We'd like to test FreeIPA in our environment, but I'm having a little bit
of trouble importing DNS zone files.

Running on a fresh install of CentOS 7.4.1708 with
FreeIPA 4.5.0-21.el7.centos.1.2

I install a vanilla IPA server from scratch with (something along these

ipa-server-install --mkhomedir --setup-dns --setup-adtrust \
    --netbios-name=REALM --enable-compat --no-forwarders --realm=REALM.BLAHBLAH \
    --domain=realm.blahblah --hostname=ds1.realm.blahblah \
    --ip-address=10.<something> --reverse-zone=10.in-addr.arpa. \
    --allow-zone-overlap --no-host-dns

I have prepared an LDIF file for importing our reverse zone (around about
140k entries, thanks to lots of $GENERATE$ in our existing zone files).

I then import the LDIF into 389ds with:

ldapadd -c -d -1 -Y GSSAPI < reverse.ldif

This starts off generally well, but always ends up hanging, with slapd
locking up too.

To cut a long story short, every few minutes there are some entries in the
dirsrv access log which appear to be associated with processes related to
the CA role and the AD trust role, and it's when these accesses happen that
the whole thing locks up so that nothing works at all. Then dirsrv needs to
be killed (-KILL) and restarted.

No load, no massive CPU utilisation, the thing looks to be locked up in
some kind of futex deadlock. The tunables I've found don't appear to offer
any help for this.

I have tried this a number of times now, slicing and dicing a number of
different ways: using sudo, using root, using the Directory Manager, using
the admin GSSAPI credentials, 1000k entries at a time with pauses, yadda
yadda. Generally this all fails eventually.

On the other hand, it appears to work OK if I use the ipa dnsrecord-add
command, but on a geological timescale.

So, is this expected behaviour? I haven't seen anybody else on the list
asking about this kind of thing - so am I doing something wrong maybe? Are
there tunables I can - er - tune, at least for a bulk import phase? Or is
it maybe a bug? Certainly it makes me nervous to think there might be a
race condition in an insert operation which can result in deadlock for the
whole directory.

Thanks in advance for consideration




Andrew Stubbs, PhD
Head of Technical Operations

+44 203 770 4582
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
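
Added example, not part of the original post and not FreeIPA project code: expanding a simple BIND $GENERATE directive into per-record LDIF entries and splitting them into batches, the kind of preparation the post describes before running ldapadd. The hostname pattern, the idnsname=...,cn=dns,dc=realm,dc=blahblah DN layout with the idnsRecord object class, and all function names are assumptions.

```python
import re

# Constructed sample directive; the hostname pattern is made up for illustration.
SAMPLE = "$GENERATE 1-6/2 $.0.0 PTR host-$.realm.blahblah."
# Assumed DN of the reverse zone container for realm REALM.BLAHBLAH.
ZONE_DN = "idnsname=10.in-addr.arpa.,cn=dns,dc=realm,dc=blahblah"

GEN_RE = re.compile(
    r"^\$GENERATE\s+(\d+)-(\d+)(?:/(\d+))?\s+(\S+)"
    r"(?:\s+\d+)?(?:\s+IN)?\s+([A-Za-z]+)\s+(\S+)\s*$")


def expand_generate(line):
    """Yield (owner, rtype, rdata) for one $GENERATE line using the plain "$" iterator."""
    m = GEN_RE.match(line.strip())
    if not m:
        raise ValueError("not a $GENERATE directive: %r" % line)
    start, stop, step, lhs, rtype, rhs = m.groups()
    if "${" in lhs or "${" in rhs:
        raise ValueError("${offset,width,base} modifiers are not handled here")
    for i in range(int(start), int(stop) + 1, int(step or 1)):
        yield lhs.replace("$", str(i)), rtype.upper(), rhs.replace("$", str(i))


def to_ldif(records, zone_dn=ZONE_DN):
    """Render each record as one LDIF entry (assumed idnsRecord layout)."""
    # Owner names are used unescaped in the DN; fine for numeric reverse labels.
    return [
        "dn: idnsname=%s,%s\n"
        "objectClass: top\n"
        "objectClass: idnsRecord\n"
        "idnsName: %s\n"
        "%sRecord: %s\n" % (owner, zone_dn, owner, rtype.lower(), rdata)
        for owner, rtype, rdata in records]


def batches(entries, size):
    """Group entries into LDIF documents of at most `size` entries each."""
    return ["\n".join(entries[i:i + size]) for i in range(0, len(entries), size)]


if __name__ == "__main__":
    for n, chunk in enumerate(batches(to_ldif(list(expand_generate(SAMPLE))), 2)):
        print("# batch %d\n%s" % (n, chunk))
```

Each batch is a separate LDIF document, so it can be fed to ldapadd on its own and the point at which the server stops responding can be narrowed to a batch.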