<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=Content-Type content="text/html; charset=us-ascii"> <META content="MSHTML 6.00.2800.1605" name=GENERATOR></HEAD> <BODY> <DIV dir=ltr align=left>Andrey, </DIV> <DIV dir=ltr align=left>Thanks this actually helps alot towards my understanding. Appreciate the information, that logconv.pl is slick!</DIV> <DIV dir=ltr align=left> </DIV> <DIV dir=ltr align=left>James</DIV> <DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left> </DIV> <DIV></DIV>Hi, we use following approaches: 1. we limit the idle connection time "net.ipv4.tcp_keepalive_time = ..." in /etc/sysctl.conf 2. fs.file-max = 65000 in the same sysct.conf 3. In "/etc/profile" we have added the libe "ulimit -n 65000", otherwise /etc/init.d/dirsrv takes the value by default of 8192 4. echo "ldap hard nofile 65000" >> /etc/security/limits.conf echo "ldap soft nofile 65000" >> /etc/security/limits.conf echo "ldap hard core 64" >> /etc/security/limits.conf echo "ldap soft core 64" >> /etc/security/limits.conf echo "root hard nofile 65000" >> /etc/security/limits.conf echo "root soft nofile 65000" >> /etc/security/limits.conf echo "root hard core 64" >> /etc/security/limits.conf echo "root soft core 64" >> /etc/security/limits.conf 5. verification of unindexed searches ("notes=U") 6. nsscache on clients we have approx 180 clients, and even without nsscache about 300 conns in parallel are ok... You can also use logconv.pl -V logfile to analyse your logs and stats... <DIV class=gmail_quote>2009/2/26 Chavez, James R. <<A href="mailto:james.chavez@sanmina-sci.com">james.chavez@sanmina-sci.com</A>> <BLOCKQUOTE class=gmail_quote style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid"> <DIV> <DIV></DIV> <DIV class=Wj3C7c> Thanks, I think that may be our issue. Can I ask what parameters you set to accomplish this? And also what is your "net.ipv4.tcp_keepalive_time" set to? Thanks again James We had the same problem. We set the idle timeout, and it was fixed. By default it doesn't timeout connections. We are only doing around 4K transactions a minute, but the idle connections would constantly grow to 1024. Once putting in the timeout we maintain only about 30 idle at a time. We set our limit to 60 seconds. -Kevin -----Original Message----- From: <A href="mailto:fedora-directory-users-bounces@redhat.com">fedora-directory-users-bounces@redhat.com</A> [mailto:<A href="mailto:fedora-directory-users-bounces@redhat.com">fedora-directory-users-bounces@redhat.com</A>] On Behalf Of Chavez, James R. Sent: Thursday, February 26, 2009 9:24 AM To: General discussion list for the Fedora Directory server project. Subject: RE: [Fedora-directory-users] Too many FDS open -----Original Message----- From: <A href="mailto:fedora-directory-users-bounces@redhat.com">fedora-directory-users-bounces@redhat.com</A> [mailto:<A href="mailto:fedora-directory-users-bounces@redhat.com">fedora-directory-users-bounces@redhat.com</A>] On Behalf Of sigid@JINLab Sent: Thursday, February 26, 2009 12:43 AM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Too many FDS open Chavez, James R. wrote: > Hello Rich, list, > > > Earlier today we started getting this error in our FDS error log > repeatedly. Obviously connections were being refused at this point. I > had to restart the directory server for the server to function again. > Prior to releasing this box into production I did set the parameters > according to the Installation guide specifications. The output of > "ulimit -n" is 8192. The output of "sysctl -p" is below.(I increased > fs.file-max from 64000)Does anything look off? > net.ipv4.tcp_syncookies = 1 > net.ipv4.tcp_keepalive_time = 300 > fs.file-max = 128000 > net.ipv4.ip_local_port_range = 1024 65000 > > I also changed the setting in the config from > nsslapd-maxdescriptors: 1024 to > nsslapd-maxdescriptors: 8192 > > Is there a way to tweak these settings so that this will not happen in > the future? > This is a dedicated consumer or read only replica. > Directory size is roughly 20,000 users. > We are running FC9 and FDS 1.1.1-3. > We are lacking in RAM but look to improve on that shortly. > > I do see on the web past posts to this list regarding this error, I am > currently looking through them. Is there anyone out there that has > experienced this and gotten past it? > > Thanks > James > > [25/Feb/2009:13:30:08 -0600] - Not listening for new connections - too > many fds open > [25/Feb/2009:13:30:08 -0600] - Listening for new connections again > [25/Feb/2009:13:30:08 -0600] - Not listening for new connections - too > many fds open > [25/Feb/2009:13:30:08 -0600] - Listening for new connections again Is your client using windows OS? is there any posibilities that it could be virus replicating and distributing it self into networks? If storing file on domain/networks using FDS for authentication, the frequently authentication process should cause the "too many fds open". -- We are using all Linux clients. I would not think it would be virus related. This implementation is actually replacing Windows. This box is the authentication source for all the Linux clients. What effect if any does replication have on fds or file descriptors.. Thanks James CONFIDENTIALITY This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof. ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity. -- Fedora-directory-users mailing list <A href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</A> <A href="https://www.redhat.com/mailman/listinfo/fedora-directory-users" target=_blank>https://www.redhat.com/mailman/listinfo/fedora-directory-users</A> </DIV></DIV>Ahh, I think I found it for the idle connections. Thanks for the pointer, I appreciate it. <DIV> <DIV></DIV> <DIV class=Wj3C7c> James CONFIDENTIALITY This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof. ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity. -- Fedora-directory-users mailing list <A href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</A> <A href="https://www.redhat.com/mailman/listinfo/fedora-directory-users" target=_blank>https://www.redhat.com/mailman/listinfo/fedora-directory-users</A> </DIV></DIV></BLOCKQUOTE></DIV> CONFIDENTIALITY This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof. ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity. </BODY></HTML>