[Freeipa-users] ipa-replica-install IPA startup timing issue

Daryl Fonseca-Holt Daryl.Fonseca-Holt at umanitoba.ca
Fri Mar 11 13:52:12 UTC 2016



On 03/11/16 02:40, thierry bordaz wrote:
> Hello Daryl,
>
>     My understanding is that ns-slapd is first slow to start up. Then
>     when krb5kdc is starting it may load ns-slapd.
>
>     We identified krb5kdc may be impacted by the number of user accounts.
>     From the ns-slapd errors log it is not clear why it is so slow to
>     start.
>
>     Would you provide the ns-slapd access logs from that period?
>

I provided the one from the instance at the link below because it was
too large to attach to the e-mail. Or is there some other log showing
what's needed? Or some debug option I need to turn up?
>
>     Also in order to know where ns-slapd is spending time, it would
>     really help if you can get regular (each 5s) pstacks (with
>     389-ds-debuginfo), during DS startup and then later during krb5kdc
>     startup.
>
Will do but it will be next week before I can get it. I have an all-day 
first aid and safety training course today.

>     best regards
>     thierry
>
>
> On 03/10/2016 11:10 PM, Daryl Fonseca-Holt wrote:
>> Environment:
>>   RHEL 7.2
>>   IPA 4.2.0-15
>>   nss 3.19.1-19
>>   389-ds-base 1.3.4.0-26
>>   sssd 1.13.0-40
>>
>>
>> I've encountered this problem in IPA 3.0.0 but hoped it was addressed 
>> in 4.2.0.
>>
>> Trying to set up a replica of a master with 150,000+ user accounts, 
>> NIS and Schema Compatibility enabled on the master.
>>
>> During ipa-replica-install it attempts to start IPA. dirsrv starts, 
>> krb5kdc starts, but then kadmind fails because krb5kdc has gone missing.
>>
>> This happens during restart of IPA in version 3.0.0 too. There it can 
>> be overcome by manually starting each component of IPA _but_ waiting 
>> until ns-slapd-<instance> has settled down (as seen from top) before 
>> starting krb5kdc. I also think that the startup of krb5kdc loads the 
>> LDAP instance quite a bit.
>>
>> There is a problem in the startup logic where dirsrv is so busy that, 
>> even though krb5kdc successfully starts and allows the kadmin to 
>> begin, krb5kdc is not really able to do its duties.
>>
>> I'm reporting this since there must be some way to delay the start of 
>> krb5kdc and then kadmind until ns-slapd-<instance> is really open for 
>> business.
>>
>> # systemctl status krb5kdc.service
>> ● krb5kdc.service - Kerberos 5 KDC
>>    Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
>>    Active: inactive (dead)
>>
>> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5 KDC.
>> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos 5 KDC...
>> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5 KDC.
>>
>> journalctl -xe was stale by the time I got to it so I've attached 
>> /var/log/messages instead.
>>
>> The log from ipa-replica-install (with -d) is at 
>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log
>> The console script (mostly the same as the log but with my entries) 
>> is at 
>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console
>> The /var/log/dirsrv/ns-slapd-<instance> access log is at 
>> http://home.cc.umanitoba.ca/~fonsecah/ipa/access
>>
>> Regards, Daryl
>>
>>
>>
>

-- 
  --
  Daryl Fonseca-Holt
  IST/CNS/Unix Server Team
  University of Manitoba
  204.480.1079
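
The manual workaround described in the message above (start dirsrv, wait until ns-slapd has settled, then start krb5kdc and kadmind), as an added shell example that is not part of the original thread or of FreeIPA. The instance name, the thresholds, the kadmin.service unit name and the use of a timed root DSE read as the "settled" signal (instead of watching top) are assumptions.

```shell
#!/bin/bash
# Added example: gate the krb5kdc/kadmin start on ns-slapd answering quickly
# several times in a row. Defaults below are illustrative assumptions.

INSTANCE="${INSTANCE:-EXAMPLE-COM}"   # placeholder dirsrv instance name
NEED_OK="${NEED_OK:-3}"               # consecutive good probes required
INTERVAL="${INTERVAL:-5}"             # seconds between probes
MAX_TRIES="${MAX_TRIES:-120}"         # give up after this many probes

# Probe (assumption): an anonymous root DSE read must complete within 2 seconds.
probe_ldap() {
    timeout 2 ldapsearch -x -H ldap://localhost -s base -b "" -LLL \
        vendorVersion >/dev/null 2>&1
}

# wait_settled PROBE: return 0 once PROBE succeeds NEED_OK times in a row,
# return 1 if MAX_TRIES probes go by without such a streak.
wait_settled() {
    probe="$1"; ok=0; tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        tries=$((tries + 1))
        if "$probe"; then
            ok=$((ok + 1))
            [ "$ok" -ge "$NEED_OK" ] && return 0
        else
            ok=0                      # a slow or failed probe resets the streak
        fi
        sleep "$INTERVAL"
    done
    return 1
}

# Start the services in order, waiting for the directory before each Kerberos
# daemon, since the thread reports krb5kdc startup loading ns-slapd again.
start_ipa_stack() {
    systemctl start "dirsrv@${INSTANCE}.service" || return 1
    wait_settled probe_ldap || { echo "ns-slapd did not settle" >&2; return 1; }
    systemctl start krb5kdc.service || return 1
    wait_settled probe_ldap || { echo "ns-slapd busy after KDC start" >&2; return 1; }
    systemctl start kadmin.service    # assumed unit name for kadmind
}

# Only touch services when explicitly asked to.
if [ "${1:-}" = "--start" ]; then start_ipa_stack; fi
```

Run it as root with `--start`; a single responsive probe is not treated as ready, because a directory that is still loading can answer one request and then stall.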
