I previously had tested FreeIPA running on a Raspberry Pi 3B+ and as long as I didn't run the Dogtag server on it performance seemed acceptable for the purpose. These are only being used as local DNS/LDAP/Krb5 replicas, everything also runs on both physical x86_64 and VM x86_64 servers as well in more than one location.

However now that I'm trying to set up Pis for actual use (previously had set up a test environment to validate using them) I'm running into major performance issues once certmonger starts. Using a systemd timer to delay start until everything else starts at least lets everything else FreeIPA related start up and work, but once certmonger starts it still hammers the system using tons of memory and causing lots of swapping.

Is there any reason for it to spawn so many processes all at once, versus doing them in a more serial fashion? And did something change in FreeIPA/certmonger behavior in the last year that would cause such a performance regression in memory limited scenarios? Previously I just had zram swap and it was fine, now I have to replace that with actual swap on storage.

Also, there's currently no certs needing renewal or anything on this system, so why does it even spawn so many processes ? 

root      1699     1  0 03:55 ?        00:00:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
root      1720  1699  0 03:55 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root      1721  1699  0 03:55 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root      1722  1699  0 03:55 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root      1723  1699  0 03:55 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root      1724  1699  0 03:55 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root      1725  1699  0 03:55 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root      1726  1699  0 03:55 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root      1727  1699  0 03:55 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root      1742  1699  0 03:55 ?        00:00:00 /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
root      1759  1699  0 03:56 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root      1761  1699  0 03:56 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root      1762  1699  0 03:56 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root      1763  1699  0 03:56 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root      1764  1699  0 03:56 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root      1765  1699  0 03:56 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root      1767  1699  0 03:56 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root      1768  1699  0 03:56 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root      1769  1699  0 03:56 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root      1770  1699  0 03:56 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root      1771  1699  0 03:56 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root      1772  1699  0 03:56 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root      1773  1699  0 03:56 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root      1774  1699  0 03:56 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root      1775  1699  0 03:56 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root      1776  1699  0 03:57 ?        00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing

Eventually these complete and things settle down but it takes a very long time, and without delaying certmonger until after the rest of FreeIPA it can cause various IPA services to take so long that they die and fail to start.