:08:40.687782248 +0100] conn=5409 op=3 RESULT err=0 tag=101 nentries=1 etime=0.0163868027 notes=U
[10/Dec/2018:14:08:47.347412174 +0100] conn=5411 op=3 SRCH base="idnsname=16.172.in-addr.arpa.,cn=dns,dc=ipa,dc=example" scope=2 filter="(&(idnsName=217.3)(&(objectClass=top)(objectClass=idnsrecord)))" attrs=ALL
[10/Dec/2018:14:08:47.469878863 +0100] conn=5411 op=3 RESULT err=0 tag=101 nentries=1 etime=0.1877338162 notes=U

etime 0.0163868027 and 0.1877338162

with index on idnsName

[10/Dec/2018:14:13:14.369247885 +0100] conn=5426 op=3 SRCH base="idnsname=16.172.in-addr.arpa.,cn=dns,dc=ipa,dc=example" scope=2 filter="(&(idnsName=217.3)(&(objectClass=top)(objectClass=idnsrecord)))" attrs=ALL
[10/Dec/2018:14:13:14.370583489 +0100] conn=5426 op=3 RESULT err=0 tag=101 nentries=1 etime=0.0001891507

etime 0.0001891507
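The remark above distinguishes notes=U (filter unindexed, ancestorid index saved the search) from notes=A (no candidate list at all), and the before/after timings show what an idnsName index buys. The following script is an added example, not code from the ticket or from FreeIPA, that does the two things a practitioner needs here: it pairs SRCH and RESULT lines from a 389-ds access log by (conn, op) and reports every search flagged U or A together with its etime and the attributes in its filter, and it emits the LDIF that creates an attribute index. The sample log lines are constructed (modeled on the lines quoted in the ticket, plus an invented notes=A search on conn=5500); the backend name userRoot and the eq/pres/sub index types are assumptions for the example.

```python
import re

# Regexes for the two 389-ds access-log line shapes the analysis needs: the
# SRCH line (what was asked) and the matching RESULT line (how it went).
SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>.*)" attrs='
)
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) '
    r'.*?nentries=(?P<nentries>\d+).*?etime=(?P<etime>[\d.]+)'
    r'(?:.*?notes=(?P<notes>[A-Z,]+))?'
)

# Meaning of the notes flags as described in the ticket: U = the filter alone
# produced no candidate list (the ancestorid system index on the search base
# rescued it), A = neither the filter nor the system indexes did, so the server
# walked all IDs. A is the one to treat as urgent.
NOTE_SEVERITY = {"A": "fully unindexed (ALLIDS)", "U": "filter unindexed"}


def filter_attributes(ldap_filter):
    """Attribute names used in an LDAP filter, deduplicated, case-insensitive order."""
    names = re.findall(r'\(([A-Za-z][\w;-]*)\s*[=~<>]', ldap_filter)
    return sorted(set(names), key=str.lower)


def find_unindexed(lines):
    """Pair SRCH and RESULT lines by (conn, op) and return the searches whose
    RESULT carries notes=U or notes=A, in RESULT order."""
    pending = {}
    hits = []
    for line in lines:
        m = SRCH_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = m.groupdict()
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue
        srch = pending.pop((m["conn"], m["op"]), None)
        flags = set((m["notes"] or "").split(",")) - {""}
        if srch is None or not (flags & {"U", "A"}):
            continue
        hits.append({
            "conn": m["conn"],
            "op": m["op"],
            "base": srch["base"],
            "filter": srch["filter"],
            "attrs": filter_attributes(srch["filter"]),
            "nentries": int(m["nentries"]),
            "etime": float(m["etime"]),
            "flags": flags,
            "severity": NOTE_SEVERITY["A"] if "A" in flags else NOTE_SEVERITY["U"],
        })
    return hits


def index_ldif(attr, index_types=("eq", "pres", "sub"), backend="userRoot"):
    """LDIF that creates a 389-ds attribute index. The cn=config layout is the
    standard one; 'userRoot' as the backend name is an assumption here."""
    dn = f"cn={attr},cn=index,cn={backend},cn=ldbm database,cn=plugins,cn=config"
    lines = [f"dn: {dn}", "objectClass: top", "objectClass: nsIndex",
             f"cn: {attr}", "nsSystemIndex: false"]
    lines += [f"nsIndexType: {t}" for t in index_types]
    return "\n".join(lines) + "\n"


# Constructed sample log: modeled on the lines quoted in the ticket, plus one
# invented fully unindexed search (conn=5500) to show the notes=A case.
SAMPLE_LOG = """\
[10/Dec/2018:14:08:40.524514293 +0100] conn=5409 op=3 SRCH base="idnsname=16.172.in-addr.arpa.,cn=dns,dc=ipa,dc=example" scope=2 filter="(&(idnsName=217.3)(&(objectClass=top)(objectClass=idnsrecord)))" attrs=ALL
[10/Dec/2018:14:08:40.687782248 +0100] conn=5409 op=3 RESULT err=0 tag=101 nentries=1 etime=0.0163868027 notes=U
[10/Dec/2018:14:13:14.369247885 +0100] conn=5426 op=3 SRCH base="idnsname=16.172.in-addr.arpa.,cn=dns,dc=ipa,dc=example" scope=2 filter="(&(idnsName=217.3)(&(objectClass=top)(objectClass=idnsrecord)))" attrs=ALL
[10/Dec/2018:14:13:14.370583489 +0100] conn=5426 op=3 RESULT err=0 tag=101 nentries=1 etime=0.0001891507
[10/Dec/2018:14:20:01.000000000 +0100] conn=5500 op=2 SRCH base="dc=ipa,dc=example" scope=2 filter="(description=*host*)" attrs=ALL
[10/Dec/2018:14:20:03.000000000 +0100] conn=5500 op=2 RESULT err=0 tag=101 nentries=3 etime=2.0012345678 notes=A
"""

if __name__ == "__main__":
    for h in find_unindexed(SAMPLE_LOG.splitlines()):
        print(f"conn={h['conn']} op={h['op']} {h['severity']} etime={h['etime']:.4f} "
              f"base={h['base']} attrs={','.join(h['attrs'])}")
    print(index_ldif("idnsName"), end="")
```

Run it against a real /var/log/dirsrv/slapd-*/access file by passing `open(path)` to `find_unindexed`; the indexed search on conn=5426 is correctly not reported. Adding the index entry with ldapadd only covers entries written afterwards, so existing entries still need a reindex (the 389-ds reindex task, `dsconf ... backend index reindex` in 1.4) before the etime drop shown above applies to them.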

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2670

5 years ago

Metadata Update from @cheimes:
- Issue assigned to cheimes

5 years ago

Metadata Update from @cheimes:
- Issue set to the milestone: FreeIPA 4.6.5

5 years ago

master:

ipa-4-6:

ipa-4-7:

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago
