LinuxQuestions.org


tchen003 12-27-2020 08:44 PM

Slowness after install FreeIPA on CentOS7
 
I followed the guide below to install FreeIPA.

Question 1: The install failed at the stage below. I have already turned off the firewall and SELinux. Any advice on why the request to the CA got no response?

Code:

  [12/30]: requesting RA certificate from CA
  [error] RuntimeError: request timed out
ipapython.admintool: ERROR    request timed out
ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
Killed
[root@ipa ~]#

Question 2: My server is becoming very slow. It takes 5 seconds to print out the current time. Any advice?

Code:

[root@ipa ~]# time date
Sun Dec 27 20:20:03 EST 2020

real    0m5.143s
user    0m0.000s
sys    0m0.009s
[root@ipa ~]#

Reference: https://medium.com/@iced_burn/instal...s-7-9dd7d3d611

berndbausch 12-28-2020 02:06 AM

Quote:

Originally Posted by tchen003 (Post 6200679)
Question 1: The install failed at the stage below. I have already turned off the firewall and SELinux. Any advice on why the request to the CA got no response?

See /var/log/ipaserver-install.log for more information.

Quote:

Question 2: My server is becoming very slow. It takes 5 seconds to print out the current time. Any advice?

I would start with strace to find out which system call(s) are likely at the root of this behaviour.

The five seconds look suspiciously like the five seconds it takes to get an SSH shell prompt when DNS resolution is not set up correctly, but I can't come up with a good reason for date to use DNS. On the other hand, bad DNS configuration might well cause the CA access to fail; however, this is pure speculation. Therefore check the log (which is what you should do in all troubleshooting scenarios - that's what logs are for).

bgstack15 01-02-2021 06:27 PM

Agreed on the DNS resolution issue. Although in my experience, it doesn't even have to be ssh. It could be the system trying to look itself up. So, for example, if your hostname is "ipa," then it's possible that /etc/hosts was munged, as well as /etc/resolv.conf, so that all listed resolvers, and the /etc/hosts entry, for "ipa" (unqualified) fail to return any value, or return a bad value.

In a (Kerberos) domain situation such as FreeIPA or Active Directory, a Linux system really should get back its public IP address, and not loopback, as the IP address for its own hostname. I had to hard-code these values into /etc/hosts in one of my environments, because DNS sucked (don't ask). That is, for host server12345vm, I put into /etc/hosts the string "192.168.11.5 server12345vm.example.com server12345vm" where 192.168.11.5 was my public (relatively speaking) IP address.
If I had put "127.0.0.1 server12345vm.example.com", which is the default, into /etc/hosts, then my Kerberos auth would not work.
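
The self-resolution point in the post above can be checked mechanically. The script below is an added example, not part of the thread or of FreeIPA: it reads an /etc/hosts-style file and reports whether a host's own name maps to loopback. The function names are hypothetical, and the sample files are constructed from the host name and address quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): does a host's own name map to loopback
# in an /etc/hosts-style file? Function names are hypothetical.

# addrs_for FILE NAME: print every address whose line lists NAME (case-insensitive).
addrs_for() {
    awk -v name="$2" '
        { sub(/#.*/, "") }            # drop comments, including whole-line ones
        NF < 2 { next }               # blank or address-only line
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(name)) { print $1; break } }' "$1"
}

# check_self_resolution FILE NAME
#   0: NAME maps only to non-loopback addresses
#   1: NAME maps to loopback (127.0.0.0/8 or ::1) on at least one line
#   2: NAME is not in FILE, so the lookup falls through to the next
#      configured source (typically DNS)
check_self_resolution() {
    addrs=$(addrs_for "$1" "$2")
    if [ -z "$addrs" ]; then
        echo "$2: no entry in $1, lookup falls through to DNS"
        return 2
    fi
    for a in $addrs; do
        case "$a" in
            127.*|::1) echo "$2 -> $a (loopback) in $1"; return 1 ;;
        esac
    done
    echo "$2 -> $(echo $addrs) in $1"
    return 0
}

# Constructed sample files; the host name and address are the ones quoted in the post.
demo_dir=$(mktemp -d)
printf '%s\n' '127.0.0.1 localhost' \
    '127.0.0.1 server12345vm.example.com server12345vm' > "$demo_dir/default"
printf '%s\n' '127.0.0.1 localhost' \
    '192.168.11.5 server12345vm.example.com server12345vm  # pinned' > "$demo_dir/pinned"

check_self_resolution "$demo_dir/default" server12345vm.example.com || true
check_self_resolution "$demo_dir/pinned"  server12345vm.example.com || true
```

On a live host, point it at /etc/hosts with the fully qualified name given to ipa-server-install, and compare with `getent hosts <fqdn>`, which shows what the configured resolver chain actually returns.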

