<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Daryl,<br>
<br>
In fact the slow DS startup is due to slapi-nis priming:<br>
<br>
<tt> #0 0x00007f189a2689fc in strcmpi_fast<br>
#1 oc_find_nolock<br>
#2 0x00007f189a2699bd in va_expand_one_oc<br>
#3 0x00007f189a269d70 in schema_expand_objectclasses_ext<br>
#4 0x00007f189a26cbea in slapi_schema_expand_objectclasses<br>
#5 0x00007f189a2124a5 in slapi_str2entry<br>
#6 0x00007f188c38037d in backend_set_entry_from <br>
#7 0x00007f188c383316 in backend_shr_set_entry_cb <br>
#8 0x00007f189a26358d in send_ldap_search_entry_ext <br>
#9 0x00007f189a263dcc in send_ldap_search_entry<br>
#10 0x00007f189a240ad3 in iterate<br>
#11 0x00007f189a240c7a in send_results_ext<br>
#12 0x00007f189a24265e in op_shared_search <br>
#13 0x00007f189a2528de in search_internal_callback_pb<br>
#14 0x00007f188c387628 in backend_shr_set_config_entry_add<br>
#15 0x00007f188c3827ad in backend_set_config_entry_add_cb<br>
#16 0x00007f189a26358d in send_ldap_search_entry_ext<br>
#17 0x00007f189a263dcc in send_ldap_search_entry<br>
#18 0x00007f189a240ad3 in iterate<br>
#19 0x00007f189a240c7a in send_results_ext<br>
#20 0x00007f189a24265e in op_shared_search <br>
#21 0x00007f189a2528de in search_internal_callback_pb<br>
#22 0x00007f188c387cbb in backend_shr_startup<br>
#23 0x00007f188c394135 in plugin_startup<br>
#24 0x00007f189a24d847 in plugin_call_func<br>
#25 0x00007f189a24df78 in plugin_call_one<br>
#26 plugin_dependency_startall<br>
#27 0x00007f189a24e381 in plugin_startall<br>
#28 0x00007f189a716bc2 in main<br>
</tt><br>
It lasts from Mon Mar 14 08:50:21 -> Mon Mar 14 08:51:17 CDT<br>
kadmin.service failed to start but the console log does not contain
the exact time of the failure.<br>
Would you check if the failure occurred while DS was starting up ?<br>
If that is the case, like Alexander mentioned, it is already fixed
in slapi-nis 0.55.<br>
<br>
thanks<br>
thierry<br>
<br>
<div class="moz-cite-prefix">On 03/14/2016 03:06 PM, Daryl
Fonseca-Holt wrote:<br>
</div>
<blockquote cite="mid:56E6C57D.3010203@umanitoba.ca" type="cite">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
Hi Thierry,<br>
<br>
I moved the old logs into a subdirectory called try1. I did the
recommended ipa-server-install --uninstall. Tried the replica
install again. Failed during kadmind start like the previous time.<br>
<br>
The log from ipa-replica-install (with -d) is at <a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://home.cc.umanitoba.ca/%7Efonsecah/ipa/ipareplica-install.log"><a class="moz-txt-link-freetext" href="http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log">http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log</a></a>
<br>
The console script (mostly the same as the log but with my
entries) is at <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://home.cc.umanitoba.ca/%7Efonsecah/ipa/ipa-replica-install.console">http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console</a>
<br>
The 5 second pstacks are at <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://home.cc.umanitoba.ca/%7Efonsecah/ipa/ipa-replica-install.console">http://home.cc.umanitoba.ca/~fonsecah/ipa/slapd-pstacks.console</a><br>
<br>
Thanks, Daryl<br>
<br>
<br>
<div class="moz-cite-prefix">On 03/11/16 02:40, thierry bordaz
wrote:<br>
</div>
<blockquote cite="mid:56E28490.6030406@redhat.com" type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=utf-8">
Hello Deryl,<br>
<br>
<blockquote>My understanding is that ns-slapd is first slow to
startup. Then when krb5kdc is starting it may load ns-slapd.<br>
<br>
We identified krb5kdc may be impacted by the number of users
accounts.<br>
From the ns-slapd errors log it is not clear why it is so slow
to start.<br>
<br>
Would you provide the ns-slapd access logs from that period.<br>
Also in order to know where ns-slapd is spending time, it
would really help if you can get regular (each 5s) pstacks
(with 389-ds-debuginfo), during DS startup and then later
during krb5kdc startup.<br>
<br>
best regards<br>
thierry<br>
</blockquote>
<br>
<div class="moz-cite-prefix">On 03/10/2016 11:10 PM, Daryl
Fonseca-Holt wrote:<br>
</div>
<blockquote cite="mid:56E1F0E4.9080605@umanitoba.ca" type="cite">Environment:
<br>
RHEL 7.2 <br>
IPA 4.2.0-15 <br>
nss 3.19.1-19 <br>
389-ds-base 1.3.4.0-26 <br>
sssd 1.13.0-40 <br>
<br>
<br>
I've encountered this problem in IPA 3.0.0 but hoped it was
addressed in 4.2.0. <br>
<br>
Trying to set up a replica of a master with 150,000+ user
accounts, NIS and Schema Compatability enabled on the master.
<br>
<br>
During ipa-replica-install it attempts to start IPA. dirsrv
starts, krb5kdc starts, but then kadmind fails because krb5kdc
has gone missing. <br>
<br>
This happens during restart of IPA in version 3.0.0 too. There
it can be overcome by manually starting each component of IPA
_but_ waiting until ns-slapd-<instance> has settled down
(as seen from top) before starting krb5kdc. I also think that
the startup of krb5kdc loads the LDAP instance quite a bit. <br>
<br>
There is a problem in the startup logic where dirsrv is so
busy that even though krb5kdc successfully starts and allows
the kadmin to begin kdb5kdc is not really able to do its
duties. <br>
<br>
I'm reporting this since there must be some way to delay the
start of krb5kdc and then kadmind until
ns-slapd-<instance> is really open for business. <br>
<br>
# systemctl status krb5kdc.service <br>
● krb5kdc.service - Kerberos 5 KDC <br>
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service;
disabled; vendor preset: disabled) <br>
Active: inactive (dead) <br>
<br>
Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped
Kerberos 5 KDC. <br>
Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting
Kerberos 5 KDC... <br>
Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started
Kerberos 5 KDC. <br>
<br>
# systemctl status krb5kdc.service <br>
● krb5kdc.service - Kerberos 5 KDC <br>
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service;
disabled; vendor preset: disabled) <br>
Active: inactive (dead) <br>
<br>
Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped
Kerberos 5 KDC. <br>
Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting
Kerberos 5 KDC... <br>
Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started
Kerberos 5 KDC. <br>
<br>
journalctl -xe was stale by the time I got to it so I've
attached /var/log/messages instead. <br>
<br>
The log from ipa-replica-install (with -d) is at <a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://home.cc.umanitoba.ca/%7Efonsecah/ipa/ipareplica-install.log"><a class="moz-txt-link-freetext" href="http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log">http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log</a></a>
<br>
The console script (mostly the same as the log but with my
entries) is at <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://home.cc.umanitoba.ca/%7Efonsecah/ipa/ipa-replica-install.console">http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console</a>
<br>
The /var/log/dirsrv/ns-slapd-<instance> access log is at
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://home.cc.umanitoba.ca/%7Efonsecah/ipa/access">http://home.cc.umanitoba.ca/~fonsecah/ipa/access</a>
<br>
<br>
Regards, Daryl <br>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
--
Daryl Fonseca-Holt
IST/CNS/Unix Server Team
University of Manitoba
204.480.1079
</pre>
</blockquote>
<br>
</body>
</html>