rpms/sssd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Apply 0005-watchdog-add-arm_watchdog-and-disarm_watchdog-calls

Browse Source 
0006-sbus-arm-watchdog-for-sbus_connect_init_send
 0007-sysdb-fix-string-comparison-when-checking-for-overrides patches
This commit is contained in:
eabdullin 2023-08-08 16:47:27 +03:00
parent 87cae3c020
commit 5ddcf41b6f
4 changed files with 208 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

106
SOURCES/0005-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch Normal file
View File

@ -0,0 +1,106 @@
From 2cd5a6a2c8fd1826177d6bb51e7d4f4ad368bcfb Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 9 Jun 2023 12:31:39 +0200
Subject: [PATCH 1/2] watchdog: add arm_watchdog() and disarm_watchdog() calls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Those two new calls can be used if there are requests stuck by e.g.
waiting on replies where there is no other way to handle the timeout and
get the system back into a stable state. They should be only used as a
last resort.
Resolves: https://github.com/SSSD/sssd/issues/6803
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 75f2b35ad3b9256de905d05c5108400d35688554)
---
src/util/util.h | 12 ++++++++++++
src/util/util_watchdog.c | 28 ++++++++++++++++++++++++++--
2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/src/util/util.h b/src/util/util.h
index a8356e0cd..9dbcf3301 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -756,6 +756,18 @@ int setup_watchdog(struct tevent_context *ev, int interval);
void teardown_watchdog(void);
int get_watchdog_ticks(void);
+/* The arm_watchdog() and disarm_watchdog() calls will disable and re-enable
+ * the watchdog reset, respectively. This means that after arm_watchdog() is
+ * called the watchdog will not be resetted anymore and it will kill the
+ * process if disarm_watchdog() wasn't called before.
+ * Those calls should only be used when there is no other way to handle
+ * waiting request and recover into a stable state.
+ * Those calls cannot be nested, i.e. after calling arm_watchdog() it should
+ * not be called a second time in a different request because then
+ * disarm_watchdog() will disable the watchdog coverage for both. */
+void arm_watchdog(void);
+void disarm_watchdog(void);
+
/* from files.c */
int sss_remove_tree(const char *root);
int sss_remove_subtree(const char *root);
diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
index b1534e499..abafd94b9 100644
--- a/src/util/util_watchdog.c
+++ b/src/util/util_watchdog.c
@@ -40,6 +40,7 @@ struct watchdog_ctx {
time_t timestamp;
struct tevent_fd *tfd;
int pipefd[2];
+ bool armed; /* if 'true' ticks counter will not be reset */
} watchdog_ctx;
static void watchdog_detect_timeshift(void)
@@ -89,8 +90,13 @@ static void watchdog_event_handler(struct tevent_context *ev,
struct timeval current_time,
void *private_data)
{
- /* first thing reset the watchdog ticks */
- watchdog_reset();
+ if (!watchdog_ctx.armed) {
+ /* first thing reset the watchdog ticks */
+ watchdog_reset();
+ } else {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "Watchdog armed, process might be terminated soon.\n");
+ }
/* then set a new watchodg event */
watchdog_ctx.te = tevent_add_timer(ev, ev,
@@ -197,6 +203,7 @@ int setup_watchdog(struct tevent_context *ev, int interval)
watchdog_ctx.ev = ev;
watchdog_ctx.input_interval = interval;
watchdog_ctx.timestamp = time(NULL);
+ watchdog_ctx.armed = false;
ret = pipe(watchdog_ctx.pipefd);
if (ret == -1) {
@@ -264,3 +271,20 @@ int get_watchdog_ticks(void)
{
return __sync_add_and_fetch(&watchdog_ctx.ticks, 0);
}
+
+void arm_watchdog(void)
+{
+ if (watchdog_ctx.armed) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "arm_watchdog() is called although the watchdog is already armed. "
+ "This indicates a programming error and should be avoided because "
+ "it will most probably not work as expected.\n");
+ }
+
+ watchdog_ctx.armed = true;
+}
+
+void disarm_watchdog(void)
+{
+ watchdog_ctx.armed = false;
+}
--
2.38.1

53
SOURCES/0006-sbus-arm-watchdog-for-sbus_connect_init_send.patch Normal file
View File

@ -0,0 +1,53 @@
From 55564defec8fdbb4d9df6b0124a8b18b31743230 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 9 Jun 2023 13:01:47 +0200
Subject: [PATCH 2/2] sbus: arm watchdog for sbus_connect_init_send()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There seem to be conditions where the reply in the
sbus_call_DBus_Hello_send() request gets lost and the backend cannot
properly initialize its sbus/DBus server. Since the backend cannot be
connected by the frontends in this state the best way to recover would
be a restart. Since the event-loop is active in this state, e.g. waiting
for the reply, the watchdog will not consider the process as hung and
will not restart the process.
To make the watchdog handle this case arm_watchdog() and
disarm_watchdog() are called before and after the request, respectively.
Resolves: https://github.com/SSSD/sssd/issues/6803
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit cca9361d92501e0be34d264d370fe897a0c970af)
---
src/sbus/connection/sbus_connection_connect.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/sbus/connection/sbus_connection_connect.c b/src/sbus/connection/sbus_connection_connect.c
index 45a0fa491..edc090e15 100644
--- a/src/sbus/connection/sbus_connection_connect.c
+++ b/src/sbus/connection/sbus_connection_connect.c
@@ -67,6 +67,8 @@ sbus_connect_init_send(TALLOC_CTX *mem_ctx,
tevent_req_set_callback(subreq, sbus_connect_init_hello_done, req);
+ arm_watchdog();
+
return req;
}
@@ -111,6 +113,8 @@ static void sbus_connect_init_done(struct tevent_req *subreq)
uint32_t res;
errno_t ret;
+ disarm_watchdog();
+
req = tevent_req_callback_data(subreq, struct tevent_req);
ret = sbus_call_DBus_RequestName_recv(subreq, &res);
--
2.38.1

36
SOURCES/0007-sysdb-fix-string-comparison-when-checking-for-overrides.patch Normal file
View File

@ -0,0 +1,36 @@
From 01d02794e02f051ea9a78cd63b30384de3e7c9b0 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 10 May 2023 10:27:08 +0200
Subject: [PATCH] sysdb: fix string comparison when checking for overrides
When checking if the input group-name is the original name from AD or an
overwritten one the comparison is currently done case sensitive. Since
AD handles names case-insensitive and hence SSSD should do this as well
this comparison might cause issues.
The patch replace the case sensitive comparison with a comparison with
respects the case_sensitive of the domain the object is coming from.
Resolves: https://github.com/SSSD/sssd/issues/6720
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/db/sysdb_search.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index 7efd570e78..e4c53b8535 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -1225,7 +1225,9 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
res->msgs[0], ORIGINALAD_PREFIX SYSDB_NAME, NULL);
if (originalad_sanitized_name != NULL
- && strcmp(originalad_sanitized_name, sanitized_name) != 0) {
+ && !sss_string_equal(domain->case_sensitive,
+ originalad_sanitized_name,
+ sanitized_name)) {
fmt_filter = SYSDB_GRNAM_FILTER;
base_dn = sysdb_group_base_dn(tmp_ctx, domain);
res = NULL;

14
SPECS/sssd.spec
View File

@ -19,7 +19,7 @@
Name: sssd Name: sssd
Version: 2.8.2 Version: 2.8.2
Release: 2%{?dist} Release: 3%{?dist}.alma
Group: Applications/System Group: Applications/System
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPLv3+ License: GPLv3+
@ -32,6 +32,13 @@ Patch0002: 0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
Patch0003: 0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch Patch0003: 0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
Patch0004: 0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch Patch0004: 0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
# Patches were taken from:
# https://gitlab.com/redhat/centos-stream/rpms/sssd/-/commit/26c81cdfa6fdda4aab69e0184839be0fb74ef73d
Patch0005: 0005-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch
Patch0006: 0006-sbus-arm-watchdog-for-sbus_connect_init_send.patch
# https://github.com/SSSD/sssd/commit/01d02794e02f051ea9a78cd63b30384de3e7c9b0
Patch0007: 0007-sysdb-fix-string-comparison-when-checking-for-overrides.patch
### Downstream Patches ### ### Downstream Patches ###
### Dependencies ### ### Dependencies ###
@ -1213,6 +1220,11 @@ fi
%systemd_postun_with_restart sssd.service %systemd_postun_with_restart sssd.service
%changelog %changelog
* Tue Aug 08 2023 Eduard Abdullin <eabdullin@almalinux.org> - 2.8.2-3.alma
- Apply 0005-watchdog-add-arm_watchdog-and-disarm_watchdog-calls
0006-sbus-arm-watchdog-for-sbus_connect_init_send
0007-sysdb-fix-string-comparison-when-checking-for-overrides patches
* Mon Feb 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2 * Mon Feb 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
- Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy" - Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy"