In recent version Linux systems- not available at the time of initial release of the product- which have the possibility of being configured to use cgroups and slices, and where PIM daemons are starting by using a service file (seos.service) in systemd; the seosd daemon is unable to start with real-time priority, which leads to issues with performance of PIM operations.
The priority of the seosd daemon cannot be subsequently changed and the following error message is reported in the system logs
Failed to execute seosd in real-time priority.
This is happening despite having set the
rt_priority=yes
parameter in seos.ini
Redhat Enterprise Linux Server 7.x, and above and SuSe Linux 12 SP4 and above
CA Privileged Identity Manager 12.8 SP1 or CA Privileged Access Manager Server Control r14.X.
Systemd is not able to set real-time priority at the default slice, so seosd processes cannot start with the right priority
If you are running PIM 14.X/PAM SC 14.X, you only need to make sure that native cgroup management binaries are installed (e.g., libcgroup-tools package on SLES) in the endpoint being configured with cgroups, as the steps that follow are already being put in place at installation time.
For PIM 12.81, where cgroups were not available at the time of release, SE have provided a replacement script for seload, rt-seload, which will use cgexec, part of the cgtools package, to set the different seos daemons in a slice having real-time priority.
This script is part of the latest 12.81 builds and it is also attached to the present document. If not present, it can be obtained by opening a ticket with Broadcom Support or by looking at the contents of the latest 12.81 installation builds
To install it simply do
cp <AC_installation_directory>/bin/seload <AC_installation_directory>/bin/seload-bin
cp <AC_installation_directory>/rt-seload <AC_installation_directory>/bin/seload
Optionally it is possible to configure a specific slice so that the seos processes run in their own slice with real-time priority by editing the seos.service file to include it:
[Unit]
Description=CA Privileged Access Manager Server Control
[Service]
Type=forking
Slice=rt.slice
ExecStart=/opt/CA/eTrustAccessControl/bin/seload
ExecStop=/opt/CA/eTrustAccessControl/bin/secons -sk
[Install]
WantedBy=multi-user.target
So defined, the service will start seos daemons in slice rt.slice.
The following commands will provide information as to what slices the different processes are running
systemd-cgls
and the following command will list the seos processes and their priorities
ps xawwf -eo pid,user,pri,ni,cgroup,args| grep "<prefix_of_PIM_install_dir>"| grep -v grep