mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
18a8a41580
* Drop support for python 2 * Only import traceback and syslog when needed * Only import ipaserver.install.certs when the lock is needed * Only import ipautil when run is needed For the unsupported operations case this improves performance by 95% For the supported operations that don't require a lock the improvement is about 50%. For the supported operations that require a lock the improvement is about 20% When configuring a CA certmonger calls its helper with the following operations: IDENTIFY FETCH-ROOTS GET-SUPPORTED-TEMPLATES GET-DEFAULT-TEMPLATE GET-NEW-REQUEST-REQUIREMENTS GET-RENEW-REQUEST-REQUIREMENTS FETCH-SCEP-CA-CAPS FETCH-SCEP-CA-CERTS Only IDENTIFY, FETCH-ROOTS and GET-NEW-REQUEST-REQUIREMENTS are supported by ipa-submit, along with the request options SUBMIT and POLL. Which means every time the IPA CA in certmonger is updated eight calls to ipa-server-guard are made so the savings are cumulative. The savings when executing these eight operations is a 73% decrease (.7 sec vs 2.5 sec). https://pagure.io/freeipa/issue/8425 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Ground rules on adding new schema Brand new schema, particularly when written specifically for IPA, should be added in share/*.ldif. Any new files need to be explicitly loaded in ipaserver/install/dsinstance.py. These simply get copied directly into the new instance schema directory. Existing schema (e.g. in an LDAP draft) may either be added as a separate ldif in share or as an update in the updates directory. The advantage of adding the schema as an update is if 389-ds ever adds the schema then the installation won't fail due to existing schema failing to load during bootstrap. If the new schema requires a new container then this should be added to install/bootstrap-template.ldif.