On 08/05/2013 09:17 PM, John Moyer wrote:
Hello,
So I've been preparing my infrastructure for a big change from an
older openldap system to a nice new IPA server. I have a redundant
secondary server and snapshots taken daily. I populated all my user
data into IPA, and gave the users a week to set a password. They all
did this and the big switch was this past weekend. We had done
previous tests on each server and it all worked. We switched this
past weekend and it worked great.
This morning a light load hit it (since I've only put a small fraction
of our servers on it about 15) and the primary came to it's knees.
What platform? What version of ipa? What version of 389-ds-base?
What was the nature of the load? Search requests? Update requests?
Updates from replication?
The logconv.pl tool can be used to analyze the 389-ds-base access logs.
During this time of the load, are there any errors in the errors log?
Processor spiked, and logs started to fill (didn't fill at this point).
I'm not sure what you mean by "logs started to fill (didn't fill at this
point)."
I then decided it's probably a glitch (I'm an optimist) so I
restarted IPA services. They all restarted except for named which
crashed (which then caused everything to stop). I looked and now the
disk was full.
Which directory contained the files that caused the disk to become
full? /var/log? /var/lib? Somewhere else?
So I trash the logs (had no easy place to put them at the time which I
regret now) and I restart the services again.
What do you mean by "trash the logs"?
IPA fully crashes now (didn't even start the DIRSRV for my domain).
Which component of IPA is crashing? If it is dirsrv that is refusing to
start, is it crashing? What's in /var/log/dirsrv/slapd-*/errors?
If it is crashing, we will need a core file and/or stack trace - see
http://port389.org/wiki/FAQ#Debugging_Crashes
So here are my questions:
1. Any idea what caused this? Any performance issues that have been
seen?
It could be almost anything given the above information.
2. Are the connection settings for IPA good out of the box? I ask
because in RHDS (in the first versions I used) the default connection
timeouts were a MAJOR issue,
How so? Details?
I used to run a network of 400 servers and I had to set the time-outs
to >30sec which made my servers run really really well,
Exactly which timeout settings are you talking about?
but if I used the 60 min defaults they also would come to their knees.
Is there a buried setting like this? (However, I must admit there
didn't seem like there were a lot of connections like when I had the
issue with the 400 servers years ago).
Also is there an easy place to set log rotation settings? (If it's
log rotate just let me know, I just don't want to step on an internal
app rotate).
IPA does not provide a GUI nor a command line utility for managing 389
logging settings.
This document gives an example of how logs are managed using the RHDS
GUI (not available when using IPA).
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Monitoring_Server_and_Database_Activity.html#types-of-log-files
However, all of these correspond to settings which you can set via
ldapmodify:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnconfig-nsslapd_accesslog_logexpirationtime_Access_Log_Expiration_Time
There are several attributes which control access log rotation parameters.
Thanks,
_____________________________________________________
John Moyer
Director, IT Operations
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
