Project Quay / PROJQUAY-3810

Quay takes longer to start when LDAP_USER_FILTER looks for nested groups in an AD


    • Bug
    • Resolution: Not a Bug
    • Normal
    • quay-v3.6.6
    • quay

      Environment

      • Quay 3.6.6 (HA installation)
      • RHEL 8.5 + podman 3.4.2
      • 4 vCPU + 8Gb RAM
      • Upgraded from 3.3.0 to 3.6.6

       

      Issue

      The Quay container takes a long time to start up (~8min). Reviewing the logs, we can see that the process is stuck at "Validating LDAP":

       

         __   __
        /  \ /  \     ______   _    _     __   __   __
       / /\ / /\ \   /  __  \ | |  | |   /  \  \ \ / /
      / /  / /  \ \  | |  | | | |  | |  / /\ \  \   /
      \ \  \ \  / /  | |__| | | |__| | / ____ \  | |
       \ \/ \ \/ /   \_  ___/  \____/ /_/    \_\ |_|
        \__/ \__/      \ \__
                        \___\ by Red Hat
       Build, Store, and Distribute your Containers
      Running all default registry services
      Running init script '/quay-registry/conf/init/certs_create.sh'
      Running init script '/quay-registry/conf/init/certs_install.sh'
      Installing extra certificates found in /quay-registry/conf/stack/extra_ca_certs directory
      Running init script '/quay-registry/conf/init/copy_config_files.sh'
      Running init script '/quay-registry/conf/init/d_validate_config_bundle.sh'
      Validating Configuration
      time="2022-05-12T08:54:56Z" level=debug msg="Validating AccessSettings"
      time="2022-05-12T08:54:56Z" level=debug msg="Validating ActionLogArchiving"
      time="2022-05-12T08:54:56Z" level=debug msg="Validating AppTokenAuthentication"
      time="2022-05-12T08:54:56Z" level=debug msg="Validating BitbucketBuildTrigger"
      time="2022-05-12T08:54:56Z" level=debug msg="Validating BuildManager"
      time="2022-05-12T08:54:56Z" level=debug msg="Validating Database"
      time="2022-05-12T08:54:56Z" level=debug msg="Scheme: postgresql"
      time="2022-05-12T08:54:56Z" level=debug msg="Validating JWTAuthentication"
      time="2022-05-12T08:54:56Z" level=debug msg="Validating LDAP"
      time="2022-05-12T08:59:10Z" level=debug msg="Validating OIDC"
      time="2022-05-12T08:59:10Z" level=debug msg="Validating QuayDocumentation"
      time="2022-05-12T08:59:10Z" level=debug msg="Validating Redis"
      ...
      

      We have the following LDAP configuration in place:

      LDAP_USER_FILTER: (memberOf:1.2.840.113556.1.4.1941:=CN=xxxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,DC=xxxx,DC=xxx,DC=xxx)

      It contains the "1.2.840.113556.1.4.1941" attribute to search for nested groups in an Active Directory. If we remove it, the startup process is normal but the LDAP search is not looking for nested groups.

       

      This configuration was working as expected in Quay 3.3.0.

              dmunneor1@redhat.com Daniel Munne Ortega
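To pinpoint which validator stalls startup in a log like the one in this report, measure the gap between consecutive timestamped lines. This is an added example, not part of the original issue or of Quay's code; the function names and the 30-second threshold are assumptions, and the sample is a shortened, constructed copy of the log lines above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a shortened copy of the validator lines from the report.
SAMPLE_LOG = '''\
Validating Configuration
time="2022-05-12T08:54:56Z" level=debug msg="Validating Database"
time="2022-05-12T08:54:56Z" level=debug msg="Scheme: postgresql"
time="2022-05-12T08:54:56Z" level=debug msg="Validating JWTAuthentication"
time="2022-05-12T08:54:56Z" level=debug msg="Validating LDAP"
time="2022-05-12T08:59:10Z" level=debug msg="Validating OIDC"
time="2022-05-12T08:59:10Z" level=debug msg="Validating Redis"
'''

# key="value" log lines as printed by the config validator in the report.
LINE_RE = re.compile(
    r'^\s*time="(?P<ts>[^"]+)"\s+level=\w+\s+msg="(?P<msg>(?:[^"\\]|\\.)*)"'
)

def step_durations(log_text):
    """Return [(message, timedelta)]; a step's duration is the gap until the
    next timestamped line. The last line has no successor and is skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, init-script lines, "..." and similar
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["msg"]))
    return [(msg, nxt - ts) for (ts, msg), (nxt, _) in zip(events, events[1:])]

def slow_steps(log_text, threshold=timedelta(seconds=30)):
    """Steps whose gap to the next line meets the threshold, slowest first."""
    slow = [(msg, d) for msg, d in step_durations(log_text) if d >= threshold]
    return sorted(slow, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for msg, d in slow_steps(SAMPLE_LOG):
        print(f"{d.total_seconds():6.0f}s  {msg}")
```

The timestamps have one-second resolution, so steps that finish within the same second show a zero gap.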