[Freeipa-users] ipa-replica-install IPA startup timing issue

thierry bordaz tbordaz at redhat.com
Fri Mar 11 16:05:27 UTC 2016


Daryl,

Thanks for your help for grabbing additional data.
I am afraid any debug option at DS level would make it worse. Also there 
are several debug options so first we need to know what is the potential 
culprit to turn on only the right level. I will look at the 
errors/access (sorry I missed the link) and will be back to you.

Have a good weekend
thierry

On 03/11/2016 02:52 PM, Daryl Fonseca-Holt wrote:
>
>
> On 03/11/16 02:40, thierry bordaz wrote:
>> Hello Daryl,
>>
>>     My understanding is that ns-slapd is first slow to startup. Then
>>     when krb5kdc is starting it may load ns-slapd.
>>
>>     We identified krb5kdc may be impacted by the number of users
>>     accounts.
>>     From the ns-slapd errors log it is not clear why it is so slow to
>>     start.
>>
>>     Would you provide the ns-slapd access logs from that period?
>>
>
> I provided the one from the instance at the link below because it was 
> too large to attach to the e-mail. Or is there some other log showing 
> what's needed? Or some debug option I need to turn up?
>>
>>     Also in order to know where ns-slapd is spending time, it would
>>     really help if you can get regular (each 5s) pstacks (with
>>     389-ds-debuginfo), during DS startup and then later during
>>     krb5kdc startup.
>>
> Will do but it will be next week before I can get it. I have an 
> all-day first aid and safety training course today.
>
>>     best regards
>>     thierry
>>
>>
>> On 03/10/2016 11:10 PM, Daryl Fonseca-Holt wrote:
>>> Environment:
>>>   RHEL 7.2
>>>   IPA 4.2.0-15
>>>   nss 3.19.1-19
>>>   389-ds-base 1.3.4.0-26
>>>   sssd 1.13.0-40
>>>
>>>
>>> I've encountered this problem in IPA 3.0.0 but hoped it was 
>>> addressed in 4.2.0.
>>>
>>> Trying to set up a replica of a master with 150,000+ user accounts, 
>>> NIS and Schema Compatibility enabled on the master.
>>>
>>> During ipa-replica-install it attempts to start IPA. dirsrv starts, 
>>> krb5kdc starts, but then kadmind fails because krb5kdc has gone 
>>> missing.
>>>
>>> This happens during restart of IPA in version 3.0.0 too. There it 
>>> can be overcome by manually starting each component of IPA _but_ 
>>> waiting until ns-slapd-<instance> has settled down (as seen from 
>>> top) before starting krb5kdc. I also think that the startup of 
>>> krb5kdc loads the LDAP instance quite a bit.
>>>
>>> There is a problem in the startup logic where dirsrv is so busy that 
>>> even though krb5kdc successfully starts and allows the kadmin to 
>>> begin, krb5kdc is not really able to do its duties.
>>>
>>> I'm reporting this since there must be some way to delay the start 
>>> of krb5kdc and then kadmind until ns-slapd-<instance> is really open 
>>> for business.
>>>
>>> # systemctl status krb5kdc.service
>>> ● krb5kdc.service - Kerberos 5 KDC
>>>    Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; 
>>> disabled; vendor preset: disabled)
>>>    Active: inactive (dead)
>>>
>>> Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5 
>>> KDC.
>>> Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos 
>>> 5 KDC...
>>> Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5 
>>> KDC.
>>>
>>> journalctl -xe was stale by the time I got to it so I've attached 
>>> /var/log/messages instead.
>>>
>>> The log from ipa-replica-install (with -d) is at 
>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log
>>> The console script (mostly the same as the log but with my entries) 
>>> is at 
>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console
>>> The /var/log/dirsrv/ns-slapd-<instance> access log is at 
>>> http://home.cc.umanitoba.ca/~fonsecah/ipa/access
>>>
>>> Regards, Daryl
>>>
>>>
>>>
>>
>
> -- 
>   --
>   Daryl Fonseca-Holt
>   IST/CNS/Unix Server Team
>   University of Manitoba
>   204.480.1079
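
The manual workaround described in the quoted report (start dirsrv, wait until ns-slapd has settled as seen from top, then start krb5kdc and kadmind) could be scripted roughly as follows. This is an added example, not part of the original thread and not FreeIPA code; the `dirsrv@INSTANCE.service` and `kadmin.service` unit names, the threshold of 10 clock ticks per 5-second window, and all function names are assumptions.

```sh
#!/bin/sh
# Added example: staged start that waits for ns-slapd CPU use to settle.
# Thresholds and unit names other than krb5kdc.service are assumptions.

# cpu_ticks PID: print utime+stime (clock ticks) from /proc/PID/stat.
cpu_ticks() {
    [ -r "/proc/$1/stat" ] || return 1
    # Strip "pid (comm) " so utime and stime become fields 12 and 13.
    set -- $(sed 's/^.*) //' "/proc/$1/stat")
    [ "$#" -ge 13 ] || return 1
    echo $(( ${12} + ${13} ))
}

# is_quiet PID MAX_TICKS SECONDS: succeed if the process burned at most
# MAX_TICKS of CPU during a SECONDS-long window.
is_quiet() {
    before=$(cpu_ticks "$1") || return 1
    sleep "$3"
    after=$(cpu_ticks "$1") || return 1
    [ $(( after - before )) -le "$2" ]
}

# wait_settled PROBE NEED MAX_TRIES: run PROBE until it succeeds NEED times
# in a row; give up (status 1) after MAX_TRIES probes.
wait_settled() {
    probe=$1 need=$2 tries=$3 streak=0
    while [ "$tries" -gt 0 ]; do
        if $probe; then streak=$(( streak + 1 )); else streak=0; fi
        if [ "$streak" -ge "$need" ]; then return 0; fi
        tries=$(( tries - 1 ))
    done
    return 1
}

# staged_start INSTANCE: start dirsrv, wait for three quiet 5 s windows
# (at most 10 ticks each, 120 probes max), then start the KDC and kadmind.
staged_start() {
    systemctl start "dirsrv@$1.service" || return 1
    pid=$(systemctl show -p MainPID "dirsrv@$1.service") || return 1
    pid=${pid#MainPID=}
    wait_settled "is_quiet $pid 10 5" 3 120 || return 1
    systemctl start krb5kdc.service && systemctl start kadmin.service
}

# Run only when asked to, e.g.: sh staged-start.sh --run EXAMPLE-COM
if [ "${1:-}" = "--run" ]; then staged_start "$2"; fi
```

Requiring several consecutive quiet windows keeps a brief pause in ns-slapd activity from being mistaken for the end of startup.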
