Change the flush mode to auto
Describe the bug
After upgrading from Keycloak 15.1.1 (WildFly) to Keycloak 17.0.0 (Quarkus), we noticed that responses from /auth/admin/realms/<realm>/users
are much slower.
CPU usage on the Keycloak server also spikes to 100%.
I.e.
/auth/admin/realms/<realm>/users?first=0&max=7045
takes:
15.1.1 - 34 seconds
17.0.0 - about 7 min
We do not observe slow queries on DB level.
keycloak conf:
db=mariadb
db-username=user
# The database password is stored in clear text in this file; keep keycloak.conf
# readable only by the account that runs Keycloak.
db-password=xxx
# NOTE(review): no TLS-related parameters appear in this JDBC URL; confirm how the
# connections to the three listed database hosts are protected.
db-url=jdbc:mariadb:sequential://x.x.x.x:3306,x.x.x.x:3306,x.x.x.x:3306/keycloak
# Plain-HTTP listener on port 8180; it should be reachable only from the fronting
# proxy or a trusted network segment.
http-enabled=true
http-port=8180
kc.http.relative-path=auth
kc.https.relative-path=auth
quarkus-properties-enabled=true
# Metrics and healthcheck are disabled by default
# NOTE(review): with metrics enabled, confirm the metrics endpoint is not exposed
# to untrusted clients.
kc.metrics-enabled=true
# Infinispan cache, configured by the cache-ispn.xml file named below.
cache=ispn
cache.config.file=cache-ispn.xml
# NOTE(review): proxy=passthrough is combined with http-enabled=true above; confirm
# which listener the proxy targets and that TLS covers that hop.
proxy=passthrough
hostname=xxx
cache_ispn:
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright 2019 Red Hat, Inc. and/or its affiliates
~ and other contributors as indicated by the @author tags.
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<infinispan xmlns="urn:infinispan:config:11.0"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="urn:infinispan:config:11.0 http://www.infinispan.org/schemas/infinispan-config-11.0.xsd">
  <!-- The schemaLocation above is only a validation hint and points at a plain
       http:// URL; tooling that validates this file should use a locally pinned
       copy of the schema instead of fetching it. -->

  <jgroups>
    <!-- Add JGroups stacks for Infinispan clustering. -->
    <!-- "kc-tcp" extends the stock "tcp" stack, pins the bind port to 7700 and
         replaces MPING discovery with a static TCPPING host list.
         NOTE(review): no encryption or authentication protocol is added here.
         Unless the inherited stack or the network layer provides one, cluster
         traffic (including the session caches below) is sent unprotected, so
         port 7700 should be reachable by the cluster members only. -->
    <stack name="kc-tcp" extends="tcp">
      <TCP bind_port="7700"/>
      <TCPPING initial_hosts="${jgroups.tcpping.initial_hosts:x.x.x.x[7700],x.x.x.x[7700]}"
               port_range="0"
               stack.combine="REPLACE"
               stack.position="MPING"/>
    </stack>
  </jgroups>

  <cache-container name="keycloak">
    <!-- Cluster transport uses the "kc-tcp" stack defined above. -->
    <transport lock-timeout="60000" stack="kc-tcp"/>

    <!-- Node-local caches, each capped at 10000 entries. -->
    <local-cache name="realms">
      <encoding>
        <key media-type="application/x-java-object"/>
        <value media-type="application/x-java-object"/>
      </encoding>
      <memory max-count="10000"/>
    </local-cache>
    <local-cache name="users">
      <encoding>
        <key media-type="application/x-java-object"/>
        <value media-type="application/x-java-object"/>
      </encoding>
      <memory max-count="10000"/>
    </local-cache>

    <!-- Session-related caches: every entry is held by two owners, and
         lifespan="-1" means no expiry is applied at cache level. -->
    <distributed-cache name="sessions" owners="2">
      <expiration lifespan="-1"/>
    </distributed-cache>
    <distributed-cache name="authenticationSessions" owners="2">
      <expiration lifespan="-1"/>
    </distributed-cache>
    <distributed-cache name="offlineSessions" owners="2">
      <expiration lifespan="-1"/>
    </distributed-cache>
    <distributed-cache name="clientSessions" owners="2">
      <expiration lifespan="-1"/>
    </distributed-cache>
    <distributed-cache name="offlineClientSessions" owners="2">
      <expiration lifespan="-1"/>
    </distributed-cache>
    <distributed-cache name="loginFailures" owners="2">
      <expiration lifespan="-1"/>
    </distributed-cache>

    <local-cache name="authorization">
      <encoding>
        <key media-type="application/x-java-object"/>
        <value media-type="application/x-java-object"/>
      </encoding>
      <memory max-count="10000"/>
    </local-cache>

    <!-- Replicated to every node; no cache-level expiry. -->
    <replicated-cache name="work">
      <expiration lifespan="-1"/>
    </replicated-cache>

    <!-- Node-local cache: entries idle for 3600000 ms (one hour) expire,
         and at most 1000 entries are kept. -->
    <local-cache name="keys">
      <encoding>
        <key media-type="application/x-java-object"/>
        <value media-type="application/x-java-object"/>
      </encoding>
      <expiration max-idle="3600000"/>
      <memory max-count="1000"/>
    </local-cache>

    <!-- No cache-level lifespan, idle limit or size bound (max-count="-1");
         the expiration reaper runs every 300000 ms (five minutes). -->
    <distributed-cache name="actionTokens" owners="2">
      <encoding>
        <key media-type="application/x-java-object"/>
        <value media-type="application/x-java-object"/>
      </encoding>
      <expiration max-idle="-1" lifespan="-1" interval="300000"/>
      <memory max-count="-1"/>
    </distributed-cache>
  </cache-container>
</infinispan>
Build command:
./kc.sh build --cache-config-file cache-ispn.xml --cache ispn --http-relative-path auth --metrics-enabled true -Dkc.db-tx-type=enabled -Dkc.db-driver=org.mariadb.jdbc.Driver
show-config:
Current Mode: none
Runtime Configuration:
kc.cache = ispn (PropertiesConfigSource[source=file:/home/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.cache-config-file = cache-ispn.xml (PersistedConfigSource)
kc.config.args = show-config (SysPropConfigSource)
kc.db = mariadb (PropertiesConfigSource[source=file:/home/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.db-password = ******* (PropertiesConfigSource[source=file:/home/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.db-url = jdbc:mariadb:sequential://x.x.x.x:3306,x.x.x.x:3306,x.x.x.x:3306/keycloak (PropertiesConfigSource[source=file:/home/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.db-username = user (PropertiesConfigSource[source=file:/home/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.home.dir = /home/keycloak/keycloak-17.0.0/bin/../ (SysPropConfigSource)
kc.hostname = xxx (PropertiesConfigSource[source=file:/home/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.http-enabled = true (PropertiesConfigSource[source=file:/home/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.http-port = 8180 (PropertiesConfigSource[source=file:/home/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.http-relative-path = auth (PersistedConfigSource)
kc.metrics-enabled = true (PersistedConfigSource)
kc.proxy = passthrough (PropertiesConfigSource[source=file:/home/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.quarkus-properties-enabled = true (PersistedConfigSource)
kc.show.config = none (SysPropConfigSource)
kc.spi.theme.cache-templates = false (PropertiesConfigSource[source=file:/home/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.spi.theme.cache-themes = false (PropertiesConfigSource[source=file:/home/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.spi.theme.static-max-age = -1 (PropertiesConfigSource[source=file:/home/keycloak/keycloak-17.0.0/bin/../conf/keycloak.conf])
kc.version = 17.0.0 (SysPropConfigSource)
Version
17.0.0
Expected behavior
Getting users from the REST API is about as fast as on 15.1.1
Actual behavior
Getting users from the REST API is slow
How to Reproduce?
Try to get users from REST API:
/auth/admin/realms/<realm>/users?first=0&max=7045
Anything else?
No response
Top GitHub Comments
PHEW 😃
And thanks for contributing this.
Hi, on the new VM it looks good. Getting all users takes 18 sec. It looks like your fix is working. Thanks for your assistance 😃