Re: 389-users Digest, Vol 126, Issue 2, in reply to: "passwordless sudo"

Hi,
As for sudo <-> LDAP, or sudo <-> SSSD <-> LDAP, I think this is a good read:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html


cheers!

--
*Karel Lang*
*Unix/Linux Administration*
lang@xxxxxx | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz


On 11/03/2015 01:00 PM, 389-users-request@xxxxxxxxxxxxxxxxxxxxxxx wrote:

Today's Topics:

    1. Re: DS crashed /killed by OS (Mark Reynolds)
    2. Re: Passwordless sudo - is it possible? (Todor Petkov)
    3. Re: Passwordless sudo - is it possible? (Alan Willis)
    4. Re: Passwordless sudo - is it possible? (Gordon Messmer)


----------------------------------------------------------------------

Message: 1
Date: Mon, 2 Nov 2015 09:52:27 -0500
From: Mark Reynolds <mareynol@xxxxxxxxxx>
To: firstyear@xxxxxxxxxx, "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: Re:  DS crashed /killed by OS
Message-ID: <563778AB.6020603@xxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"; Format="flowed"



On 11/01/2015 08:50 PM, William Brown wrote:
On Thu, 2015-10-22 at 17:48 +0000, Fong, Trevor wrote:
Hi German,

Thanks for your suggestion.  I'm happy to confirm that setting
userRoot's nsslapd-cachememsize: 429496730 (1/15th of previous value
of 6 GB) has addressed the memory issue for now, and % Mem for the
ns-slapd process seems to be at a manageable level.

Thanks very much,
Trev



As I understand it, the fragmentation is due to the use of fastbins.
See man mallopt M_MXFAST for an explanation.

You may be able to reduce fragmentation with the setting
nsslapd-malloc-mxfast, but you may see a (potentially severe) degradation in
performance. As I understand, the value is by default 64 on a 32-bit
system, and 128 on a 64-bit one, so perhaps try reducing it by half and
see if that helps.

I'm not sure if this is a supported option either, so you may not wish
to enable it. You should always try changes like this on a
non-production system first.
Well, we have not seen any significant improvement modifying the fast
bins (M_MXFAST).  So while it can slightly reduce fragmentation,
unfortunately it's not really a solution.  Now, using a different memory
allocator, like jemalloc, has shown significant improvements in memory
size/fragmentation.  Check out:

http://www.port389.org/docs/389ds/FAQ/jemalloc-testing.html

The only issue is that jemalloc is not available on all platforms
yet (especially older versions of RHEL/Fedora).

Mark

Alternatively, you can set the cachemem to autosize with
nsslapd-cache-autosize=50 or something like that. This way the cache will use only
50% of the free RAM on the system. I believe this value is determined
at server start-up, rather than being constantly adjusted through the
lifetime of the process.

Remember that, with the caching, there is some good material in the
tuning guide which may help you understand the correct values you
should set for your cache sizes based on the number of entries you
have.

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Performance_Tuning_Guide/index.html

As Germane said, there is work to reduce the impact of memory
fragmentation on process memory size, so these are hopefully temporary
solutions.

-
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane



--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users


------------------------------

Message: 2
Date: Mon, 02 Nov 2015 17:02:47 +0200
From: Todor Petkov <zakk@xxxxxxxxx>
To: firstyear@xxxxxxxxxx, "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: Re:  Passwordless sudo - is it possible?
Message-ID: <8b524973ea5bde440927c4a6997f52da@xxxxxxxxx>
Content-Type: text/plain; charset=US-ASCII; format=flowed

On 02/11/2015 10:20 AM, Todor Petkov wrote:


Hello,

my bad, I meant that I have added the line in sudoers, but it was not
working.

However, I have added the user as "uniquemember" of the group, not
just "gidNumber" and it's OK now.

Thanks.


Hi,

small update:

When the group is with NOPASSWD:ALL, it's not working.
If the user has a specific record, it's OK.

I can change the sudoers record with pssh, but if someone can give a
hint how to make the group record working, I will appreciate it.

Regards,



------------------------------

Message: 3
Date: Mon, 2 Nov 2015 07:54:33 -0800
From: Alan Willis <alwillis@xxxxxxxxxxxxx>
To: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
Cc: firstyear@xxxxxxxxxx
Subject: Re:  Passwordless sudo - is it possible?
Message-ID: <CAAw=1wPi5f98WQbWb5sx0VV4QypycqcAX-zZ_gckDxmoc=szRA@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

To get NOPASSWD behavior when using ldap to distribute your sudo records,
you need to add a sudo options attribute to the sudo rule in ldap to negate
the default authentication requirement.

From http://www.sudo.ws/man/1.8.13/sudoers.man.html

authenticate:

If set, users must authenticate themselves via a password (or other means
of authentication) before they may run commands. This default may be
overridden via the PASSWD and NOPASSWD tags. This flag is on by default.

To negate it, place a '!' in front of it as the value to a sudo options
attribute in ldap.

On Mon, Nov 2, 2015 at 7:02 AM, Todor Petkov <zakk@xxxxxxxxx> wrote:

On 02/11/2015 10:20 AM, Todor Petkov wrote:


Hello,

my bad, I meant that I have added the line in sudoers, but it was not
working.

However, I have added the user as "uniquemember" of the group, not
just "gidNumber" and it's OK now.

Thanks.



Hi,

small update:

When the group is with NOPASSWD:ALL, it's not working.
If the user has a specific record, it's OK.

I can change the sudoers record with pssh, but if someone can give a hint
how to make the group record working, I will appreciate it.

Regards,






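To make the mapping Alan describes concrete (the sudoers NOPASSWD tag has no direct counterpart in the LDAP sudoRole schema; it is expressed by negating the authenticate default with sudoOption: !authenticate), here is an added example that is not code from the thread. It reads constructed sudoRole LDIF entries, renders each as its sudoers-file equivalent, and lists roles that grant ALL commands without a password; the entry names, group and DNs are made up.

```python
"""Render LDAP sudoRole entries as sudoers lines and audit passwordless ALL rules."""

# Constructed sample (not from the thread). The first role is the
# "group with NOPASSWD: ALL" case; the second is a per-user, password-required rule.
SAMPLE_LDIF = """\
dn: cn=admins-nopasswd,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: admins-nopasswd
sudoUser: %admins
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate

dn: cn=backup,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: backup
sudoUser: bkp
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: /usr/bin/rsync
"""


def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per blank-line-separated entry.
    Does not handle continuation lines or base64 ('::') values; enough for sudoRole."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def to_sudoers(entry):
    """Render one sudoRole as a sudoers line; '!authenticate' becomes the NOPASSWD tag."""
    users = ",".join(entry.get("sudoUser", []))
    hosts = ",".join(entry.get("sudoHost", ["ALL"]))
    runas = ",".join(entry.get("sudoRunAsUser", []))
    tag = "NOPASSWD: " if "!authenticate" in entry.get("sudoOption", []) else ""
    cmds = ",".join(entry.get("sudoCommand", []))
    return f"{users} {hosts} = {f'({runas}) ' if runas else ''}{tag}{cmds}"


def passwordless_all(entries):
    """Audit: names of roles that allow ALL commands with authentication negated."""
    return [e["cn"][0] for e in entries
            if "!authenticate" in e.get("sudoOption", []) and "ALL" in e.get("sudoCommand", [])]
```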



