|
 |
5873fa |
From a6a52365df26edd4f6b0028056395d943344d787 Mon Sep 17 00:00:00 2001
|
|
|
5873fa |
From: Mark Reynolds <mreynolds@redhat.com>
|
|
|
5873fa |
Date: Thu, 11 Jun 2020 15:30:28 -0400
|
|
|
5873fa |
Subject: [PATCH] Issue 50791 - Healthcheck should look for notes=A/F in access
|
|
|
5873fa |
log
|
|
|
5873fa |
|
|
|
5873fa |
Description: Add checks for notes=A (fully unindexed search) and
|
|
|
5873fa |
notes=F (Unknown attribute in search filter) in the
|
|
|
5873fa |
current access log.
|
|
|
5873fa |
|
|
|
5873fa |
relates: https://pagure.io/389-ds-base/issue/50791
|
|
|
5873fa |
|
|
|
5873fa |
Reviewed by: firstyear(Thanks!)
|
|
|
5873fa |
---
|
|
|
5873fa |
src/lib389/lib389/cli_ctl/health.py | 4 +-
|
|
|
5873fa |
src/lib389/lib389/dirsrv_log.py | 72 +++++++++++++++++++++++++++--
|
|
|
5873fa |
src/lib389/lib389/lint.py | 26 ++++++++++-
|
|
|
5873fa |
3 files changed, 96 insertions(+), 6 deletions(-)
|
|
|
5873fa |
|
|
|
5873fa |
diff --git a/src/lib389/lib389/cli_ctl/health.py b/src/lib389/lib389/cli_ctl/health.py
|
|
|
5873fa |
index 6333a753a..89484a11b 100644
|
|
|
5873fa |
--- a/src/lib389/lib389/cli_ctl/health.py
|
|
|
5873fa |
+++ b/src/lib389/lib389/cli_ctl/health.py
|
|
|
5873fa |
@@ -1,5 +1,5 @@
|
|
|
5873fa |
# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
5873fa |
-# Copyright (C) 2019 Red Hat, Inc.
|
|
|
5873fa |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
5873fa |
# All rights reserved.
|
|
|
5873fa |
#
|
|
|
5873fa |
# License: GPL (version 3 or any later version).
|
|
|
5873fa |
@@ -18,6 +18,7 @@ from lib389.monitor import MonitorDiskSpace
|
|
|
5873fa |
from lib389.replica import Replica, Changelog5
|
|
|
5873fa |
from lib389.nss_ssl import NssSsl
|
|
|
5873fa |
from lib389.dseldif import FSChecks, DSEldif
|
|
|
5873fa |
+from lib389.dirsrv_log import DirsrvAccessLog
|
|
|
5873fa |
from lib389 import lint
|
|
|
5873fa |
from lib389 import plugins
|
|
|
5873fa |
from lib389._constants import DSRC_HOME
|
|
|
5873fa |
@@ -37,6 +38,7 @@ CHECK_OBJECTS = [
|
|
|
5873fa |
Changelog5,
|
|
|
5873fa |
DSEldif,
|
|
|
5873fa |
NssSsl,
|
|
|
5873fa |
+ DirsrvAccessLog,
|
|
|
5873fa |
]
|
|
|
5873fa |
|
|
|
5873fa |
|
|
|
5873fa |
diff --git a/src/lib389/lib389/dirsrv_log.py b/src/lib389/lib389/dirsrv_log.py
|
|
|
5873fa |
index baac2a3c9..7bed4bb17 100644
|
|
|
5873fa |
--- a/src/lib389/lib389/dirsrv_log.py
|
|
|
5873fa |
+++ b/src/lib389/lib389/dirsrv_log.py
|
|
|
5873fa |
@@ -1,5 +1,5 @@
|
|
|
5873fa |
# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
5873fa |
-# Copyright (C) 2016 Red Hat, Inc.
|
|
|
5873fa |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
5873fa |
# All rights reserved.
|
|
|
5873fa |
#
|
|
|
5873fa |
# License: GPL (version 3 or any later version).
|
|
|
5873fa |
@@ -9,12 +9,17 @@
|
|
|
5873fa |
"""Helpers for managing the directory server internal logs.
|
|
|
5873fa |
"""
|
|
|
5873fa |
|
|
|
5873fa |
+import copy
|
|
|
5873fa |
import re
|
|
|
5873fa |
import gzip
|
|
|
5873fa |
from dateutil.parser import parse as dt_parse
|
|
|
5873fa |
from glob import glob
|
|
|
5873fa |
from lib389.utils import ensure_bytes
|
|
|
5873fa |
-
|
|
|
5873fa |
+from lib389._mapped_object_lint import DSLint
|
|
|
5873fa |
+from lib389.lint import (
|
|
|
5873fa |
+ DSLOGNOTES0001, # Unindexed search
|
|
|
5873fa |
+ DSLOGNOTES0002, # Unknown attr in search filter
|
|
|
5873fa |
+)
|
|
|
5873fa |
|
|
|
5873fa |
# Because many of these settings can change live, we need to check for certain
|
|
|
5873fa |
# attributes all the time.
|
|
|
5873fa |
@@ -35,7 +40,7 @@ MONTH_LOOKUP = {
|
|
|
5873fa |
}
|
|
|
5873fa |
|
|
|
5873fa |
|
|
|
5873fa |
-class DirsrvLog(object):
|
|
|
5873fa |
+class DirsrvLog(DSLint):
|
|
|
5873fa |
"""Class of functions to working with the various DIrectory Server logs
|
|
|
5873fa |
"""
|
|
|
5873fa |
def __init__(self, dirsrv):
|
|
|
5873fa |
@@ -189,6 +194,67 @@ class DirsrvAccessLog(DirsrvLog):
|
|
|
5873fa |
self.full_regexs = [self.prog_m1, self.prog_con, self.prog_discon]
|
|
|
5873fa |
self.result_regexs = [self.prog_notes, self.prog_repl,
|
|
|
5873fa |
self.prog_result]
|
|
|
5873fa |
+ @classmethod
|
|
|
5873fa |
+ def lint_uid(cls):
|
|
|
5873fa |
+ return 'logs'
|
|
|
5873fa |
+
|
|
|
5873fa |
+ def _log_get_search_stats(self, conn, op):
|
|
|
5873fa |
+ lines = self.match(f".* conn={conn} op={op} SRCH base=.*")
|
|
|
5873fa |
+ if len(lines) != 1:
|
|
|
5873fa |
+ return None
|
|
|
5873fa |
+
|
|
|
5873fa |
+ quoted_vals = re.findall('"([^"]*)"', lines[0])
|
|
|
5873fa |
+ return {
|
|
|
5873fa |
+ 'base': quoted_vals[0],
|
|
|
5873fa |
+ 'filter': quoted_vals[1],
|
|
|
5873fa |
+ 'timestamp': re.findall('\[(.*)\]', lines[0])[0],
|
|
|
5873fa |
+ 'scope': lines[0].split(' scope=', 1)[1].split(' ',1)[0]
|
|
|
5873fa |
+ }
|
|
|
5873fa |
+
|
|
|
5873fa |
+ def _lint_notes(self):
|
|
|
5873fa |
+ """
|
|
|
5873fa |
+ Check for notes=A (fully unindexed searches), and
|
|
|
5873fa |
+ notes=F (unknown attribute in filter)
|
|
|
5873fa |
+ """
|
|
|
5873fa |
+ for pattern, lint_report in [(".* notes=A", DSLOGNOTES0001), (".* notes=F", DSLOGNOTES0002)]:
|
|
|
5873fa |
+ lines = self.match(pattern)
|
|
|
5873fa |
+ if len(lines) > 0:
|
|
|
5873fa |
+ count = 0
|
|
|
5873fa |
+ searches = []
|
|
|
5873fa |
+ for line in lines:
|
|
|
5873fa |
+ if ' RESULT err=' in line:
|
|
|
5873fa |
+ # Looks like a valid notes=A/F
|
|
|
5873fa |
+ conn = line.split(' conn=', 1)[1].split(' ',1)[0]
|
|
|
5873fa |
+ op = line.split(' op=', 1)[1].split(' ',1)[0]
|
|
|
5873fa |
+ etime = line.split(' etime=', 1)[1].split(' ',1)[0]
|
|
|
5873fa |
+ stats = self._log_get_search_stats(conn, op)
|
|
|
5873fa |
+ if stats is not None:
|
|
|
5873fa |
+ timestamp = stats['timestamp']
|
|
|
5873fa |
+ base = stats['base']
|
|
|
5873fa |
+ scope = stats['scope']
|
|
|
5873fa |
+ srch_filter = stats['filter']
|
|
|
5873fa |
+ count += 1
|
|
|
5873fa |
+ if lint_report == DSLOGNOTES0001:
|
|
|
5873fa |
+ searches.append(f'\n [{count}] Unindexed Search\n'
|
|
|
5873fa |
+ f' - date: {timestamp}\n'
|
|
|
5873fa |
+ f' - conn/op: {conn}/{op}\n'
|
|
|
5873fa |
+ f' - base: {base}\n'
|
|
|
5873fa |
+ f' - scope: {scope}\n'
|
|
|
5873fa |
+ f' - filter: {srch_filter}\n'
|
|
|
5873fa |
+ f' - etime: {etime}\n')
|
|
|
5873fa |
+ else:
|
|
|
5873fa |
+ searches.append(f'\n [{count}] Invalid Attribute in Filter\n'
|
|
|
5873fa |
+ f' - date: {timestamp}\n'
|
|
|
5873fa |
+ f' - conn/op: {conn}/{op}\n'
|
|
|
5873fa |
+ f' - filter: {srch_filter}\n')
|
|
|
5873fa |
+ if len(searches) > 0:
|
|
|
5873fa |
+ report = copy.deepcopy(lint_report)
|
|
|
5873fa |
+ report['items'].append(self._get_log_path())
|
|
|
5873fa |
+ report['detail'] = report['detail'].replace('NUMBER', str(count))
|
|
|
5873fa |
+ for srch in searches:
|
|
|
5873fa |
+ report['detail'] += srch
|
|
|
5873fa |
+ yield report
|
|
|
5873fa |
+
|
|
|
5873fa |
|
|
|
5873fa |
def _get_log_path(self):
|
|
|
5873fa |
"""Return the current log file location"""
|
|
|
5873fa |
diff --git a/src/lib389/lib389/lint.py b/src/lib389/lib389/lint.py
|
|
|
5873fa |
index a103feec7..4b1700b92 100644
|
|
|
5873fa |
--- a/src/lib389/lib389/lint.py
|
|
|
5873fa |
+++ b/src/lib389/lib389/lint.py
|
|
|
5873fa |
@@ -1,5 +1,5 @@
|
|
|
5873fa |
# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
5873fa |
-# Copyright (C) 2019 Red Hat, Inc.
|
|
|
5873fa |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
5873fa |
# All rights reserved.
|
|
|
5873fa |
#
|
|
|
5873fa |
# License: GPL (version 3 or any later version).
|
|
|
5873fa |
@@ -253,7 +253,7 @@ can use the CLI tool "dsconf" to resolve the conflict. Here is an example:
|
|
|
5873fa |
|
|
|
5873fa |
Remove conflict entry and keep only the original/counterpart entry:
|
|
|
5873fa |
|
|
|
5873fa |
- # dsconf slapd-YOUR_INSTANCE repl-conflict remove <DN of conflict entry>
|
|
|
5873fa |
+ # dsconf slapd-YOUR_INSTANCE repl-conflict delete <DN of conflict entry>
|
|
|
5873fa |
|
|
|
5873fa |
Replace the original/counterpart entry with the conflict entry:
|
|
|
5873fa |
|
|
|
5873fa |
@@ -418,3 +418,25 @@ until the time issues have been resolved:
|
|
|
5873fa |
Also look at https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_replication-troubleshooting_replication_related_problems
|
|
|
5873fa |
and find the paragraph "Too much time skew"."""
|
|
|
5873fa |
}
|
|
|
5873fa |
+
|
|
|
5873fa |
+DSLOGNOTES0001 = {
|
|
|
5873fa |
+ 'dsle': 'DSLOGNOTES0001',
|
|
|
5873fa |
+ 'severity': 'Medium',
|
|
|
5873fa |
+ 'description': 'Unindexed Search',
|
|
|
5873fa |
+ 'items': ['Performance'],
|
|
|
5873fa |
+ 'detail': """Found NUMBER fully unindexed searches in the current access log.
|
|
|
5873fa |
+Unindexed searches can cause high CPU and slow down the entire server's performance.\n""",
|
|
|
5873fa |
+ 'fix': """Examine the searches that are unindexed, and either properly index the attributes
|
|
|
5873fa |
+in the filter, increase the nsslapd-idlistscanlimit, or stop using that filter."""
|
|
|
5873fa |
+}
|
|
|
5873fa |
+
|
|
|
5873fa |
+DSLOGNOTES0002 = {
|
|
|
5873fa |
+ 'dsle': 'DSLOGNOTES0002',
|
|
|
5873fa |
+ 'severity': 'Medium',
|
|
|
5873fa |
+ 'description': 'Unknown Attribute In Filter',
|
|
|
5873fa |
+ 'items': ['Possible Performance Impact'],
|
|
|
5873fa |
+ 'detail': """Found NUMBER searches in the current access log that are using an
|
|
|
5873fa |
+unknown attribute in the search filter.\n""",
|
|
|
5873fa |
+ 'fix': """Stop using this these unknown attributes in the filter, or add the schema
|
|
|
5873fa |
+to the server and make sure it's properly indexed."""
|
|
|
5873fa |
+}
|
|
|
5873fa |
--
|
|
|
5873fa |
2.26.2
|
|
|
5873fa |
|