[Freeipa-users] IPA very very slow
Rich Megginson
rmeggins at redhat.com
Fri Jun 12 20:36:47 UTC 2015
On 06/12/2015 02:10 PM, Martin Kosek wrote:
> On 06/12/2015 09:15 PM, William Graboyes wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> Hi Martin,
>>
>> Here are the outputs of the various commands, cleaned of course:
>>
>> time ldapsearch
>> SASL/EXTERNAL authentication started
>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>> additional info: SASL(-4): no mechanism available:
>>
>> real 0m32.464s
>> user 0m0.385s
>> sys 0m0.052s
>
> This is quite long time. We should check respective dirsrv errors and
> access logs snippets.
>
> Also, the command above did not exit successfully, I would recommend
> doing at least
>
> # ldapsearch -x -h `hostname` "(uid=admin)"
To eliminate DNS from the equation, use
# time ldapsearch -x -h 127.0.0.1 "(uid=admin)"
>
>>
>> time host ipa-server-2.foo.org <-- server with issues
>> ipa-server-2.foo.org has address 10.0.0.2
>>
>> real 0m0.070s
>> user 0m0.010s
>> sys 0m0.006s
>>
>> time host ipa-server-1.foo.org <-- replicant with no issues
>> ipa-server-1.foo.org has address 10.0.0.3
>>
>> real 0m0.073s
>> user 0m0.012s
>> sys 0m0.006s
>>
>> time kinit
>> kinit: Cannot contact any KDC for realm 'FOO.ORG' while getting
>> initial credentials
>>
>> real 0m27.049s
>> user 0m0.013s
>> sys 0m0.004s
>>
>> ^^^ has been something I have been seeing intermittently
>>
>>
>>
>> On 6/12/15 12:11 AM, Martin Kosek wrote:
>>>> Hi List,
>>>>
>>>> This is a problem that has surfaced after a reboot of this system
>>>> in particular. It is being really, really slow. In terms of
>>>> hardware usage issues, there are none. It is taking 3-5 minutes
>>>> to list users in the gui. Running commands like
>>>> ipa-replica-manage list is taking between 30seconds and 3
>>>> minutes. Memory usage is low, cpu usage is low, iops are low. I
>>>> really have no idea where to start here, there is noting really
>>>> damning in the logs. I have tried restarting IPA (ipactl
>>>> restart) stopping and starting IPA (ipactl stop wait... ipactl
>>>> start), and rebooting the entire server.
>>>>
>>>> The oddest thing is that there have been some krb errors saying
>>>> that they cannot contact the krb server.. logging into the gui
>>>> saying your session has timed out..
>>>>
>>>> It is just general strangeness.
>>>>
>>>> ipa-server-4.1.0-18.el7.centos.3.x86_64
>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>>> krb5-server-1.12.2-14.el7.x86_64
>>>>
>>>> Any help would be greatly appreciated.
>>>>
>>>> Thanks, Bill
>>>
>>> I would recommend starting with simple things, seeing the
>>> performance and then following with more complex stuff:
>>>
>>> - Try bare "ldapsearch" against the FreeIPA LDAP server, see the
>>> response rate. If it is also slow, we have the root cause. Before
>>> ringing on DS people doors, see if for example DNS is not slow and
>>> there are no DNS timeouts in play - "host ipa.server.test" will
>>> tell you that
>>>
>>> - If DS is OK, try Kerberos - kinit, kvno commands
>>>
>>> - If Kerberos is also OK and "ipa-replica-manage list" is still
>>> slow, maybe we should just "strace" it to see what it waits on.
>>>
>>> HTH, Martin
>>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG/MacGPG2 v2
>> Comment: GPGTools - https://gpgtools.org
>>
>> iQIcBAEBCgAGBQJVey+3AAoJEJFMz73A1+zruo8P/13JTUKxgSKUchH/2UQWH94N
>> EAPj3hhgNeMjY1TCgjAhceavidXTj5oCbt3D2wSiZwxAodurXy1PkCmQUs9NpZ+N
>> 3uKPD01tSnIl/eocP8aNHNrPfn5W7xijffbpaQsnNCgn5DMvLG0b8sEDKA2A9TQi
>> qhluvjMrWM4yOITc4A2+IWCASy1UfG0fRBuK+hHp+F72at6Q6luEiaxC4TymSF7L
>> f7XomuQmaEnvYl44hlqnyh/9FaERGyFs5crKTrLpFeLPrk149HYHwFqCbd28SY3p
>> QLSQxraLnSvT/7y2d9kc7vmJFvxEFC/q4Q05xL81u/Sg691lb0qX0SVuHfFST87I
>> xSypfQ3110wUzk7X4+oXpPX/ziomsXkjELhi81iurdU/iA9bAqtuEYf8HtvcrF7b
>> QlqZA0t1D78QDTbaNOIE6LVAY2Zxkpdhu/qwCMvtS8TlPGt9U8Kt4U6eoFfTFn8C
>> GFx61vNfBFmqOQX7w0Q36jqUCQG0VRipsC0oeqGVEeUvIDW/G9TG4m8O+vmZ60Lj
>> DgpIoxwXaO4TT5aZcDDpIlgs67ZxaW+9VAmJh+G3w664rQ3jnE6JMwzyxDmqFhZ5
>> cto0910Y5GqWL9wShmpTBy1/nVAJivdXK4D6eykOgKq80vXKbZOWPqIT2oEqXSA0
>> rYUBJPLWtHHVLigc6lW7
>> =R7vN
>> -----END PGP SIGNATURE-----
>>
>
More information about the Freeipa-users
mailing list