URL: https://github.com/freeipa/freeipa/pull/5164 Author: tiran Title: #5164: Speed up DS related installer steps Action: opened
PR body: """ ## Remove root-autobind configuration The new lib389-based installer configured 389-DS with LDAPI support and autobind for root. The cn=root-autobind,cn=config entry is no longer needed. ## Skip offline dse.ldif patching by default The installer now stops and patches dse.ldif only when the option --dirsrv-config-file is used. LDBM nsslapd-db-locks are increased in a new step. This speeds up the installer by 4 or more seconds on a fast system. ## Remove magic sleep from create_index_task 11 years ago 5ad91a0781 added a magic sleep to work around a rare deadlock bug in the memberOf plugin. Thierry is not aware of any outstanding issues with the memberOf plugin that could lead to a deadlock. Total speedup: ~10s Related: https://pagure.io/freeipa/issue/8521 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5164/head:pr5164 git checkout pr5164
From 8d8595dbb584522ab9444961783b34c19cc58d1b Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Mon, 21 Sep 2020 12:52:36 +0200 Subject: [PATCH 1/3] Remove root-autobind configuration The new lib389-based installer configured 389-DS with LDAPI support and autobind for root. cn=root-autobind,cn=config entry is no longer needed. Related: https://pagure.io/freeipa/issue/8521 Signed-off-by: Christian Heimes <chei...@redhat.com> --- install/share/Makefile.am | 1 - install/share/root-autobind.ldif | 19 ------------------- install/updates/10-config.update | 4 ++++ ipaserver/install/dsinstance.py | 14 ++------------ 4 files changed, 6 insertions(+), 32 deletions(-) delete mode 100644 install/share/root-autobind.ldif diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 1c1cd25db2..684da8ddec 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -80,7 +80,6 @@ dist_app_DATA = \ uuid.ldif \ modrdn-krbprinc.ldif \ entryusn.ldif \ - root-autobind.ldif \ pw-logging-conf.ldif \ sudobind.ldif \ automember.ldif \ diff --git a/install/share/root-autobind.ldif b/install/share/root-autobind.ldif deleted file mode 100644 index ecce11511d..0000000000 --- a/install/share/root-autobind.ldif +++ /dev/null @@ -1,19 +0,0 @@ -# root-autobind, config -dn: cn=root-autobind,cn=config -changetype: add -objectClass: extensibleObject -objectClass: top -cn: root-autobind -uidNumber: 0 -gidNumber: 0 - -dn: cn=config -changetype: modify -replace: nsslapd-ldapiautobind -nsslapd-ldapiautobind: on - -dn: cn=config -changetype: modify -replace: nsslapd-ldapimaptoentries -nsslapd-ldapimaptoentries: on - diff --git a/install/updates/10-config.update b/install/updates/10-config.update index dec42c0254..8e930ee365 100644 --- a/install/updates/10-config.update +++ b/install/updates/10-config.update 
@@ -73,3 +73,7 @@ only:nsslapd-ioblocktimeout:10000 # on LDAP bind, see https://pagure.io/freeipa/issue/8315 dn: cn=config only: nsslapd-enable-upgrade-hash:off + +# lib389 configures 389-DS for root-autobind. Then entry is no longer needed. +dn: cn=root-autobind,cn=config +deleteentry: cn=root-autobind,cn=config diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 915a7473f5..2453bc2436 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -224,7 +224,6 @@ def __init__(self, realm_name=None, domain_name=None, fstore=None, def __common_setup(self): self.step("creating directory server instance", self.__create_instance) - self.step("configure autobind for root", self.__root_autobind) self.step("tune ldbm plugin", self.__tune_ldbm) self.step("stopping directory server", self.__stop_instance) self.step("updating configuration in dse.ldif", self.__update_dse_ldif) @@ -566,17 +565,16 @@ def __create_instance(self): inst.local_simple_allocate( serverid=self.serverid, ldapuri=ipaldap.get_ldap_uri(realm=self.realm, protocol='ldapi'), - password=self.dm_password ) # local_simple_allocate() configures LDAPI but doesn't set up the # DirSrv object to use LDAPI. Modify the DirSrv() object to use - # LDAPI with password bind. autobind is not available, yet. + # LDAPI with with autobind. inst.ldapi_enabled = 'on' + inst.ldapi_autobind = 'on' inst.ldapi_socket = paths.SLAPD_INSTANCE_SOCKET_TEMPLATE % ( self.serverid ) - inst.ldapi_autobind = 'off' # This actually opens the conn and binds. inst.open() @@ -1247,14 +1245,6 @@ def add_ca_cert(self, cacert_fname, cacert_name=''): return status - def __root_autobind(self): - self._ldap_mod( - "root-autobind.ldif", - ldap_uri=ipaldap.get_ldap_uri(realm=self.realm, protocol='ldapi'), - # must simple bind until auto bind is configured - dm_password=self.dm_password - ) - def __add_sudo_binduser(self): self._ldap_mod("sudobind.ldif", self.sub_dict) 
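Review bot: The added `deleteentry` removes `cn=root-autobind,cn=config` on upgraded servers, but nothing in this hunk touches `nsslapd-ldapimaptoentries`, which the deleted root-autobind.ldif had switched on. On instances created by the old installer, root's LDAPI autobind would then depend on a mapping that is not visible in this diff. It is worth confirming on an upgraded server that root still binds as the intended identity and does not end up with an unmapped or anonymous bind. The comment also has a typo; I would write `# lib389 configures 389-DS for root autobind. The entry is no longer needed.`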
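Review bot: The rewritten comment in `__create_instance` reads `LDAPI with with autobind.` and no longer says what the bind depends on now that `password=self.dm_password` is gone. With `inst.ldapi_autobind = 'on'`, the `inst.open()` call presumably authenticates by the Unix credentials of the installer process rather than by a secret, so the comment should state that assumption, for example `# LDAPI with autobind; assumes the installer runs as root and that instance creation has enabled the root mapping.` Whether lib389 has enabled that mapping by this point is stated in the commit message but not shown in the hunk. The function body starts and ends outside the hunk.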
From 7870d576702cc2af30b94ab46ecf338d6cec1872 Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Mon, 21 Sep 2020 16:25:53 +0200 Subject: [PATCH 2/3] Remove magic sleep from create_index_task 11 years ago 5ad91a0781 added a magic sleep to work around a rare deadlock bug in memberOf plugin. Thierry is not aware of any outstanding issues with memberOf plugin that could lead to a deadlock. Related: https://pagure.io/freeipa/issue/8521 Signed-off-by: Christian Heimes <chei...@redhat.com> --- ipaserver/install/ldapupdate.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py index 87c74a053d..15c0ccb508 100644 --- a/ipaserver/install/ldapupdate.py +++ b/ipaserver/install/ldapupdate.py @@ -511,10 +511,6 @@ def emit_plugin_update(update): def create_index_task(self, *attributes): """Create a task to update an index for attributes""" - - # Sleep a bit to ensure previous operations are complete - time.sleep(5) - cn_uuid = uuid.uuid1() # cn_uuid.time is in nanoseconds, but other users of LDAPUpdate expect # seconds in 'TIME' so scale the value down From ab2234c3dc444be2a9444881bfdb3ba432f61e39 Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Thu, 24 Sep 2020 15:11:09 +0200 Subject: [PATCH 3/3] Skip offline dse.ldif patching by default The installer now stop and patches dse.ldif only when the option --dirsrv-config-file is used. LDBM nsslapd-db-locks are increased in a new step. This speeds up installer by 4 or more seconds on a fast system. Related: https://pagure.io/freeipa/issue/8521 Signed-off-by: Christian Heimes <chei...@redhat.com> --- ipaserver/install/dsinstance.py | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 2453bc2436..dcd72bfb88 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py 
@@ -225,9 +225,12 @@ def __common_setup(self): self.step("creating directory server instance", self.__create_instance) self.step("tune ldbm plugin", self.__tune_ldbm) - self.step("stopping directory server", self.__stop_instance) - self.step("updating configuration in dse.ldif", self.__update_dse_ldif) - self.step("starting directory server", self.__start_instance) + if self.config_ldif is not None: + self.step("stopping directory server", self.__stop_instance) + self.step( + "updating configuration in dse.ldif", self.__update_dse_ldif + ) + self.step("starting directory server", self.__start_instance) self.step("adding default schema", self.__add_default_schemas) self.step("enabling memberof plugin", self.__add_memberof_module) self.step("enabling winsync plugin", self.__add_winsync_module) @@ -663,7 +666,8 @@ def stop(self, instance_name="", capture_output=True): ) def restart(self, instance_name="", capture_output=True, wait=True): - api.Backend.ldap2.disconnect() + if api.Backend.ldap2.isconnected(): + api.Backend.ldap2.disconnect() try: super(DsInstance, self).restart( instance_name, capture_output=capture_output, wait=wait
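Review bot: The stop/patch/start sequence in `__common_setup` is now skipped whenever `self.config_ldif` is None, yet the commit message says nsslapd-db-locks are increased in a new step and neither hunk of this patch adds one. If `__update_dse_ldif` (its body is outside the diff) applied any default settings in addition to the user-supplied file, a default install would silently lose them; please confirm that the existing `tune ldbm plugin` step or another step now covers them. A short comment above the condition would help, e.g. `# Offline dse.ldif patching is only needed for --dirsrv-config-file.`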