Bug 28729 - Quota nicht bei jeder Anmeldung auswerten
Quota nicht bei jeder Anmeldung auswerten
Product: UCS
Classification: Unclassified
Component: Quota
UCS 3.2
Other Linux
: P2 enhancement (vote)
: UCS 3.2-5-errata
Assigned To: Stefan Gohmann
Felix Botner
Depends on:
Blocks: 36104 36989
  Show dependency treegraph
Reported: 2012-10-10 10:52 CEST by Janis Meybohm
Modified: 2015-05-07 13:46 CEST (History)
7 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted after Product Owner Review:
Ticket number:
Bug group (optional): UCS Performance
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Janis Meybohm univentionstaff 2012-10-10 10:52:32 CEST
An Ticket 2012072421004332 berichtete ein Kunde performance Probleme bei der Windows Anmeldung (sowie Fehlermeldungen beim "net rpc join") durch /usr/sbin/univention-user-quota.

Ggf. könnte man hier, ähnlich wie bei Mail-Quota, definierbar machen dass die Quota z.B. nur einmal am Tag, einmal in 4 Stunden o.ä. ausgewertet werden (steuerbar per UCR).

Als Workaround kann die Auswertung derzeit mit "ucr set quota/userdefault=no" deaktiviert werden.
Comment 1 Ingo Steuwer univentionstaff 2013-11-26 19:59:53 CET
The problem occurs more often in UCS@school environments like 2013112621003598

UCS@school usually comes with a larger number of shares (one per class), which increases the problem. univention-user-quota processes each share with a policy result in case one matches to the current user. In addition, it seems to run more than one time per user (maybe samba4 triggers pam-session on each connection to a share?).

ideas to improve the script:
- modify it to run it once per user per day (as mentioned in comment #1)
- cache the informations about shares and their policy results
- fork a background process instead of blocking the PAM stack
Comment 2 Jan Christoph Ebersbach univentionstaff 2014-09-04 15:24:25 CEST
Also reported in Ticket #2014090421000331.
Comment 3 Tim Petersen univentionstaff 2014-10-08 15:12:26 CEST
Also reported at 2014100821000213
Comment 4 Tim Petersen univentionstaff 2014-10-29 07:17:21 CET
(In reply to Ingo Steuwer from comment #1)
> The problem occurs more often in UCS@school environments like
> 2013112621003598
> UCS@school usually comes with a larger number of shares (one per class),
> which increases the problem.

In one case (2014100821000213) - it is not possible to even run the script once a day, as one run with >25000 users and >4000 shares takes much more than one day.

Another idea would be to configure a list with shares on wich the quota should be updated. This seems to dramatically increase the run time.
Comment 5 Jan Christoph Ebersbach univentionstaff 2014-11-18 10:24:46 CET
Another UCS@school customer reported this issue at Ticket #2014101321000203.
Comment 6 Tim Petersen univentionstaff 2015-02-03 09:57:04 CET
Reported at 2015012621000311
Comment 7 Stefan Gohmann univentionstaff 2015-03-23 08:46:41 CET
I think we should change it in the following way:

* The tool univention-user-quota doesn't run the policy_result itself. It uses a cache directory.

* The cache directory is filled by a listener module. 

* The listener module has to re-create the cache for one share if the share path, the share hostname, or the policy reference has been changed at a share object or if a quota policy has been changed or if a policy reference has been changed at a parent object.
Comment 8 Stefan Gohmann univentionstaff 2015-04-07 06:46:09 CEST
Backported from UCS 4.0-1errata, see Bug #36989 for details.

ucs-test: r59599

univention-quota: r59600

YAML: 2015-04-03-univention-quota.yaml: r59601

For QA: see also /usr/share/ucs-test/53_samba-common/50quota
Comment 9 Stefan Gohmann univentionstaff 2015-04-13 06:15:13 CEST
Some more fixes: r59715 + r59717 + r59721 + r59723

A new directory /var/cache/univention-quota/todo has been added. The listener module now uses this directory to transfer the DNs from the handler to the postrun. The listener also uses the connection to the ldap/master if other ldap servers (ldap/server/*) are not reachable.
Comment 10 Felix Botner univentionstaff 2015-05-05 14:50:31 CEST
OK - see bug #36989

Comment 11 Janek Walkenhorst univentionstaff 2015-05-07 13:46:39 CEST