Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 6. Verifying the optimal number of KDC worker processes using IdM Healthcheck
You can use the Healthcheck tool in Identity Management (IdM) to verify that the Kerberos Key Distribution Center (KDC) is configured to use the optimal number of krb5kdc
worker processes, which should be equal to the number of CPU cores on the host.
You can find the test for the correct number of KDC worker processes under the ipahealthcheck.ipa.kdc
source. As the Healthcheck tool includes many tests, you can narrow down the results by including only the KDC worker tests by adding the --source ipahealthcheck.ipa.kdc
option.
Prerequisites
- The KDC worker process Healthcheck tool is only available on RHEL 8.7 or newer.
-
You must perform Healthcheck tests as the
root
user.
Procedure
To run the check for KDC worker processes, enter:
# ipa-healthcheck --source ipahealthcheck.ipa.kdc
If the number of KDC worker processes matches the number of CPU cores, the test returns
SUCCESS
as a result:{ "source": "ipahealthcheck.ipa.kdc", "check": "KDCWorkersCheck", "result": "SUCCESS", "uuid": "68f6e20a-0aa9-427d-8fdc-fbb8196d56cd", "when": "20230105162211Z", "duration": "0.000157", "kw": { "key": "workers" } }
The test returns a
WARNING
if the number of worker processes does not match the number of CPU cores. In the following example, a host with 2 cores is configured to have only one KDC worker process:{ "source": "ipahealthcheck.ipa.kdc", "check": "KDCWorkersCheck", "result": "WARNING", "uuid": "972b7782-1616-48e0-bd5c-49a80c257895", "when": "20230105122236Z", "duration": "0.203049", "kw": { "key": ‘workers’, "cpus": 2, "workers": 1, "expected": "The number of CPUs {cpus} does not match the number of workers {workers} in {sysconfig}" } }
The test also outputs a
WARNING
if there are no configured workers. In the following example, theKRB5KDC_ARGS
variable is missing from the/etc/sysconfig/krb5kdc
configuration file:{ "source": "ipahealthcheck.ipa.kdc", "check": "KDCWorkersCheck", "result": "WARNING", "uuid": "5d63ea86-67b9-4638-a41e-b71f4 56efed7", "when": "20230105162526Z", "duration": "0.000135", "kw": { "key": "workers", "sysconfig": "/etc/sysconfig/krb5kdc", "msg": "KRB5KDC_ARGS is not set in {sysconfig}" } }
Additional resources
-
man ipa-healthcheck