Bug 1882340 - nsslapd-db-locks patching no longer works
Summary: nsslapd-db-locks patching no longer works
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: unspecified
Target Milestone: rc
Target Release: 8.3
Assignee: Thomas Woerner
QA Contact: ipa-qe
Docs Contact: lmcgarry
URL:
Whiteboard:
Duplicates: 1883708
Depends On:
Blocks: 1882472
Reported: 2020-09-24 10:47 UTC by Christian Heimes
Modified: 2023-12-15 19:30 UTC

Fixed In Version: ipa-4.9.0-0.1.rc1
Doc Type: Known Issue
Doc Text:
Cause: A recent change to 389-DS database backend moved the location of the performance tuning option nsslapd-db-locks. Because IPA patched the dse.ldif file in offline mode, 389-DS migration code did not migrate the setting.

Consequence: 389-DS runs with 10,000 instead of 50,000 DB locks. Fewer locks can negatively impact performance of servers under high load or impede mass-import of users.

Workaround (if any): Run these commands as root on every affected IPA server:

    # cat > db-locks.update << EOF
    dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
    replace: nsslapd-db-locks:10000::50000
    EOF
    # ipa-ldap-updater db-locks.update

Result: 389-DS is now configured with 50,000 DB locks.
Clone Of:
Clones: 1882472
Environment:
Last Closed: 2021-05-18 15:48:21 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Fedora Pagure | freeipa issue 5914 | 0 | None | None | None | 2020-09-24 12:07:41 UTC
Fedora Pagure | freeipa issue 8515 | 0 | None | None | None | 2020-09-24 10:47:37 UTC
Github | 389ds 389-ds-base issues 4341 | 0 | None | closed | Unable to set nsslapd-db-locks: Object class violation | 2021-02-11 18:35:51 UTC
Github | freeipa freeipa pull 5145 | 0 | None | closed | Fix nsslapd-db-lock tuning of BDB backend | 2021-02-11 18:35:51 UTC
Red Hat Bugzilla | 1298288 | 0 | high | CLOSED | [RFE] Improve performance in large environments. | 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker | FREEIPA-9606 | 0 | None | None | None | 2023-03-27 04:57:14 UTC

Description Christian Heimes 2020-09-24 10:47:38 UTC
Description of problem:
The installer manually patches dse.ldif in offline mode to inject nsslapd-db-locks attribute with 50,000 locks into cn=config,cn=ldbm database,cn=plugins,cn=config. This used to work until DS' backends were redesigned. DS 1.4.3 split the backends and keeps BDB specific configuration in cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config. There is code to transparently forward attribute updates from cn=config,... to cn=bdb,cn=config,.... However, manual patching of dse.ldif does not trigger this.

nsslapd-db-locks defaults to 10,000 locks. This setting affects systems under high load and with lots of connections negatively.

Version-Release number of selected component (if applicable):
389-ds-base-1.4.3 and newer (1.4.2 is not affected)
all current versions of IPA

How reproducible:
always

Steps to Reproduce:
1. ldapsearch -LLL -D "cn=Directory Manager" -w $PASSWORD -b "cn=config,cn=ldbm database,cn=plugins,cn=config" nsslapd-db-locks | grep -B1 db-locks

Actual results:
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-locks: 50000
--
dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-locks: 10000

Expected results:
dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-locks: 50000

Additional info:
https://www.port389.org/docs/389ds/design/backend-redesign.html#database-subtype
https://github.com/389ds/389-ds-base/issues/4341

Comment 2 Christian Heimes 2020-09-24 11:27:22 UTC
The issue is a performance regression. The fix includes update code and a regression test.

Comment 4 Christian Heimes 2020-09-24 12:07:42 UTC
nsslapd-db-locks setting was increased to 50,000 as part of RHBZ #1298288 "Improve performance in large environments" for RHEL 7.2. The upstream ticket https://pagure.io/freeipa/issue/5914 contains more information.

Comment 6 Christian Heimes 2020-09-24 15:03:48 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/69ebe41525116639ec512205319197dd278e15e6

Comment 7 Christian Heimes 2020-09-24 16:08:19 UTC
Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/87e5c0500b76b7cbeecedc0c28d44095c7063186

Comment 13 François Cami 2020-10-27 13:05:00 UTC
*** Bug 1883708 has been marked as a duplicate of this bug. ***

Comment 19 Kaleem 2020-12-18 13:52:13 UTC
Verified with nightly compose based on following details

IPA version: (snip from runner.log):
------------------------------------
2020-12-18T12:20:29+0000 ok: [master.testrelm.test] => (item=ipa-server) => 
2020-12-18T12:20:29+0000   msg:
2020-12-18T12:20:29+0000   - arch: x86_64
2020-12-18T12:20:29+0000     epoch: null
2020-12-18T12:20:29+0000     name: ipa-server
2020-12-18T12:20:29+0000     release: 0.5.rc3.module+el8.4.0+9124+ced20601
2020-12-18T12:20:29+0000     source: rpm
2020-12-18T12:20:29+0000     version: 4.9.0

Test results: (snip from test-result.txt):
-----------------------------------------

Test "test_integration/test_installation.py::TestInstallMaster::test_ldbm_tuning" for this bugzilla is successful as per following details from the test run.

============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/libexec/platform-python
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-262.el8.x86_64-x86_64-with-redhat-8.4-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.11.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.11.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collecting ... collected 20 items

test_integration/test_installation.py::TestInstallMaster::test_install_master PASSED [  5%]
test_integration/test_installation.py::TestInstallMaster::test_schema_compat_attribute_and_tree_disable PASSED [ 10%]
test_integration/test_installation.py::TestInstallMaster::test_install_kra PASSED [ 15%]
test_integration/test_installation.py::TestInstallMaster::test_install_dns PASSED [ 20%]
test_integration/test_installation.py::TestInstallMaster::test_ipactl_restart_pki_tomcat PASSED [ 25%]
test_integration/test_installation.py::TestInstallMaster::test_ipactl_scenario_check PASSED [ 30%]
test_integration/test_installation.py::TestInstallMaster::test_WSGI_worker_process PASSED [ 35%]
test_integration/test_installation.py::TestInstallMaster::test_error_for_yubikey PASSED [ 40%]
test_integration/test_installation.py::TestInstallMaster::test_pki_certs PASSED [ 45%]
test_integration/test_installation.py::TestInstallMaster::test_http_cert PASSED [ 50%]
test_integration/test_installation.py::TestInstallMaster::test_p11_kit_softhsm2 PASSED [ 55%]
test_integration/test_installation.py::TestInstallMaster::test_selinux_avcs PASSED [ 60%]
test_integration/test_installation.py::TestInstallMaster::test_file_permissions PASSED [ 65%]
test_integration/test_installation.py::TestInstallMaster::test_ds_disable_upgrade_hash PASSED [ 70%]
test_integration/test_installation.py::TestInstallMaster::test_ldbm_tuning PASSED [ 75%]
test_integration/test_installation.py::TestInstallMaster::test_admin_root_alias_CVE_2020_10747 PASSED [ 80%]
test_integration/test_installation.py::TestInstallMaster::test_dirsrv_no_ssca PASSED [ 85%]
test_integration/test_installation.py::TestInstallMaster::test_ipa_custodia_check PASSED [ 90%]
test_integration/test_installation.py::TestInstallMaster::test_ipa_selinux_policy PASSED [ 95%]
test_integration/test_installation.py::TestInstallMaster::test_ipaca_no_redirect PASSED [100%]

..
...
=================== 20 passed, 4 warnings in 935.88 seconds ====================

Comment 31 errata-xmlrpc 2021-05-18 15:48:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846

Comment 32 Red Hat Bugzilla 2023-09-18 00:22:33 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

