[Freeipa-users] strange replica install error (another one)

Thu Dec 4 16:41:48 UTC 2014

On 12/04/2014 04:56 PM, Janelle wrote:
> Hi all,
>
> just (pam)auth and nslcd
>
> It was ported from a running OpenLDAP environment to IPA.  Just trying 
> to do conversions in stages so as not to change too much all at once. 
> Thought I could go from OpenLDAP to IPA and just use the backend of 
> 389ds. Functionally it does work, but the load kills it. Seems like 
> FDs are a huge problem.  But all the settings documented don't see to 
> resolve the magic:
>
> / Netscape Portable Runtime error -5971 (Process open FD table is full.)/
>
> error.
>
> Shouldn't this increase file descriptors in conjunction with 
> /etc/sysconfig/dirsrv.systemd change? FS-limits across the OS are set 
> to 65535 - /etc/security/limits.conf, /proc, sysctl.conf -- everything 
> but 389-ds itself. But I still can't get this to work, although it 
> does not give an error.
>
> ldapmodify -x -D "cn=directory manager" -W <<EOF
> dn: cn=config,cn=ldbm database,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-maxdescriptors
> nsslapd-maxdescriptors: 65535
> -
> replace: nsslapd-dtablesize
> nsslapd-dtablesize: 65535
> -
> replace: nsslapd-reservedescriptors
> nsslapd-reservedescriptors: 100
> EOF
there are two problems
- how to increase the connetction table size in DS
I would suggest to replace nsslapd-conntablesize and restart the server, 
the change is not dynamic
- why you are running out of file descriptors
you should query "cn=monitor" to check the effective tablesize and the 
number of established connections
it could be a problem of clients not well behaving and not closing 
connections. you could set a low value of nsslapd-idletimeout to get rid 
of these connections

>
> Thanks
> ~J
>
> On 12/4/14 7:40 AM, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> On 12/04/2014 09:41 AM, Rich Megginson wrote:
>>>> On 12/04/2014 08:39 AM, Rich Megginson wrote:
>>>>> On 12/04/2014 01:45 AM, Petr Spacek wrote:
>>>>>> On 4.12.2014 05:02, Janelle wrote:
>>>>>>> Thanks -- still a bit strange that it did not show up on some
>>>>>>> servers - vary
>>>>>>> random and intermittent.
>>>>>>>
>>>>>>> BTW - a bit of information others might find useful.  If you try to
>>>>>>> use the
>>>>>>> "LDAP" portion of IPA for authentication - rather than fulling
>>>>>>> installing the
>>>>>>> IPA client and using Kerberos - the servers running ds-389 do not
>>>>>>> do well in
>>>>>>> handling the load. In other words - a few hundred hosts trying to
>>>>>>> authenticate
>>>>>>> via LDAP only will send CPU through the roof and crashes the slapd
>>>>>>> process
>>>>>>> often.
>>>>> That should not happen.
>>>>> For crashes, we would need to look at some stack traces:
>>>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes
>>>>> For situations when the CPU is through the roof, that is very similar
>>>>> to debugging hangs:
>>>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs
>>>> Sorry, forgot to mention that since this is IPA you'll also need to
>>>> install the ipa-debuginfo and slapi-nis-debuginfo packages.
>>>>
>>> I would also add a question about your client configuration.
>>> For example if you use SSSD with enumerate=true for your clients then
>>> yes you will get your environment to the knees pretty quickly.
>> I assumed SSSD wasn't being used at all which begs the question: what
>> is? nss_ldap? Is nslcd being used?
>>
>> What is hitting LDAP, only auth or something else (e.g. sudo, automount).
>>
>> rob
>>
>>>>>>> Since IPA is supposed to handle all options, I guess I am
>>>>>>> disappointed.
>>>>>>>
>>>>>>> regards
>>>>>>> ~J
>>>>>>>
>>>>>>>
>>>>>>> On 12/3/14 2:56 PM, Dmitri Pal wrote:
>>>>>>>> On 12/03/2014 04:40 PM, Janelle wrote:
>>>>>>>>> Here is a bit of baffling one on 4.0.5:
>>>>>>>>>
>>>>>>>>> Replica install p11-kit???
>>>>>>>> This is a part of the DNSSEC set of packages.
>>>>>>>>
>>>>>>>>> Connection from master to replica is OK.
>>>>>>>>>
>>>>>>>>> Connection check OK
>>>>>>>>> p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported
>>>>>>>>> attribute
>>>>>>>>> Configuring NTP daemon (ntpd)
>>>>>>>>>     [1/4]: stopping ntpd
>>>>>>>>>     [2/4]: writing configuration
>>>>>>>>> ...
>>>>>>>>>
>>>>>>>>> Your system may be partly configured.
>>>>>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>>>>>
>>>>>>>>> LDAP error: UNWILLING_TO_PERFORM
>>>>>>>>> database is read-only
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thoughts?
>>>>>> We need more information about your problem.
>>>>>>
>>>>>> As always, please start with information requested on
>>>>>> http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
>>>>>>
>>>>>> /var/log/ipa*.log from affected replica will be invaluable (along
>>>>>> with exact
>>>>>> package version numbers [including p11-kit] and repo configuration).
>>>>>>
>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141204/b55aa0f5/attachment.htm>