PIM(EP) r12.8 SP1: How to configure to run seosd as real-time priority on OS side

Article ID: 103209


Products

CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM), CA Privileged Access Manager (PAM)

Issue/Introduction

On recent Linux releases that were not available when the product was first released, which can be configured to use cgroups and slices, and where the PIM daemons are started through a systemd service file (seos.service), the seosd daemon is unable to start with real-time priority. This leads to performance issues in PIM operations.

The priority of the seosd daemon cannot be changed afterwards, and the following error message is reported in the system logs:

 Failed to execute seosd in real-time priority.

This is happening despite having set the 

rt_priority=yes

parameter in seos.ini 

Environment

Red Hat Enterprise Linux Server 7.x and above, and SUSE Linux 12 SP4 and above.
CA Privileged Identity Manager 12.8 SP1 or CA Privileged Access Manager Server Control r14.X.

Cause

systemd cannot set real-time priority in the default slice, so the seosd processes cannot start with the right priority.
 

Resolution

If you are running PIM 14.X/PAM SC 14.X, you only need to make sure that the native cgroup management binaries are installed (e.g., the libcgroup-tools package on SLES) on the endpoint being configured with cgroups, because the steps that follow are already put in place at installation time.

For PIM 12.81, where cgroups were not available at the time of release, SE have provided a replacement script for seload, rt-seload, which uses cgexec, part of the cgtools package, to place the different seos daemons in a slice that has real-time priority.

This script is part of the latest 12.81 builds and is also attached to the present document. If it is not present, it can be obtained by opening a ticket with Broadcom Support or by looking at the contents of the latest 12.81 installation builds.

To install it:

  • Edit the replacement rt-seload script to reflect your PIM installation directory, for instance: SEOSDIR="/opt/CA/AccessControl"
  • Keep a copy of the original seload binary as seload-bin, then copy rt-seload in place of seload:

cp <AC_installation_directory>/bin/seload  <AC_installation_directory>/bin/seload-bin

cp <AC_installation_directory>/rt-seload <AC_installation_directory>/bin/seload

  • Make sure that the cgtools package, which contains cgexec, is installed. In different SUSE and Red Hat versions it is part of the libcgroup-tools rpm, but in the latest versions of the distributions the tools may have moved to other packages, so please check.

Optionally it is possible to configure a specific slice so that the seos processes run in their own slice with real-time priority by editing the seos.service file to include it:

[Unit]
Description=CA Privileged Access Manager Server Control
[Service]
Type=forking
Slice=rt.slice
ExecStart=/opt/CA/eTrustAccessControl/bin/seload
ExecStop=/opt/CA/eTrustAccessControl/bin/secons -sk
[Install]
WantedBy=multi-user.target

So defined, the service will start seos daemons in slice rt.slice. 

Additional Information

The following command shows which slices the different processes are running in:

systemd-cgls

and the following command lists the seos processes and their priorities:

ps xawwf -eo pid,user,pri,ni,cgroup,args| grep "<prefix_of_PIM_install_dir>"| grep -v grep
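As an added check (not part of the original article and not the vendor's rt-seload script), the function below reads ps output and fails unless seosd is in a real-time scheduling class (FF or RR). It assumes seosd lives in bin/ under the example SEOSDIR from this article; the function name, the sample lines and the rtprio value are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input layout: ps -eo pid,cls,rtprio,cgroup,args
# (cls = scheduling class, rtprio = real-time priority; both are procps fields).
SEOSD="/opt/CA/AccessControl/bin/seosd"   # assumption: SEOSDIR from the article + bin/seosd

# check_rt PATH: read ps lines on stdin, print one verdict per process whose
# command is PATH, and return non-zero if any is not FF/RR or none is found.
check_rt() {
    awk -v seosd="$1" '
        NR == 1 && $1 == "PID" { next }            # skip the ps header line
        $5 == seosd {
            rt = ($2 == "FF" || $2 == "RR")       # SCHED_FIFO or SCHED_RR
            printf "%s pid=%s cls=%s rtprio=%s cgroup=%s\n",
                   (rt ? "OK" : "FAIL"), $1, $2, $3, $4
            if (!rt) bad++
            seen++
        }
        END {
            if (seen == 0) { print "FAIL no seosd process found"; exit 1 }
            exit (bad > 0)
        }
    '
}

# Constructed sample: seosd started in rt.slice with a real-time class.
sample_fixed() { cat <<'EOF'
  PID CLS RTPRIO CGROUP ARGS
 2101  RR      1 4:cpu,cpuacct:/rt.slice/seos.service /opt/CA/AccessControl/bin/seosd
 2100  TS      - 4:cpu,cpuacct:/system.slice/sshd.service /usr/sbin/sshd -D
EOF
}

# Constructed sample: seosd left in the default slice with time-sharing class.
sample_broken() { cat <<'EOF'
  PID CLS RTPRIO CGROUP ARGS
 2101  TS      - 4:cpu,cpuacct:/system.slice/seos.service /opt/CA/AccessControl/bin/seosd
EOF
}

echo "--- rt.slice sample";      sample_fixed  | check_rt "$SEOSD" || true
echo "--- default slice sample"; sample_broken | check_rt "$SEOSD" || true
# Live use: ps -eo pid,cls,rtprio,cgroup,args | check_rt "$SEOSD"
```

A non-zero exit status from the live command makes it usable as a post-restart health check alongside the "Failed to execute seosd in real-time priority" log message.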

 

Attachments

1666789073898__rt-seload