schwoerb Absent Member.
Absent Member.
665 views

Cyclical CPU increases

I am seeing 30min escalating CPU usage cycles on our two main eDirectory 9.1 replicas running on SLES 12SP3. The one server where it is more pronounced, starts at about 10-15% average CPU (according to VMware tools) and works its way up to almost 80%. Then at almost 30mins, it drops like a rock. I am wondering if anyone else has seen such an occurrence. I can't find any particular clients that are doing this cyclical loading.
Labels (1)
0 Likes
6 Replies
Knowledge Partner Knowledge Partner
Knowledge Partner

Re: Cyclical CPU increases

On 11/15/2018 10:54 AM, schwoerb wrote:
>
> I am seeing 30min escalating CPU usage cycles on our two main eDirectory
> 9.1 replicas running on SLES 12SP3. The one server where it is more
> pronounced, starts at about 10-15% average CPU (according to VMware
> tools) and works its way up to almost 80%. Then at almost 30mins, it
> drops like a rock. I am wondering if anyone else has seen such an


What operations are happening during this time in eDirectory? Do you have
something pulling in objects regularly, frequently, etc.? What clients
(Linux boxes, IDM driver configs, web applications, backup solutions,
etc.) point to this particular box, and when do they do what they do?

You should be able to use 'ss' or 'netstat' to show connected clients from
outside. You could also use ndstrace to see what eDirectory is doing
internally, for example if there are searches coming in via LDAP, or if
there are internal searches happening which are not using indexes.

If you want to get aggressive with it, turn the instance off and see who
complains about it being down, or see if the utilization increases move to
another box (DNS round robin or load balancer involved) and then move up
based on that.

It may be worth noting that utilization like this is not a problem, per
se. If no clients are complaining right now it would seem eDirectory is
doing its job, even though it has a huge load placed on it. It may be
useful to see what kind of CPU use is recorded via the 'top' command, e.g.
if the utilization is %us (user space, eDirectory itself or some other
process on the box), or %sy (system stuff, often the kernel), or %wa (wait
on I/O; often means your disks are a bottleneck), etc.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
0 Likes
schwoerb Absent Member.
Absent Member.

Re: Cyclical CPU increases

I solved the issue. It was the purger that was running every 30 min. Running it every 10min has kept the CPU below 30-40%.

I am still curious if there is a way to log every LDAP query (and by whom) that is executed to review them? I have a few vended apps that must be making some queries that are taking a lot of resources. I ran Sun One LDAP for a number of years and their logging was fantastic to find issues with apps.
0 Likes
Knowledge Partner
Knowledge Partner

Re: Cyclical CPU increases

schwoerb wrote:

> I am still curious if there is a way to log every LDAP query (and by
> whom) that is executed to review them?


I'd try something like:

ndstrace -c nodebug
ndstrace -c +tags +time +ldap
ndstrace -l > ldap.trace &

Make sure to set LDAP tracing options in iManager (LDAP Server object) to what
you need to see but not more, e.g. disable packet dumping or extended
operations details for better readability and trace volume.

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
Micro Focus Expert
Micro Focus Expert

Re: Cyclical CPU increases

On 2018-11-28 17:24, Lothar Haeger wrote:
> Make sure to set LDAP tracing options in iManager (LDAP Server object) to what
> you need to see but not more, e.g. disable packet dumping or extended
> operations details for better readability and trace volume.


You can also set these on the command line:
https://support.microfocus.com/kb/doc.php?id=7007106

--
Norbert
0 Likes
Knowledge Partner
Knowledge Partner

Re: Cyclical CPU increases

Norbert Klasen wrote:

> You can also set these on the command line:
> https://support.microfocus.com/kb/doc.php?id=7007106


Cool, I did not know the ldapconfig command could do that.

Just had a quick look for how to set individual options and here's what
"ldapconfig get" lists for keywords when you have ticked all boxes in iManager:

LDAP Screen Level: Operation| Connection| BerDecode| Config| Extensions|
Error| Critical| DataConnection

Not exactly intuitive considering the labels in iManager are:

Critical Error Messages (=Critical)
Non-critical Error Messages (=Error)
Configuration Processing (=Config)
Informational Error Messages (=Operation?)
Messages from LDAP Extended Operations (=Extensions?)
Connection Information (=Connection)
Packet Dump or Decoding (in HEX format) (=BerDecode?)
Additional connection and operation information (in HEX format)
(=DataConnection???)

Anyone mored enough to verify the mapping? I do not even dare to ask for a doc
link...

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
Knowledge Partner Knowledge Partner
Knowledge Partner

Re: Cyclical CPU increases

On 11/28/2018 11:34 AM, Lothar Haeger wrote:
> Norbert Klasen wrote:
>
>> You can also set these on the command line:
>> https://support.microfocus.com/kb/doc.php?id=7007106

>
> Cool, I did not know the ldapconfig command could do that.


This is part of my new-server setup script. Enabling all screen options
just needs to be a default, and with newer versions of eDir I think it may
be, where newer == 9.1 or later; don't quote me on it.

> Just had a quick look for how to set individual options and here's what
> "ldapconfig get" lists for keywords when you have ticked all boxes in iManager:


Individual options are crazy; there is no reason not to have them all. I
think even the ones we think look insane (e.g. Packet Dump) have
not-so-secretly been disabled within eDir for years, as nothing has ever
shown me packets in ndstrace from the LDAP filter.

> Anyone mored enough to verify the mapping? I do not even dare to ask for a doc
> link...


You are working WAY too hard:


ldapconfig set 'LDAP Screen Level=all'


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.