Bug 1882340

Summary: nsslapd-db-locks patching no longer works
Product: Red Hat Enterprise Linux 8
Reporter: Christian Heimes <cheimes>
Component: ipa
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact: lmcgarry
Priority: urgent
Version: 8.3
CC: fhanzelk, ksiddiqu, lmcgarry, msauton, ndehadra, pasik, pcech, rcritten, ssidhaye, tscherf, twoerner
Target Milestone: rc
Keywords: Regression, TestCaseProvided, ZStream
Target Release: 8.3
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.9.0-0.1.rc1
Doc Type: Known Issue
Doc Text:
Cause: A recent change to 389-DS database backend moved the location of the performance tuning option nsslapd-db-locks. Because IPA patched the dse.ldif file in offline mode, 389-DS migration code did not migrate the setting.

Consequence: 389-DS runs with 10,000 instead of 50,000 DB locks. Fewer locks can negatively impact performance of servers under high load or impede mass-import of users.

Workaround (if any): Run these commands as root on every affected IPA server:

# cat > db-locks.update << EOF
dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
replace: nsslapd-db-locks:10000::50000
EOF
# ipa-ldap-updater db-locks.update

Result: 389-DS is now configured with 50,000 DB locks.
Last Closed: 2021-05-18 15:48:21 UTC
Type: Bug
Bug Blocks: 1882472

Description Christian Heimes 2020-09-24 10:47:38 UTC
Description of problem:
The installer manually patches dse.ldif in offline mode to inject nsslapd-db-locks attribute with 50,000 locks into cn=config,cn=ldbm database,cn=plugins,cn=config. This used to work until DS' backends were redesigned. DS 1.4.3 split the backends and keeps BDB specific configuration in cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config. There is code to transparently forward attribute updates from cn=config,... to cn=bdb,cn=config,.... However, manual patching of dse.ldif does not trigger this.

nsslapd-db-locks defaults to 10,000 locks. This setting affects systems under high load and with lots of connections negatively.

Version-Release number of selected component (if applicable):
389-ds-base-1.4.3 and newer (1.4.2 is not affected)
all current versions of IPA

How reproducible:
always

Steps to Reproduce:
1. ldapsearch -LLL -D "cn=Directory Manager" -w $PASSWORD -b "cn=config,cn=ldbm database,cn=plugins,cn=config" nsslapd-db-locks | grep -B1 db-locks

Actual results:
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-locks: 50000
--
dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-locks: 10000

Expected results:
dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-locks: 50000

Additional info:
https://www.port389.org/docs/389ds/design/backend-redesign.html#database-subtype
https://github.com/389ds/389-ds-base/issues/4341
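
The check from the reproduction step, as an added example that is not part of the original report and is not FreeIPA or 389-DS code: it parses LDIF text (ldapsearch -LLL output or a copy of dse.ldif), unfolds continuation lines, and reports whether the cn=bdb entry carries the 50,000-lock setting. The function names, the status labels and the sample input are assumptions made for this example; a cn=bdb entry without the attribute is treated as running with the 10,000 default stated above.

```python
# Added example (not FreeIPA/389-DS code): audit LDIF text for nsslapd-db-locks.
LEGACY_DN = "cn=config,cn=ldbm database,cn=plugins,cn=config"
BDB_DN = "cn=bdb," + LEGACY_DN
ATTR = "nsslapd-db-locks"
EXPECTED, DEFAULT = 50000, 10000   # values stated in the bug report

def norm_dn(dn):
    # Naive normalisation: enough for these DNs, ignores escaped commas.
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_ldif(text):
    """Return {normalised dn: {attr: [values]}}. Unfolds continuation
    lines; base64 ("attr:: ") values are kept undecoded."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]        # LDIF folded line
        elif not raw.startswith("#"):      # drop comment lines
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded:
        attr, sep, value = line.partition(":")
        if not sep:                        # blank line or grep's "--"
            current = None
        elif attr.strip().lower() == "dn":
            current = entries.setdefault(norm_dn(value), {})
        elif current is not None:
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def audit_db_locks(text):
    """Classify the input as 'ok', 'affected' or 'no-bdb-entry'."""
    entries = parse_ldif(text)
    legacy = entries.get(norm_dn(LEGACY_DN), {}).get(ATTR)
    legacy = int(legacy[0]) if legacy else None
    if norm_dn(BDB_DN) not in entries:     # pre-split layout or partial input
        return {"status": "no-bdb-entry", "legacy": legacy, "bdb": None}
    # Assumption: a missing attribute on cn=bdb means the default applies.
    bdb = int(entries[norm_dn(BDB_DN)].get(ATTR, [DEFAULT])[0])
    return {"status": "ok" if bdb >= EXPECTED else "affected",
            "legacy": legacy, "bdb": bdb}

# Constructed sample mirroring the "Actual results" output, with one DN folded.
SAMPLE_ACTUAL = """\
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-locks: 50000
--
dn: cn=bdb,cn=config,cn=ldbm database,
 cn=plugins,cn=config
nsslapd-db-locks: 10000
"""
```

A result of 'affected' together with a legacy value of 50000 is the signature of this bug: the setting was written to the old location and never reached cn=bdb.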

Comment 2 Christian Heimes 2020-09-24 11:27:22 UTC
The issue is a performance regression. The fix includes update code and a regression test.

Comment 4 Christian Heimes 2020-09-24 12:07:42 UTC
nsslapd-db-locks setting was increased to 50,000 as part of RHBZ #1298288 "Improve performance in large environments" for RHEL 7.2. The upstream ticket https://pagure.io/freeipa/issue/5914 contains more information.

Comment 6 Christian Heimes 2020-09-24 15:03:48 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/69ebe41525116639ec512205319197dd278e15e6

Comment 7 Christian Heimes 2020-09-24 16:08:19 UTC
Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/87e5c0500b76b7cbeecedc0c28d44095c7063186

Comment 13 François Cami 2020-10-27 13:05:00 UTC
*** Bug 1883708 has been marked as a duplicate of this bug. ***

Comment 19 Kaleem 2020-12-18 13:52:13 UTC
Verified with nightly compose based on the following details

IPA version: (snip from runner.log):
------------------------------------
2020-12-18T12:20:29+0000 ok: [master.testrelm.test] => (item=ipa-server) => 
2020-12-18T12:20:29+0000   msg:
2020-12-18T12:20:29+0000   - arch: x86_64
2020-12-18T12:20:29+0000     epoch: null
2020-12-18T12:20:29+0000     name: ipa-server
2020-12-18T12:20:29+0000     release: 0.5.rc3.module+el8.4.0+9124+ced20601
2020-12-18T12:20:29+0000     source: rpm
2020-12-18T12:20:29+0000     version: 4.9.0

Test results: (snip from test-result.txt):
-----------------------------------------

Test "test_integration/test_installation.py::TestInstallMaster::test_ldbm_tuning" for this bugzilla is successful as per the following details from the test run.

============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/libexec/platform-python
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-262.el8.x86_64-x86_64-with-redhat-8.4-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.11.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.11.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collecting ... collected 20 items

test_integration/test_installation.py::TestInstallMaster::test_install_master PASSED [  5%]
test_integration/test_installation.py::TestInstallMaster::test_schema_compat_attribute_and_tree_disable PASSED [ 10%]
test_integration/test_installation.py::TestInstallMaster::test_install_kra PASSED [ 15%]
test_integration/test_installation.py::TestInstallMaster::test_install_dns PASSED [ 20%]
test_integration/test_installation.py::TestInstallMaster::test_ipactl_restart_pki_tomcat PASSED [ 25%]
test_integration/test_installation.py::TestInstallMaster::test_ipactl_scenario_check PASSED [ 30%]
test_integration/test_installation.py::TestInstallMaster::test_WSGI_worker_process PASSED [ 35%]
test_integration/test_installation.py::TestInstallMaster::test_error_for_yubikey PASSED [ 40%]
test_integration/test_installation.py::TestInstallMaster::test_pki_certs PASSED [ 45%]
test_integration/test_installation.py::TestInstallMaster::test_http_cert PASSED [ 50%]
test_integration/test_installation.py::TestInstallMaster::test_p11_kit_softhsm2 PASSED [ 55%]
test_integration/test_installation.py::TestInstallMaster::test_selinux_avcs PASSED [ 60%]
test_integration/test_installation.py::TestInstallMaster::test_file_permissions PASSED [ 65%]
test_integration/test_installation.py::TestInstallMaster::test_ds_disable_upgrade_hash PASSED [ 70%]
test_integration/test_installation.py::TestInstallMaster::test_ldbm_tuning PASSED [ 75%]
test_integration/test_installation.py::TestInstallMaster::test_admin_root_alias_CVE_2020_10747 PASSED [ 80%]
test_integration/test_installation.py::TestInstallMaster::test_dirsrv_no_ssca PASSED [ 85%]
test_integration/test_installation.py::TestInstallMaster::test_ipa_custodia_check PASSED [ 90%]
test_integration/test_installation.py::TestInstallMaster::test_ipa_selinux_policy PASSED [ 95%]
test_integration/test_installation.py::TestInstallMaster::test_ipaca_no_redirect PASSED [100%]

..
...
=================== 20 passed, 4 warnings in 935.88 seconds ====================

Comment 31 errata-xmlrpc 2021-05-18 15:48:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846

Comment 32 Red Hat Bugzilla 2023-09-18 00:22:33 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days