Red Hat Directory Server 7.1: Red Hat Directory Server Installation Guide | ||
---|---|---|
Prev | Chapter 2. Computer System Requirements | Next |
This section contains information on operating-system versions and patches required for installing Directory Server:
Directory Server provides a utility named dsktune that can help you verify whether you have the appropriate patches installed on your system. The utility also provides useful information and advice on how to tune your kernel parameters for best performance.
To enable you to run dsktune before installing the Directory Server, the utility is placed, along with the setup program, in the directory where you unpack product binaries. The setup program allows specifying of a pre-pre-installation program to be run before the Directory Server installation begins; in the slapd.inf file, a new field named PrePreInstall is defined for specifying the path to the executable, which must be relative to the setup program. By default, the PrePreInstall field is set to the dsktune utility path, enabling you to run the utility as a part of the Directory Server installation.
After you have installed the Directory Server, you can find the utility in this directory:
serverRoot/bin/slapd/server |
For information on running dsktune, see Chapter 7 Troubleshooting.
Tip | |
---|---|
Tip: It is strongly recommended that you run the dsktune utility. Kernel parameters make a significant performance difference; for example, in some cases on HP-UX systems, Directory Server may not run on stock kernel parameters. |
If you plan to install Directory Server on a machine running the Red Hat Enterprise Linux operating system, follow the recommendations outlined in these sections:
In addition to these recommendations, be sure to check the Red Hat website for the latest information pertaining to your Linux version: http://www.redhat.com/apps/support/
Ensure that you have sufficient disk space before downloading the software:
Download drive: 120 MB
Installation drive: 2 GB
Directory Server is certified to work on:
The Intel Pentium series processors [i686].
The default kernel/glibc revisions that comes along with Red Hat Enterprise Linux and the other kernel revisions with their corresponding glibc revisions as mentioned below.
Red Hat Enterprise Linux 3:
Default kernel: kernel-2.4.21-3.EL
Kernel used for certification: kernel-2.4.21-27.0.2.EL
Default glibc: glibc-2.3.2-95.3
glibc used for certification: glibc-2.3.2-95.33
Required Filesytem: ext3 (LARGEFILES support enabled) filesystem has been used for the certification process.
Red Hat Enterprise Linux 4:
Default kernel: kernel-2.6.9-5_EL
Kernel used for certification: kernel-2.6.9-5.0.5.EL
Default glibc: glibc-2.3-4.2
glibc used for certification: glibc-2.3.2-95.30
Required Filesytem: ext3 (LARGEFILES support enabled) filesystem has been used for the certification process.
With certain installed RPM packages on Red Hat Enterprise Linux, the server does not start.
Tip | ||
---|---|---|
Red Hat Enterprise Linux is distributed with two RPM packages for glibc, one for 386 processors and higher, the other for 486 or Pentium processors and higher. The 386 package has no NPTL support. If the 386 package is installed on a machine, you lose NPTL support. Once this has happened, it is very hard to detect because rpm -q reports the package name and version without the architecture tag. To determine which RPM package is installed, run the following command:
|
Directory Server has been certified on Red Hat Enterprise Linux with the following kernel and glibc versions:
Red Hat Enterprise Linux 3: kernel revisions 2.4.21-4.EL (kernel-2.4.21-4.EL.i686.rpm) and glibc version 2.3.2-95.20 (glibc-2.3.2-95.20.i686.rpm).
Red Hat Enterprise Linux 4: default kernel kernel-2.6.9-5_EL (with certification on kernel-2.6.9-5.0.5.EL) and glibc version glibc-2.3-4.2 (with certification on glibc-2.3.2-95.30).
It is recommended that you use these kernel and glibc versions. If the machine is a single CPU machine, the corresponding kernel would be of the form kernel-x.x.x.x. If the machine is a multi-CPU machine, the corresponding kernel would be of the form kernel-smp-x.x.x.x.
You can get the list of software installed on your system, including patches, by running: rpm�-qa
This section contains some basic system tuning information. Changing any of the following kernel-tuning parameters requires a system reboot.
NFS Tuning: This tuning is recommended if you are using Directory Server to write to NFS mounted drives. On Linux, NFS is typically recommended to be done over TCP and not over UDP. Make the following change to the /etc/rc.d/init.d/autofs file:
+ localoptions='rsize=8192,wsize=8192,vers=3,tcp' |
TCP Tuning: You can increase the number of available local system ports available by running this command:
echo "1024 65000" > /proc/sys/net/ipv4/ip_local_port_range |
Make this change permanent by adding this line to the /etc/sysctl.conf file:
net.ipv4.ip_local_port_range = 1024 65000 |
File Tuning: Check the current maximum number of files that can be stored on your system:
cat /proc/sys/fs/file-max |
If this number is less than 64000, increase it with this command:
echo 64000 > /proc/sys/fs/file-max |
Make the change permanent by adding this line to the /etc/sysctl.conf file:
fs.file-max = 64000 |
Then, you need to increase the maximum number of open files. Add the following line to the /etc/security/limits.conf file:
* - nofile 8192 |
Lastly, edit the file /etc/pam.d/system-auth to include this line if it does not already exist:
session required /lib/security/$ISA/pam_limits.so |
You must log out and then log back in for changes in the limits.conf file to take effect.
You need the gunzip utility to unpack the Directory Server software. The GNU gzip and gunzip programs are described in more detail at http://www.gnu.org/software/gzip/gzip.html and can be obtained from many software distribution sites.
You may need Adobe Acrobat Reader to read the documentation. If you do not have it installed, you can download it from http://www.adobe.com/products/acrobat/readstep2.html.
This section contains the following information:
Ensure that you have sufficient disk space before downloading the software.
Download drive: 120 MB
Installation drive: 2 GB
Directory Server is not supported on HP-UX 10 or earlier versions. The minimum system module required is HP-UX 11i. Directory Server may only be used on a 64-bit HP-UX 11i environment as a 64-bit process and may contain up to 8 GB of process memory.
For best results, Directory Server requires an HP 9000 architecture with a PA-RISC 2.0 CPU.
Before you install Directory Server, ensure that the host system is updated with the latest patches recommended by the operating-system vendor. Because the list of recommended patches changes with time, you must always check the operating system vendor's site for a list of patches that you may need to install. Listed below are two URLs to aid you in this effort:
Here are some recommendations:
For HP-UX 11i, install the latest HP-UX 11i Quality Pack (GOLDQPK11i) patch from June 2004 or later. For details, refer to http://www.software.hp.com/SUPPORT_PLUS/qpk.html.
The PHSS_30966: ld(1) and linker tools cumulative patch is critical before installation of Directory Server.
The following patches are recommended:
Run the dsktune utility to see if you need to install any other patches. The utility helps you to verify whether you have the appropriate patches installed on your system and provides useful information and advice on how to tune your kernel parameters for best performance. For information on the dsktune utility, see Section 2.3.1 dsktune Utility.
Set your kernel parameters as follows:
Set maxfiles to 1024.
Set nkthread to 1328; nkthread is a computed value: (((NPROC*7)/4+16).
Set max_thread_proc to 512.
Set maxusers to 64.
Set maxuprc to 512.
Set nproc to 750.
Typically, client applications that do not properly shut down the socket cause it to linger in a TIME_WAIT state. To prevent this, you should consider changing the TIME_WAIT setting to a reasonable value. For example, setting
ndd -set /dev/tcp tcp_time_wait_interval 60000 |
limits the TIME_WAIT state of sockets to 60 seconds.
You also need to turn on large file support in order for Directory Server to work properly. To change an existing filesystem (from one that has no large files to one that accepts large files):
Unmount the system using the umount command:
umount /export |
Create the large filesystem:
fsadm -F vxfs -o largefiles /dev/vg01/rexport |
Remount the filesystem:
/usr/sbin/mount -F vxfs -o largefiles /dev/vg01/export |
For additional information and recommendations about setting these parameters, consult your operating-system documentation.
You need the gunzip utility to unpack the Directory Server software. The GNU gzip and gunzip programs are described in more detail at http://www.gnu.org/software/gzip/gzip.html and can be obtained from many software distribution sites.
You may need Adobe Acrobat Reader to read the documentation. If you do not have it installed, you can download it from http://www.adobe.com/products/acrobat/readstep2.html.
If you plan to install Directory Server on a machine running the Solaris 9 operating system, follow the recommendations outlined in these sections:
In addition to these recommendations, be sure to check Sun's website for the latest information pertaining to your operating system version. For example, you should read the Solaris Operating Environment Security Sun Blueprint at http://www.sun.com/blueprints/0100/security.pdf for advice on guarding against potential security threats.
Below are two URLs that you may find useful:
Ensure that you have sufficient disk space before downloading the Directory Server software.
Download drive: 120 MB
Partition containing /opt/redhat-ds: 2 GB
Directory Server requires the use of an UltraSPARC (SPARC v9) processor, as this processor includes support for high-performance and multiprocessor systems. Earlier SPARC processors are not supported.
If you run Directory Server on a 64-bit Sun Solaris 8 UltraSPARC machine, it runs as a 32-bit application.
You must use Solaris 9 with the Sun recommended patches. The Sun recommended patch clusters can be obtained from your Solaris support representative or from the http://sunsolve.sun.com site.
Solaris patches are identified by two numbers; for example, 112233-04. The first number (112233) identifies the patch itself. The second number identifies the version of the patch; in the example above, the patch is version number 04.
Table 2-5 provides the list of Solaris 9 patches that were used during the testing of this release of Directory Server. You must install these patches on your machine before installing the Directory Server product. (The command showrev -p lists the patches that have been installed on your machine.)
Also, keep in mind that Directory Server provides a utility named dsktune that can help you verify whether you have the appropriate patches installed on your system. For details, see Section 2.3.1 dsktune Utility
In addition to the patches listed in Table 2-5 and the patches identified by the dsktune utility, we recommend that you check the operating system vendor's web site for information on installing the latest version of the patch clusters to benefit from the latest fixes.
You must reboot your machine after installing the patches.
112998-03: | SunOS 5.9: patch /usr/sbin/syslogd |
112875-01: | SunOS 5.9: patch /usr/lib/netsvc/rwall/rpc.rwalld |
113146-04: | SunOS 5.9: Apache Security Patch |
113068-05: | SunOS 5.9: hpc3130 Patch |
112963-14: | SunOS 5.9: linker patch |
113273-08: | SunOS 5.9: /usr/lib/ssh/sshd Patch |
112233-12: | SunOS 5.9: Kernel Patch |
112964-08: | SunOS 5.9: /usr/bin/ksh Patch |
112808-06: | CDE1.5: Tooltalk Patch |
113279-01: | SunOS 5.9: klmmod Patch |
113278-07: | SunOS 5.9: NFS Daemon Patch |
113023-01: | SunOS 5.9: Broken preremove scripts in S9 ALC packages |
112764-07: | SunOS 5.9: Sun Quad FastEthernet qfe driver |
113033-04: | SunOS 5.9: patch /kernel/drv/isp and /kernel/drv/sparcv9/isp |
112601-09: | SunOS 5.9: PGX32 Graphics |
113923-02: | X11 6.6.1: security font server Patch |
112817-18: | SunOS 5.9: Sun GigaSwift Ethernet 1.0 driver Patch |
113718-02: | SunOS 5.9: usr/lib/utmp_update Patch |
114135-01: | SunOS 5.9: at utility Patch |
112834-04: | SunOS 5.9: patch scsi |
112907-03: | SunOS 5.9: libgss Patch |
113319-19: | SunOS 5.9: libnsl nispasswd patch |
112785-43: | X11 6.6.1: Xsun Patch |
112970-07: | SunOS 5.9: patch libresolv |
112951-09: | SunOS 5.9: patchadd and patchrm Patch |
113277-24: | SunOS 5.9: st, sd, and ssd Patch |
113579-06: | SunOS 5.9: ypserv/ypxfrd Patch |
112908-14: | SunOS 5.9: krb5 shared object Patch |
113073-14: | SunOS 5.9: ufs and fsck Patch |
Table 2-5. Solaris 9 Patch List
Basic Solaris tuning guidelines are available from several books, including Sun Performance and Tuning: Java and the Internet (ISBN 0-13-095249-4). Advanced tuning information is available in the Solaris Tunable Parameters Reference Manual (816-7137), which can be obtained from http://docs.sun.com/db/doc/816-7137.
The system-wide maximum file descriptor table size setting limits the number of concurrent connections that can be established to Directory Server. The governing parameter, rlim_fd_max, is set in the /etc/system file. By default, if this parameter is not present, the maximum is 1024. It can be raised to 4096 by adding a line such as set rlim_fd_max=4096 to /etc/system and rebooting the system.
Caution | |
---|---|
This parameter should not be raised above 4096 without first consulting your Sun Solaris support representative since it may affect the stability of the system. |
You should also set the soft limit for file descriptors:
ulimit -n in csh limit desc 1024 |
Use the dsktune utility (see Section 2.3.1 dsktune Utility) to learn about the hard and soft limits for file descriptors.
By default, the TCP/IP implementation in a Solaris kernel is not correctly tuned for Internet or Intranet services. The following /dev/tcp tuning parameters should be inspected and, if necessary, changed to fit the network topology of the installation environment.
The tcp_time_wait_interval in Solaris 9 specifies the number of milliseconds that a TCP connection is held in the kernel's table after it has been closed. If its value is above 30000 (30 seconds) and the directory is being used in a LAN, MAN, or under a single network administration, it should be reduced by adding a line to the /etc/init.d/inetinit file similar to the following:
ndd -set /dev/tcp tcp_time_wait_interval 30000 |
The tcp_conn_req_max_q0 and tcp_conn_req_max_q parameters control the maximum backlog of connections that the kernel accepts on behalf of the Directory Server process. If the directory is expected to be used by a large number of client hosts simultaneously, these values should be raised to at least 1024 by adding a line to the /etc/init.d/inetinit file similar to the following:
ndd -set /dev/tcp tcp_conn_req_max_q0 1024 ndd -set /dev/tcp tcp_conn_req_max_q 1024 |
The tcp_keepalive_interval specifies the interval in seconds between keepalive packets sent by Solaris for each open TCP connection. This can be used to remove connections to clients that have become disconnected from the network.
The tcp_rexmit_interval_initial value should be inspected when performing server performance testing on a LAN or high speed MAN or WAN. For operations on the wide area Internet, its value need not be changed.
The tcp_smallest_anon_port controls the number of simultaneous connections that can be made to the server. When rlim_fd_max has been increased to above 4096, this value should be decreased by adding a line to the /etc/init.d/inetinit file similar to the following :
ndd -set /dev/tcp tcp_smallest_anon_port 8192 |
Prior to installation, it is necessary to have configured the DNS resolver or NIS domain name.
The DNS resolver is typically set by the file /etc/resolv.conf. However, also check the file /etc/nsswitch.conf and, on Solaris, /etc/netconfig to ensure that the DNS resolver is used for name resolution.
If you are not already using NIS, you also need to set the default NIS domain name. Typically, this is done by placing the NIS domain name in the file /etc/defaultdomain and rebooting or by using the domainname command.
Not necessary for Red Hat Enterprise Linux.
Necessary Java JRE libraries are not bundled with Directory Server. They must be downloaded and extracted separately prior to installation. If they are not, installation fails.
Note | |
---|---|
It is recommended that you use the test versions of the Java JRE package; HP was tested with j2re1.4.2_07; Sun was tested with j2re1.4.2_04. Use the Solaris 9 32-bit package for both 32-bit and 64-bit Sun installations. |
Obtain the OS-appropriate Java libraries from either http://www.java.com or http://www.hp.com/products1/unix/java/
Extract these files in a separate directory from your Directory Server installation, such as /export/redhat/jre.
Make sure the JRE package is executable, then run the file. For example:
chmod a+x j2re-1_4_2_04-solaris-sparc.sh ./j2re-1_4_2_05-solaris-sparc.sh |
This extracts a new JRE directory called j2re.1.4.2_05.
When you first run setup, you are asked for the JRE path. Fill in the absolute path as follows:
/export/redhat/jre/j2re1.4.2_04 |
If you are doing a silent installation, set the JRE path as an environment variable before running setup:
export NSJRE=/tmp/java/jre/j2re1.4.2_04 |