Refactor #10324
closed
Performance issues with Foreman Proxy Puppet CA plugin and large CA inventories
Description
Proxy::PuppetCa.list (https://github.com/theforeman/smart-proxy/blob/develop/modules/puppetca/puppetca_main.rb#L69) takes an extremely long period of time to complete when the CA inventory list is relatively large and there have been a relatively large number of revoked certificates.
The source of this issue is in Proxy::PuppetCa#ca_inventory, which performs a very slow O(n^2) operation to build up a hash of certificate data and whether each certificate has been revoked. In particular, the Proxy::PuppetCa#ca_inventory iterates through every certificate in the inventory and then looks up that certificate's serial in the array returned by Proxy::PuppetCa#revoked_serials. When both the inventory and the list of revoked clients is large, this operation is extremely slow.
The downstream effect of this issue is that trying to interact with the Puppet CA via Foreman simply times out (the read_timeout on the RestClient request is only 60 seconds, the Proxy::PuppetCa.list operation in our environment takes approximately 80s).
Perhaps a way to make this faster this would be to just return a valueless Hash from Proxy::PuppetCa#revoked_serials so that the serial lookup is ~O(1).
Just to give you some numbers to work with, we have approximately 10900 certificates in our inventory and about 8900 of them are revoked.
Updated by The Foreman Bot over 9 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/smart-proxy/pull/283 added
- Pull request deleted (
)
Updated by Jon McKenzie over 9 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 0a83088cf447fc4f67d1c68fd375adea7fb0a709.
Updated by Dominic Cleal over 9 years ago
- Assignee set to Jon McKenzie
- Translation missing: en.field_release set to 50