A test system running CentOS 7 and SIMP 6.4 has very high latency during puppet agent runs when the SIMP Compliance Engine is turned on. I used the documentation found at Enable STIG Mode to configure the test system.
1 or 2 CPU (tried both, no difference)
I noticed before running the puppet agent with the compliance engine enabled the following figure in /opt/puppetserver/puppet/cache/state/last_run_summary.yaml:
Both disa_stig and nist compliance profiles had a similar effect:
Notice a 43x increase in time
Overall time for a puppet run jumps from about 37s to about 10m30s when comparing with and without the compliance engine enabled.
I tried disabling selinux and antivirus; none are effective. No logs that I've inspected indicate a problem either:
'iotop' shows no disk i/o bottlenecks. 'top' shows that the java process related to puppetserver runs at 100% cpu load, but only one core. RAM shows no limitations on processes.
Issue closed but documentation needs to be corrected as indicated in
This sounds a problem with your Puppet server. What are the specs on it? Is it memory constrained?
More important question: was this before or after you changed compliance_markup::enforcement to an array?
No, this issue was not caused by lack of resources on the puppet server. I noticed no strain on CPU or RAM. The problem was fixed when I changed the value type from a string to an array.