URL: https://github.com/freeipa/freeipa/pull/5145 Author: tiran Title: #5145: Fix nsslapd-db-lock tuning of BDB backend Action: opened
PR body: """ nsslapd-db-lock was moved from cn=config,cn=ldbm database,cn=plugins,cn=config entry to cn=bdb subentry. Manual patching of dse.ldif was no longer working. Installations with 389-DS 1.4.3 and newer are affected. Also skip offline dse.ldif patching by default. The installer now stops and patches dse.ldif only when the option --dirsrv-config-file is used. LDBM nsslapd-db-locks are increased in a new step. This speeds up the installer by 4 or more seconds on a fast system. Fixes: https://pagure.io/freeipa/issue/8515 Signed-off-by: Christian Heimes <chei...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5145/head:pr5145 git checkout pr5145
From bfbb89cbeefd0cb7be29a1694e01cab82b61bfcf Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 24 Sep 2020 12:32:37 +0200
Subject: [PATCH] Fix nsslapd-db-lock tuning of BDB backend
nsslapd-db-lock was moved from cn=config,cn=ldbm database,cn=plugins,cn=config entry to cn=bdb subentry. Manual patching of dse.ldif was no longer working. Installations with 389-DS 1.4.3 and newer are affected. Also skip offline dse.ldif patching by default. The installer now stop and patches dse.ldif only when the option --dirsrv-config-file is used. LDBM nsslapd-db-locks are increased in a new step. This speeds up installer by 4 or more seconds on a fast system.
Fixes: https://pagure.io/freeipa/issue/8515
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 install/share/Makefile.am | 1 +
 install/share/ldbm-tuning.ldif | 4 ++++
 install/updates/10-db-locks.update | 10 +++++++++
 install/updates/Makefile.am | 1 +
 ipapython/ipaldap.py | 1 +
 ipaserver/install/dsinstance.py | 21 +++++++++++--------
 .../test_integration/test_installation.py | 8 +++++++
 7 files changed, 37 insertions(+), 9 deletions(-)
 create mode 100644 install/share/ldbm-tuning.ldif
 create mode 100644 install/updates/10-db-locks.update
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 026d83035c..3b437f065a 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -108,6 +108,7 @@ dist_app_DATA = \
 pki-acme-database.conf.template \
 pki-acme-engine.conf.template \
 pki-acme-issuer.conf.template \
+ ldbm-tuning.ldif \
 $(NULL)
 kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
diff --git a/install/share/ldbm-tuning.ldif b/install/share/ldbm-tuning.ldif
new file mode 100644
index 0000000000..765ccb01a2
--- /dev/null
+++ b/install/share/ldbm-tuning.ldif
@@ -0,0 +1,4 @@
+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
+changetype: modify
+replace: nsslapd-db-locks
+nsslapd-db-locks: 50000
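Review bot: The DN in `ldbm-tuning.ldif` hardcodes the `cn=bdb` subentry, and nothing in the file says which servers have that entry. The commit message says the attribute moved there in 389-DS 1.4.3, so against an older server this modify would presumably target a missing entry, and the new `__tune_ldbm` step in dsinstance.py applies the file on every install. I would add a leading comment such as `# cn=bdb subentry exists in 389-DS >= 1.4.3, see https://pagure.io/freeipa/issue/8515`, and confirm that the minimum supported 389-DS version makes the unconditional step safe.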
diff --git a/install/updates/10-db-locks.update b/install/updates/10-db-locks.update
new file mode 100644
index 0000000000..31d2e43526
--- /dev/null
+++ b/install/updates/10-db-locks.update
@@ -0,0 +1,10 @@
+# Fix nsslapd-db-locks move
+# https://pagure.io/freeipa/issue/8515
+
+# replace 389-DS default with 50000 locks
+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
+replace: nsslapd-db-locks:10000::50000
+
+# remove setting from old location
+dn: cn=config,cn=ldbm database,cn=plugins,cn=config
+remove: nsslapd-db-locks: 50000
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 8a4d9cc6cf..957ad4fa24 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -4,6 +4,7 @@ appdir = $(IPA_DATA_DIR)/updates
 app_DATA = \
 05-pre_upgrade_plugins.update \
 10-config.update \
+ 10-db-locks.update \
 10-enable-betxn.update \
 10-ipapwd.update \
 10-selinuxusermap.update \
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 7c9c435741..42f41ae8ac 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -759,6 +759,7 @@ class LDAPClient:
 'nsslapd-anonlimitsdn': True,
 'nsslapd-minssf-exclude-rootdse': True,
 'nsslapd-enable-upgrade-hash': True,
+ 'nsslapd-db-locks': True,
 })
 time_limit = -1.0 # unlimited
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 24316aaee4..f5b84e904d 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
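Review bot: The second stanza of `10-db-locks.update` removes `nsslapd-db-locks: 50000` from the old `cn=config,cn=ldbm database` entry without any check that the server really reads the value from `cn=bdb`. If this update runs against a 389-DS older than 1.4.3, where per the commit message the old entry is still the live location, the removal would drop the tuned value and the first stanza would have no entry to act on; how the updater treats a missing entry is not visible here. The header comment could state the assumption, for example `# requires 389-DS >= 1.4.3; on older servers the old location is still authoritative`, or the packaging should enforce that minimum version.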
@@ -225,9 +225,13 @@ def __common_setup(self):
 self.step("creating directory server instance", self.__create_instance)
 self.step("configure autobind for root", self.__root_autobind)
- self.step("stopping directory server", self.__stop_instance)
- self.step("updating configuration in dse.ldif", self.__update_dse_ldif)
- self.step("starting directory server", self.__start_instance)
+ self.step("tune ldbm plugin", self.__tune_ldbm)
+ if self.config_ldif is not None:
+ self.step("stopping directory server", self.__stop_instance)
+ self.step(
+ "updating configuration in dse.ldif", self.__update_dse_ldif
+ )
+ self.step("starting directory server", self.__start_instance)
 self.step("adding default schema", self.__add_default_schemas)
 self.step("enabling memberof plugin", self.__add_memberof_module)
 self.step("enabling winsync plugin", self.__add_winsync_module)
@@ -592,6 +596,9 @@ def __create_instance(self):
 # Done!
 logger.debug("completed creating DS instance")
+ def __tune_ldbm(self):
+ self._ldap_mod("ldbm-tuning.ldif")
+
 def __update_dse_ldif(self):
 """
 This method updates dse.ldif right after instance creation. This is
@@ -610,11 +617,6 @@ def __update_dse_ldif(self):
 temp_filename = new_dse_ldif.name
 with open(dse_filename, "r") as input_file:
 parser = installutils.ModifyLDIF(input_file, new_dse_ldif)
- parser.replace_value(
- 'cn=config,cn=ldbm database,cn=plugins,cn=config',
- 'nsslapd-db-locks',
- [b'50000']
- )
 if self.config_ldif:
 # parse modifications from ldif file supplied by the admin
 with open(self.config_ldif, "r") as config_ldif:
@@ -666,7 +668,8 @@ def stop(self, instance_name="", capture_output=True):
 )
 def restart(self, instance_name="", capture_output=True, wait=True):
- api.Backend.ldap2.disconnect()
+ if api.Backend.ldap2.isconnected():
+ api.Backend.ldap2.disconnect()
 try:
 super(DsInstance, self).restart(
 instance_name, capture_output=capture_output, wait=wait
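Review bot: With `config_ldif` unset, `__common_setup` no longer restarts the server after the lock count is changed, and nothing in the hunk says when the new value becomes effective. As far as I know 389-DS sizes the BDB lock table at startup, so the 50000 written by `__tune_ldbm` would only apply after a later restart; whether one happens before the heavier setup steps is decided by code outside this hunk. A comment above the new step, such as `# nsslapd-db-locks is changed online; it takes effect at the next DS restart`, would record that dependency, and it is worth confirming that a restart still precedes the steps that need the larger lock table.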
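Review bot: `__tune_ldbm` is added without a docstring, while `__update_dse_ldif` directly below it documents when and why it runs. I would add `"""Raise nsslapd-db-locks on the cn=bdb backend entry with an online LDAP modify."""` and note in it that the step runs on every install. How `_ldap_mod` reports a failed modify is not visible in this hunk, so the docstring should also say whether a failure here is expected to abort the installation.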
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index a82d4131c5..19e00d8e1e 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -972,6 +972,14 @@ def test_ds_disable_upgrade_hash(self):
 )
 assert "nsslapd-enable-upgrade-hash: off" in result.stdout_text
+ def test_ldbm_tuning(self):
+ result = tasks.ldapsearch_dm(
+ self.master,
+ "cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config",
+ scope="base"
+ )
+ assert "nsslapd-db-locks: 50000" in result.stdout_text
+
 def test_admin_root_alias_CVE_2020_10747(self):
 # Test for CVE-2020-10747 fix
 # https://bugzilla.redhat.com/show_bug.cgi?id=1810160
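Review bot: The assertion in `test_ldbm_tuning` is a substring match, so it would also pass if the entry held `nsslapd-db-locks: 500000` or any other value that starts with 50000. Matching the whole line pins the exact value, for example `assert re.search(r"^nsslapd-db-locks: 50000$", result.stdout_text, re.M)`; `re` would need to be imported if the test module does not already do so. The test reads only the stored configuration attribute, so it does not show that the running server is using the larger lock table.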