RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Description of problem:

in ipa environments, we need the least delay in replication, particularly when we install a replica. We have seen that in environments of only 4 replicas, the monopolization of consumers is already taking place and sometimes preventing the replica to be installed.

Particularly we can see failures in custodia component that adds keys in one node and checks the keys have been updated in the other node. This is failing by timeout.

We can workaround this issue by setting "nsds5ReplicaReleaseTimeout: 60" at replica level in all the replicas. 

We need this set by default. I could provide more details if needed.


Version-Release number of selected component (if applicable): RHEL7.4


How reproducible: at least two customers are having this issue while installing a replica.

The solution is to add this attribute at replica level.

More information here:

http://directory.fedoraproject.org/docs/389ds/design/repl-conv-design.html

Upstream ticket: https://pagure.io/freeipa/issue/7488

Fixed upstream
master:
https://pagure.io/freeipa/c/afc0d4b62d043cd568ce87400f60e8fa8273495f

The patch adds nsds5ReplicaReleaseTimeout on installation and server upgrade to replication settings on all databases.

Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/8a0d4fe4bf687c4bd8d31a04e62a117b6cc25338
https://pagure.io/freeipa/c/cec72336df35a5b789fd75a6f10bb76b7be35d1e
ipa-4-6:
https://pagure.io/freeipa/c/0f7acc34d1edcdb9d297dd21e7c86e1d7b876932
https://pagure.io/freeipa/c/34078ca90b8ef556d9709ae3ee784b131d4b46e5

Ganna has created an integration test for the issue, https://pagure.io/freeipa/c/84ae625fe2c3786f7c5430f23a55c171ff54e110

Ganna added a reproducer test to upstream in commit https://github.com/freeipa/freeipa/commit/84ae625fe2c3786f7c5430f23a55c171ff54e110#diff-f6f37f4dcea301557db7e120b956c7f2

Proposing for 7.5.z as 7.4.z hotfix is being requested by Nokia.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187