Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-13 Thread Rob Crittenden

Stephen Ingram wrote:

On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:

Hi,

I had huge memory issues pre 6.3, now it's low and flat. Sounds like you have an issue
somewhere. My normal CPU use is a few hundred MHz, but when something goes
wrong such as replication failing that climbs... ditto memory use.


Yes, I saw your conversation with Rich on this list about that. And,
yes, 6.2 (2.1.3) was bad for me too. I'm not sure why 2.2.0 is still
having issues. It was an upgrade from 2.1.3, but the upgrade seemed to
complete without issue. I'm also not even doing replication yet so I'm
not sure why memory is so high. Web interface is much slower too so
perhaps something else is wrong.


Can you tell where it is being slow? Does it seem related to retrieving 
data from LDAP?


You might check your 389-ds access logs and look for searches with 
notes=U. Perhaps you are missing an index.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
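
One way to run the check suggested in the reply above, as an added example that is not part of the original thread: it pairs every RESULT line flagged `notes=U` with the SRCH line of the same conn/op, then counts the attributes used in the flagged filters as candidates for a missing index. The log lines are constructed, and the function names `unindexed_searches` and `candidate_attrs` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the 389-ds access-log layout (not taken from the thread).
SAMPLE_LOG = """\
[13/Jul/2012:11:40:01 -0430] conn=7 op=1 SRCH base="dc=example,dc=test" scope=2 filter="(uid=jdoe)" attrs="dn"
[13/Jul/2012:11:40:01 -0430] conn=7 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[13/Jul/2012:11:40:02 -0430] conn=8 op=2 SRCH base="cn=accounts,dc=example,dc=test" scope=2 filter="(&(objectClass=posixAccount)(description=*ops*))" attrs=ALL
[13/Jul/2012:11:40:05 -0430] conn=8 op=2 RESULT err=0 tag=101 nentries=40 etime=3 notes=U
[13/Jul/2012:11:40:06 -0430] conn=9 op=1 SRCH base="dc=example,dc=test" scope=2 filter="(uid=a*)" attrs="uid"
[13/Jul/2012:11:40:06 -0430] conn=9 op=1 RESULT err=0 tag=101 nentries=20 etime=0 notes=P
[13/Jul/2012:11:40:07 -0430] conn=9 op=2 SRCH base="dc=example,dc=test" scope=2 filter="(description=*lab*)" attrs="uid"
[13/Jul/2012:11:40:09 -0430] conn=9 op=2 RESULT err=0 tag=101 nentries=5 etime=2 notes=U,P
"""

OP_LINE = re.compile(r"conn=(\d+) op=(\d+) (SRCH|RESULT) (.*)")
SRCH_ARGS = re.compile(r'base="(.*?)" scope=\d+ filter="(.*)" attrs=')
FILTER_ATTR = re.compile(r"\(([A-Za-z][A-Za-z0-9;-]*)[~<>]?=")

def unindexed_searches(lines):
    """Pair each RESULT flagged notes=U with the SRCH line of the same conn/op."""
    pending = {}  # (conn, op) -> (base, filter) of searches still awaiting RESULT
    hits = []
    for line in lines:
        m = OP_LINE.search(line)
        if not m:
            continue
        key, kind, rest = (int(m.group(1)), int(m.group(2))), m.group(3), m.group(4)
        if kind == "SRCH":
            args = SRCH_ARGS.search(rest)
            pending[key] = args.groups() if args else ("?", rest)
            continue
        base, flt = pending.pop(key, ("?", "?"))
        fields = dict(f.split("=", 1) for f in rest.split() if "=" in f)
        # notes may carry several flags (e.g. "U,P"); only U marks an unindexed search.
        if "U" in fields.get("notes", "").split(","):
            hits.append({"conn": key[0], "op": key[1], "base": base,
                         "filter": flt, "etime": fields.get("etime")})
    return hits

def candidate_attrs(hits):
    """Count attributes used in flagged filters; these are candidates to check, not proof."""
    return Counter(a.lower() for h in hits for a in FILTER_ATTR.findall(h["filter"]))

if __name__ == "__main__":
    found = unindexed_searches(SAMPLE_LOG.splitlines())
    print(found, candidate_attrs(found).most_common())
```

On a real server the input would be the lines of the instance's access log (by default `/var/log/dirsrv/slapd-INSTANCE/access`, with INSTANCE as a placeholder).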


[Freeipa-users] Slowdowns in freeIPA 2.2.0

2012-07-13 Thread Loris Santamaria
I have this test server with 8.000 entries, recently upgraded from 2.1.3
to 2.2.0 and I'm seeing some big slowdowns and I would like to know
where to look to debug them. The server is CentOS 6.3 with
ipa-server-2.2.0-16.el6.x86_64 and 389-ds-base-1.2.10.2-20.el6_3.x86_64

First of all in 2.2.0 ldapsearch with -Y GSSAPI is much slower than
using plain authentication:

# time ldapsearch -x uid=bdteg01662 dn
# extended LDIF
#
# LDAPv3
# base dc=xxx,dc=gob,dc=ve (default) with scope subtree
# filter: uid=bdteg01662
# requesting: dn 
#

# bdteg01662, users, accounts, xxx.gob.ve
dn: uid=bdteg01662,cn=users,cn=accounts,dc=xxx,dc=gob,dc=ve

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

real    0m0.006s
user    0m0.001s
sys     0m0.003s

# time ldapsearch -Y GSSAPI uid=bdteg01662 dn
SASL/GSSAPI authentication started
SASL username: ad...@xxx.gob.ve
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base dc=xxx,dc=gob,dc=ve (default) with scope subtree
# filter: uid=bdteg01662
# requesting: dn 
#

# bdteg01662, users, accounts, xxx.gob.ve
dn: uid=bdteg01662,cn=users,cn=accounts,dc=xxx,dc=gob,dc=ve

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

real    0m2.344s
user    0m0.007s
sys     0m0.005s

As a consequence of this all of the ipa commands run a bit slow. But the
real slowdown is in the web interface, every search is terribly slow and
any search that returns more than 4 or 5 entries never completes, it
shows a dialogue that says just "Unknown error". In the dirsrv access
logs I see that the search completes in a short time and the apache
error log doesn't show any error whatsoever.

Note this is a test system, there are no other users of this server, and
the compat plugin is disabled.

-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.   http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve

If I'd asked my customers what they wanted, they'd have said
a faster horse - Henry Ford



Re: [Freeipa-users] Slowdowns in freeIPA 2.2.0

2012-07-13 Thread Dmitri Pal
On 07/13/2012 11:46 AM, Loris Santamaria wrote:
 I have this test server with 8.000 entries, recently upgraded from 2.1.3
 to 2.2.0 and I'm seeing some big slowdowns and I would like to know
 where to look to debug them. The server is CentOS 6.3 with
 ipa-server-2.2.0-16.el6.x86_64 and 389-ds-base-1.2.10.2-20.el6_3.x86_64

 First of all in 2.2.0 ldapsearch with -Y GSSAPI is much slower than
 using plain authentication:

Hm. The only difference would be a new kerberos driver.
Please take a look at the KDC logs and see what is going on there.

 # time ldapsearch -x uid=bdteg01662 dn
 # extended LDIF
 #
 # LDAPv3
 # base dc=xxx,dc=gob,dc=ve (default) with scope subtree
 # filter: uid=bdteg01662
 # requesting: dn 
 #

 # bdteg01662, users, accounts, xxx.gob.ve
 dn: uid=bdteg01662,cn=users,cn=accounts,dc=xxx,dc=gob,dc=ve

 # search result
 search: 2
 result: 0 Success

 # numResponses: 2
 # numEntries: 1

 real  0m0.006s
 user  0m0.001s
 sys   0m0.003s

 # time ldapsearch -Y GSSAPI uid=bdteg01662 dn
 SASL/GSSAPI authentication started
 SASL username: ad...@xxx.gob.ve
 SASL SSF: 56
 SASL data security layer installed.
 # extended LDIF
 #
 # LDAPv3
 # base dc=xxx,dc=gob,dc=ve (default) with scope subtree
 # filter: uid=bdteg01662
 # requesting: dn 
 #

 # bdteg01662, users, accounts, xxx.gob.ve
 dn: uid=bdteg01662,cn=users,cn=accounts,dc=xxx,dc=gob,dc=ve

 # search result
 search: 4
 result: 0 Success

 # numResponses: 2
 # numEntries: 1

 real  0m2.344s
 user  0m0.007s
 sys   0m0.005s

 As a consequence of this all of the ipa commands run a bit slow. But the
 real slowdown is in the web interface, every search is terribly slow and
 any search that returns more than 4 or 5 entries never completes, it
 shows a dialogue that says just "Unknown error". In the dirsrv access
 logs I see that the search completes in a short time and the apache
 error log doesn't show any error whatsoever.

 Note this is a test system, there are no other users of this server, and
 the compat plugin is disabled.


IPA in 2.2 uses memcached and session caching so web UI should be faster
than in earlier versions.
I wonder if the version of memcached is misbehaving on CentOS 6.3.
Can you please provide more details on that front?
Look at the httpd logs. There might be something that would give you
some hints about what is going on.




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] BIND named.conf

2012-07-13 Thread Dmitri Pal
On 07/13/2012 07:04 PM, Michael Mercier wrote:
 Hello,

 I am by no means an expert either, but I believe what you are
 recommending would forward requests for myzone.tld to the
 ip.of.forwarder1 etc.
 I want ipaserver1 to actually be a slave (do AXFR / IXFR -- hold all
 the data) of myzone.tld, and have ipaserver2 slave this data from
 ipaserver1.


The replicas in IPA do not need to be specially configured to be slaves
of each other. They have the same data which is replicated by LDAP back
end so it is not clear why you are trying to configure the replicas to
be in master-slave relation.


 Thanks,
 Mike

 On 13-Jul-12, at 5:11 PM, KodaK wrote:

 On Fri, Jul 13, 2012 at 3:13 PM, Michael Mercier mmerc...@gmail.com
 wrote:
 Hello,

 When using IPA 2.2.0 with DNS setup (--setup-dns), are there any
 issues with adding slaves to the named.conf file?

 example on ipaserver1:

 zone "myzone.tld" {
     type slave;
     file "slave/myzone.db";
     masters { u.x.y.z;  w.x.y.z; };
     allow-notify { u.x.y.z;  w.x.y.z; };
     also-notify { ipaserver2; };
 };


 I'm no expert, but I think you'd want to use the command line option
 dnsconfig-mod:

 ipa dnsconfig-mod --forwarder=ip.of.forwarder1;ip.of.forwarder2
 myzone.tld


 -- 
 The government is going to read our mail anyway, might as well make it
 tough for them.  GPG Public key ID:  B6A1A7C6



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.




Re: [Freeipa-users] BIND named.conf

2012-07-13 Thread Michael Mercier

I will try to be more clear...

My IPA zone is named intranet.local running on ipaserver1 and
ipaserver2.
I have another zone (call it myzone.tld) hosted on some other
systems.  I would like ipaserver1 and ipaserver2 to both be a slave
for this zone (not use a forwarder for the zone).

Considering that ipaserver1 and ipaserver2 use the dynamic-db entry in
named.conf, is there anything that I should be concerned about if I
were to add:

zone "myzone.tld" {
    type slave;
    file "slave/myzone.db";
    masters { u.x.y.z;  w.x.y.z; };
    allow-notify { u.x.y.z;  w.x.y.z; };
    also-notify { ipaserver2; };
};

to ipaserver1?

I had considered adding the zone via 'ipa dnszone-add
ipaserver1.intranet.local' but I did not find anything specific in the
documentation describing how to configure the new zone as a slave of
another system.  Also, the number of entries in the zone is large and
there are many updates per day and I was uncertain of the type of
performance I could expect.


Thanks,
Mike
On 13-Jul-12, at 7:10 PM, Dmitri Pal wrote:


On 07/13/2012 07:04 PM, Michael Mercier wrote:

Hello,

I am by no means an expert either, but I believe what you are
recommending would forward requests for myzone.tld to the
ip.of.forwarder1 etc.
I want ipaserver1 to actually be a slave (do AXFR / IXFR -- hold all
the data) of myzone.tld, and have ipaserver2 slave this data from
ipaserver1.



The replicas in IPA do not need to be specially configured to be slaves
of each other. They have the same data which is replicated by LDAP back
end so it is not clear why you are trying to configure the replicas to
be in master-slave relation.



Thanks,
Mike

On 13-Jul-12, at 5:11 PM, KodaK wrote:

On Fri, Jul 13, 2012 at 3:13 PM, Michael Mercier mmerc...@gmail.com wrote:

Hello,

When using IPA 2.2.0 with DNS setup (--setup-dns), are there any
issues with adding slaves to the named.conf file?

example on ipaserver1:

zone "myzone.tld" {
    type slave;
    file "slave/myzone.db";
    masters { u.x.y.z;  w.x.y.z; };
    allow-notify { u.x.y.z;  w.x.y.z; };
    also-notify { ipaserver2; };
};



I'm no expert, but I think you'd want to use the command line option
dnsconfig-mod:

ipa dnsconfig-mod --forwarder=ip.of.forwarder1;ip.of.forwarder2
myzone.tld


--
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6





--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

