I am trying to learn more about FreeIPA, so I would like to go through https://github.com/freeipa/freeipa-workshop I don't have any additional hardware, so I decided to use stacked virtual machines inside of one large VM on my workstation. Originally I thought that the host VM (named borsalino, because it has Fedora installed) would be “large” with 2GB RAM and there would be three 512 MB subVMs; after all official Red Hat documentation claims that 512 MB RAM is enough for the RHEL-7 installation from the local ISO image. After struggling for two days with this lie and some other issues, I finally learned that 1 GB RAM is really the minimum for any RHEL-7 these days.
After finally installing three VMs 1 GB each, and installing all prerequisits according to building (unfortunately, Vagrant image ftweedal/freeipa-workshop doesn’t seem to exist anymore), I got the system of three subVMs working. So, I run sudo ipa-server-install --no-host-dns --mkhomedir and answered all questions according to Unit 1. Result was (after long long time, hour or so) failure with the attached log.
ftweedal/freeipa-workshop
sudo ipa-server-install --no-host-dns --mkhomedir
When I upgraded the server VM to 2 GB RAM, the result was even more fascinating. After cleaning up the system (with sudo ipa-server-install -U --uninstall), I tried again, and after similarly long time (hour or more), when the system was most of the time on 100 % CPU and load average was well above 15, the system failed again (another log attached), but at least fifteen minutes after that the system was still unresponsive with top showing long line of running processes related to dogtail (see the screenshot of top) all keeping VM in the similarly unresponsive state.
sudo ipa-server-install -U --uninstall
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed package freeipa-client is not installed ipa-server-4.5.0-22.el7.centos.x86_64 ipa-client-4.5.0-22.el7.centos.x86_64 389-ds-base-1.3.6.1-26.el7_4.x86_64 pki-ca-10.4.1-17.el7_4.noarch krb5-server-1.15.1-8.el7.x86_64
see attached logs and screenshots <img alt="ipaserver-install-1GB.log" src="/freeipa/issue/raw/6fbe5c2591af95aaa02d968bb64356f7f161e7171fb46fbc8307aef3ac19b54b-ipaserver-install-1GB.log" />
https://mcepl.fedorapeople.org/tmp/ipaserver-install-1GB.log
https://mcepl.fedorapeople.org/tmp/ipaserver-install-2GB.log
https://mcepl.fedorapeople.org/tmp/freeipa-top.png
Sorry, I don't see what you are trying to claim with this issue with regards to FreeIPA. Official RHEL IdM documentation at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa#server-hw-recomendations explains some hardware requirements from the LDAP server point of view. They are very conservative and recommend 3GB RAM at least per IPA master. In practice, our test configurations work with few dozen users with 1.5GB RAM per instance. The majority of RAM is taken by Dogtag CA, not LDAP server, though.
Your description of what you went through does not seem to contradict what documentation for RHEL IdM suggests. In addition, I think that freeipa-users@ mailing list would be a better venue to discuss.
I'm trying to understand what you are suggesting us to fix here, feel free to comment more but as I don't see a particular issue in what is documented versus what you experienced, should we close this ticket?
I agree with Alexander. The issue tracker is the wrong place to discuss your installation problems. The freeipa users mailing list is a better suited for it.
By the way, in the past I was able to get IPA 4.5 working on a VM with about 1.5 GB but I had to modify some configs to reduce memory consumption of Dogtag and 389-DS.
I asked him to open it to track the 20 or so certmonger invocations in the attached image of top.
Besides, I have now reproduced the same problem with the virtual machine having (according to free -h) 3.6 GB RAM. Still not enough?
free -h
@mcepl, could you please make it clearer what the problem is?
I'm sorry but I don't really get what you are claiming the problem is. Is your problem that certmonger has multiple certificates to track and has to start multiple handlers (it does it in parallel) and they all wait for the corresponding CAs to respond?
This bug description is really asking for a clarity.
I cannot reproduce the problem. I just installed FreeIPA 4.6. on a Fedora 27 VM with 2 CPU cores and 2 GB of RAM. It took about 10 minutes to install a master with CA and KRA and DNS server including DNSSEC.
# rpm -qa freeipa-server freeipa-server-4.6.1-3.fc27.x86_64 # free -m total used free shared buff/cache available Mem: 1995 896 284 0 814 872 Swap: 63 0 63 # cat /proc/cpuinfo ... processor : 1 vendor_id : GenuineIntel cpu family : 6 model : 42 model name : Intel Xeon E312xx (Sandy Bridge) stepping : 1 microcode : 0x1 cpu MHz : 2199.998 cache size : 4096 KB ...
@abbra My problem is that even with 3.6G large virtual machine, I don't have running FreeIPA instance. Just uploading whole compressed image of VM to barstool, but it will take another ten hours (at least) to get there.
Yes, it is possible that too many child processes of certmonger are the cause, maybe not, and yes perhaps I am stupid (most likely), but I was asked to file this bug. And yes, perhaps, I should ask for advice on the email list, but I asked on IRC and this is the result, and I am not sure what's worse about IRC over email.
@mcepl got you now. Sorry, since there was no subcontext for this issue filed, it looked like a rant which definitely belongs to a different medium. Let's see if we can get something out of your VM image.
@abbra and yes, it was a bit ranty. I am sorry. I have been struggling with this for the last three days (and I was supposed to do something else in the last two of them), so I am bit frustrated. Not your fault, and I shouldn't vent my frustration on y'all.
The image of VM in question was provided privately in ${internal_home of mcepl}/ipa-virtual
An option may be to use python-psutils to detect a machine that doesn't meet minimal specifications and abort in advance of the installation.
Login to comment on this ticket.