Bug 829387

Summary: psearch code hardening
Product: Red Hat Enterprise Linux 6
Reporter: Dmitri Pal <dpal>
Component: bind-dyndb-ldap
Assignee: Adam Tkac <atkac>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 6.4
CC: jgalipea, mkosek, ovasik, pspacek
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Doc Type: Bug Fix
Last Closed: 2013-02-21 08:58:03 UTC

Description Dmitri Pal 2012-06-06 15:12:21 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/bind-dyndb-ldap/ticket/40

Currently error handling in psearch code is not so good. When we hit some error, we simply write msg like "run rndc reload" to the log and we are done.

It would be better to track which records/zones fail to update and then automatically refresh them after some time.

Comment 1 RHEL Program Management 2012-07-10 08:51:09 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 2 RHEL Program Management 2012-07-10 23:06:36 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 3 Jenny Severance 2012-07-13 14:35:07 UTC
Please add steps to reproduce / verify all necessary scenarios

Comment 5 Petr Spacek 2012-09-24 07:31:28 UTC
This bug covers a lot of small development tasks. Tests should focus on making changes in the DB and looking for the following pattern in the log:

"(psearch) failed"

This message indicates a bug, usually. 

Usual tests with zone/record addition/modification/deletion through IPA cli and DNS dynamic update should be enough.

Comment 8 Namita Soman 2012-12-20 02:10:42 UTC
When testing, there are messages in logs like:
Dec 18 08:59:09 qe-blade-01 named[15750]: update_record (psearch) failed, dn 'idnsname=allll,idnsname=newzone,cn=dns,dc=testrelm,dc=com' change type 0x4. Records can be outdated, run `rndc reload`: not found
Dec 18 08:59:22 qe-blade-01 named[15750]: update_record (psearch) failed, dn 'idnsname=aa2,idnsname=newzone,cn=dns,dc=testrelm,dc=com' change type 0x4. Records can be outdated, run `rndc reload`: not found
Dec 18 08:59:37 qe-blade-01 named[15750]: update_record (psearch) failed, dn 'idnsname=aaaa,idnsname=newzone,cn=dns,dc=testrelm,dc=com' change type 0x4. Records can be outdated, run `rndc reload`: not found
Dec 18 09:00:00 qe-blade-01 named[15750]: update_record (psearch) failed, dn 'idnsname=afsdb,idnsname=newzone,cn=dns,dc=testrelm,dc=com' change type 0x4. Records can be outdated, run `rndc reload`: not found
Dec 18 09:00:11 qe-blade-01 named[15750]: update_record (psearch) failed, dn 'idnsname=cname,idnsname=newzone,cn=dns,dc=testrelm,dc=com' change type 0x4. Records can be outdated, run `rndc reload`: not found
Dec 18 09:00:28 qe-blade-01 named[15750]: update_record (psearch) failed, dn 'idnsname=txt,idnsname=newzone,cn=dns,dc=testrelm,dc=com' change type 0x4. Records can be outdated, run `rndc reload`: not found
Dec 18 09:01:35 qe-blade-01 named[15750]: update_record (psearch) failed, dn 'idnsname=8,idnsname=4.4.4.in-addr.arpa.,cn=dns,dc=testrelm,dc=com' change type 0x4. Records can be outdated, run `rndc reload`: not found
Dec 18 09:01:47 qe-blade-01 named[15750]: update_record (psearch) failed, dn 'idnsname=naptr,idnsname=newzone,cn=dns,dc=testrelm,dc=com' change type 0x4. Records can be outdated, run `rndc reload`: not found
Dec 18 09:01:59 qe-blade-01 named[15750]: update_record (psearch) failed, dn 'idnsname=dname,idnsname=newzone,cn=dns,dc=testrelm,dc=com' change type 0x4. Records can be outdated, run `rndc reload`: not found
Dec 18 09:02:16 qe-blade-01 named[15750]: update_record (psearch) failed, dn 'idnsname=cert,idnsname=newzone,cn=dns,dc=testrelm,dc=com' change type 0x4. Records can be outdated, run `rndc reload`: not found


Is the above indicating a bug or should the steps to verify this bug be revised?

Comment 9 Petr Spacek 2012-12-20 08:01:23 UTC
This message is harmless in some specific cases, it depends ...

Did you delete the whole zone in one shot or something similar? I would like to see which IPA command caused this message.

Comment 10 Namita Soman 2013-01-07 19:08:21 UTC
The messages are showing up when deleting record, not a complete zone.

Steps taken:
Add a new zone:
# ipa dnszone-add --name-server=ipaqa64vma.testrelm.com. --admin-email=ipaqar.redhat.com --serial=2010010701 --refresh=303 --retry=101 --expire=1202 --minimum=33 --ttl=55 newzone
  Zone name: newzone
  Authoritative nameserver: ipaqa64vma.testrelm.com.
  Administrator e-mail address: ipaqar.redhat.com.
  SOA serial: 2010010702
  SOA refresh: 303
  SOA retry: 101
  SOA expire: 1202
  SOA minimum: 33
  SOA time to live: 55
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;


Add record type a 
# ipa dnsrecord-add newzone allll --a-rec 1.2.3.4
  Record name: allll
  A record: 1.2.3.4

Delete record type a 
# ipa dnsrecord-del newzone allll --a-rec 1.2.3.4
----------------------
Deleted record "allll"
----------------------

From this delete action, /var/log/messages has:
Jan  7 13:58:16 ipaqa64vma named[30416]: update_record (psearch) failed, dn 'idnsname=allll,idnsname=newzone,cn=dns,dc=testrelm,dc=com' change type 0x4. Records can be outdated, run `rndc reload`: not found

...and so on...as I go to next delete test:
# ipa dnsrecord-add newzone aa2 --a-rec 1.2.3.4,2.3.4.5
  Record name: aa2
  A record: 1.2.3.4, 2.3.4.5

# ipa dnsrecord-del newzone aa2 --a-rec 1.2.3.4,2.3.4.5
--------------------
Deleted record "aa2"
--------------------


From this delete action, /var/log/messages has:
Jan  7 13:58:21 ipaqa64vma named[30416]: update_record (psearch) failed, dn 'idnsname=aa2,idnsname=newzone,cn=dns,dc=testrelm,dc=com' change type 0x4. Records can be outdated, run `rndc reload`: not found

Comment 11 Petr Spacek 2013-01-08 09:35:52 UTC
What is the timing of the commands?
Are you able to provide a minimal working example which produces the error above?
Could you provide SSH access to the host?

Comment 12 Petr Spacek 2013-01-09 17:40:50 UTC
Investigation results:
In this particular case the message above is harmless.

Command "ipa dnsrecord-del newzone allll --a-rec 1.2.3.4" causes IPA to delete the attribute and the empty object in two separate steps. BIND receives an Entry Change Notification about *change* and attempts to read the new data from LDAP, but the whole object disappeared in the meantime (because it was deleted by IPA).

Optimization described in https://fedorahosted.org/bind-dyndb-ldap/ticket/41 should prevent this message from popping up.
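
Added example (not part of the bug report and not bind-dyndb-ldap code): a log triage helper for the check from Comment 5 that separates the case explained in Comment 12 (a modify notification, change type 0x4, ending in "not found") from every other "(psearch) failed" message. The change-type names follow the LDAP persistent search draft; the function names, the verdict labels and all sample lines except the first are assumptions constructed for this example.

```python
import re
from collections import Counter

# Change types carried in an Entry Change Notification (LDAP psearch draft).
CHANGE_TYPES = {0x1: "add", 0x2: "delete", 0x4: "modify", 0x8: "modDN"}

FAIL_RE = re.compile(
    r"named\[\d+\]: (?P<func>\w+) \(psearch\) failed, dn '(?P<dn>[^']*)' "
    r"change type (?P<ctype>0x[0-9a-fA-F]+)\..*: (?P<result>[^:]+)$"
)

def triage(lines):
    """Return one finding per log line that contains '(psearch) failed'."""
    findings = []
    for line in lines:
        if "(psearch) failed" not in line:
            continue
        m = FAIL_RE.search(line.rstrip())
        if m is None:
            # Unknown layout: never silently drop a failure message.
            findings.append({"verdict": "investigate", "dn": None,
                             "change": None, "result": None})
            continue
        ctype = int(m.group("ctype"), 16)
        result = m.group("result").strip()
        # Comment 12's case: modify notification, entry already deleted.
        benign = ctype == 0x4 and result == "not found"
        findings.append({
            "verdict": "likely-benign" if benign else "investigate",
            "dn": m.group("dn"),
            "change": CHANGE_TYPES.get(ctype, hex(ctype)),
            "result": result,
        })
    return findings

def summarize(findings):
    """Count findings per verdict."""
    return Counter(f["verdict"] for f in findings)

# First line is quoted from Comment 10; the other three are constructed.
SAMPLE = [
    "Jan  7 13:58:16 ipaqa64vma named[30416]: update_record (psearch) failed, dn 'idnsname=allll,idnsname=newzone,cn=dns,dc=testrelm,dc=com' change type 0x4. Records can be outdated, run `rndc reload`: not found",
    "Jan  7 14:02:03 ipaqa64vma named[30416]: update_record (psearch) failed, dn 'idnsname=www,idnsname=newzone,cn=dns,dc=testrelm,dc=com' change type 0x1. Records can be outdated, run `rndc reload`: failure",
    "Jan  7 14:02:09 ipaqa64vma named[30416]: (psearch) failed: constructed message with an unknown layout",
    "Jan  7 14:02:10 ipaqa64vma named[30416]: zone newzone/IN: loaded serial 2010010702",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
    print(dict(summarize(triage(SAMPLE))))
```

A "likely-benign" verdict only means the line matches the pattern from Comment 12; a record that is reported this way without having been deleted still needs a look.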

Comment 13 Namita Soman 2013-01-09 18:07:28 UTC
Marking verified. Ran automated tests and checked /var/log/messages for "(psearch) failed". Verified using ipa-server-3.0.0-19.el6.x86_64

Comment 15 errata-xmlrpc 2013-02-21 08:58:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0359.html