URL: https://github.com/freeipa/freeipa/pull/1800
Author: tiran
 Title: #1800: Add nsds5ReplicaReleaseTimeout to replica config
Action: opened

PR body:
"""
The nsds5ReplicaReleaseTimeout setting prevents the monopolization of
replicas during initial or busy master-master replication. 389-DS
documentation suggests a timeout of 60 seconds to improve convergence of
replicas.

See: http://directory.fedoraproject.org/docs/389ds/design/repl-conv-design.html
Fixes: https://pagure.io/freeipa/issue/7488
Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1800/head:pr1800
git checkout pr1800
From 323f8bc732674f31fbbb5e35a23403cb95fc3700 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 11 Apr 2018 13:34:41 +0200
Subject: [PATCH] Add nsds5ReplicaReleaseTimeout to replica config

The nsds5ReplicaReleaseTimeout setting prevents the monopolization of
replicas during initial or busy master-master replication. 389-DS
documentation suggests a timeout of 60 seconds to improve convergence of
replicas.

See: http://directory.fedoraproject.org/docs/389ds/design/repl-conv-design.html
Fixes: https://pagure.io/freeipa/issue/7488
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaserver/install/replication.py    | 21 ++++++++++++++++-----
 ipaserver/install/server/upgrade.py | 17 +++++++++++++++++
 2 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index e25a2f2cd7..3dbe6b44d4 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -474,20 +474,30 @@ def replica_config(self, conn, replica_id, replica_binddn):
 
         try:
             entry = conn.get_entry(dn)
+        except errors.NotFound:
+            pass
+        else:
             managers = {DN(m) for m in entry.get('nsDS5ReplicaBindDN', [])}
 
+            mods = []
             if replica_binddn not in managers:
                 # Add the new replication manager
-                mod = [(ldap.MOD_ADD, 'nsDS5ReplicaBindDN',
-                        replica_binddn)]
-                conn.modify_s(dn, mod)
+                mods.append(
+                    (ldap.MOD_ADD, 'nsDS5ReplicaBindDN', replica_binddn)
+                )
+            if 'nsds5replicareleasetimeout' not in entry:
+                # See https://pagure.io/freeipa/issue/7488
+                mods.append(
+                    (ldap.MOD_ADD, 'nsds5replicareleasetimeout', ['60'])
+                )
+
+            if mods:
+                conn.modify_s(dn, mods)
 
             self.set_replica_binddngroup(conn, entry)
 
             # replication is already configured
             return
-        except errors.NotFound:
-            pass
 
         replica_type = self.get_replica_type()
 
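Review bot: Batching both changes into the single `conn.modify_s(dn, mods)` makes the replication-manager addition depend on the timeout attribute being accepted, because an LDAP modify applies all of its changes or none. If a server rejects `nsds5replicareleasetimeout` (for instance a 389-DS build whose schema lacks it, which this hunk cannot confirm), the `nsDS5ReplicaBindDN` add that used to succeed on its own would now fail with it. Consider issuing the two modifications as separate calls, or documenting the minimum 389-DS version the attribute requires. The literal `'60'` is also repeated here, in the `add_entry` hunk that follows and in `update_replica_config` in upgrade.py; a single named constant with a comment such as `# seconds, per the 389-DS replication convergence design` would keep the three sites in step. `replica_config` starts and continues outside this hunk.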
@@ -502,6 +512,7 @@ def replica_config(self, conn, replica_id, replica_binddn):
             nsds5replicabinddn=[replica_binddn],
             nsds5replicabinddngroup=[self.repl_man_group_dn],
             nsds5replicabinddngroupcheckinterval=["60"],
+            nsds5replicareleasetimeout=["60"],
             nsds5replicalegacyconsumer=["off"],
         )
         conn.add_entry(entry)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 37f425ef1a..ed845027ae 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1637,6 +1637,19 @@ def ntpd_cleanup(fqdn, fstore):
     sysupgrade.set_upgrade_state('ntpd', 'ntpd_cleaned', True)
 
 
+def update_replica_config(db_suffix):
+    dn = DN(
+        ('cn', 'replica'), ('cn', db_suffix), ('cn', 'mapping tree'),
+        ('cn', 'config')
+    )
+    entry = api.Backend.ldap2.get_entry(dn)
+    if 'nsds5replicareleasetimeout' not in entry:
+        # See https://pagure.io/freeipa/issue/7488
+        logger.info("Adding nsds5replicaReleaseTimeout=60 to %s", dn)
+        entry['nsds5replicareleasetimeout'] = '60'
+        api.Backend.ldap2.update_entry(entry)
+
+
 def upgrade_configuration():
     """
     Execute configuration upgrade of the IPA services
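Review bot: `api.Backend.ldap2.get_entry(dn)` in `update_replica_config` is not guarded against a missing entry, so if `cn=replica` for the suffix does not exist on the host being upgraded, the lookup error propagates into `upgrade_configuration` (the call site is in the next hunk) and would likely abort the upgrade. replication.py in this same patch treats `errors.NotFound` from the equivalent lookup as "not configured yet"; wrapping the `get_entry` call in `try:` with `except errors.NotFound: return` would make this step a no-op in that case, assuming `errors` is in scope in upgrade.py, which the hunk does not show. The function also has no docstring; `"""Add nsds5ReplicaReleaseTimeout to the replica config of db_suffix if unset."""` would state its contract.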
@@ -1781,6 +1794,10 @@ def upgrade_configuration():
 
     ds.configure_dirsrv_ccache()
 
+    update_replica_config(ipautil.realm_to_suffix(api.env.realm))
+    if ca.is_configured():
+        update_replica_config(DN(('o', 'ipaca')))
+
     ds.stop(ds_serverid)
     fix_schema_file_syntax()
     remove_ds_ra_cert(subject_base)