[Freeipa-users] ipa-replica-install IPA startup timing issue

Daryl Fonseca-Holt Daryl.Fonseca-Holt at umanitoba.ca
Tue Mar 15 02:12:05 UTC 2016


Hello Thierry,

In searching for a way to slow down the start of kadmind I discovered 
that the prepare-replica install-replica process was modifying 
/etc/sysconfig/krb5kdc to this:
   KRB5KDC_ARGS='-w 64'
   KRB5REALM=UOFMT1
   KRB5KDC_ARGS='-w 64'
during the configuration of krb5kdc. Prior to that the file only 
contained:
   KRB5KDC_ARGS=

I paused the replica-install as soon as this change appeared, made 
KRB5KDC_ARGS null, then resumed. The replica-install completed without 
error.

Here's where it gets a bit odd. That value was, at one time, used on the 
master where the prepare-replica was done but has not been in 
/etc/sysconfig/krb5kdc for a long time. How is it being propagated from 
the master to the new replica?

Is there some way to decrypt the replica file copied from the master to 
the replica after the replica-prepare to confirm that is where the value 
is coming from? Or is it being calculated on the replica? And why does 
it appear twice?

64 is the number of cores on the master and replica hosts. At one time I 
adjusted /etc/sysconfig/krb5kdc on the master so there would be one 
krb5kdc daemon process for each core but later decided to wait until 
stress testing showed that it was actually useful. I observed that 
starting that many instances of krb5kdc did stress the dirsrv instance 
for a little while during an ipactl restart.


  --
  Daryl Fonseca-Holt
  IST/CNS/Unix Server Team
  University of Manitoba
  204.480.1079
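An added example, not part of the original message and not FreeIPA code: a shell check for the symptom described above, reporting variables assigned more than once in a sysconfig-style file and the `-w` worker count that the last `KRB5KDC_ARGS` assignment carries. The function names and the sample file are constructed for illustration; on a real host, pass /etc/sysconfig/krb5kdc instead.

```shell
#!/bin/sh
# Added example: audit a sysconfig-style file such as /etc/sysconfig/krb5kdc.

# Print "NAME COUNT" for every variable assigned more than once.
dup_keys() {
    awk -F= '/^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ {
        k = $1; gsub(/[[:space:]]/, "", k); n[k]++
    } END { for (k in n) if (n[k] > 1) print k, n[k] }' "$1" | sort
}

# Print the value of the last assignment to variable $2 in file $1
# (the assignment that wins when a shell sources the file).
effective_value() {
    awk -v key="$2" '{
        line = $0; sub(/^[[:space:]]*/, "", line)
        if (index(line, key "=") == 1) {
            v = substr(line, length(key) + 2)
            gsub(/^['\''"]|['\''"]$/, "", v)   # strip one pair of quotes
            last = v
        }
    } END { print last }' "$1"
}

# Print the number given to krb5kdc's -w (worker processes) option, if any.
worker_count() {
    effective_value "$1" KRB5KDC_ARGS |
        sed -n 's/.*-w[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Constructed sample mirroring the file contents quoted in the message.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
KRB5KDC_ARGS='-w 64'
KRB5REALM=UOFMT1
KRB5KDC_ARGS='-w 64'
EOF

echo "duplicate assignments: $(dup_keys "$sample")"
echo "effective KRB5KDC_ARGS: $(effective_value "$sample" KRB5KDC_ARGS)"
echo "krb5kdc workers: $(worker_count "$sample")"
echo "cores on this host: $(nproc 2>/dev/null || echo unknown)"
```

Running the same functions on the master and on the replica, before and after the install step, shows on which host the `-w` value first appears.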