Re: [Freeipa-users] 2.20 dirsrv memory usage
Stephen Ingram wrote:
> On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
>> Hi,
>>
>> I had huge memory issues pre 6.3, now it's low and flat.
>>
>> Sounds like you have an issue somewhere.
>>
>> My normal cpu use is a few hundred mhz but when something goes wrong such as replication failing that climbs...ditto memory use
>
> Yes, I saw your conversation with Rich on this list about that. And, yes, 6.2 (2.1.3) was bad for me too. I'm not sure why 2.2.0 is still having issues. It was an upgrade from 2.1.3, but the upgrade seemed to complete without issue. I'm also not even doing replication yet so I'm not sure why memory is so high. Web interface is much slower too so perhaps something else is wrong.

Can you tell where it is being slow? Does it seem related to retrieving data from LDAP?

You might check your 389-ds access logs and look for searches with notes=U. Perhaps you are missing an index.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
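The access-log check rob suggests, as an added example that is not part of the original thread: it pairs each SRCH line with its RESULT by conn/op and reports the searches flagged notes=U. The log lines are constructed in the usual 389-ds access-log layout, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread) in 389-ds access-log layout.
SAMPLE_LOG = '''\
[13/Jul/2012:11:46:01 -0430] conn=7 op=1 SRCH base="dc=example,dc=test" scope=2 filter="(uid=jdoe)" attrs="dn"
[13/Jul/2012:11:46:01 -0430] conn=7 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[13/Jul/2012:11:46:02 -0430] conn=9 op=4 SRCH base="cn=accounts,dc=example,dc=test" scope=2 filter="(&(objectClass=posixAccount)(carLicense=*42*))" attrs=ALL
[13/Jul/2012:11:46:05 -0430] conn=9 op=4 RESULT err=0 tag=101 nentries=3 etime=3 notes=U
[13/Jul/2012:11:46:06 -0430] conn=9 op=5 SRCH base="cn=accounts,dc=example,dc=test" scope=2 filter="(carLicense=ABC123)" attrs=ALL
[13/Jul/2012:11:46:08 -0430] conn=9 op=5 RESULT err=0 tag=101 nentries=0 etime=2 notes=U
'''

LINE = re.compile(r'conn=(\d+) op=(\d+) (SRCH|RESULT) (.*)')
BASE = re.compile(r'base="([^"]*)"')
FILTER = re.compile(r'filter="([^"]*)"')
ATTR_IN_FILTER = re.compile(r'\(([A-Za-z][\w;-]*)[~<>]?=')

def unindexed_searches(log_text):
    """Return one dict per search whose RESULT line carries notes=U."""
    pending = {}  # (conn, op) -> (base, filter) of a SRCH awaiting its RESULT
    hits = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key, kind, rest = (m.group(1), m.group(2)), m.group(3), m.group(4)
        if kind == "SRCH":
            b, f = BASE.search(rest), FILTER.search(rest)
            pending[key] = (b.group(1) if b else "", f.group(1) if f else "")
        elif key in pending:
            base, flt = pending.pop(key)
            notes = re.search(r'notes=(\S+)', rest)
            if notes and "U" in notes.group(1).split(","):
                etime = re.search(r'etime=([\d.]+)', rest)
                hits.append({"conn": key[0], "op": key[1], "base": base, "filter": flt,
                             "etime": float(etime.group(1)) if etime else None})
    return hits

def candidate_attributes(hits):
    """Count attributes named in flagged filters; candidates to review, not a verdict."""
    counts = Counter()
    for h in hits:
        counts.update(a.lower() for a in set(ATTR_IN_FILTER.findall(h["filter"])))
    return counts

if __name__ == "__main__":
    for h in unindexed_searches(SAMPLE_LOG):
        print(h["etime"], h["base"], h["filter"])
```

An attribute that only appears alongside others in a flagged filter (objectClass in the sample) may already be indexed; the one that shows up in every flagged filter is the first to check.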
[Freeipa-users] Slowdowns in freeIPA 2.2.0
I have this test server with 8.000 entries, recently upgraded from 2.1.3 to 2.2.0 and I'm seeing some big slowdowns and I would like to know where to look to debug them.

The server is centos 6.3 with ipa-server-2.2.0-16.el6.x86_64 and 389-ds-base-1.2.10.2-20.el6_3.x86_64

First of all in 2.2.0 ldapsearch with -Y GSSAPI is much slower than using plain authentication:

    # time ldapsearch -x uid=bdteg01662 dn
    # extended LDIF
    #
    # LDAPv3
    # base dc=xxx,dc=gob,dc=ve (default) with scope subtree
    # filter: uid=bdteg01662
    # requesting: dn
    #

    # bdteg01662, users, accounts, xxx.gob.ve
    dn: uid=bdteg01662,cn=users,cn=accounts,dc=xxx,dc=gob,dc=ve

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

    real 0m0.006s
    user 0m0.001s
    sys 0m0.003s

    # time ldapsearch -Y GSSAPI uid=bdteg01662 dn
    SASL/GSSAPI authentication started
    SASL username: ad...@xxx.gob.ve
    SASL SSF: 56
    SASL data security layer installed.
    # extended LDIF
    #
    # LDAPv3
    # base dc=xxx,dc=gob,dc=ve (default) with scope subtree
    # filter: uid=bdteg01662
    # requesting: dn
    #

    # bdteg01662, users, accounts, xxx.gob.ve
    dn: uid=bdteg01662,cn=users,cn=accounts,dc=xxx,dc=gob,dc=ve

    # search result
    search: 4
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

    real 0m2.344s
    user 0m0.007s
    sys 0m0.005s

As a consequence of this all of the ipa commands run a bit slow. But the real slowdown is in the web interface, every search is terribly slow and any search that returns more than 4 or 5 entries never completes, it shows a dialogue that says just Unknown error.

In the dirsrv access logs I see that the search completes in a short time and the apache error log doesn't show any error whatsoever.

Note this is a test system, there are no other users of this server, and the compat plugin is disabled.
--
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.   http://www.lgs.com.ve
Tel: 0286 952.06.87   Cel: 0414 095.00.10   sip:1...@lgs.com.ve

If I'd asked my customers what they wanted, they'd have said a faster horse - Henry Ford
Re: [Freeipa-users] Slowdowns in freeIPA 2.2.0
On 07/13/2012 11:46 AM, Loris Santamaria wrote:
> I have this test server with 8.000 entries, recently upgraded from 2.1.3 to 2.2.0 and I'm seeing some big slowdowns and I would like to know where to look to debug them.
>
> The server is centos 6.3 with ipa-server-2.2.0-16.el6.x86_64 and 389-ds-base-1.2.10.2-20.el6_3.x86_64
>
> First of all in 2.2.0 ldapsearch with -Y GSSAPI is much slower than using plain authentication:

Hm. The only difference would be a new kerberos driver. Please take a look at the KDC logs and see what is going on there.

>     # time ldapsearch -x uid=bdteg01662 dn
>     # extended LDIF
>     #
>     # LDAPv3
>     # base dc=xxx,dc=gob,dc=ve (default) with scope subtree
>     # filter: uid=bdteg01662
>     # requesting: dn
>     #
>
>     # bdteg01662, users, accounts, xxx.gob.ve
>     dn: uid=bdteg01662,cn=users,cn=accounts,dc=xxx,dc=gob,dc=ve
>
>     # search result
>     search: 2
>     result: 0 Success
>
>     # numResponses: 2
>     # numEntries: 1
>
>     real 0m0.006s
>     user 0m0.001s
>     sys 0m0.003s
>
>     # time ldapsearch -Y GSSAPI uid=bdteg01662 dn
>     SASL/GSSAPI authentication started
>     SASL username: ad...@xxx.gob.ve
>     SASL SSF: 56
>     SASL data security layer installed.
>     # extended LDIF
>     #
>     # LDAPv3
>     # base dc=xxx,dc=gob,dc=ve (default) with scope subtree
>     # filter: uid=bdteg01662
>     # requesting: dn
>     #
>
>     # bdteg01662, users, accounts, xxx.gob.ve
>     dn: uid=bdteg01662,cn=users,cn=accounts,dc=xxx,dc=gob,dc=ve
>
>     # search result
>     search: 4
>     result: 0 Success
>
>     # numResponses: 2
>     # numEntries: 1
>
>     real 0m2.344s
>     user 0m0.007s
>     sys 0m0.005s
>
> As a consequence of this all of the ipa commands run a bit slow. But the real slowdown is in the web interface, every search is terribly slow and any search that returns more than 4 or 5 entries never completes, it shows a dialogue that says just Unknown error.
>
> In the dirsrv access logs I see that the search completes in a short time and the apache error log doesn't show any error whatsoever.
>
> Note this is a test system, there are no other users of this server, and the compat plugin is disabled.

IPA in 2.2 uses memcached and session caching so web UI should be faster than in earlier versions. I wonder if the version of the memcached is misbehaving on CentOS 6.3. Can you please provide more details on that front?

Look at the httpd logs. There might be something that would give you some hints about what is going on.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] BIND named.conf
On 07/13/2012 07:04 PM, Michael Mercier wrote:
> Hello,
>
> I am by no means an expert either, but I believe what you are recommending would forward requests for myzone.tld to the ip.of.forwarder1 etc.
>
> I want ipaserver1 to actually be a slave (do AXFR / IXFR -- hold all the data) of myzone.tld, and have ipaserver2 slave this data from ipaserver1.

The replicas in IPA do not need to be specially configured to be slaves of each other. They have the same data which is replicated by LDAP back end so it is not clear why you are trying to configure the replicas to be in master-slave relation.

> Thanks,
> Mike
>
> On 13-Jul-12, at 5:11 PM, KodaK wrote:
>> On Fri, Jul 13, 2012 at 3:13 PM, Michael Mercier mmerc...@gmail.com wrote:
>>> Hello,
>>>
>>> When using IPA 2.2.0 with DNS setup (--setup-dns), are there any issues with adding slaves to the named.conf file?
>>>
>>> example on ipaserver1:
>>>
>>>     zone "myzone.tld" {
>>>         type slave;
>>>         file "slave/myzone.db";
>>>         masters { u.x.y.z; w.x.y.z; };
>>>         allow-notify { u.x.y.z; w.x.y.z; };
>>>         also-notify { ipaserver2; };
>>>     };
>>
>> I'm no expert, but I think you'd want to use the command line option dnsconfig-mod:
>>
>>     ipa dnsconfig-mod --forwarder=ip.of.forwarder1;ip.of.forwarder2 myzone.tld
>>
>> --
>> The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] BIND named.conf
I will try to be more clear...

My IPA zone is named intranet.local running on ipaserver1 and ipaserver2. I have another zone (call it myzone.tld) hosted on some other systems. I would like ipaserver1 and ipaserver2 to both be a slave for this zone (not use a forwarder for the zone).

Considering that ipaserver1 and ipaserver2 use the dynamic-db entry in named.conf, is there anything that I should be concerned about if I were to add:

    zone "myzone.tld" {
        type slave;
        file "slave/myzone.db";
        masters { u.x.y.z; w.x.y.z; };
        allow-notify { u.x.y.z; w.x.y.z; };
        also-notify { ipaserver2; };
    };

to ipaserver1?

I had considered adding the zone via 'ipa dnszone-add ipaserver1.intranet.local' but I did not find anything specific in the documentation describing how to configure the new zone as a slave of another system. Also, the number of entries in the zone is large and there are many updates per day and I was uncertain of the type of performance I could expect.

Thanks,
Mike

On 13-Jul-12, at 7:10 PM, Dmitri Pal wrote:
> On 07/13/2012 07:04 PM, Michael Mercier wrote:
>> Hello,
>>
>> I am by no means an expert either, but I believe what you are recommending would forward requests for myzone.tld to the ip.of.forwarder1 etc.
>>
>> I want ipaserver1 to actually be a slave (do AXFR / IXFR -- hold all the data) of myzone.tld, and have ipaserver2 slave this data from ipaserver1.
>
> The replicas in IPA do not need to be specially configured to be slaves of each other. They have the same data which is replicated by LDAP back end so it is not clear why you are trying to configure the replicas to be in master-slave relation.
>
>> Thanks,
>> Mike
>>
>> On 13-Jul-12, at 5:11 PM, KodaK wrote:
>>> On Fri, Jul 13, 2012 at 3:13 PM, Michael Mercier mmerc...@gmail.com wrote:
>>>> Hello,
>>>>
>>>> When using IPA 2.2.0 with DNS setup (--setup-dns), are there any issues with adding slaves to the named.conf file?
>>>>
>>>> example on ipaserver1:
>>>>
>>>>     zone "myzone.tld" {
>>>>         type slave;
>>>>         file "slave/myzone.db";
>>>>         masters { u.x.y.z; w.x.y.z; };
>>>>         allow-notify { u.x.y.z; w.x.y.z; };
>>>>         also-notify { ipaserver2; };
>>>>     };
>>>
>>> I'm no expert, but I think you'd want to use the command line option dnsconfig-mod:
>>>
>>>     ipa dnsconfig-mod --forwarder=ip.of.forwarder1;ip.of.forwarder2 myzone.tld
>>>
>>> --
>>> The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/