diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/0021-Fix-nsslapd-db-lock-tuning-of-BDB-backend_rhbz#1882472.patch b/SOURCES/0021-Fix-nsslapd-db-lock-tuning-of-BDB-backend_rhbz#1882472.patch
new file mode 100644
index 0000000..8fe58a4
--- /dev/null
+++ b/SOURCES/0021-Fix-nsslapd-db-lock-tuning-of-BDB-backend_rhbz#1882472.patch
@@ -0,0 +1,215 @@
+Adapted patch for ipatests/test_integration/test_installation.py due to
+missing commit 930f4b3d1dc03f9e365b007b027d65e146a08f05 (Prevent local account
+takeover).
+
+From 87e5c0500b76b7cbeecedc0c28d44095c7063186 Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Thu, 24 Sep 2020 12:32:37 +0200
+Subject: [PATCH] Fix nsslapd-db-lock tuning of BDB backend
+
+nsslapd-db-lock was moved from cn=config,cn=ldbm database,cn=plugins,cn=config
+entry to cn=bdb subentry. Manual patching of dse.ldif was no longer
+working. Installations with 389-DS 1.4.3 and newer are affected.
+
+Low lock count can affect performance during high load, e.g. mass-import
+of users or lots of concurrent connections.
+
+Bump minimal DS version to 1.4.3. Fedora 32 and RHEL 8.3 have 1.4.3.
+
+Fixes: https://pagure.io/freeipa/issue/8515
+See: https://pagure.io/freeipa/issue/5914
+Signed-off-by: Christian Heimes
+Reviewed-By: Francois Cami
+Reviewed-By: Francois Cami
+---
+ freeipa.spec.in | 17 ++++++-----------
+ install/share/Makefile.am | 1 +
+ install/share/ldbm-tuning.ldif | 4 ++++
+ install/updates/10-db-locks.update | 10 ++++++++++
+ install/updates/Makefile.am | 1 +
+ ipapython/ipaldap.py | 1 +
+ ipaserver/install/dsinstance.py | 9 ++++-----
+ .../test_customized_ds_config_install.py | 3 ++-
+ .../test_integration/test_installation.py | 19 +++++++++++++++++++
+ 9 files changed, 48 insertions(+), 17 deletions(-)
+ create mode 100644 install/share/ldbm-tuning.ldif
+ create mode 100644 install/updates/10-db-locks.update
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 1db7d6457..8e6736b60 100755
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -55,10 +55,9 @@
+ %global selinux_policy_version 3.14.3-21
+ %global slapi_nis_version 0.56.1-4
+ %global python_ldap_version 3.1.0-1
+-# python3-lib389
+-# Fix for "Installation fails: Replica Busy"
+-# https://pagure.io/389-ds-base/issue/49818
+-%global ds_version 1.4.0.16
++# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
++# https://pagure.io/freeipa/issue/8515
++%global ds_version 1.4.3
+ # Fix for TLS 1.3 PHA, RHBZ#1775158
+ %global httpd_version 2.4.37-21
+
+@@ -89,13 +88,9 @@
+
+ # fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
+ %global python_ldap_version 3.1.0-1
+-# Fix for create suffix
+-# https://pagure.io/389-ds-base/issue/49984
+-%if 0%{?fedora} >= 30
+-%global ds_version 1.4.1.1
+-%else
+-%global ds_version 1.4.0.21
+-%endif
++# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
++# https://pagure.io/freeipa/issue/8515
++%global ds_version 1.4.3
+
+ # Fix for TLS 1.3 PHA, RHBZ#1775146
+ %if 0%{?fedora} >= 31
+diff --git a/install/share/Makefile.am b/install/share/Makefile.am
+index 53bd8f5d5..53485edfa 100644
+--- a/install/share/Makefile.am
++++ b/install/share/Makefile.am
+@@ -102,6 +102,7 @@ dist_app_DATA = \
+ ipaca_default.ini \
+ ipaca_customize.ini \
+ ipaca_softhsm2.ini \
++ ldbm-tuning.ldif \
+ $(NULL)
+
+ kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
+diff --git a/install/share/ldbm-tuning.ldif b/install/share/ldbm-tuning.ldif
+new file mode 100644
+index 000000000..765ccb01a
+--- /dev/null
++++ b/install/share/ldbm-tuning.ldif
+@@ -0,0 +1,4 @@
++dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
++changetype: modify
++replace: nsslapd-db-locks
++nsslapd-db-locks: 50000
+diff --git a/install/updates/10-db-locks.update b/install/updates/10-db-locks.update
+new file mode 100644
+index 000000000..31d2e4352
+--- /dev/null
++++ b/install/updates/10-db-locks.update
+@@ -0,0 +1,10 @@
++# Fix nsslapd-db-locks move
++# https://pagure.io/freeipa/issue/8515
++
++# replace 389-DS default with 50000 locks
++dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
++replace: nsslapd-db-locks:10000::50000
++
++# remove setting from old location
++dn: cn=config,cn=ldbm database,cn=plugins,cn=config
++remove: nsslapd-db-locks: 50000
+diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
+index 8a4d9cc6c..957ad4fa2 100644
+--- a/install/updates/Makefile.am
++++ b/install/updates/Makefile.am
+@@ -4,6 +4,7 @@ appdir = $(IPA_DATA_DIR)/updates
+ app_DATA = \
+ 05-pre_upgrade_plugins.update \
+ 10-config.update \
++ 10-db-locks.update \
+ 10-enable-betxn.update \
+ 10-ipapwd.update \
+ 10-selinuxusermap.update \
+diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
+index 3eac95a87..5c43413cc 100644
+--- a/ipapython/ipaldap.py
++++ b/ipapython/ipaldap.py
+@@ -753,6 +753,7 @@ class LDAPClient:
+ 'nsslapd-anonlimitsdn': True,
+ 'nsslapd-minssf-exclude-rootdse': True,
+ 'nsslapd-enable-upgrade-hash': True,
++ 'nsslapd-db-locks': True,
+ })
+
+ time_limit = -1.0 # unlimited
+diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
+index 3fc0de371..065c6f78f 100644
+--- a/ipaserver/install/dsinstance.py
++++ b/ipaserver/install/dsinstance.py
+@@ -226,6 +226,7 @@ class DsInstance(service.Service):
+
+ self.step("creating directory server instance", self.__create_instance)
+ self.step("configure autobind for root", self.__root_autobind)
++ self.step("tune ldbm plugin", self.__tune_ldbm)
+ self.step("stopping directory server", self.__stop_instance)
+ self.step("updating configuration in dse.ldif", self.__update_dse_ldif)
+ self.step("starting directory server", self.__start_instance)
+@@ -592,6 +593,9 @@ class DsInstance(service.Service):
+ # Done!
+ logger.debug("completed creating DS instance")
+
++ def __tune_ldbm(self):
++ self._ldap_mod("ldbm-tuning.ldif")
++
+ def __update_dse_ldif(self):
+ """
+ This method updates dse.ldif right after instance creation. This is
+@@ -610,11 +614,6 @@ class DsInstance(service.Service):
+ temp_filename = new_dse_ldif.name
+ with open(dse_filename, "r") as input_file:
+ parser = installutils.ModifyLDIF(input_file, new_dse_ldif)
+- parser.replace_value(
+- 'cn=config,cn=ldbm database,cn=plugins,cn=config',
+- 'nsslapd-db-locks',
+- [b'50000']
+- )
+ if self.config_ldif:
+ # parse modifications from ldif file supplied by the admin
+ with open(self.config_ldif, "r") as config_ldif:
+diff --git a/ipatests/test_integration/test_customized_ds_config_install.py b/ipatests/test_integration/test_customized_ds_config_install.py
+index a2fcc7dd2..95195a014 100644
+--- a/ipatests/test_integration/test_customized_ds_config_install.py
++++ b/ipatests/test_integration/test_customized_ds_config_install.py
+@@ -4,7 +4,8 @@ from ipatests.pytest_ipa.integration import tasks
+
+ DIRSRV_CONFIG_MODS = """
+ # https://fedorahosted.org/freeipa/ticket/4949
+-dn: cn=config,cn=ldbm database,cn=plugins,cn=config
++# https://pagure.io/freeipa/issue/8515
++dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
+ changetype: modify
+ replace: nsslapd-db-locks
+ nsslapd-db-locks: 100000
+diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
+index c939c6450..ec826edb7 100644
+--- a/ipatests/test_integration/test_installation.py
++++ b/ipatests/test_integration/test_installation.py
+@@ -972,6 +972,25 @@ class TestInstallMaster(IntegrationTest):
+ )
+ assert "nsslapd-enable-upgrade-hash: off" in result.stdout_text
+
++ def test_ldbm_tuning(self):
++ # check db-locks in new cn=bdb subentry (1.4.3+)
++ result = tasks.ldapsearch_dm(
++ self.master,
++ "cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config",
++ ["nsslapd-db-locks"],
++ scope="base"
++ )
++ assert "nsslapd-db-locks: 50000" in result.stdout_text
++
++ # no db-locks configuration in old global entry
++ result = tasks.ldapsearch_dm(
++ self.master,
++ "cn=config,cn=ldbm database,cn=plugins,cn=config",
++ ["nsslapd-db-locks"],
++ scope="base"
++ )
++ assert "nsslapd-db-locks" not in result.stdout_text
++
+
+ class TestInstallMasterKRA(IntegrationTest):
+
+--
+2.26.2
+
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index c1ea27a..c8616f9 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -149,7 +149,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 12%{?dist} +Release: 13%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -184,6 +184,7 @@ Patch0017: 0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.pat Patch0018: 0018-dogtaginstance.py-add-debug-to-pkispawn_rhbz#1879604.patch Patch0019: 0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch Patch0020: 0020-SELinux-do-not-double-define-node_t-and-pki_tomcat_c_rhbz#1870202.patch +Patch0021: 0021-Fix-nsslapd-db-lock-tuning-of-BDB-backend_rhbz#1882472.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-4.8.0-Remove-csrgen.patch Patch1003: 1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch @@ -1534,6 +1535,10 @@ fi %changelog +* Thu Oct 08 2020 Thomas Woerner - 4.8.7-13 +- Fix nsslapd-db-lock tuning of BDB backend + Resolves: RHBZ#1882472 + * Wed Sep 23 2020 Thomas Woerner - 4.8.7-12 - Require selinux sub package in the proper version Related: RHBZ#1868432
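Review bot: The new `__tune_ldbm` method in ipaserver/install/dsinstance.py has no docstring, and nothing in it records that `cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config` exists only on 389-DS 1.4.3 and newer; the `ds_version` bump in freeipa.spec.in is the only guard visible in this patch. I would add `"""Set nsslapd-db-locks on the cn=bdb entry over LDAP (389-DS 1.4.3+); patching dse.ldif no longer works for this attribute."""` and confirm that `_ldap_mod`, whose body is not shown here, fails the install step when the modify is rejected, because the commit message ties a low lock count to degraded behaviour under high load. `test_ldbm_tuning` covers a fresh install only: the `replace: nsslapd-db-locks:10000::50000` and `remove: nsslapd-db-locks: 50000` lines in 10-db-locks.update look value-conditional, so an upgraded server whose old entry holds some other value would presumably keep it there, and no test in this patch exercises that path. The header also states the test hunk was adapted because commit 930f4b3d1dc03f9e365b007b027d65e146a08f05 (Prevent local account takeover) is absent from this tree; whether that fix is carried by another patch cannot be told from this page and is worth checking. The embedded hunks show only fragments of `DsInstance` and `TestInstallMaster`, which begin and end outside them.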