On Mon, 14 Mar 2016, Daryl Fonseca-Holt wrote:
Hello Thierry,

In searching for a way to slow down the start of kadmind I discovered that the prepare-replica install-replica process was modifying /etc/sysconfig/krb5kdc to this:
 KRB5KDC_ARGS='-w 64'
 KRB5REALM=UOFMT1
 KRB5KDC_ARGS='-w 64'
during the configuration of krb5kdc. Prior to that the file only contained:
 KRB5KDC_ARGS=

I paused the replica-install as soon as this change appeared, made KRB5KDC_ARGS null, then resumed. The replica-install completed without error.

Here's where it gets a bit odd. That value was, at one time, used on the master where the prepare-replica was done but has not been in /etc/sysconfig/krb5kdc for a long time. How is it being propagated from the master to the new replica?

Is there some way to decrypt the replica file copied from the master to the replica after the replica-prepare to confirm that is where the value is coming from? Or is it being calculated on the replica? And why does it appear twice?

64 is the number of cores on the master and replica hosts. At one time I adjusted /etc/sysconfig/krb5kdc on the master so there would be one krb5kdc daemon process for each core but later decided to wait until stress testing showed that it was actually useful. I observed that starting that many instances of krb5kdc did stress the dirsrv instance for a little while during an ipactl restart.

I think this value is not in the replica file. This is part of the
configuration of the Kerberos KDC
(ipaserver/krbinstance.py, see KrbInstance.__configure_instance())
and it is based on the value of 'getconf _NPROCESSORS_ONLN'.

When a replica is being installed, the installer will call
KrbInstance.create_replica() and that one will call
__configure_instance(), thus setting KRB5KDC_ARGS to '-w <_NPROCESSORS_ONLN>'.
--
/ Alexander Bokovoy
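
One way to check on a replica whether the worker count in /etc/sysconfig/krb5kdc is the locally computed CPU count, as the reply above describes, and whether the assignment is duplicated. This is an added example, not FreeIPA code and not part of either message; the function names are hypothetical and the sample file is constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example: inspect KRB5KDC_ARGS in a krb5kdc sysconfig file.
# Function names are hypothetical; nothing here is taken from FreeIPA.

# Print the -w value from the LAST KRB5KDC_ARGS assignment in file $1.
# A later assignment replaces an earlier one, so the last line is the
# effective one. Prints nothing if the value is empty or has no -w.
kdc_effective_workers() {
    sed -n 's/^[[:space:]]*KRB5KDC_ARGS=//p' "$1" | tail -n 1 |
        tr -d "'\"" | sed -n 's/.*-w[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Summarise file $1. $2 optionally overrides the CPU count (for testing);
# by default it comes from the same getconf variable the reply names.
kdc_check() {
    file=$1
    cpus=${2:-$(getconf _NPROCESSORS_ONLN)}
    count=$(grep -c '^[[:space:]]*KRB5KDC_ARGS=' "$file" || true)
    workers=$(kdc_effective_workers "$file")
    if [ -z "$workers" ]; then
        verdict=unset
    elif [ "$workers" = "$cpus" ]; then
        verdict=matches-cpu-count      # consistent with a locally computed value
    else
        verdict=differs-from-cpu-count # set by hand or computed on another host
    fi
    echo "assignments=$count workers=${workers:-none} cpus=$cpus verdict=$verdict"
}

# Demo on a constructed copy of the file contents quoted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
KRB5KDC_ARGS='-w 64'
KRB5REALM=UOFMT1
KRB5KDC_ARGS='-w 64'
EOF
kdc_check "$sample" 64   # pretend the host has 64 online CPUs
kdc_check "$sample"      # compare against this machine's real CPU count
rm -f "$sample"
```

On a real replica, run `kdc_check /etc/sysconfig/krb5kdc`; a `matches-cpu-count` verdict is consistent with the value having been computed locally rather than copied from the master.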

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project