|
|
95ea96 |
From 4d99ab7ce65064aacf2a7429d8ebc956c5b43b34 Mon Sep 17 00:00:00 2001
|
|
|
2737e7 |
From: Christian Heimes <cheimes@redhat.com>
|
|
|
2737e7 |
Date: Tue, 3 Jul 2018 19:40:05 +0200
|
|
|
2737e7 |
Subject: [PATCH] Tune DS replication settings
|
|
|
2737e7 |
|
|
|
2737e7 |
Tune 389-DS replication settings to improve performance and avoid
|
|
|
2737e7 |
timeouts. During installation of a replica, the value of
|
|
|
2737e7 |
nsDS5ReplicaBindDnGroupCheckInterval is reduced to 2 seconds. At the end
|
|
|
2737e7 |
of the installation, the value is increased sensible production
|
|
|
2737e7 |
settings. This avoids long delays during replication.
|
|
|
2737e7 |
|
|
|
2737e7 |
See: https://pagure.io/freeipa/issue/7617
|
|
|
2737e7 |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
|
2737e7 |
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
|
|
|
95ea96 |
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
|
|
|
2737e7 |
---
|
|
|
95ea96 |
ipaserver/install/cainstance.py | 8 +-
|
|
|
95ea96 |
ipaserver/install/dsinstance.py | 48 ++++++----
|
|
|
95ea96 |
ipaserver/install/replication.py | 92 +++++++++++++++----
|
|
|
95ea96 |
ipaserver/install/server/replicainstall.py | 2 +
|
|
|
95ea96 |
ipaserver/install/server/upgrade.py | 12 ++-
|
|
|
95ea96 |
ipatests/test_integration/test_external_ca.py | 21 +++++
|
|
|
95ea96 |
6 files changed, 140 insertions(+), 43 deletions(-)
|
|
|
2737e7 |
|
|
|
2737e7 |
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
|
|
|
95ea96 |
index 51fdbe9c61e06ab9d72d78aee8786f9bceca137b..8193f3da854b3a20d175de523fbc453f5c5104d8 100644
|
|
|
2737e7 |
--- a/ipaserver/install/cainstance.py
|
|
|
2737e7 |
+++ b/ipaserver/install/cainstance.py
|
|
|
95ea96 |
@@ -410,6 +410,9 @@ class CAInstance(DogtagInstance):
|
|
|
95ea96 |
self.teardown_admin)
|
|
|
95ea96 |
self.step("starting certificate server instance",
|
|
|
95ea96 |
self.start_instance)
|
|
|
2737e7 |
+ if promote:
|
|
|
2737e7 |
+ self.step("Finalize replication settings",
|
|
|
2737e7 |
+ self.finalize_replica_config)
|
|
|
2737e7 |
# Step 1 of external is getting a CSR so we don't need to do these
|
|
|
2737e7 |
# steps until we get a cert back from the external CA.
|
|
|
2737e7 |
if self.external != 1:
|
|
|
95ea96 |
@@ -1245,13 +1248,16 @@ class CAInstance(DogtagInstance):
|
|
|
2737e7 |
api.Backend.ldap2.add_entry(entry)
|
|
|
2737e7 |
|
|
|
2737e7 |
def __setup_replication(self):
|
|
|
2737e7 |
-
|
|
|
2737e7 |
repl = replication.CAReplicationManager(self.realm, self.fqdn)
|
|
|
2737e7 |
repl.setup_cs_replication(self.master_host)
|
|
|
2737e7 |
|
|
|
2737e7 |
# Activate Topology for o=ipaca segments
|
|
|
2737e7 |
self.__update_topology()
|
|
|
2737e7 |
|
|
|
2737e7 |
+ def finalize_replica_config(self):
|
|
|
2737e7 |
+ repl = replication.CAReplicationManager(self.realm, self.fqdn)
|
|
|
2737e7 |
+ repl.finalize_replica_config(self.master_host)
|
|
|
2737e7 |
+
|
|
|
2737e7 |
def __enable_instance(self):
|
|
|
2737e7 |
basedn = ipautil.realm_to_suffix(self.realm)
|
|
|
2737e7 |
if not self.clone:
|
|
|
2737e7 |
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
|
|
|
95ea96 |
index 06c1273dc21a88f99a0f543cfd12bb6563c7e214..eefbde3356e1077d490d09c4ea47d961ce3ce8e6 100644
|
|
|
2737e7 |
--- a/ipaserver/install/dsinstance.py
|
|
|
2737e7 |
+++ b/ipaserver/install/dsinstance.py
|
|
|
95ea96 |
@@ -418,6 +418,20 @@ class DsInstance(service.Service):
|
|
|
2737e7 |
|
|
|
2737e7 |
self.start_creation(runtime=30)
|
|
|
2737e7 |
|
|
|
2737e7 |
+ def _get_replication_manager(self):
|
|
|
2737e7 |
+ # Always connect to self over ldapi
|
|
|
2737e7 |
+ ldap_uri = ipaldap.get_ldap_uri(protocol='ldapi', realm=self.realm)
|
|
|
2737e7 |
+ conn = ipaldap.LDAPClient(ldap_uri)
|
|
|
2737e7 |
+ conn.external_bind()
|
|
|
2737e7 |
+ repl = replication.ReplicationManager(
|
|
|
2737e7 |
+ self.realm, self.fqdn, self.dm_password, conn=conn
|
|
|
2737e7 |
+ )
|
|
|
2737e7 |
+ if self.dm_password is not None and not self.promote:
|
|
|
2737e7 |
+ bind_dn = DN(('cn', 'Directory Manager'))
|
|
|
2737e7 |
+ bind_pw = self.dm_password
|
|
|
2737e7 |
+ else:
|
|
|
2737e7 |
+ bind_dn = bind_pw = None
|
|
|
2737e7 |
+ return repl, bind_dn, bind_pw
|
|
|
2737e7 |
|
|
|
2737e7 |
def __setup_replica(self):
|
|
|
2737e7 |
"""
|
|
|
95ea96 |
@@ -434,26 +448,24 @@ class DsInstance(service.Service):
|
|
|
2737e7 |
self.realm,
|
|
|
2737e7 |
self.dm_password)
|
|
|
2737e7 |
|
|
|
2737e7 |
- # Always connect to self over ldapi
|
|
|
2737e7 |
- ldap_uri = ipaldap.get_ldap_uri(protocol='ldapi', realm=self.realm)
|
|
|
2737e7 |
- conn = ipaldap.LDAPClient(ldap_uri)
|
|
|
2737e7 |
- conn.external_bind()
|
|
|
2737e7 |
- repl = replication.ReplicationManager(self.realm,
|
|
|
2737e7 |
- self.fqdn,
|
|
|
2737e7 |
- self.dm_password, conn=conn)
|
|
|
2737e7 |
-
|
|
|
2737e7 |
- if self.dm_password is not None and not self.promote:
|
|
|
2737e7 |
- bind_dn = DN(('cn', 'Directory Manager'))
|
|
|
2737e7 |
- bind_pw = self.dm_password
|
|
|
2737e7 |
- else:
|
|
|
2737e7 |
- bind_dn = bind_pw = None
|
|
|
2737e7 |
-
|
|
|
2737e7 |
- repl.setup_promote_replication(self.master_fqdn,
|
|
|
2737e7 |
- r_binddn=bind_dn,
|
|
|
2737e7 |
- r_bindpw=bind_pw,
|
|
|
2737e7 |
- cacert=self.ca_file)
|
|
|
2737e7 |
+ repl, bind_dn, bind_pw = self._get_replication_manager()
|
|
|
2737e7 |
+ repl.setup_promote_replication(
|
|
|
2737e7 |
+ self.master_fqdn,
|
|
|
2737e7 |
+ r_binddn=bind_dn,
|
|
|
2737e7 |
+ r_bindpw=bind_pw,
|
|
|
2737e7 |
+ cacert=self.ca_file
|
|
|
2737e7 |
+ )
|
|
|
2737e7 |
self.run_init_memberof = repl.needs_memberof_fixup()
|
|
|
2737e7 |
|
|
|
2737e7 |
+ def finalize_replica_config(self):
|
|
|
2737e7 |
+ repl, bind_dn, bind_pw = self._get_replication_manager()
|
|
|
2737e7 |
+ repl.finalize_replica_config(
|
|
|
2737e7 |
+ self.master_fqdn,
|
|
|
2737e7 |
+ r_binddn=bind_dn,
|
|
|
2737e7 |
+ r_bindpw=bind_pw,
|
|
|
2737e7 |
+ cacert=self.ca_file
|
|
|
2737e7 |
+ )
|
|
|
2737e7 |
+
|
|
|
2737e7 |
def __configure_sasl_mappings(self):
|
|
|
2737e7 |
# we need to remove any existing SASL mappings in the directory as otherwise they
|
|
|
2737e7 |
# they may conflict.
|
|
|
2737e7 |
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
|
|
|
95ea96 |
index 5ce8fa689c1a6fd3b9d4cbddbd5454d36334b729..d0f92c76c108d237104a81c72567250583ac4ff1 100644
|
|
|
2737e7 |
--- a/ipaserver/install/replication.py
|
|
|
2737e7 |
+++ b/ipaserver/install/replication.py
|
|
|
95ea96 |
@@ -75,6 +75,20 @@ STRIP_ATTRS = ('modifiersName',
|
|
|
2737e7 |
'internalModifiersName',
|
|
|
2737e7 |
'internalModifyTimestamp')
|
|
|
2737e7 |
|
|
|
2737e7 |
+# settings for cn=replica,cn=$DB,cn=mapping tree,cn=config
|
|
|
2737e7 |
+# during replica installation
|
|
|
2737e7 |
+REPLICA_CREATION_SETTINGS = {
|
|
|
2737e7 |
+ "nsds5ReplicaReleaseTimeout": ["20"],
|
|
|
2737e7 |
+ "nsds5ReplicaBackoffMax": ["3"],
|
|
|
2737e7 |
+ "nsDS5ReplicaBindDnGroupCheckInterval": ["2"]
|
|
|
2737e7 |
+}
|
|
|
2737e7 |
+# after replica installation
|
|
|
2737e7 |
+REPLICA_FINAL_SETTINGS = {
|
|
|
2737e7 |
+ "nsds5ReplicaReleaseTimeout": ["60"],
|
|
|
2737e7 |
+ "nsds5ReplicaBackoffMax": ["300"], # default
|
|
|
2737e7 |
+ "nsDS5ReplicaBindDnGroupCheckInterval": ["60"]
|
|
|
2737e7 |
+}
|
|
|
2737e7 |
+
|
|
|
2737e7 |
|
|
|
2737e7 |
def replica_conn_check(master_host, host_name, realm, check_ca,
|
|
|
2737e7 |
dogtag_master_ds_port, admin_password=None,
|
|
|
95ea96 |
@@ -201,9 +215,13 @@ def wait_for_entry(connection, dn, timeout, attr=None, attrvalue='*',
|
|
|
2737e7 |
|
|
|
2737e7 |
|
|
|
2737e7 |
class ReplicationManager(object):
|
|
|
2737e7 |
- """Manage replication agreements between DS servers, and sync
|
|
|
2737e7 |
- agreements with Windows servers"""
|
|
|
2737e7 |
- def __init__(self, realm, hostname, dirman_passwd, port=PORT, starttls=False, conn=None):
|
|
|
2737e7 |
+ """Manage replication agreements
|
|
|
2737e7 |
+
|
|
|
2737e7 |
+ between DS servers, and sync agreements with Windows servers
|
|
|
2737e7 |
+ """
|
|
|
2737e7 |
+
|
|
|
2737e7 |
+ def __init__(self, realm, hostname, dirman_passwd=None, port=PORT,
|
|
|
2737e7 |
+ starttls=False, conn=None):
|
|
|
2737e7 |
self.hostname = hostname
|
|
|
2737e7 |
self.port = port
|
|
|
2737e7 |
self.dirman_passwd = dirman_passwd
|
|
|
95ea96 |
@@ -481,22 +499,16 @@ class ReplicationManager(object):
|
|
|
2737e7 |
except errors.NotFound:
|
|
|
2737e7 |
pass
|
|
|
2737e7 |
else:
|
|
|
2737e7 |
- managers = {DN(m) for m in entry.get('nsDS5ReplicaBindDN', [])}
|
|
|
2737e7 |
-
|
|
|
2737e7 |
- mods = []
|
|
|
2737e7 |
- if replica_binddn not in managers:
|
|
|
2737e7 |
+ binddns = entry.setdefault('nsDS5ReplicaBindDN', [])
|
|
|
2737e7 |
+ if replica_binddn not in {DN(m) for m in binddns}:
|
|
|
2737e7 |
# Add the new replication manager
|
|
|
2737e7 |
- mods.append(
|
|
|
2737e7 |
- (ldap.MOD_ADD, 'nsDS5ReplicaBindDN', replica_binddn)
|
|
|
2737e7 |
- )
|
|
|
2737e7 |
- if 'nsds5replicareleasetimeout' not in entry:
|
|
|
2737e7 |
- # See https://pagure.io/freeipa/issue/7488
|
|
|
2737e7 |
- mods.append(
|
|
|
2737e7 |
- (ldap.MOD_ADD, 'nsds5replicareleasetimeout', ['60'])
|
|
|
2737e7 |
- )
|
|
|
2737e7 |
-
|
|
|
2737e7 |
- if mods:
|
|
|
2737e7 |
- conn.modify_s(dn, mods)
|
|
|
2737e7 |
+ binddns.append(replica_binddn)
|
|
|
2737e7 |
+ for key, value in REPLICA_CREATION_SETTINGS.items():
|
|
|
2737e7 |
+ entry[key] = value
|
|
|
2737e7 |
+ try:
|
|
|
2737e7 |
+ conn.update_entry(entry)
|
|
|
2737e7 |
+ except errors.EmptyModlist:
|
|
|
2737e7 |
+ pass
|
|
|
2737e7 |
|
|
|
2737e7 |
self.set_replica_binddngroup(conn, entry)
|
|
|
2737e7 |
|
|
|
95ea96 |
@@ -515,9 +527,8 @@ class ReplicationManager(object):
|
|
|
2737e7 |
nsds5flags=["1"],
|
|
|
2737e7 |
nsds5replicabinddn=[replica_binddn],
|
|
|
2737e7 |
nsds5replicabinddngroup=[self.repl_man_group_dn],
|
|
|
2737e7 |
- nsds5replicabinddngroupcheckinterval=["60"],
|
|
|
2737e7 |
- nsds5replicareleasetimeout=["60"],
|
|
|
2737e7 |
nsds5replicalegacyconsumer=["off"],
|
|
|
2737e7 |
+ **REPLICA_CREATION_SETTINGS
|
|
|
2737e7 |
)
|
|
|
2737e7 |
conn.add_entry(entry)
|
|
|
2737e7 |
|
|
|
95ea96 |
@@ -543,6 +554,47 @@ class ReplicationManager(object):
|
|
|
2737e7 |
except errors.DuplicateEntry:
|
|
|
2737e7 |
return
|
|
|
2737e7 |
|
|
|
2737e7 |
+ def _finalize_replica_settings(self, conn):
|
|
|
2737e7 |
+ """Change replica settings to final values
|
|
|
2737e7 |
+
|
|
|
2737e7 |
+ During replica installation, some settings are configured for faster
|
|
|
2737e7 |
+ replication.
|
|
|
2737e7 |
+ """
|
|
|
2737e7 |
+ dn = self.replica_dn()
|
|
|
2737e7 |
+ entry = conn.get_entry(dn)
|
|
|
2737e7 |
+ for key, value in REPLICA_FINAL_SETTINGS.items():
|
|
|
2737e7 |
+ entry[key] = value
|
|
|
2737e7 |
+ try:
|
|
|
2737e7 |
+ conn.update_entry(entry)
|
|
|
2737e7 |
+ except errors.EmptyModlist:
|
|
|
2737e7 |
+ pass
|
|
|
2737e7 |
+
|
|
|
2737e7 |
+ def finalize_replica_config(self, r_hostname, r_binddn=None,
|
|
|
2737e7 |
+ r_bindpw=None, cacert=paths.IPA_CA_CRT):
|
|
|
2737e7 |
+ """Apply final cn=replica settings
|
|
|
2737e7 |
+
|
|
|
2737e7 |
+ replica_config() sets several attribute to fast cache invalidation
|
|
|
2737e7 |
+ and fast reconnects to optimize replicat installation. For
|
|
|
2737e7 |
+ production, longer timeouts and less aggressive cache invalidation
|
|
|
2737e7 |
+ is sufficient. finalize_replica_config() sets the values on new
|
|
|
2737e7 |
+ replica and the master.
|
|
|
2737e7 |
+
|
|
|
2737e7 |
+ When installing multiple replicas in parallel, one replica may
|
|
|
2737e7 |
+ finalize the values while another is still installing.
|
|
|
2737e7 |
+
|
|
|
2737e7 |
+ See https://pagure.io/freeipa/issue/7617
|
|
|
2737e7 |
+ """
|
|
|
2737e7 |
+ self._finalize_replica_settings(self.conn)
|
|
|
2737e7 |
+
|
|
|
2737e7 |
+ ldap_uri = ipaldap.get_ldap_uri(r_hostname)
|
|
|
2737e7 |
+ r_conn = ipaldap.LDAPClient(ldap_uri, cacert=cacert)
|
|
|
2737e7 |
+ if r_bindpw:
|
|
|
2737e7 |
+ r_conn.simple_bind(r_binddn, r_bindpw)
|
|
|
2737e7 |
+ else:
|
|
|
2737e7 |
+ r_conn.gssapi_bind()
|
|
|
2737e7 |
+ self._finalize_replica_settings(r_conn)
|
|
|
2737e7 |
+ r_conn.close()
|
|
|
2737e7 |
+
|
|
|
2737e7 |
def setup_chaining_backend(self, conn):
|
|
|
2737e7 |
chaindn = DN(('cn', 'chaining database'), ('cn', 'plugins'), ('cn', 'config'))
|
|
|
2737e7 |
benamebase = "chaindb"
|
|
|
2737e7 |
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
|
|
|
95ea96 |
index 542e1d4d145f266d6fd9ad8e0eaffcb12e8f6bc6..8826da232a90380084b0e4f3dca783125a5500da 100644
|
|
|
2737e7 |
--- a/ipaserver/install/server/replicainstall.py
|
|
|
2737e7 |
+++ b/ipaserver/install/server/replicainstall.py
|
|
|
95ea96 |
@@ -1506,6 +1506,8 @@ def install(installer):
|
|
|
2737e7 |
# Apply any LDAP updates. Needs to be done after the replica is synced-up
|
|
|
2737e7 |
service.print_msg("Applying LDAP updates")
|
|
|
2737e7 |
ds.apply_updates()
|
|
|
2737e7 |
+ service.print_msg("Finalize replication settings")
|
|
|
2737e7 |
+ ds.finalize_replica_config()
|
|
|
2737e7 |
|
|
|
2737e7 |
if kra_enabled:
|
|
|
2737e7 |
kra.install(api, config, options, custodia=custodia)
|
|
|
2737e7 |
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
|
|
|
95ea96 |
index ee3cedd78a2f45f33665bf562e9426cf68325544..4e5096e598cd10e3bd98f91946b4d26377d0de6e 100644
|
|
|
2737e7 |
--- a/ipaserver/install/server/upgrade.py
|
|
|
2737e7 |
+++ b/ipaserver/install/server/upgrade.py
|
|
|
95ea96 |
@@ -45,6 +45,7 @@ from ipaserver.install import dnskeysyncinstance
|
|
|
2737e7 |
from ipaserver.install import dogtaginstance
|
|
|
2737e7 |
from ipaserver.install import krbinstance
|
|
|
2737e7 |
from ipaserver.install import adtrustinstance
|
|
|
2737e7 |
+from ipaserver.install import replication
|
|
|
2737e7 |
from ipaserver.install.upgradeinstance import IPAUpgrade
|
|
|
2737e7 |
from ipaserver.install.ldapupdate import BadSyntax
|
|
|
2737e7 |
|
|
|
95ea96 |
@@ -1645,11 +1646,14 @@ def update_replica_config(db_suffix):
|
|
|
2737e7 |
except ipalib.errors.NotFound:
|
|
|
2737e7 |
return # entry does not exist until a replica is installed
|
|
|
2737e7 |
|
|
|
2737e7 |
- if 'nsds5replicareleasetimeout' not in entry:
|
|
|
2737e7 |
- # See https://pagure.io/freeipa/issue/7488
|
|
|
95ea96 |
- logger.info("Adding nsds5replicaReleaseTimeout=60 to %s", dn)
|
|
|
2737e7 |
- entry['nsds5replicareleasetimeout'] = '60'
|
|
|
2737e7 |
+ for key, value in replication.REPLICA_FINAL_SETTINGS.items():
|
|
|
2737e7 |
+ entry[key] = value
|
|
|
2737e7 |
+ try:
|
|
|
2737e7 |
api.Backend.ldap2.update_entry(entry)
|
|
|
2737e7 |
+ except ipalib.errors.EmptyModlist:
|
|
|
2737e7 |
+ pass
|
|
|
2737e7 |
+ else:
|
|
|
95ea96 |
+ logger.info("Updated entry %s", dn)
|
|
|
2737e7 |
|
|
|
2737e7 |
|
|
|
2737e7 |
def upgrade_configuration():
|
|
|
2737e7 |
diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
|
|
|
95ea96 |
index d21e6d543f51dcee1e548e322cbe01fbe0c13d48..2fc2478ae8bb49d95f7ec60270fb5bb6e582d6f5 100644
|
|
|
2737e7 |
--- a/ipatests/test_integration/test_external_ca.py
|
|
|
2737e7 |
+++ b/ipatests/test_integration/test_external_ca.py
|
|
|
95ea96 |
@@ -130,6 +130,27 @@ class TestExternalCA(IntegrationTest):
|
|
|
2737e7 |
result = self.master.run_command(['ipa', 'user-show', 'admin'])
|
|
|
2737e7 |
assert 'User login: admin' in result.stdout_text
|
|
|
95ea96 |
|
|
|
2737e7 |
+ # check that we can also install replica
|
|
|
2737e7 |
+ tasks.install_replica(self.master, self.replicas[0])
|
|
|
2737e7 |
+
|
|
|
2737e7 |
+ # check that nsds5ReplicaReleaseTimeout option was set
|
|
|
2737e7 |
+ result = self.master.run_command([
|
|
|
2737e7 |
+ 'ldapsearch',
|
|
|
2737e7 |
+ '-x',
|
|
|
2737e7 |
+ '-D',
|
|
|
2737e7 |
+ 'cn=directory manager',
|
|
|
2737e7 |
+ '-w', self.master.config.dirman_password,
|
|
|
2737e7 |
+ '-b', 'cn=mapping tree,cn=config',
|
|
|
2737e7 |
+ '(cn=replica)',
|
|
|
2737e7 |
+ '-LLL',
|
|
|
2737e7 |
+ '-o',
|
|
|
2737e7 |
+ 'ldif-wrap=no'])
|
|
|
2737e7 |
+ # case insensitive match
|
|
|
2737e7 |
+ text = result.stdout_text.lower()
|
|
|
2737e7 |
+ # see ipaserver.install.replication.REPLICA_FINAL_SETTINGS
|
|
|
2737e7 |
+ assert 'nsds5ReplicaReleaseTimeout: 60'.lower() in text
|
|
|
2737e7 |
+ assert 'nsDS5ReplicaBindDnGroupCheckInterval: 60'.lower() in text
|
|
|
95ea96 |
+
|
|
|
95ea96 |
def test_client_installation_with_otp(self):
|
|
|
95ea96 |
# Test for issue 7526: client installation fails with one-time
|
|
|
95ea96 |
# password when the master is installed with an externally signed
|
|
|
2737e7 |
--
|
|
|
2737e7 |
2.17.1
|
|
|
2737e7 |
|