Hello people
Could I have advice how to debug why slapd on ipa server is constantly using 15-30% cpu.. this behaviour started on ca master after successful migration from rhel7 to latest rhel 8.9.
There were no problems during migration, there were only 2 ipa nodes to upgrade. Immediately after upgrade everything was fine but after 24 hours ipa server that is also ca master, started using cpu more way more than second ipa server. All ipa related operations and commands are slow but work. Error log for dirsrv is clean. I used crontab to run ipa-backup during night and that is only operation that has happened after migration.
I dont have deeper knowledge about ipa nor ldap so I thought that perhaps fresh replica from second ipa server could help, it didnt. I used ipa-replica-manage re-initialize from other node, no errors with that one but didnt do any good.
After this I tried ipa-replica-manage list-ruv but I am not sure how to interpret result:
[root@ipa user]# ipa-replica-manage list-ruv Directory Manager password:
Replica Update Vectors: primary.ipa.server:389: 30 secondary.ipa.server:389: 28 primary.ipa.server:389: 26 Certificate Server Replica Update Vectors: primary.ipa.server:389: 31 secondary.ipa.server:389: 29 primary.ipa.server:389: 24 primary.ipa.server:389: 23 primary.ipa.server:389: 22 primary.ipa.server:389: 21 primary.ipa.server:389: 18 primary.ipa.server:389: 17 primary.ipa.server:389: 16 [root@ipa user]#
This ipa service setup is old and has had many migrations over the time, starting from rhel6. Does this output mean there are duplicate & obsolete replication agreements? Could this be the reason why slapd is using so much cpu?
Any help is appreciated! Risto
risto hartikainen via FreeIPA-users wrote:
Hello people
Could I have advice how to debug why slapd on ipa server is constantly using 15-30% cpu.. this behaviour started on ca master after successful migration from rhel7 to latest rhel 8.9.
There were no problems during migration, there were only 2 ipa nodes to upgrade. Immediately after upgrade everything was fine but after 24 hours ipa server that is also ca master, started using cpu more way more than second ipa server. All ipa related operations and commands are slow but work. Error log for dirsrv is clean. I used crontab to run ipa-backup during night and that is only operation that has happened after migration.
I dont have deeper knowledge about ipa nor ldap so I thought that perhaps fresh replica from second ipa server could help, it didnt. I used ipa-replica-manage re-initialize from other node, no errors with that one but didnt do any good.
After this I tried ipa-replica-manage list-ruv but I am not sure how to interpret result:
[root@ipa user]# ipa-replica-manage list-ruv Directory Manager password:
Replica Update Vectors: primary.ipa.server:389: 30 secondary.ipa.server:389: 28 primary.ipa.server:389: 26 Certificate Server Replica Update Vectors: primary.ipa.server:389: 31 secondary.ipa.server:389: 29 primary.ipa.server:389: 24 primary.ipa.server:389: 23 primary.ipa.server:389: 22 primary.ipa.server:389: 21 primary.ipa.server:389: 18 primary.ipa.server:389: 17 primary.ipa.server:389: 16 [root@ipa user]#
This ipa service setup is old and has had many migrations over the time, starting from rhel6. Does this output mean there are duplicate & obsolete replication agreements? Could this be the reason why slapd is using so much cpu?
Any help is appreciated!
ipa-replica-manage clean-dangling-ruv will remove any unnecessary (dangling) RUVs.
The most common cause for them was domail-level 0 installs that were removed. Since this dates back to RHEL 6 that's very possible.
I don't know that this accounts for all the CPU usage.
rob
Thanks Rob for the tip, cpu load dropped to ~normal after cleaning obsolete RUVs.
Risto
On Fri, May 3, 2024, 15:37 Rob Crittenden rcritten@redhat.com wrote:
risto hartikainen via FreeIPA-users wrote:
Hello people
Could I have advice how to debug why slapd on ipa server is constantly
using 15-30% cpu.. this behaviour started on ca master after successful migration from rhel7 to latest rhel 8.9.
There were no problems during migration, there were only 2 ipa nodes to
upgrade. Immediately after upgrade everything was fine but after 24 hours ipa server that is also ca master, started using cpu more way more than second ipa server. All ipa related operations and commands are slow but work. Error log for dirsrv is clean. I used crontab to run ipa-backup during night and that is only operation that has happened after migration.
I dont have deeper knowledge about ipa nor ldap so I thought that
perhaps fresh replica from second ipa server could help, it didnt. I used ipa-replica-manage re-initialize from other node, no errors with that one but didnt do any good.
After this I tried ipa-replica-manage list-ruv but I am not sure how to
interpret result:
[root@ipa user]# ipa-replica-manage list-ruv Directory Manager password:
Replica Update Vectors: primary.ipa.server:389: 30 secondary.ipa.server:389: 28 primary.ipa.server:389: 26 Certificate Server Replica Update Vectors: primary.ipa.server:389: 31 secondary.ipa.server:389: 29 primary.ipa.server:389: 24 primary.ipa.server:389: 23 primary.ipa.server:389: 22 primary.ipa.server:389: 21 primary.ipa.server:389: 18 primary.ipa.server:389: 17 primary.ipa.server:389: 16 [root@ipa user]#
This ipa service setup is old and has had many migrations over the time,
starting from rhel6. Does this output mean there are duplicate & obsolete replication agreements? Could this be the reason why slapd is using so much cpu?
Any help is appreciated!
ipa-replica-manage clean-dangling-ruv will remove any unnecessary (dangling) RUVs.
The most common cause for them was domail-level 0 installs that were removed. Since this dates back to RHEL 6 that's very possible.
I don't know that this accounts for all the CPU usage.
rob
freeipa-users@lists.fedorahosted.org