[Freeipa-users] ipa-replica-install IPA startup timing issue

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 15 06:07:43 UTC 2016


On Mon, 14 Mar 2016, Daryl Fonseca-Holt wrote:
>Hello Thierry,
>
>In searching for a way to slow down the start of kadmind I discovered 
>that the prepare-replica install-replica process was modifying 
>/etc/sysconfig/krb5kdc to this:
>  KRB5KDC_ARGS='-w 64'
>  KRB5REALM=UOFMT1
>  KRB5KDC_ARGS='-w 64'
>during the configuration of krb5kdc. Prior to that the file only 
>contained:
>  KRB5KDC_ARGS=
>
>I paused the replica-install as soon as this change appeared, made 
>KRB5KDC_ARGS null, then resumed. The replica-install completed without 
>error.
>
>Here's where it gets a bit odd. That value was, at one time, used on 
>the master where the prepare-replica was done but has not been in 
>/etc/sysconfig/krb5kdc for a long time. How is it being propagated 
>from the master to the new replica?
>
>Is there some way to decrypt the replica file copied from the master 
>to the replica after the replica-prepare to confirm that is where the 
>value is coming from? Or is it being calculated on the replica? And 
>why does it appear twice?
>
>64 is the number of cores on the master and replica hosts. At one time 
>I adjusted /etc/sysconfig/krb5kdc on the master so there would be one 
>krb5kdc daemon process for each core but later decided to wait until 
>stress testing showed that it was actually useful. I observed that 
>starting that many instances of krb5kdc did stress the dirsrv instance 
>for a little while during an ipactl restart.

I think this value is not in the replica file. This is part of
the configuration of the Kerberos KDC
(ipaserver/krbinstance.py, see KrbInstance.__configure_instance())
and it is based on the value of 'getconf _NPROCESSORS_ONLN'.

When a replica is being installed, the installer will call
KrbInstance.create_replica() and that one will call
__configure_instance(), thus setting up the KRB5KDC_ARGS to
'-w <_NPROCESSORS_ONLN>'.
-- 
/ Alexander Bokovoy
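
An added example, not part of the original thread and not FreeIPA code: a small audit of a krb5kdc sysconfig file that counts KRB5KDC_ARGS assignments and compares the -w value with the online CPU count described above. The function names are hypothetical, the sample is constructed from the file contents quoted in the thread, and it assumes the last assignment in the file is the one that takes effect.

```shell
#!/bin/sh
# Added example: audit KRB5KDC_ARGS in a krb5kdc sysconfig file.

# Constructed sample: the file contents quoted in the thread.
write_sample() {
    printf '%s\n' "KRB5KDC_ARGS='-w 64'" "KRB5REALM=UOFMT1" "KRB5KDC_ARGS='-w 64'" > "$1"
}

# Value of every KRB5KDC_ARGS assignment, one per line, surrounding quotes stripped.
kdc_args_lines() {
    sed -n 's/^[[:space:]]*KRB5KDC_ARGS=//p' "$1" |
        sed "s/^['\"]//; s/['\"][[:space:]]*\$//"
}

# Number of KRB5KDC_ARGS assignments in the file.
kdc_args_count() {
    kdc_args_lines "$1" | wc -l | tr -d ' '
}

# -w value of the last assignment (assumed to be the one that takes effect);
# prints nothing when no worker count is set.
kdc_workers() {
    kdc_args_lines "$1" | tail -n 1 |
        sed -n 's/.*-w[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Report findings; returns 1 when the variable is assigned more than once.
# $2 overrides the CPU count (defaults to getconf _NPROCESSORS_ONLN).
audit_kdc_sysconfig() {
    cpus=${2:-$(getconf _NPROCESSORS_ONLN)}
    n=$(kdc_args_count "$1")
    w=$(kdc_workers "$1")
    rc=0
    if [ "$n" -gt 1 ]; then
        echo "duplicate: KRB5KDC_ARGS assigned $n times"
        rc=1
    fi
    if [ -z "$w" ]; then
        echo "workers: no -w option set"
    elif [ "$w" = "$cpus" ]; then
        echo "workers: $w, equal to online CPUs (installer-style value)"
    else
        echo "workers: $w, online CPUs: $cpus"
    fi
    return $rc
}

# Demo run against the constructed sample, pretending the host has 64 CPUs.
sample=$(mktemp)
write_sample "$sample"
audit_kdc_sysconfig "$sample" 64 || true
rm -f "$sample"
```

On a real host, call `audit_kdc_sysconfig /etc/sysconfig/krb5kdc` after a replica install to see whether the installer rewrote a value that had been cleared by hand.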



