rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity
615535485a
ipa/SOURCES/0021-Fix-nsslapd-db-lock-tuning-of-BDB-backend_rhbz#1882472.patch
CentOS Sources 615535485a import ipa-4.8.7-13.module+el8.3.0+8376+0bba7131
2021-09-10 11:02:33 +00:00

216 lines
8.1 KiB
Diff
Raw Blame History

Adapted patch for ipatests/test_integration/test_installation.py due to
missing commit 930f4b3d1dc03f9e365b007b027d65e146a08f05 (Prevent local account
takeover).
From 87e5c0500b76b7cbeecedc0c28d44095c7063186 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Thu, 24 Sep 2020 12:32:37 +0200
Subject: [PATCH] Fix nsslapd-db-lock tuning of BDB backend
nsslapd-db-lock was moved from cn=config,cn=ldbm database,cn=plugins,cn=config
entry to cn=bdb subentry. Manual patching of dse.ldif was no longer
working. Installations with 389-DS 1.4.3 and newer are affected.
Low lock count can affect performance during high load, e.g. mass-import
of users or lots of concurrent connections.
Bump minimal DS version to 1.4.3. Fedora 32 and RHEL 8.3 have 1.4.3.
Fixes: https://pagure.io/freeipa/issue/8515
See: https://pagure.io/freeipa/issue/5914
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
---
freeipa.spec.in | 17 ++++++-----------
install/share/Makefile.am | 1 +
install/share/ldbm-tuning.ldif | 4 ++++
install/updates/10-db-locks.update | 10 ++++++++++
install/updates/Makefile.am | 1 +
ipapython/ipaldap.py | 1 +
ipaserver/install/dsinstance.py | 9 ++++-----
.../test_customized_ds_config_install.py | 3 ++-
.../test_integration/test_installation.py | 19 +++++++++++++++++++
9 files changed, 48 insertions(+), 17 deletions(-)
create mode 100644 install/share/ldbm-tuning.ldif
create mode 100644 install/updates/10-db-locks.update
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1db7d6457..8e6736b60 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -55,10 +55,9 @@
%global selinux_policy_version 3.14.3-21
%global slapi_nis_version 0.56.1-4
%global python_ldap_version 3.1.0-1
-# python3-lib389
-# Fix for "Installation fails: Replica Busy"
-# https://pagure.io/389-ds-base/issue/49818
-%global ds_version 1.4.0.16
+# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
+# https://pagure.io/freeipa/issue/8515
+%global ds_version 1.4.3
# Fix for TLS 1.3 PHA, RHBZ#1775158
%global httpd_version 2.4.37-21
@@ -89,13 +88,9 @@
# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
%global python_ldap_version 3.1.0-1
-# Fix for create suffix
-# https://pagure.io/389-ds-base/issue/49984
-%if 0%{?fedora} >= 30
-%global ds_version 1.4.1.1
-%else
-%global ds_version 1.4.0.21
-%endif
+# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
+# https://pagure.io/freeipa/issue/8515
+%global ds_version 1.4.3
# Fix for TLS 1.3 PHA, RHBZ#1775146
%if 0%{?fedora} >= 31
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 53bd8f5d5..53485edfa 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -102,6 +102,7 @@ dist_app_DATA = \
ipaca_default.ini \
ipaca_customize.ini \
ipaca_softhsm2.ini \
+ ldbm-tuning.ldif \
$(NULL)
kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
diff --git a/install/share/ldbm-tuning.ldif b/install/share/ldbm-tuning.ldif
new file mode 100644
index 000000000..765ccb01a
--- /dev/null
+++ b/install/share/ldbm-tuning.ldif
@@ -0,0 +1,4 @@
+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
+changetype: modify
+replace: nsslapd-db-locks
+nsslapd-db-locks: 50000
diff --git a/install/updates/10-db-locks.update b/install/updates/10-db-locks.update
new file mode 100644
index 000000000..31d2e4352
--- /dev/null
+++ b/install/updates/10-db-locks.update
@@ -0,0 +1,10 @@
+# Fix nsslapd-db-locks move
+# https://pagure.io/freeipa/issue/8515
+
+# replace 389-DS default with 50000 locks
+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
+replace: nsslapd-db-locks:10000::50000
+
+# remove setting from old location
+dn: cn=config,cn=ldbm database,cn=plugins,cn=config
+remove: nsslapd-db-locks: 50000
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 8a4d9cc6c..957ad4fa2 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -4,6 +4,7 @@ appdir = $(IPA_DATA_DIR)/updates
app_DATA = \
05-pre_upgrade_plugins.update \
10-config.update \
+ 10-db-locks.update \
10-enable-betxn.update \
10-ipapwd.update \
10-selinuxusermap.update \
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 3eac95a87..5c43413cc 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -753,6 +753,7 @@ class LDAPClient:
'nsslapd-anonlimitsdn': True,
'nsslapd-minssf-exclude-rootdse': True,
'nsslapd-enable-upgrade-hash': True,
+ 'nsslapd-db-locks': True,
})
time_limit = -1.0 # unlimited
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 3fc0de371..065c6f78f 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -226,6 +226,7 @@ class DsInstance(service.Service):
self.step("creating directory server instance", self.__create_instance)
self.step("configure autobind for root", self.__root_autobind)
+ self.step("tune ldbm plugin", self.__tune_ldbm)
self.step("stopping directory server", self.__stop_instance)
self.step("updating configuration in dse.ldif", self.__update_dse_ldif)
self.step("starting directory server", self.__start_instance)
@@ -592,6 +593,9 @@ class DsInstance(service.Service):
# Done!
logger.debug("completed creating DS instance")
+ def __tune_ldbm(self):
+ self._ldap_mod("ldbm-tuning.ldif")
+
def __update_dse_ldif(self):
"""
This method updates dse.ldif right after instance creation. This is
@@ -610,11 +614,6 @@ class DsInstance(service.Service):
temp_filename = new_dse_ldif.name
with open(dse_filename, "r") as input_file:
parser = installutils.ModifyLDIF(input_file, new_dse_ldif)
- parser.replace_value(
- 'cn=config,cn=ldbm database,cn=plugins,cn=config',
- 'nsslapd-db-locks',
- [b'50000']
- )
if self.config_ldif:
# parse modifications from ldif file supplied by the admin
with open(self.config_ldif, "r") as config_ldif:
diff --git a/ipatests/test_integration/test_customized_ds_config_install.py b/ipatests/test_integration/test_customized_ds_config_install.py
index a2fcc7dd2..95195a014 100644
--- a/ipatests/test_integration/test_customized_ds_config_install.py
+++ b/ipatests/test_integration/test_customized_ds_config_install.py
@@ -4,7 +4,8 @@ from ipatests.pytest_ipa.integration import tasks
DIRSRV_CONFIG_MODS = """
# https://fedorahosted.org/freeipa/ticket/4949
-dn: cn=config,cn=ldbm database,cn=plugins,cn=config
+# https://pagure.io/freeipa/issue/8515
+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-db-locks
nsslapd-db-locks: 100000
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index c939c6450..ec826edb7 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -972,6 +972,25 @@ class TestInstallMaster(IntegrationTest):
)
assert "nsslapd-enable-upgrade-hash: off" in result.stdout_text
+ def test_ldbm_tuning(self):
+ # check db-locks in new cn=bdb subentry (1.4.3+)
+ result = tasks.ldapsearch_dm(
+ self.master,
+ "cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config",
+ ["nsslapd-db-locks"],
+ scope="base"
+ )
+ assert "nsslapd-db-locks: 50000" in result.stdout_text
+
+ # no db-locks configuration in old global entry
+ result = tasks.ldapsearch_dm(
+ self.master,
+ "cn=config,cn=ldbm database,cn=plugins,cn=config",
+ ["nsslapd-db-locks"],
+ scope="base"
+ )
+ assert "nsslapd-db-locks" not in result.stdout_text
+
class TestInstallMasterKRA(IntegrationTest):
--
2.26.2
Reference in New Issue View Git Blame Copy Permalink