Re: [Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install
Hi Martin, imho, nsslapd-db-locks is an advanced parameter and should be set by customer at RHDS level, not at replica creation. The problem we have had at customer site is that the default was not enough to do the replication total update. So, replica creation was failing and we couldn't workaround it but by changing the dse template. What I was thinking, since any node in IPA is rather identical, and keeps the same database, is that some settings could be copied from master replica. To explain a little bit my idea, if I configure a master node with, for instance, some cache settings or maximum number of locks, it's clear that I would like all the other nodes with similar settings since the db they will contain is the same. So, if I configure master to have some particular number of db-locks or particular cache size, why not helping the customer to have the same values in all their nodes ? Ok, we could think that he could have a different hardware/resources by node but in general, it would be reasonable to keep those settings through all the nodes. The problem of the initial value for db-locks is not still solved (Ludwig could probably give a hint here) but having this sort of configuration copy, in a future situation, we could ask the customer to, eventually, change the db locks at master node side, and this will be propagated to all nodes to have, in this case, total update succeessful. Of course, I don't know the internals and scenarios enough to see if this could be reasonable to implement or if there's any drawback. Thanks and regards, German. - Original Message - From: Martin Basti mba...@redhat.com To: freeipa-devel freeipa-devel@redhat.com, German Parente gpare...@redhat.com Sent: Wednesday, July 22, 2015 3:56:37 PM Subject: [PATCH 0293] Allow to set number of DB locks during install Hello all, I attached WIP patch to solve https://fedorahosted.org/freeipa/ticket/4949 I received several suggestions: 1) (implemented in patch) is to add the option --db-locks to installer (maybe as hidden option) 2) Configure the nsslapd-db-locks to higher value as default (what is the right value?) 3) Combination of 1and 2: set default higher value and also have hidden option to allow configure higher number of locks during install Comments are more than welcome :-) -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install
On 22/07/15 17:13, German Parente wrote: Hi Martin, imho, nsslapd-db-locks is an advanced parameter and should be set by customer at RHDS level, not at replica creation. The problem we have had at customer site is that the default was not enough to do the replication total update. So, replica creation was failing and we couldn't workaround it but by changing the dse template. What I was thinking, since any node in IPA is rather identical, and keeps the same database, is that some settings could be copied from master replica. To explain a little bit my idea, if I configure a master node with, for instance, some cache settings or maximum number of locks, it's clear that I would like all the other nodes with similar settings since the db they will contain is the same. So, if I configure master to have some particular number of db-locks or particular cache size, why not helping the customer to have the same values in all their nodes ? Ok, we could think that he could have a different hardware/resources by node but in general, it would be reasonable to keep those settings through all the nodes. The problem of the initial value for db-locks is not still solved (Ludwig could probably give a hint here) but having this sort of configuration copy, in a future situation, we could ask the customer to, eventually, change the db locks at master node side, and this will be propagated to all nodes to have, in this case, total update succeessful. We do not support this kind of central configuration (yet?). Changes in cn=config tree are local only, and currently IPA has no way how to change that on all replicas at once, so that value will not be in sync with other replicas. And also DS must be in shutdown state to be able to change the db locks value, this is even level above. Of course, I don't know the internals and scenarios enough to see if this could be reasonable to implement or if there's any drawback. Thanks and regards, German. I would wait for Ludwig investigation/recommendation, which solution use. - Original Message - From: Martin Basti mba...@redhat.com To: freeipa-devel freeipa-devel@redhat.com, German Parente gpare...@redhat.com Sent: Wednesday, July 22, 2015 3:56:37 PM Subject: [PATCH 0293] Allow to set number of DB locks during install Hello all, I attached WIP patch to solve https://fedorahosted.org/freeipa/ticket/4949 I received several suggestions: 1) (implemented in patch) is to add the option --db-locks to installer (maybe as hidden option) 2) Configure the nsslapd-db-locks to higher value as default (what is the right value?) 3) Combination of 1and 2: set default higher value and also have hidden option to allow configure higher number of locks during install Comments are more than welcome :-) -- Martin Basti -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install
On 07/22/2015 04:54 PM, Martin Basti wrote: On 22/07/15 16:52, Ludwig Krispenz wrote: On 07/22/2015 03:56 PM, Martin Basti wrote: Hello all, I attached WIP patch to solve https://fedorahosted.org/freeipa/ticket/4949 I received several suggestions: 1) (implemented in patch) is to add the option --db-locks to installer (maybe as hidden option) 2) Configure the nsslapd-db-locks to higher value as default (what is the right value?) this is a good question, I just looked into the ticket and the BZ, but don't understand WHY it is running out of locks. I think adding the option is ok to be prepared, but I would not change the default before undestanding the reason for the lock consumtion and a relation to the data. Maybe we can also reduce the number of locks needed - do you have a setup to show this failure ? I don't have any setup, Petr1 did any testing with huge amount of user, he may have got some VMs. This happened during ipa-replica-install in installation with 160K users. during replica initialization, there were: libdb: BDB2055 Lock table is out of available lock entries idl_new.c BAD 2, err=12 Cannot allocate memory database index operation failed BAD 1050, err=12 errors in log. I don't know anymore details, but increasing the number of locks in /usr/share/dirsrv/data/template-dse.ldif template worked as a workaround. Not sure if I remember it correctly, other instance of db locks error was when I was adding a group of 30K users as a member of other group. I think memberof plugin caused it. 3) Combination of 1and 2: set default higher value and also have hidden option to allow configure higher number of locks during install Comments are more than welcome :-) -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install
Hello all, I attached WIP patch to solve https://fedorahosted.org/freeipa/ticket/4949 I received several suggestions: 1) (implemented in patch) is to add the option --db-locks to installer (maybe as hidden option) 2) Configure the nsslapd-db-locks to higher value as default (what is the right value?) 3) Combination of 1and 2: set default higher value and also have hidden option to allow configure higher number of locks during install Comments are more than welcome :-) -- Martin Basti From 9511569db1ba44dde077cfb28eeb3334c6b7e9bc Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Wed, 22 Jul 2015 14:42:56 +0200 Subject: [PATCH] Allow to set up nsslapd-db-locks during install Option --db-lock allows to specify number of database locks. Works for ipa-server-install, ipa-replica-install https://fedorahosted.org/freeipa/ticket/4949 --- ipaserver/install/dsinstance.py| 36 +- ipaserver/install/server/install.py| 15 - ipaserver/install/server/replicainstall.py | 18 --- 3 files changed, 64 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index d561ca5b6d0d586cb1c27ec1c495413dad102e69..c55bb195968e6b21878bcfd573c711696af9a957 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -26,6 +26,7 @@ import re import time import tempfile import stat +import ldif from ipapython.ipa_log_manager import * from ipapython import ipautil, sysrestore, ipaldap @@ -189,7 +190,7 @@ info: IPA V2.0 class DsInstance(service.Service): def __init__(self, realm_name=None, domain_name=None, dm_password=None, - fstore=None, domainlevel=None): + fstore=None, domainlevel=None, db_locks=None): service.Service.__init__(self, dirsrv, service_desc=directory server, dm_password=dm_password, @@ -213,6 +214,7 @@ class DsInstance(service.Service): self.open_ports = [] self.run_init_memberof = True self.domainlevel = domainlevel +self.db_locks = db_locks if realm_name: self.suffix = ipautil.realm_to_suffix(self.realm) self.__setup_sub_dict() @@ -231,6 +233,9 @@ class DsInstance(service.Service): self.step(creating directory server user, create_ds_user) self.step(creating directory server instance, self.__create_instance) +if self.db_locks: +self.step(configuring number of LDAP database locks, + self.__configure_db_locks) self.step(adding default schema, self.__add_default_schemas) self.step(enabling memberof plugin, self.__add_memberof_module) self.step(enabling winsync plugin, self.__add_winsync_module) @@ -458,6 +463,35 @@ class DsInstance(service.Service): inf_fd.close() os.remove(paths.DIRSRV_BOOT_LDIF) +def __configure_db_locks(self): +assert self.db_locks and self.db_locks 0 +# DS must be turned off before we can set number of DS locks +self.stop(self.serverid) + +# update nsslapd-db-locks in DSE.ldif +dse_path = '%s/%s' % (paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % + self.serverid, upgradeinstance.DSE) +fd = tempfile.NamedTemporaryFile() +ldif_writer = ldif.LDIFWriter(fd) +with open(dse_path, rb) as in_file: +parser = upgradeinstance.ModifyLDIF(in_file, ldif_writer) + +parser.remove_value( +cn=config,cn=ldbm database,cn=plugins,cn=config, +nsslapd-db-locks +) +parser.add_value(cn=config,cn=ldbm database,cn=plugins,cn=config, + nsslapd-db-locks, str(self.db_locks)) +parser.parse() + +# update content of dse.ldif +fd.flush() +shutil.copy2(fd.name, dse_path) +fd.close() + +# start DS +self.start(self.serverid) + def __add_default_schemas(self): pent = pwd.getpwnam(DS_USER) for schema_fname in IPA_SCHEMA_FILES: diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index b9bf3f34bdb7c32115e5c6a7038f11f901ab06b8..441f9aeb307300982a89e18bc7165a7c7c710756 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -732,7 +732,8 @@ def install(installer): hbac_allow=not options.no_hbac_allow) else: ds = dsinstance.DsInstance(fstore=fstore, - domainlevel=options.domainlevel) + domainlevel=options.domainlevel, + db_locks=options.db_locks) installer._ds = ds ds.create_instance(realm_name, host_name, domain_name, dm_password, @@
Re: [Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install
Dne 22.7.2015 v 15:56 Martin Basti napsal(a): Hello all, I attached WIP patch to solve https://fedorahosted.org/freeipa/ticket/4949 I received several suggestions: 1) (implemented in patch) is to add the option --db-locks to installer (maybe as hidden option) 2) Configure the nsslapd-db-locks to higher value as default (what is the right value?) 3) Combination of 1and 2: set default higher value and also have hidden option to allow configure higher number of locks during install Comments are more than welcome :-) Name the option --ds-db-locks please. +cli_name='db-locks', This is the default cli_name, no need to set it explicitly. +if value 0: +raise ValueError(Number of database locks must be positive number) 0 is not positive. -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install
On 07/22/2015 03:56 PM, Martin Basti wrote: Hello all, I attached WIP patch to solve https://fedorahosted.org/freeipa/ticket/4949 I received several suggestions: 1) (implemented in patch) is to add the option --db-locks to installer (maybe as hidden option) 2) Configure the nsslapd-db-locks to higher value as default (what is the right value?) this is a good question, I just looked into the ticket and the BZ, but don't understand WHY it is running out of locks. I think adding the option is ok to be prepared, but I would not change the default before undestanding the reason for the lock consumtion and a relation to the data. Maybe we can also reduce the number of locks needed - do you have a setup to show this failure ? 3) Combination of 1and 2: set default higher value and also have hidden option to allow configure higher number of locks during install Comments are more than welcome :-) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0293] Allow to set number of DB locks during install
On 22/07/15 16:52, Ludwig Krispenz wrote: On 07/22/2015 03:56 PM, Martin Basti wrote: Hello all, I attached WIP patch to solve https://fedorahosted.org/freeipa/ticket/4949 I received several suggestions: 1) (implemented in patch) is to add the option --db-locks to installer (maybe as hidden option) 2) Configure the nsslapd-db-locks to higher value as default (what is the right value?) this is a good question, I just looked into the ticket and the BZ, but don't understand WHY it is running out of locks. I think adding the option is ok to be prepared, but I would not change the default before undestanding the reason for the lock consumtion and a relation to the data. Maybe we can also reduce the number of locks needed - do you have a setup to show this failure ? I don't have any setup, Petr1 did any testing with huge amount of user, he may have got some VMs. 3) Combination of 1and 2: set default higher value and also have hidden option to allow configure higher number of locks during install Comments are more than welcome :-) -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
