Skip to main content

Posts

Showing posts from January, 2022

SSSD - Privesc timeouts returning 'permission denied'

When using 'become: true' in one of your tasks and centralized users (389-ds, FreeIPA, Active Directory) the authentication daemon needs to validate if the user is allowed to run sudo on that host. Timeouts can happen for various reasons, so it's best to check /var/log/secure or /var/log/auth for errors. In my case, I got this error: pam_sss(systemd-user:account): Access denied for user executor: 6 (Permission denied) The first thing to check is if the user is allowed to use that service on the host. In my case with FreeIPA, the result is just a hbactest command away: [archy@ipa02 ~]$ ipa hbactest --user 'executor' --host 'logstash02.archyslife.lan' --service 'sudo' | egrep -vi 'not' -------------------- Access granted: True -------------------- Matched rules: allow_executor_all_hosts In further debugging, I found that the swap and ram were heavily utilized on that host. The solution here was to restart the service that was...
Post a Comment
Read more

Foreman - goferd.service takes huge amounts of RAM

When having a huge amount of hosts, qpidd might not allocate enough connections for all hosts which then leads to goferd consuming huge amounts of ram over time. A possible solution is to increase the number of max-connections on the foreman server [archy@katello01 ~]$ sudo vim /etc/qpid/qpidd.conf max-connections = 966 [archy@katello01 ~]$ sudo systemctl restart qpidd.service The value of max-connections is calculated using this formula: (amount of hosts * 2) + (amount on inter-satellite connections * 100) = max-connections Feel free to comment and / or suggest a topic.
Post a Comment
Read more

Ansible - Performance Tweaking the ansible.cfg

If you have a huge amount of hosts, the execution runtimes can really skyrocket. The playbook with the roles took about 90 minutes to complete on ~250 Hosts with no tweaks to the ansible.cfg. First, switch to the directory where your ansible plays reside in and enable the timer callback plugin: [archy@ansible02 /var/ansible]$ echo 'callback_whitelist = timer' >> ansible.cfg This will summarize what tasks took a long time to execute. If there's nothing obvious, you can increase the forks. By default, it's set to '5' in the /etc/ansible/ansible.cfg [archy@ansible02 /var/ansible]$ echo 'forks = 50' >> ansible.cfg Run your playbook again and check the timings. The 'forks' parameter is only limited by cpu and network throughput ... so this might require some tweaking for your specific environment. Using only the 'forks' parameter, the execution runtime of the aforementioned play dropped by -15 minutes. The last performance tw...
Post a Comment
Read more