Support 389-ds with lmdb backend

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Alexander Bokovoy 2024-02-08 18:21:32 +02:00
parent f407801376
commit d41e5ca07b
3 changed files with 197 additions and 3 deletions


@ -0,0 +1,83 @@
From 677d30806662856595289525ef529a77adbf2272 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 26 Jan 2024 13:26:48 +0100
Subject: [PATCH] ipa-backup: adapt for 389ds switch to LMDB
ipa-backup is relying on the presence of the directory
/var/lib/dirsrv/slapd-<INSTANCE>/db/ipaca/
to detect if the CA is installed on the server and backup
the ipaca backend.
With the switch to LMDB, this directory does not exist and the
backup is missing ipaca information.
Use lib389.cli_ctl.dblib.run_dbscan utility instead to
check if ipaca backend is present (this method has been
introduced in 389ds 2.1.0 and works with Berkeley DB and LMDB).
Fixes: https://pagure.io/freeipa/issue/9516
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
---
freeipa.spec.in | 7 ++++---
ipaserver/install/ipa_backup.py | 8 ++++++--
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index a091fee68..997a55d8d 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -78,8 +78,8 @@
%global ds_version 1.4.3.16-12
%global selinux_policy_version 3.14.3-107
%else
-# DNA interval enabled
-%global ds_version 2.0.5-1
+# version supporting LMDB and lib389.cli_ctl.dblib.run_dbscan utility
+%global ds_version 2.1.0
%global selinux_policy_version 38.1.1-1
%endif
@@ -124,10 +124,11 @@
# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4700
# and has DNA interval enabled
+# version supporting LMDB and lib389.cli_ctl.dblib.run_dbscan utility
%if 0%{?fedora} < 34
%global ds_version 1.4.4.16-1
%else
-%global ds_version 2.0.7-1
+%global ds_version 2.1.0
%endif
# Fix for TLS 1.3 PHA, RHBZ#1775146
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 2904c9e2e..f4fa73ff5 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -41,6 +41,7 @@ from ipaserver.install import installutils
from ipapython import ipaldap
from ipaplatform.constants import constants
from ipaplatform.tasks import tasks
+from lib389.cli_ctl.dblib import run_dbscan
# pylint: disable=import-error
if six.PY3:
@@ -337,8 +338,11 @@ class Backup(admintool.AdminTool):
instance = ipaldap.realm_to_serverid(api.env.realm)
if os.path.exists(paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE %
instance):
- if os.path.exists(paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE %
- (instance, 'ipaca')):
+ # Check existence of ipaca backend
+ dbpath = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE %
+ (instance, ""))
+ output = run_dbscan(['-L', dbpath])
+ if 'ipaca/' in output:
self.db2ldif(instance, 'ipaca', online=options.online)
self.db2ldif(instance, 'userRoot', online=options.online)
self.db2bak(instance, online=options.online)
--
2.43.0
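Review bot: The `if 'ipaca/' in output:` test in the ipa_backup.py hunk is a substring match on the raw text returned by run_dbscan, and nothing in these lines checks whether the scan itself succeeded. As far as the hunk shows, a failed or unexpected dbscan run is therefore indistinguishable from a server without a CA, and the backup would be written without the ipaca backend and without any message. The match is also case-sensitive and unanchored, whereas the companion ipa-restore patch splits each line on `/` and lowercases the backend name. I would parse the listing the same way and record the negative outcome, e.g. `logger.info("ipaca backend not found under %s; skipping CA export", dbpath)` (assuming the module has a logger, which the hunk does not show). The enclosing Backup method starts and ends outside the hunk.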


@ -0,0 +1,106 @@
From cb16071635e8c60faa5b6062ed1dd61c3f133fa3 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 7 Feb 2024 13:42:11 -0500
Subject: ipa-restore: adapt for 389-ds switch to LMDB
ipa-restore is relying on the presence of specific directories,
e.g. /var/lib/dirsrv/slapd-<INSTANCE>/db/ipaca, to detect
which backends are in use (userRoot or ipaca).
With the switch to LMDB, these directories do not exist and the
restore fails finding the ipaca backend.
Use lib389.cli_ctl.dblib.run_dbscan utility instead to
check which backends are present.
This method was been introduced in 389ds 2.1.0 and works with
Berkeley DB and LMDB.
Fixes: https://pagure.io/freeipa/issue/9526
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/ipa_restore.py | 45 +++++++++++++++++++++++++++-----
1 file changed, 38 insertions(+), 7 deletions(-)
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 5b7ac61d08f..88b34477049 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -50,6 +50,8 @@
from ipaplatform import services
from ipaplatform.paths import paths
+from lib389.cli_ctl.dblib import run_dbscan
+
try:
from ipaserver.install import adtrustinstance
except ImportError:
@@ -65,6 +67,29 @@
logger = logging.getLogger(__name__)
+backends = [] # global to save running dbscan multiple times
+
+
+def get_backends(db_dir):
+ """Retrieve the set of backends directly from the current database"""
+ global backends
+
+ if backends:
+ return backends
+
+ output = run_dbscan(['-L', db_dir])
+ output = output.replace(db_dir + '/', '')
+ output = output.split('\n')
+ for line in output:
+ if '/' not in line:
+ continue
+ backends.append(line.split('/')[0].strip().lower())
+ backends = set(backends)
+ if 'changelog' in backends:
+ backends.remove('changelog')
+
+ return backends
+
def recursive_chown(path, uid, gid):
'''
@@ -295,8 +320,9 @@ def run(self):
if options.backend:
for instance in self.instances:
db_dir = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE %
- (instance, options.backend))
- if os.path.exists(db_dir):
+ (instance, ""))
+ backends = get_backends(db_dir)
+ if options.backend.lower() in backends:
break
else:
raise admintool.ScriptError(
@@ -304,15 +330,20 @@ def run(self):
self.backends = [options.backend]
+ missing_backends = []
for instance, backend in itertools.product(self.instances,
self.backends):
db_dir = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE %
- (instance, backend))
- if os.path.exists(db_dir):
- break
- else:
+ (instance, ""))
+ backends = get_backends(db_dir)
+ if backend.lower() not in backends:
+ missing_backends.append(backend)
+
+ if missing_backends:
raise admintool.ScriptError(
- "Cannot restore a data backup into an empty system")
+ "Cannot restore a data backup into an empty system. "
+ "Missing backend(s) %s" % ', '.join(missing_backends)
+ )
logger.info("Performing %s restore from %s backup",
restore_type, self.backup_type)
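Review bot: `get_backends()` keeps its result in a single module-level `backends` variable regardless of `db_dir`, and rebinds that variable from a list to a set. After a first call that finds nothing (or only `changelog`) the global is an empty set, so the `if backends:` guard fails on the next call and `backends.append(...)` raises AttributeError on a set, on the same empty-system path where `run()` is meant to raise ScriptError. With more than one entry in `self.instances`, later instances would also be answered from the first instance's listing. Keying the cache on `db_dir` and building a local set, as below, avoids both. Separately, the second `run()` hunk now fails when any backend is missing, where the old for/else failed only when none existed; confirm that is intended.

```python
_backends_cache = {}  # db_dir -> set of backend names; avoids re-running dbscan


def get_backends(db_dir):
    """Retrieve the set of backends directly from the current database"""
    if db_dir in _backends_cache:
        return _backends_cache[db_dir]

    output = run_dbscan(['-L', db_dir])
    found = set()
    for line in output.replace(db_dir + '/', '').split('\n'):
        if '/' not in line:
            continue
        found.add(line.split('/')[0].strip().lower())
    # the changelog is not a restorable backend
    found.discard('changelog')

    _backends_cache[db_dir] = found
    return found
```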


@ -78,8 +78,8 @@
%global ds_version 1.4.3.16-12
%global selinux_policy_version 3.14.3-107
%else
# DNA interval enabled
%global ds_version 2.0.5-1
# version supporting LMDB and lib389.cli_ctl.dblib.run_dbscan utility
%global ds_version 2.1.0
%global selinux_policy_version 38.1.1-1
%endif
@ -200,7 +200,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 2%{?rc_version:.%rc_version}%{?dist}
Release: 3%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later
@ -229,6 +229,8 @@ Patch0009: 0005-pyca-42.0.0-support.patch
Patch0010: 0004-ipa-cli-krb5-crash.patch
Patch0011: 0003-kdb-memory-leak.patch
Patch0012: 0010-support-samba-4.20.patch
Patch0013: freeipa-support-389-ds-with-lmdb-backup.patch
Patch0014: freeipa-support-389-ds-with-lmdb-restore.patch
# RHEL spec file only: START: Change branding to IPA and Identity Management
# Moved branding logos and background to redhat-logos-ipa-80.4:
@ -1749,6 +1751,9 @@ fi
%endif
%changelog
* Thu Feb 08 2024 Alexander Bokovoy <abokovoy@redhat.com> - 4.11.1-3
- Support 389-ds with lmdb backend
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.11.1-2
- Rebuild against Samba 4.20rc1
- Fix memory leak in Kerberos KDC driver