On 06/12/2015 03:25 PM, William Graboyes wrote:
Hi Ken,
I ran this command back to back; I am snipping some of the results.
First time I ran the command:
time ldapsearch -x -h 127.0.0.1 "(uid=admin)"
# extended LDIF
#
# LDAPv3
# base <dc=foo,dc=org> (default) with scope subtree
# filter: (uid=admin)
# requesting: ALL
#
--snip--
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
real 0m0.056s
user 0m0.003s
sys 0m0.004s
Run on the same server not 5 seconds after the previous command:
time ldapsearch -x -h 127.0.0.1 "(uid=admin)"
# extended LDIF
#
# LDAPv3
# base <dc=foo,dc=org> (default) with scope subtree
# filter: (uid=admin)
# requesting: ALL
#
-- snip --
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
real 0m31.756s
user 0m0.003s
sys 0m0.005s
Ok. First, see
http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes
You'll also have to do
# debuginfo-install ipa-server slapi-nis
to get all of the ipa packages.
Next, see http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs
Reproduce the problem, and during the 30 seconds the directory server is
processing the search request, run the gdb command several times to get
stack traces during the search request.
I am starting to see this error in the dirserv logs:
[12/Jun/2015:14:06:51 -0700] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 107
(Transport endpoint is not connected)
[12/Jun/2015:14:11:51 -0700] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 107
(Transport endpoint is not connected)
[12/Jun/2015:14:16:51 -0700] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 107
(Transport endpoint is not connected)
[12/Jun/2015:14:21:51 -0700] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 107
(Transport endpoint is not connected)
I doubt this is related to the performance. This looks like the server
is attempting to contact a replica which is down, and has backed off for
the full 5 minute max backoff.
Thanks,
Bill Graboyes
On 6/12/15 1:36 PM, Rich Megginson wrote:
On 06/12/2015 02:10 PM, Martin Kosek wrote:
On 06/12/2015 09:15 PM, William Graboyes wrote:
Hi Martin,
Here are the outputs of the various commands, cleaned of course:
time ldapsearch
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
real 0m32.464s
user 0m0.385s
sys 0m0.052s
This is quite a long time. We should check the respective dirsrv
errors and access log snippets.
Also, the command above did not exit successfully; I would
recommend doing at least
# ldapsearch -x -h `hostname` "(uid=admin)"
To eliminate DNS from the equation, use
# time ldapsearch -x -h 127.0.0.1 "(uid=admin)"
time host ipa-server-2.foo.org <-- server with issues
ipa-server-2.foo.org has address 10.0.0.2
real 0m0.070s
user 0m0.010s
sys 0m0.006s
time host ipa-server-1.foo.org <-- replicant with no issues
ipa-server-1.foo.org has address 10.0.0.3
real 0m0.073s
user 0m0.012s
sys 0m0.006s
time kinit
kinit: Cannot contact any KDC for realm 'FOO.ORG' while getting initial credentials
real 0m27.049s
user 0m0.013s
sys 0m0.004s
^^^ has been something I have been seeing intermittently
On 6/12/15 12:11 AM, Martin Kosek wrote:
Hi List,
This is a problem that has surfaced after a reboot of
this system in particular. It is being really, really
slow. In terms of hardware usage issues, there are none.
It is taking 3-5 minutes to list users in the GUI.
Running commands like ipa-replica-manage list is taking
between 30 seconds and 3 minutes. Memory usage is low,
CPU usage is low, IOPS are low. I really have no idea
where to start here; there is nothing really damning in
the logs. I have tried restarting IPA (ipactl restart),
stopping and starting IPA (ipactl stop wait... ipactl
start), and rebooting the entire server.
The oddest thing is that there have been some krb errors
saying that they cannot contact the krb server.. logging
into the GUI saying your session has timed out..
It is just general strangeness.
ipa-server-4.1.0-18.el7.centos.3.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
krb5-server-1.12.2-14.el7.x86_64
Any help would be greatly appreciated.
Thanks, Bill
I would recommend starting with simple things, seeing the
performance and then following with more complex stuff:
- Try bare "ldapsearch" against the FreeIPA LDAP server,
see the response rate. If it is also slow, we have the root
cause. Before ringing on DS people's doors, see if for
example DNS is not slow and there are no DNS timeouts in
play - "host ipa.server.test" will tell you that.
- If DS is OK, try Kerberos - kinit, kvno commands
- If Kerberos is also OK and "ipa-replica-manage list" is
still slow, maybe we should just "strace" it to see what it
waits on.
HTH, Martin
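
Rich's reading of the slapi_ldap_bind errors in the thread (a connection to a down replica retried at the full 5 minute backoff) rests on the fixed spacing of the log timestamps. The following Python script is an added example, not part of the original thread or of 389-ds; it checks that spacing on the four log lines quoted above, and its function names and 2-second jitter tolerance are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four error-log lines quoted in the thread, with e-mail line wrapping undone.
_ERR = ("slapi_ldap_bind - Error: could not send startTLS request: error -1 "
        "(Can't contact LDAP server) errno 107 (Transport endpoint is not connected)")
SAMPLE_LOG = "\n".join(
    f"[12/Jun/2015:{hhmmss} -0700] {_ERR}"
    for hhmmss in ("14:06:51", "14:11:51", "14:16:51", "14:21:51")
)

# "[timestamp] source - message", the layout of the lines shown in the thread.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<src>\S+)\s+-\s+(?P<msg>.*)$")


def parse(text):
    """Yield (timestamp, source, message); skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # malformed timestamp: ignore rather than guess
        yield ts, m["src"], m["msg"]


def steady_repeats(text, min_events=3, jitter=2.0):
    """Map (source, message) -> mean period in seconds for messages that
    recur at a fixed interval (all gaps within `jitter` seconds of each other)."""
    seen = defaultdict(list)
    for ts, src, msg in parse(text):
        seen[(src, msg)].append(ts)
    result = {}
    for key, stamps in seen.items():
        if len(stamps) < min_events:
            continue  # too few events to call it a pattern
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter:
            result[key] = sum(gaps) / len(gaps)
    return result


if __name__ == "__main__":
    for (src, msg), period in steady_repeats(SAMPLE_LOG).items():
        print(f"{src}: repeats every {period:.0f}s: {msg}")
```

A steady 300-second period points at a retry timer rather than at per-request load, which is why such errors can be separated from the slow-search investigation.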