URL: https://github.com/freeipa/freeipa/pull/1800 Author: tiran Title: #1800: Add nsds5ReplicaReleaseTimeout to replica config Action: opened
PR body: """ The nsds5ReplicaReleaseTimeout setting prevents the monopolization of replicas during initial or busy master-master replication. 389-DS documentation suggests a timeout of 60 seconds to improve convergence of replicas. See: http://directory.fedoraproject.org/docs/389ds/design/repl-conv-design.html Fixes: https://pagure.io/freeipa/issue/7488 Signed-off-by: Christian Heimes <chei...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1800/head:pr1800 git checkout pr1800
From 323f8bc732674f31fbbb5e35a23403cb95fc3700 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 11 Apr 2018 13:34:41 +0200
Subject: [PATCH] Add nsds5ReplicaReleaseTimeout to replica config
The nsds5ReplicaReleaseTimeout setting prevents the monopolization of replicas during initial or busy master-master replication. 389-DS documentation suggets a timeout of 60 seconds to improve convergence of replicas.
See: http://directory.fedoraproject.org/docs/389ds/design/repl-conv-design.html
Fixes: https://pagure.io/freeipa/issue/7488
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaserver/install/replication.py | 21 ++++++++++++++++-----
 ipaserver/install/server/upgrade.py | 17 +++++++++++++++++
 2 files changed, 33 insertions(+), 5 deletions(-)
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index e25a2f2cd7..3dbe6b44d4 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -474,20 +474,30 @@ def replica_config(self, conn, replica_id, replica_binddn):
 try:
 entry = conn.get_entry(dn)
+ except errors.NotFound:
+ pass
+ else:
 managers = {DN(m) for m in entry.get('nsDS5ReplicaBindDN', [])}
+ mods = []
 if replica_binddn not in managers:
 # Add the new replication manager
- mod = [(ldap.MOD_ADD, 'nsDS5ReplicaBindDN',
- replica_binddn)]
- conn.modify_s(dn, mod)
+ mods.append(
+ (ldap.MOD_ADD, 'nsDS5ReplicaBindDN', replica_binddn)
+ )
+ if 'nsds5replicareleasetimeout' not in entry:
+ # See https://pagure.io/freeipa/issue/7488
+ mods.append(
+ (ldap.MOD_ADD, 'nsds5replicareleasetimeout', ['60'])
+ )
+
+ if mods:
+ conn.modify_s(dn, mods)
 self.set_replica_binddngroup(conn, entry)
 # replication is already configured
 return
- except errors.NotFound:
- pass
 replica_type = self.get_replica_type()
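Review bot: The release timeout is written as a bare literal at every site that sets it — `['60']` in the existing-entry branch of this hunk, `["60"]` in the `add_entry` keyword list of the next hunk, and `'60'` in `update_replica_config` in upgrade.py — so a later tuning change can leave fresh installs, re-configured replicas and upgraded servers with different values. A single module-level constant in replication.py, for example `REPLICA_RELEASE_TIMEOUT = '60'  # seconds, see https://pagure.io/freeipa/issue/7488`, referenced from all three sites would keep them in step. The existing-entry branch also modifies `cn=replica` without a log line while the upgrade path logs its change; if the module has a logger, a `logger.debug("Updating replica config %s", dn)` before `conn.modify_s(dn, mods)` would make the change traceable. `replica_config` starts and ends outside the hunk.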
@@ -502,6 +512,7 @@ def replica_config(self, conn, replica_id, replica_binddn):
 nsds5replicabinddn=[replica_binddn],
 nsds5replicabinddngroup=[self.repl_man_group_dn],
 nsds5replicabinddngroupcheckinterval=["60"],
+ nsds5replicareleasetimeout=["60"],
 nsds5replicalegacyconsumer=["off"],
 )
 conn.add_entry(entry)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 37f425ef1a..ed845027ae 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1637,6 +1637,19 @@ def ntpd_cleanup(fqdn, fstore):
 sysupgrade.set_upgrade_state('ntpd', 'ntpd_cleaned', True)
+def update_replica_config(db_suffix):
+ dn = DN(
+ ('cn', 'replica'), ('cn', db_suffix), ('cn', 'mapping tree'),
+ ('cn', 'config')
+ )
+ entry = api.Backend.ldap2.get_entry(dn)
+ if 'nsds5replicareleasetimeout' not in entry:
+ # See https://pagure.io/freeipa/issue/7488
+ logger.info("Adding nsds5replicaReleaseTimeout=60 to %s", dn)
+ entry['nsds5replicareleasetimeout'] = '60'
+ api.Backend.ldap2.update_entry(entry)
+
+
 def upgrade_configuration():
 """
 Execute configuration upgrade of the IPA services
@@ -1781,6 +1794,10 @@ def upgrade_configuration():
 ds.configure_dirsrv_ccache()
+ update_replica_config(ipautil.realm_to_suffix(api.env.realm))
+ if ca.is_configured():
+ update_replica_config(DN(('o', 'ipaca')))
+
 ds.stop(ds_serverid)
 fix_schema_file_syntax()
 remove_ds_ra_cert(subject_base)
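Review bot: `update_replica_config` in upgrade.py calls `api.Backend.ldap2.get_entry(dn)` with no handling for a missing entry, so if `cn=replica` does not exist for a suffix the exception propagates into `upgrade_configuration()` from the two new calls in the last hunk and stops the upgrade part-way, before `ds.stop(ds_serverid)`. `replica_config` in replication.py treats `errors.NotFound` on the same DN as a normal case, which suggests the entry can legitimately be absent (to be confirmed for a master that has no replication agreement yet). Wrapping the lookup as `try: entry = api.Backend.ldap2.get_entry(dn)` followed by `except errors.NotFound: return` would make the step a no-op there; whether `errors` is already imported in upgrade.py is not visible in this hunk. The new function also has no docstring; a one-line summary saying that it adds the attribute only when absent would match the documented `upgrade_configuration()` below it.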