Bug 1893870

Summary: PR_WaitCondVar() issue causes replication delay when clock jumps backwards
Product: Red Hat Enterprise Linux 8 Reporter: mreynolds
Component: 389-ds-baseAssignee: mreynolds
Status: CLOSED ERRATA QA Contact: RHDS QE <ds-qe-bugs>
Severity: high Docs Contact:
Priority: unspecified    
Version: 8.4CC: jachapma, sgouvern, spichugi, tbordaz, vashirov
Target Milestone: rcKeywords: Triaged
Target Release: 8.0Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: 389-ds-1.4-8040020210113163752-866effaa Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-18 15:45:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description mreynolds 2020-11-02 20:08:11 UTC 
Description of problem:

See issue is explained in detailed on FreeeIPA upstream bug https://pagure.io/freeipa/issue/8544.

The root cause of the problem is NSPR's PR_WaitCondVar() implementation. On pthread platforms the function is built on top of pthread_cond_timedwait. The function takes an absolute time. Both pthread_cond_timedwait and PR_WaitCondVar internal helper pt_TimedWait default to realtime clock which is subject to clock changes. pthread_condattr_setclock with CLOCK_MONOTONIC could be used to change the clock source from real to monotonic clock. This fix would require changes internal APIs or even a new API in NSPR.

Summary:

    FreeIPA server with DNS role use local BIND DNS instance as only DNS server.
    DNS facilities are not available until 389-DS, KDC, and BIND DNS are up and working.
    chronyd cannot synchronize clocks until DNS is up.
    Kerberos / GSSAPI doesn't work correctly when clocks of two hosts are way out of sync.
    When chronyd eventually syncs time, a backward jump confuses the sleep timer of the thread sync condition. This can extend a timed condition wait from a few seconds to several hours.

Package Version and Platform:

    Platform: Fedora
    Package and version: 389-ds-base-1.4.3.12-1.fc32.x86_64

Steps to Reproduce
Steps to reproduce the behavior:

    Install IPA cluster with multiple replications and DNS on each server
    change hardware clock on one server so chronyd has to adjust clock by 2 hours on boot
    reboot server

Expected results
Replication session backing off timer is not affected by clock jumps. For example a wait timeout of 60 seconds is not shortened or prolonged by real time clock changes. Instead it uses a monotonic, stable clock source.

Logs with replication debug information

Replication connection fails with GSSAPI auth problem because remote server does not like our Kerboers ticket. This is expected behavior. 389-DS retries a couple of times with increasing back off time:

[18/Oct/2020:20:05:57.131884318 +0200] - DEBUG - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTovm-178.ipa.example" (vm-178:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
[18/Oct/2020:20:05:57.134281879 +0200] - DEBUG - NSMMReplicationPlugin - close_connection_internal - agmt="cn=meTovm-178.ipa.example" (vm-178:389) - Disconnected from the consumer
[18/Oct/2020:20:05:57.135706884 +0200] - DEBUG - NSMMReplicationPlugin - conn_start_linger -agmt="cn=meTovm-178.ipa.example" (vm-178:389) - Beginning linger on the connection
[18/Oct/2020:20:05:57.137076558 +0200] - DEBUG - NSMMReplicationPlugin - conn_start_linger - agmt="cn=meTovm-178.ipa.example" (vm-178:389) - No linger on the closed conn
[18/Oct/2020:20:05:57.138557059 +0200] - DEBUG - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meTovm-178.ipa.example" (vm-178:389): Replication session backing off for 48 seconds

Seconds after last back off chronyd successfully connects to a NTP server and adjusts the clock by almost 2 hours.

[18/Oct/2020:18:06:04.871577135 +0200] ...

For over 2 hours there is no log entry related to the meTovm-178 agreement. Over 2 hours later the retry timer kicks in and resumes replication:

[18/Oct/2020:20:06:45.899245023 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=vm-171-245.ipa.example-to-vm-171-180.ipa.example" (vm-171-180:389): Replication bind with GSSAPI auth resumed
...
[18/Oct/2020:20:06:45.947839525 +0200] - DEBUG - NSMMReplicationPlugin - acquire_replica - agmt="cn=meTovm-178.ipa.example" (vm-178:389): Replica was successfully acquired.
[18/Oct/2020:20:06:45.949733829 +0200] - DEBUG - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meTovm-178.ipa.example" (vm-178:389): State: backoff -> sending_updates
Comment 1 mreynolds 2020-11-02 20:10:07 UTC 
Upstream Ticket

https://github.com/389ds/389-ds-base/issues/4384

There is more commentary in this ticket
Comment 2 sgouvern 2020-12-18 10:52:58 UTC 
ITM strip suspended during end of year break -> moving to ITM 10
Comment 4 sgouvern 2021-01-22 10:18:03 UTC 
Non regression with tier0, tier1, tier2 and tier3 tests run on build 8.4.0-389-ds-base-1.4.3.16-8.module+el8.4.0+9441+bd0f8b1f
No failure related to this fix detected 
-> marking verified:tested / SanityOnly
Comment 7 sgouvern 2021-01-22 10:46:52 UTC 
As per comment 4, moving to VERIFIED on build 389-ds-base-1.4.3.16-8.module+el8.4.0+9441+bd0f8b1f.x86_64
Comment 9 errata-xmlrpc 2021-05-18 15:45:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1835