2.2. Operating System Requirements
Directory Server is supported on these operating systems: Red Hat Enterprise Linux 4 and 5 (x86 and x86_64), HP-UX 11i (IA 64), and Sun Solaris 9 (sparc 64-bit). The specific operating system requirements and kernel settings, patches, and libraries are listed for each.
Along with meeting the required operating system patches and platforms, system settings such as the number of file descriptors and the TCP parameters should be reconfigured to optimize Directory Server performance.
Directory Server includes a tool, dsktune, which simplifies checking and configuring these settings. Once the Directory Server packages are installed, dsktune can scan the system for required and installed patches, memory, system configuration, and the other settings Directory Server depends on, and it reports the values to use when tuning the host's kernel parameters. This section describes which settings to change on the machine on which Directory Server is installed.
The setup program also runs dsktune, reports its findings, and asks whether to continue with the setup procedure every time a Directory Server instance is configured.
Red Hat recommends running dsktune before beginning to set up the Directory Server instances so that you can configure the kernel settings and install any missing patches first. On Red Hat Enterprise Linux and Solaris, the dsktune utility is in the /usr/bin directory; on HP-UX, it is in /opt/dirsrv/bin. To run it, use the appropriate command:
/usr/bin/dsktune
Red Hat Directory Server system tuning analysis version 10-AUGUST-2007.
NOTICE : System is i686-unknown-linux2.6.9-34.EL (1 processor).
WARNING: 1011MB of physical memory is available on the system.
1024MB is recommended for best performance on large production system.
NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes). This may cause temporary server congestion from lost
client connections.
WARNING: There are only 1024 file descriptors (hard limit) available, which
limit the number of simultaneous connections.
WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.
dsktune is also run every time the Directory Server configuration script, setup-ds-admin.pl, is run, so any warning ignored now is reported again when an instance is configured.
Directory Server is supported on two versions of Red Hat Enterprise Linux:
Red Hat Enterprise Linux 4 AS and ES on x86 and x86_64 platforms
Red Hat Enterprise Linux 5 Server on x86 and x86_64 platforms
Red Hat Directory Server is also supported running on a virtual guest on Red Hat Enterprise Linux Virtualization Server 5.
Both Red Hat Enterprise Linux versions 4 and 5 on 32-bit and 64-bit platforms have the same system requirements, as listed in Table 2.2, “Red Hat Enterprise Linux Operating System and Hardware Requirements”. The patches required are listed in Section 2.2.2.1, “Red Hat Enterprise Linux Patches”, and the recommended system configuration changes are described in Section 2.2.2.2, “Red Hat Enterprise Linux System Configuration”.
| Criteria | Requirements |
|---|---|
| Operating System | Red Hat Enterprise Linux 4 or 5 with the latest patches and upgrades |
| CPU Type | Pentium 3 or higher; 500MHz or higher |
| Memory/RAM | |
| Hard Disk | |
| Other | To run the Directory Server on a port number below 1024, such as the default port 389, you must run the setup and start the Directory Server as root; the server itself does not need to run as root. |
The default kernel and glibc versions shipped with Red Hat Enterprise Linux 4 and 5 are the only versions required on the Red Hat Directory Server host machine. On a single-CPU machine the kernel package name has the form kernel-x.x.x.x; on a multi-CPU machine it has the form kernel-smp-x.x.x.x. To list the packages installed on the machine, run rpm -qa.
Run the dsktune utility to see if you need to install any other patches. dsktune helps verify whether the appropriate patches are installed on the system and provides useful information for tuning your kernel parameters for best performance. For information on dsktune, see Section 2.2.1, “Using dsktune”.
| Criteria | Requirements |
|---|---|
| Operating System | |
| Required Filesystem | ext3 |
After verifying the system's kernel and glibc configuration and installing any required modules and patches, fine-tune the Red Hat Enterprise Linux system to work with Directory Server. For the best performance, configure the host server before configuring the Directory Server instance by running the setup-ds-admin.pl script.
For Red Hat Enterprise Linux systems, use the Perl version that is installed with the operating system in /usr/bin/perl for both 32-bit and 64-bit versions of Red Hat Directory Server.
Each open client connection and each open database file consumes a file descriptor, so the default limit of 1024 (the value dsktune warns about) caps the number of simultaneous connections the Directory Server can hold. Raising the per-process limit lets the server serve more clients at once, and raising the kernel-wide maximum number of descriptors ensures that limit can actually be reached.
First, check the current limit for file descriptors:
cat /proc/sys/fs/file-max
If the setting is lower than 64000, edit the /etc/sysctl.conf file, and reset the fs.file-max parameter:
fs.file-max = 64000
Then increase the per-process maximum number of open files by editing the /etc/security/limits.conf configuration file. The following entry raises both the soft and the hard limit for every user, including the user the Directory Server runs as:
* - nofile 8192
Edit /etc/pam.d/system-auth and add this entry so that the limit is applied to login sessions (without pam_limits the limits.conf entry has no effect):
session required /lib/security/$ISA/pam_limits.so
Reboot the Linux machine to apply the changes.
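The following script is an added pre-flight check for the three settings this procedure changes; it is not part of the guide or of the Directory Server packages. The thresholds are the ones the procedure above uses (fs.file-max 64000, nofile 8192), the function names are this script's own, and the live values are read from /proc, ulimit and the PAM stack file named in the text.

```shell
#!/bin/sh
# Added example (not from the Red Hat Directory Server guide): check whether a
# Red Hat Enterprise Linux host already meets the file-descriptor settings this
# section tunes, and print the entries that still need to be made.

# Return 0 when fs.file-max is at or above the 64000 the guide recommends.
file_max_ok() {
    # $1: current value of /proc/sys/fs/file-max
    [ "$1" -ge 64000 ]
}

# Return 0 when both the hard and the soft open-files limit reach the 8192
# that the limits.conf entry ("* - nofile 8192") sets.
nofile_ok() {
    # $1: hard limit (ulimit -Hn), $2: soft limit (ulimit -Sn)
    [ "$1" = unlimited ] || [ "$1" -ge 8192 ] || return 1
    [ "$2" = unlimited ] || [ "$2" -ge 8192 ] || return 1
    return 0
}

# Return 0 when pam_limits is wired into the session stack; without it the
# limits.conf entry never applies to login sessions.
pam_limits_ok() {
    # $1: path to a PAM stack file, e.g. /etc/pam.d/system-auth
    [ -r "$1" ] && grep -q '^session.*pam_limits\.so' "$1"
}

# Print the settings that still need to change, one per line, in the form
# the guide uses; print nothing when the host already meets every threshold.
report() {
    # $1 file-max, $2 hard nofile, $3 soft nofile, $4 PAM stack file
    file_max_ok "$1" || echo "fs.file-max = 64000   (/etc/sysctl.conf; currently $1)"
    nofile_ok "$2" "$3" || echo "* - nofile 8192   (/etc/security/limits.conf; hard=$2 soft=$3)"
    pam_limits_ok "$4" || echo "session required /lib/security/\$ISA/pam_limits.so   ($4)"
}

# Read the live values; a missing file or unsupported ulimit reads as 0 so the
# report still prints something useful on a host that is not Linux.
main() {
    fm=$(cat /proc/sys/fs/file-max 2>/dev/null || echo 0)
    hard=$(ulimit -Hn 2>/dev/null || echo 0)
    soft=$(ulimit -Sn 2>/dev/null || echo 0)
    report "$fm" "$hard" "$soft" /etc/pam.d/system-auth
}

main
```

Run it as the user the Directory Server runs as, not as root, since the soft and hard limits reported by ulimit are those of the calling user's session; an empty report means the reboot after editing the files took effect.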
It is very important that DNS and reverse DNS be working correctly on the host machine, especially if you are using TLS/SSL or Kerberos with Directory Server.
Configure the DNS resolver and the NIS domain name by modifying the /etc/resolv.conf, /etc/nsswitch.conf, and /etc/netconfig files, and set the DNS resolver for name resolution.
Edit the /etc/defaultdomain file to include the NIS domain name. This ensures that the fully-qualified host and domain names used for the Directory Server resolve to a valid IP address and that the IP address resolves back to the correct hostname.
Reboot the Red Hat Enterprise Linux machine to apply these changes.
Directory Server runs on HP-UX version 11i only; earlier HP-UX versions are not supported. Directory Server runs on a 64-bit HP-UX 11i environment as a 64-bit process.
Table 2.4, “HP-UX 11i” lists the hardware requirements. Section 2.2.3.1, “HP-UX Patches” lists the required patches, and the recommended system configurations are in Section 2.2.3.2, “HP-UX System Configuration”.
| Criteria | Requirements | |||
|---|---|---|---|---|
| Operating System | HP-UX 11i with the latest patches and upgrades | |||
| CPU Type | HP 9000 architecture with an Itanium CPU | |||
| Memory/RAM |
|
|||
| Hard Disk |
You must use the |
|||
| Other |
To run the Directory Server using port numbers less than 1024, such as the default port 389, you must setup and start the Directory Server as root, but it is not necessary to run the Directory Server as root.
|
The HP-UX 11i host must have the correct packages and dependencies installed to run Directory Server. The patch list changes frequently, so check the HP support site regularly to ensure you have the latest releases.
The first package to install is the PHSS_30966: ld(1) and linker tools cumulative patch. The other required patches are listed in Table 2.5, “HP-UX 11i Patches”. Run the dsktune utility to see if you need to install any other patches. dsktune helps verify whether the appropriate patches are installed on the system and provides useful information for tuning your kernel parameters for best performance. For information on dsktune, see Section 2.2.1, “Using dsktune”.
| Patch Bundle | Description |
|---|---|
| GOLDAPPS11i | B.11.11.0406.5 Gold Applications Patches for HP-UX 11i v1, June 2004 |
| GOLDBASE11i | B.11.11.0406.5 Gold Base Patches for HP-UX 11i v1, June 2004 |
| GOLDQPK11i | HP-UX 11i Quality Pack patch from June 2004 or later |
Before setting up Directory Server, tune the HP-UX system so that the kernel limits the server depends on are high enough. To tune HP-UX systems, enable large file support, set the TIME_WAIT value, and modify the kernel parameters.
On HP-UX, Red Hat Directory Server uses the Perl version installed with the operating system in /opt/perl_64/bin/perl. Contact Hewlett-Packard support if this Perl version is not installed.
The parameters to edit and the recommended values are listed in Table 2.6, “HP-UX 11i Kernel Parameters”.
| Parameter | Setting |
|---|---|
| maxfiles | 1024 |
| nkthread | 1328 |
| max_thread_proc | 512 |
| maxusers | 64 |
| maxuprc | 512 |
| nproc | 750 |
Normally, when a client application closes a connection correctly, the socket lingers in the TIME_WAIT state for a while before the kernel releases it. Verify that the TIME_WAIT interval is set to a reasonable duration. For example:
ndd -set /dev/tcp tcp_time_wait_interval 60000
This limits the socket TIME_WAIT state to 60 seconds (the value is in milliseconds).
To run Directory Server on HP-UX, you must enable large file support on the filesystem that holds the server's files.
1. Unmount the filesystem using the umount command.
   umount /export
2. Enable large file support on the existing filesystem. fsadm operates on the raw (character) device, here /dev/vg01/rexport.
   fsadm -F vxfs -o largefiles /dev/vg01/rexport
3. Remount the filesystem with the largefiles option, using the block device.
   /usr/sbin/mount -F vxfs -o largefiles /dev/vg01/export
It is very important that DNS and reverse DNS be working correctly on the host machine, especially if you are using TLS/SSL or Kerberos with Directory Server.
Configure the DNS resolver and the NIS domain name by modifying the /etc/resolv.conf, /etc/nsswitch.conf, and /etc/netconfig files, and set the DNS resolver for name resolution.
Edit the /etc/defaultdomain file to include the NIS domain name. This ensures that the fully-qualified host and domain names used for the Directory Server resolve to a valid IP address and that the IP address resolves back to the correct hostname.
Then, reboot the HP-UX machine to apply these changes.
Directory Server on Solaris 9 requires an UltraSPARC (SPARC v9) processor, which supports 64-bit applications as well as high-performance and multi-processor systems. Earlier SPARC processors are not supported. Use the isainfo command to verify that the system supports sparcv9. Verify the system's kernel configuration, install the appropriate modules and patches, and then fine-tune the system to work with Directory Server.
The system requirements are listed in Table 2.7, “Sun Solaris sparcv9”. The required patches are listed in Section 2.2.4.1, “Solaris Patches”, and the recommended configuration changes are described in Section 2.2.4.2, “Solaris System Configuration”.
| Criteria | Requirements |
|---|---|
| Operating System | Solaris 9 with the latest patches and upgrades |
| CPU Type | UltraSparc-IIi SPARC v9 300MHz or faster (64-bit) |
| Memory/RAM | |
| Hard Disk | You must use the |
| Other | To run the Directory Server on a port number below 1024, such as the default port 389, you must run the setup and start the Directory Server as root; the server itself does not need to run as root. |
The patches required to run the Directory Server on Solaris 9 are listed in Table 2.8, “Sun Solaris Patches”. Run the dsktune utility to see if you need to install any other patches. dsktune helps verify whether the appropriate patches are installed on the system and provides useful information for tuning your kernel parameters for best performance. For information on dsktune, see Section 2.2.1, “Using dsktune”.
| Patch ID | Description |
|---|---|
| 112998-03 | SunOS 5.9: patch /usr/sbin/syslogd |
| 112875-01 | SunOS 5.9: patch /usr/lib/netsvc/rwall/rpc.rwalld |
| 113146-04 | SunOS 5.9: Apache Security Patch |
| 113068-05 | SunOS 5.9: hpc3130 patch |
| 112963-14 | SunOS 5.9: linker patch |
| 113273-08 | SunOS 5.9: /usr/lib/ssh/sshd patch |
| 112233-12 | SunOS 5.9: Kernel patch |
| 112964-08 | SunOS 5.9: /usr/bin/ksh patch |
| 112808 | CDE1.5: Tooltalk patch |
| 113279-01 | SunOS 5.9: klmmod patch |
| 113278-07 | SunOS 5.9: NFS Daemon patch |
| 113023 | SunOS 5.9: Broken preremove scripts from S9 ALC packages |
| 112601-09 | SunOS 5.9: PGX32 Graphics |
| 113923-02 | X11 6.6.1: security font server patch |
| 112817-18 | SunOS 5.9: Sun Gigaswift Ethernet 1.0 driver patch |
| 113718-02 | SunOS 5.9: usr/lib/utmp_update patch |
| 114135-01 | SunOS 5.9: at utility patch |
| 112834-04 | SunOS 5.9: patch scsi |
| 112907-03 | SunOS 5.9: libgss patch |
| 113319 | SunOS 5.9: libnsl nispasswd |
| 112785-43 | SunOS 5.9: Xsun patch |
| 112970-07 | SunOS 5.9: patch libresolv |
| 112951-09 | SunOS 5.9: patchadd and patchrm patch |
| 113277-24 | SunOS 5.9: st, sd, and ssd patch |
| 113579-06 | SunOS 5.9: ypserv/ypxfrd patch |
| 112908-14 | SunOS 5.9: krb5 shared object patch |
| 113073-14 | SunOS 5.9: ufs and fsck patch |
After installing any required patches or modules, tune the Solaris system to work with Directory Server. Three areas may need to be modified for optimum Directory Server performance: the TCP settings, the DNS/NIS configuration, and the file descriptor limits.
On Solaris systems, Red Hat Directory Server is installed with a Perl package, RHATperlx, that must be used. This package contains a 64-bit version of Perl 5.8. It is not possible to use the Perl version installed in /usr/bin/perl on Solaris because it is 32 bit and will not work with Directory Server's 64-bit components.
Edit the Solaris TCP configuration so that Directory Server can make better use of the local system ports. If tuned properly, this can improve connection handling. The maximum achievable throughput for a single TCP connection is determined by several factors, including the bandwidth of the slowest link on the path, bit errors that limit the connection, and the total round-trip time.
These parameters belong to the TCP driver, /dev/tcp, and are set with the ndd command. Because ndd settings do not survive a reboot, place the commands in /etc/init.d/inetinit so they are reapplied at boot. Reset the following parameters:
tcp_time_wait_interval determines the time (in milliseconds) that a TCP connection remains in a kernel's table after being closed. If its value is above 30000 (or 30 seconds) and the directory is being used in a LAN, MAN, or other network connection, reduce the value by modifying the /etc/init.d/inetinit file:
ndd -set /dev/tcp tcp_time_wait_interval 30000
The tcp_conn_req_max_q0 and tcp_conn_req_max_q parameters control the maximum backlog of connections (half-open and fully established, respectively) that the kernel queues for the server to accept. If the directory is used by a large number of client hosts simultaneously, increase these values to at least 1024 by editing the /etc/init.d/inetinit file:
ndd -set /dev/tcp tcp_conn_req_max_q0 1024
ndd -set /dev/tcp tcp_conn_req_max_q 1024
The tcp_keepalive_interval setting determines the interval (in milliseconds) between keepalive probes sent on each idle TCP connection. Lower it so that connections from clients that have dropped off the network are detected and removed sooner.
Check the tcp_rexmit_interval_initial parameter value for server maintenance testing on a high speed LAN, MAN, or other network connection. For wide area networks, you do not have to change the tcp_rexmit_interval_initial value.
The tcp_smallest_anon_port setting is the lowest port number the kernel hands out as an anonymous (ephemeral) port, so it bounds the number of ports available for simultaneous connections. If you increase the rlim_fd_max value to over 4096, you must decrease the tcp_smallest_anon_port value in the /etc/init.d/inetinit file so that enough ports are available:
ndd -set /dev/tcp tcp_smallest_anon_port 8192
Reboot the Solaris machine to apply these changes.
It is very important that DNS and reverse DNS be working correctly on the host machine, especially if you are using TLS/SSL or Kerberos with Directory Server.
Configure the DNS resolver and the NIS domain name by modifying the /etc/resolv.conf, /etc/nsswitch.conf, and /etc/netconfig files, and set the DNS resolver for name resolution.
Edit the /etc/defaultdomain file to include the NIS domain name. This ensures that the fully-qualified host and domain names used for the Directory Server resolve to a valid IP address and that the IP address resolves back to the correct hostname.
Then, reboot the Solaris machine to apply these changes.
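The requirement that the host's fully-qualified name resolve to an address and that the address resolve back to the same name is stated for all three platforms above (Red Hat Enterprise Linux, HP-UX and Solaris). The following script is an added check for it; it is not part of the guide or of the Directory Server packages. It uses getent(1), which follows the same resolver order as /etc/nsswitch.conf and is available on Linux and Solaris; the function names are this script's own, and the host name passed on the command line is assumed to be the name that will appear in the server's TLS certificate or Kerberos principal.

```shell
#!/bin/sh
# Added example (not from the Red Hat Directory Server guide): verify that the
# forward and reverse DNS lookups for a host agree, which TLS/SSL certificate
# matching and Kerberos principal lookups depend on.

# Case-insensitive comparison of two DNS names, ignoring a trailing dot.
same_name() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    b=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ "$a" = "$b" ]
}

# Decide whether an FQDN and the name returned by the reverse lookup of its
# address are consistent. Returns 0 when they match, 1 when the reverse
# lookup returned nothing or a different name.
check_pair() {
    # $1 fqdn, $2 name from the reverse lookup ("" when there was no PTR)
    [ -n "$2" ] || return 1
    same_name "$1" "$2"
}

# Forward lookup: first address listed for the name.
forward() { getent hosts "$1" 2>/dev/null | awk 'NR==1 {print $1}'; }

# Reverse lookup: canonical name recorded for the address.
reverse() { getent hosts "$1" 2>/dev/null | awk 'NR==1 {print $2}'; }

# Check one host and print a verdict; returns 0 only when the name resolves
# and the reverse lookup of that address gives the same name back.
verify_host() {
    fqdn=$1
    addr=$(forward "$fqdn")
    if [ -z "$addr" ]; then
        echo "FAIL: $fqdn does not resolve to an address"
        return 1
    fi
    back=$(reverse "$addr")
    if check_pair "$fqdn" "$back"; then
        echo "OK:   $fqdn -> $addr -> $back"
    else
        echo "FAIL: $fqdn -> $addr -> ${back:-<no PTR>} (expected $fqdn)"
        return 1
    fi
}

# Check the name given as the first argument, or this machine's own name
# (hostname -f is not available everywhere, so fall back to hostname).
if verify_host "${1:-$(hostname -f 2>/dev/null || hostname)}"; then
    :
else
    echo "Fix forward and reverse DNS before enabling TLS/SSL or Kerberos."
fi
```

Run the check against the exact name clients will use, since a name that resolves through /etc/hosts on the server may still have no PTR record in DNS; verify_host returns a non-zero status on failure, so it can gate an installation script.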
For a large deployment or to support a large number of concurrent connections, increase the number of file descriptors available for the Directory Server. This requires raising the system-wide maximum file descriptor limit. The governing parameter, rlim_fd_max, is in the /etc/system file. By default, if this parameter is not present, the allowed maximum value is 1024. You can increase this to 4096 by adding the following line to the /etc/system file:
set rlim_fd_max=4096
Reboot the Solaris machine to apply these changes.
To determine the soft limit for file descriptors, run the command ulimit -n. You can also use the dsktune utility to determine the file descriptor hard and soft limits, as described in Section 2.2.1, “Using dsktune”.