dcesetup: Hang While Adding Security Replica to a Large Cell
(404GR 18-Sep-2002)

Problem 

A hang may occur while running the dcesetup configuration script.  It occurs when adding a DCE client host in a large DCE registry cell, as a security replica to a cell's master security server. The hang appears when the script is waiting for completion of the replication, after starting the security server.

Problems may also appear as serviceability messages logged, indicating failure to allocate memory for some DCE processes such as secd. These logs appear in /opt/dcelocal/var/security/secd.log or /opt/dcelocal/var/svc/fatal.log

Explanation

The hang is not due to a problem in DCE, but originates due to a memory shortage issue on the replica machine.  You may need to increase swap space and memory resources, as described under Solution Steps.

Security replica configuration will not continue when there is not enough memory to temporarily store the incoming replication data from the master registry.  The client system's memory resources need to be big enough for a security database replication.

Traditionally, Tru64 Unix clients contain allocations of memory for processes defined by process (proc) subsystem attributes. For a large DCE master registry, you may need to increase the per process memory allocation on the replica machine by changing the replica's default proc subsystem attributes.

The following proc subsystem attributes are related to this problem:

NOTE:  Refer to the Compaq Tru64 Unix 5.1, 5.1A documentation and manpages for full explanations of these operating system terms.  For proc subsystem attributes, look under the sysconfig command.  You may also use that documentation to look for up-to-date information on swap spaces, swapon and sysconfigdb commands, used later in this technote.

Solution Steps

Following are the recommended steps to find how much space is used, and to allocate sufficient memory (both as swap space and subsystem attributes) to enable the successful completion of dcesetup configuration.  Please note that this may not work with all configurations

Step 1: Check for sufficient swap space

Use the swapon -s command from a shell window to see if the default swap space is sufficient. The total swap space available should be, at most, sufficient enough for memory allocations of the total of the sizes defined in all three proc subsystem attributes.  The stack sizes will be proportional to the data size.

You can increase the swap space according to the Tru64 manpage instructions for the swapon command.

Step 2:  Measure process memory allocations

To see the actual allocations on your system, type from a command shell window: 

# sysconfig -q proc 

If the memory allocations do not look sufficient, follow:

    Step 3 to increase process memory, then
    Step 4 to reboot the system for the new allocations to take effect.

Step 3: Change the proc subsystem attributes

The following example is one way to change proc subsystem attributes, to increase the allocation:

a) Create a new text file containing the definitions of the new memory allocations. 

The following example allocates 256MB of memory for each of the attributes. You may allocate different values for any of the attributes.  (In a case of a security registry consisting of 75,000 users, 256 MB was sufficient for the per_proc_data_size attribute.)

 You can use the following template to create the text file:

   proc:
    max_per_proc_stack_size=256000000 
    per_proc_stack_size=256000000
    per_proc_data_size=256000000

b) Save this file as /tmp/subsyschange_proc.

c) Use the sysconfigdb command to load the new memory allocation values into their corresponding attributes, as follows:

    # sysconfigdb -m -f /tmp/subsyschange_proc   

This will automatically update the /etc/sysconfigtab file, with a new proc entry, towards the end of the file.  You do not need to make any manual alterations to the sysconfigtab file

Step 4: Reboot the system

A system reboot is required for the new proc subsystem attributes to take effect on the replica system.

Step 5: Verify re-allocation

After the system reboots and you log in, but before you start the configuration of the replica, repeat the command, # sysconfig -q proc (Step 1), to see if the new values are all set.

• If the attributes are what you had defined them to be in Step 3, then follow the standard procedure to configure the security replica. 

• If you encounter a problem when changing the memory allocation, refer to the Tru64 Unix system documentation, before adding a security replica.

Step 6: Verify replica  (later, optional)

When the security replica configuration is completed, it is highly recommended that you check the DCE registries states and other attributes to ensure that they are all functional. This includes checking both master and slave (replica) registries. Follow the guidelines shown in the OSF DCE - Core Components.