Re: [Freeipa-users] ipa_server and ipa_backup_server failover time

2017-01-10 Thread Matrix
-- Original --
From:  "Jakub Hrozek";<jhro...@redhat.com>;
Date:  Mon, Jan 9, 2017 07:04 PM
To:  "Matrix"<matrix...@qq.com>; 
Cc:  "freeipa-users"<freeipa-users@redhat.com>; 
Subject:  Re: [Freeipa-users] ipa_server and ipa_backup_server failover time



(please keep CC-ing the list..)

On Mon, Jan 09, 2017 at 04:39:04PM +0800, Matrix wrote:
> Sorry, I did not trigger authentication at all, just checked the sssd logs. 
> Around 15 minutes later, I saw the messages below:
> 
> (Mon Jan  9 01:46:35 2017) [sssd[be[fwmrm.net]]] [fo_set_port_status] 
> (0x0100): Marking port 0 of server 'ipa02.example.com' as 'working'
> 
> Re-checking it with authentication, failover will happen immediately. 

Yes, then that is expected, the identity lookup was probably answered from
the cache.

> 
> >> No, sorry, the timeouts for switching between back up and primary
> >> servers are hardcoded.
> 
> May I know how long it will take for worst case? 

> Seems to be 30 minutes:
>
> https://github.com/SSSD/sssd/blob/master/src/providers/data_provider_fo.c#L49

It should be 30 seconds? 30 min is too long, and in the man page it has been 
explained as 30 seconds.

Matrix

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa_server and ipa_backup_server failover time

2017-01-09 Thread Jakub Hrozek
(please keep CC-ing the list..)

On Mon, Jan 09, 2017 at 04:39:04PM +0800, Matrix wrote:
> Sorry, I did not trigger authentication at all, just checked the sssd logs. 
> Around 15 minutes later, I saw the messages below:
> 
> (Mon Jan  9 01:46:35 2017) [sssd[be[fwmrm.net]]] [fo_set_port_status] 
> (0x0100): Marking port 0 of server 'ipa02.example.com' as 'working'
> 
> Re-checking it with authentication, failover will happen immediately. 

Yes, then that is expected, the identity lookup was probably answered from
the cache.

> 
> >> No, sorry, the timeouts for switching between back up and primary
> >> servers are hardcoded.
> 
> May I know how long it will take for worst case? 

Seems to be 30 minutes:

https://github.com/SSSD/sssd/blob/master/src/providers/data_provider_fo.c#L49



[Freeipa-users] ipa_server and ipa_backup_server failover time

2017-01-08 Thread Matrix
Hi, all


The purpose of this email is to know more about the IPA server failover timeout. 


Env: 
# rpm -qa | grep sssd
sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
python-sssdconfig-1.13.0-40.el7_2.12.noarch
sssd-ipa-1.13.0-40.el7_2.12.x86_64
sssd-client-1.13.0-40.el7_2.12.x86_64
sssd-ad-1.13.0-40.el7_2.12.x86_64
sssd-proxy-1.13.0-40.el7_2.12.x86_64
sssd-common-pac-1.13.0-40.el7_2.12.x86_64
sssd-ldap-1.13.0-40.el7_2.12.x86_64
sssd-krb5-1.13.0-40.el7_2.12.x86_64
sssd-common-1.13.0-40.el7_2.12.x86_64
sssd-1.13.0-40.el7_2.12.x86_64



base config:
# cat /etc/sssd/sssd.conf
[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = spare01.example.com
chpass_provider = ipa

debug_level = 4
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = example.com



Situation A: both Server A and Server B have been configured in 'ipa_server'
ipa_server = ipa01.example.com, ipa02.example.com


Once the ipa01 IPA service failed, id lookup/auth failed over to ipa02 
around 15 minutes later. It should be controlled by 
'ldap_connection_expire_timeout', with a default value of 900 seconds. I have 
proved it by changing it to 300 seconds. 


But if ipa01 was brought back, id lookup/auth will not go back to ipa01. Is it 
expected? 


Situation B: Server A has been configured as 'ipa_server', and Server B 
configured as 'ipa_backup_server'
ipa_server = ipa01.example.com
ipa_backup_server = ipa02.example.com



Once the ipa01 IPA service failed, id lookup/auth failed over to ipa02 some 
minutes later. I have tried 2 times; the failover time is around 10 to 15 minutes.


Is it possible to control it more accurately? How? Are there any parameters I can try? 


Best Regards


Matrix
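As an added example (not code from this thread or from the SSSD project), the following Python script measures the failover time the original post describes by pairing fo_set_port_status 'not working' and 'working' marks in the sssd domain log. The 'working' line is the one quoted in the thread; the other sample lines, their timestamps and the domain name are constructed to match that format.

```python
import re
from datetime import datetime

# Shape of the fo_set_port_status lines quoted in this thread (debug_level 4 or higher).
LINE_RE = re.compile(
    r"^\((?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\) "
    r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[fo_set_port_status\] \(0x[0-9a-f]+\): "
    r"Marking port (?P<port>\d+) of server '(?P<server>[^']+)' as '(?P<status>[^']+)'$"
)

# Constructed sample: the 'working' line is the one quoted in the thread; the
# 'not working' line before it and the unrelated line after it are made up.
SAMPLE_LOG = """\
(Mon Jan  9 01:31:20 2017) [sssd[be[fwmrm.net]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa01.example.com' as 'not working'
(Mon Jan  9 01:46:35 2017) [sssd[be[fwmrm.net]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa02.example.com' as 'working'
(Mon Jan  9 01:46:36 2017) [sssd[be[fwmrm.net]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
"""

def parse_line(line):
    """Return a dict for a fo_set_port_status line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "domain": m.group("domain"), "port": int(m.group("port")),
            "server": m.group("server"), "status": m.group("status")}

def failover_events(lines):
    """Pair each 'not working' mark with the next 'working' mark and return
    (kind, when, from_server, to_server, seconds); kind is 'failover' or 'recovery'."""
    events = []
    down = None  # (timestamp, server) of the outage still waiting for a 'working' mark
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["status"] == "not working":
            down = (ev["ts"], ev["server"])
        elif ev["status"] == "working" and down is not None:
            kind = "recovery" if ev["server"] == down[1] else "failover"
            events.append((kind, ev["ts"], down[1], ev["server"],
                           (ev["ts"] - down[0]).total_seconds()))
            down = None
    return events

if __name__ == "__main__":
    for kind, when, src, dst, secs in failover_events(SAMPLE_LOG.splitlines()):
        print(f"{when:%Y-%m-%d %H:%M:%S} {kind}: {src} -> {dst} after {secs:.0f} s")
```

Running it over a real /var/log/sssd/sssd_<domain>.log gives the observed failover delay to compare against ldap_connection_expire_timeout.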