I previously had tested FreeIPA running on a Raspberry Pi 3B+ and as long
as I didn't run the Dogtag server on it performance seemed acceptable for
the purpose. These are only being used as local DNS/LDAP/Krb5 replicas;
everything also runs on both physical x86_64 and VM x86_64 servers as well
in more than one location.

However, now that I'm trying to set up Pis for actual use (previously had
set up a test environment to validate using them) I'm running into major
performance issues once certmonger starts. Using a systemd timer to delay
start until everything else starts at least lets everything else FreeIPA
related start up and work, but once certmonger starts it still hammers the
system using tons of memory and causing lots of swapping.

Is there any reason for it to spawn so many processes all at once, versus
doing them in a more serial fashion? And did something change in
FreeIPA/certmonger behavior in the last year that would cause such a
performance regression in memory limited scenarios? Previously I just had
zram swap and it was fine, now I have to replace that with actual swap on
storage.

Also, there are currently no certs needing renewal or anything on this
system, so why does it even spawn so many processes?

root 1699 1 0 03:55 ? 00:00:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
root 1720 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1721 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1722 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1723 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1724 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1725 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1726 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1727 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1742 1699 0 03:55 ? 00:00:00 /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
root 1759 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1761 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1762 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1763 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1764 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1765 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1767 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1768 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1769 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1770 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1771 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1772 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1773 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1774 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1775 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1776 1699 0 03:57 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing

Eventually these complete and things settle down but it takes a very long
time, and without delaying certmonger until after the rest of FreeIPA it
can cause various IPA services to take so long that they die and fail to
start.