Speedup Gerrit LDAP login time

Experiencing long Gerrit login times, slow member listing, etc.?

One cause can be using, or switching to, a cloud LDAP provider: every request has to travel to the provider and authenticate, which takes a long time. And because “cloud is the future”, let’s try speeding up the process without using a local LDAP provider.

Cutting down the amount of information that is being sent

The first thing you should do is cut down the amount of data that has to be sent over the internet and searched through.

What do you get from your ldapsearch request?

ldapsearch -x -D "LoginName" -w Password -H ldap://127.0.0.1:1000  -b "dc=domain,dc=test" >test1 
wc -l test1 
8417 test1

Try to get this number as low as possible by exposing the smallest set of information possible (number of users, groups, etc.).

With some cloud providers, such as Google Workspace, you can select which users, groups and “OUs” you want to include.

Maybe you don’t need the whole company and all of the “OUs”; maybe you can have a group that contains all the necessary users. Start by cutting down this output first, which will help with the traffic and with the cloud provider (Google Workspace) side of things.


You can run ldapsearch after each change to see whether the number is getting lower and whether you still have all of the users and groups.
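`wc -l` counts LDIF lines, not entries, and does not show where the entries live. The following is an added example (not part of the original post) that tallies the entries in an ldapsearch dump per parent container, so you can see which “OUs” still contribute after each change; the function names and the sample LDIF are constructed for illustration.

```shell
# Added example (not from the original post): count ldapsearch entries per
# parent container. Function names and the sample LDIF are constructed.
ldif_entries_by_container() {
  awk '
    # The first unescaped comma ends the RDN; the rest is the parent container.
    function parent(dn,   i, c) {
      for (i = 1; i <= length(dn); i++) {
        c = substr(dn, i, 1)
        if (c == "\\") { i++; continue }   # skip the escaped character
        if (c == ",") return substr(dn, i + 1)
      }
      return "(no parent)"
    }
    function tally() {
      if (tolower(substr(cur, 1, 5)) == "dn:: ") n["(base64-encoded dn)"]++
      else if (tolower(substr(cur, 1, 4)) == "dn: ") n[parent(substr(cur, 5))]++
      cur = ""
    }
    /^ / { cur = cur substr($0, 2); next }   # LDIF folding: continuation line
    { tally(); cur = $0 }
    END { tally(); for (c in n) print n[c], c }
  ' | sort -k1,1nr -k2
}

sample_ldif() {   # constructed sample, shaped like ldapsearch output
cat <<'EOF'
# extended LDIF
# base <dc=domain,dc=test> with scope subtree

dn: uid=alice,ou=Users,dc=domain,dc=test
objectClass: inetOrgPerson

dn: cn=Doe\, John,ou=Users,dc=domain,dc=test
objectClass: inetOrgPerson

dn: uid=a-very-long-user-name-that-ldapsearch-folds,ou=Contractors,dc=doma
 in,dc=test

dn: cn=gerrit-groups-pattern-dev,ou=Groups,dc=domain,dc=test
member: uid=alice,ou=Users,dc=domain,dc=test

# search result
result: 0 Success
EOF
}

sample_ldif | ldif_entries_by_container
```

To run it against the real dump from above, use `ldif_entries_by_container < test1`.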

Change the Gerrit search-through LDAP scope

To help speed things up on the Gerrit side, define the exact “OUs” where users and groups are stored and the name pattern Gerrit should look for.

vim /etc/gerrit.config
[ldap]
        server = ldap://127.0.0.1:1636
        username =
        password = 
        accountBase = ou=Users,dc=domain,dc=test
        groupBase = ou=Groups,dc=domain,dc=test
        groupMemberPattern = (&(objectClass=groupOfNames)(member=${dn}))
        groupPattern = (&(objectClass=groupOfNames)(cn=gerrit-groups-pattern*))

Cache the LDAP information in Gerrit

You can cut the information to the minimum, but you will probably still experience the unavoidable network latency caused by distance.

To fix that we can cache some of the LDAP information, so it’s fetched locally most of the time.

Change the times according to your needs. Try to strike a balance between how long you are willing to go without synchronizing users with the Active Directory (Cloud Identity…) provider and how many times a day you want someone to experience the “LDAP lag”.

Meaning: when a new user arrives, an old one is deactivated or blocked, a password is changed, etc.

vim /etc/gerrit.config
[cache "accounts"]
maxAge = 4 hour
[cache "ldap_groups"]
maxAge = 4 hour
[cache "ldap_groups_byinclude"]
maxAge = 12 hour
[cache "ldap_usernames"]
maxAge = 4 hour

If you want to check precisely what these settings do, see the Gerrit documentation.

Resize Gerrit heap size

Another thing you could do is change the Gerrit heap size.

What is heap size you may ask? (https://www.ibm.com/docs/en/mam/7.6.0?topic=tuning-heap-size-values)

The default maximum heap size should be 1/4 of available RAM. So to do this automatically, just increase your RAM and the heap size will follow.

To do it manually (not recommended), change the “Xmx” value in Gerrit’s “ExecStart”:

ExecStart=/usr/bin/java -Xmx2048m -jar ${GERRIT_HOME}/bin/gerrit.war daemon -d ${GERRIT_HOME}
This post is licensed under CC BY 4.0 by the author.