[Freeipa-users] sysctl and/or limits.conf?

Rob Crittenden rcritten at redhat.com
Tue Oct 14 13:58:49 UTC 2014


Janelle wrote:
> Hi Rob,
> 
> Thanks for that - it clears up one point - and explains why the replica
> manage command shows all masters, but what I don't understand is how to
> get the CA to a "replica" once it is created? I don't see anything in
> the docs on that. Am I missing something very obvious here? I am coming
> from the AD world and trying to replace it, so please excuse my
> ignorance in this area.

ipa-ca-install

rob

> 
> thanks
> Janelle
> 
> 
> On 10/14/14 6:48 AM, Rob Crittenden wrote:
>> Janelle wrote:
>>> Hi again,
>>>
>>> A lot of this information has been very useful.  I did have a question I
>>> could not answer. I noticed in the Deployment Recommendations docs, it
>>> says not to have any more than 4 replication agreements. Perhaps I am
>>> missing something, but I don't see how to get a replica to be a master
>>> to be able to create another replicate?  Am I missing something obvious
>>> here?
>> Every IPA install is a master. The only distinction between servers is
>> the optional services of DNS and a CA. So don't get confused by replica
>> vs master. Once an IPA server is up it is a master.
>>
>> We don't recommend any one master to have more than 4 agreements. Each
>> agreement adds a bit more load on the server to calculate the
>> differences to send to each one, so you want to keep it reasonable. I'd
>> recommend making a map of your topology to ensure that no master ends up
>> alone, or one ends up being overloaded. You can use ipa-replica-manage
>> to control the replication topology. By default a single agreement is
>> set up between a new master and the one that created it.
>>
>> Any master can create a new master.
>>
>> As you do your installations be sure to have at least 2 masters with a
>> CA on them to avoid a single point of failure.
>>
>> rob
>>
>>> Thank you,
>>> ~Janelle
>>>
>>> On 10/13/14 3:18 PM, Dmitri Pal wrote:
>>>> On 10/12/2014 08:07 PM, James wrote:
>>>>> On 12 October 2014 19:55, Janelle <janellenicole80 at gmail.com> wrote:
>>>>>> Hi again,
>>>>>>
>>>>>> I was wondering if there were any suggestions for performance of IPA
>>>>>> and settings to sysctl and maybe limits.conf? I tried the website, but
>>>>>> did not see anything.  Have about 3000 servers that will be talking to
>>>>>> 3-4 masters/replicas. Are there any formulas to follow?
>>>>>>
>>>>>> thanks
>>>>> If you get an answer to this, or if you know of any other performance
>>>>> tuning params, let me know and I'll build it in to puppet-ipa.
>>>>>
>>>>> Thanks,
>>>>> James
>>>>>
>>>> I do not think it is easily automatable.
>>>> Please see http://www.freeipa.org/page/Deployment_Recommendations and
>>>> part about replicas.
>>>> If 3000 in one datacenter then 3 is good enough or 4 if you are very
>>>> LDAP heavy (some applications are like Jira for example).
>>>> If you have 2 data centers I would go for 2+2.
>>>>
> 
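
The topology advice quoted in this thread (no master with more than 4 agreements, no master left alone, at least 2 masters with a CA) can be checked against a hand-drawn map before installing anything. The following is an added example, not code from the thread or from FreeIPA; the function names and hostnames are hypothetical, and the "losing one master partitions replication" check goes slightly beyond what the thread states.

```python
from collections import defaultdict

MAX_AGREEMENTS = 4   # per-master ceiling recommended in the thread
MIN_CA_MASTERS = 2   # the thread asks for at least 2 masters with a CA


def reachable(peers, start, removed=None):
    """Masters reachable from start over agreements, skipping `removed`."""
    seen, stack = {start}, [start]
    while stack:
        for peer in peers[stack.pop()]:
            if peer != removed and peer not in seen:
                seen.add(peer)
                stack.append(peer)
    return seen


def audit_topology(masters, agreements, ca_masters):
    """Return a list of findings; empty means the map passes. Hosts in agreements must be in masters."""
    peers = defaultdict(set)
    for a, b in agreements:      # assumption: each agreement replicates both ways
        peers[a].add(b)
        peers[b].add(a)
    findings = []
    for m in masters:
        if len(peers[m]) > MAX_AGREEMENTS:
            findings.append(f"{m}: {len(peers[m])} agreements (max {MAX_AGREEMENTS})")
    if len(reachable(peers, masters[0])) != len(masters):
        findings.append("topology is split: some masters cannot reach the others")
    else:
        for m in masters:        # would losing m cut the remaining masters apart?
            rest = [x for x in masters if x != m]
            if rest and len(reachable(peers, rest[0], removed=m)) != len(rest):
                findings.append(f"{m}: losing it partitions replication")
    with_ca = [m for m in masters if m in ca_masters]
    if len(with_ca) < MIN_CA_MASTERS:
        findings.append(f"only {len(with_ca)} master(s) with a CA (min {MIN_CA_MASTERS})")
    return findings


# Constructed sample: one hub with five spokes and a single CA (fails three checks).
HUB = "ipa1.example.test"
SPOKES = [f"ipa{i}.example.test" for i in range(2, 7)]
STAR = audit_topology([HUB] + SPOKES, [(HUB, s) for s in SPOKES], {HUB})
# Constructed sample: four masters in a ring, two of them with a CA (passes).
RING_HOSTS = [f"ipa{i}.example.test" for i in range(1, 5)]
RING_EDGES = list(zip(RING_HOSTS, RING_HOSTS[1:] + RING_HOSTS[:1]))
RING = audit_topology(RING_HOSTS, RING_EDGES, set(RING_HOSTS[:2]))
print("\n".join(STAR) or "star topology passes")
```
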