Chapter 6. Verifying the optimal number of KDC worker processes using IdM Healthcheck

Prerequisites

• The KDC worker process Healthcheck tool is only available on RHEL 8.7 or newer.
• You must perform Healthcheck tests as the root user.

Procedure

• To run the check for KDC worker processes, enter:

  # ipa-healthcheck --source ipahealthcheck.ipa.kdc

  If the number of KDC worker processes matches the number of CPU cores, the test returns SUCCESS as a result:

  {
  	"source": "ipahealthcheck.ipa.kdc",
  	"check": "KDCWorkersCheck",
  	"result": "SUCCESS",
  	"uuid": "68f6e20a-0aa9-427d-8fdc-fbb8196d56cd",
  	"when": "20230105162211Z",
  	"duration": "0.000157",
  	"kw": {
    	"key": "workers"
  	}
  }

  The test returns a WARNING if the number of worker processes does not match the number of CPU cores. In the following example, a host with 2 cores is configured to have only one KDC worker process:

  {
      "source": "ipahealthcheck.ipa.kdc",
      "check": "KDCWorkersCheck",
      "result": "WARNING",
      "uuid": "972b7782-1616-48e0-bd5c-49a80c257895",
      "when": "20230105122236Z",
      "duration": "0.203049",
      "kw": {
        "key": ‘workers’,
        "cpus": 2,
        "workers": 1,
        "expected": "The number of CPUs {cpus} does not match the number of workers {workers} in {sysconfig}"
      }
  }

  The test also outputs a WARNING if there are no configured workers. In the following example, the KRB5KDC_ARGS variable is missing from the /etc/sysconfig/krb5kdc configuration file:

    {
      "source": "ipahealthcheck.ipa.kdc",
      "check": "KDCWorkersCheck",
      "result": "WARNING",
      "uuid": "5d63ea86-67b9-4638-a41e-b71f4
  56efed7",
      "when": "20230105162526Z",
      "duration": "0.000135",
      "kw": {
        "key": "workers",
        "sysconfig": "/etc/sysconfig/krb5kdc",
        "msg": "KRB5KDC_ARGS is not set in {sysconfig}"
      }
    }