[Freeipa-devel] [PATCH] 005 Deadlock in schema compat plugin (between automember_update_membership task and dse update)
thierry bordaz
tbordaz at redhat.com
Wed Nov 5 14:37:44 UTC 2014
On 11/05/2014 03:19 PM, Alexander Bokovoy wrote:
> On Thu, 30 Oct 2014, thierry bordaz wrote:
>> https://fedorahosted.org/freeipa/ticket/4635
>>
>
>> From 0a72220fc2b8af160b20085f372ab55d997546b4 Mon Sep 17 00:00:00 2001
>> From: "Thierry bordaz (tbordaz)" <tbordaz at redhat.com>
>> Date: Wed, 29 Oct 2014 16:23:03 +0100
>> Subject: [PATCH] Deadlock in schema compat plugin (between
>> automember_update_membership task and dse update)
>>
>> Defining schema-compat-ignore-subtree values for schema compat
>> plugin config entries removes the
>> default value (ignore: cn=tasks,cn=config). This default value
>> prevented deadlocks.
>> Schema plugin needs to scope the $SUFFIX and also any updates to
>> its configuration.
>> This change restrict the schema compat to those subtrees. It
>> replaces the definition of ignored subtrees
>> that would be too long for cn=config (tasks, mapping tree,
>> replication, snmp..)
>>
>> https://fedorahosted.org/freeipa/ticket/4635
>> ---
>> install/updates/10-schema_compat.update | 30
>> ++++++++++++++++++++----------
>> 1 file changed, 20 insertions(+), 10 deletions(-)
>>
>> diff --git a/install/updates/10-schema_compat.update
>> b/install/updates/10-schema_compat.update
>> index
>> 7b75ba532612bbdaf9c85f8c88b0c8b8454e5969..b8c79012d121116f9cf53908fbe4eeeebe9d3d82
>> 100644
>> --- a/install/updates/10-schema_compat.update
>> +++ b/install/updates/10-schema_compat.update
>> @@ -18,15 +18,19 @@ add: schema-compat-entry-attribute:
>> 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCatego
>> add: schema-compat-entry-attribute:
>> 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")'
>> add: schema-compat-entry-attribute:
>> 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")'
>> add: schema-compat-entry-attribute:
>> 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")'
>> -add: schema-compat-ignore-subtree: cn=changelog
>> -add: schema-compat-ignore-subtree: o=ipaca
>> +remove: schema-compat-ignore-subtree: cn=changelog
>> +remove: schema-compat-ignore-subtree: o=ipaca
>> +add: schema-compat-restrict-subtree: '$SUFFIX'
>> +add: schema-compat-restrict-subtree: 'cn=Schema
>> Compatibility,cn=plugins,cn=config'
>>
>> # Change padding for host and userCategory so the pad returns the
>> same value
>> # as the original, '' or -.
>> dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
>> replace:
>> schema-compat-entry-attribute:'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})'
>> -add: schema-compat-ignore-subtree: cn=changelog
>> -add: schema-compat-ignore-subtree: o=ipaca
>> +remove: schema-compat-ignore-subtree: cn=changelog
>> +remove: schema-compat-ignore-subtree: o=ipaca
>> +add: schema-compat-restrict-subtree: '$SUFFIX'
>> +add: schema-compat-restrict-subtree: 'cn=Schema
>> Compatibility,cn=plugins,cn=config'
>>
>> dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
>> default:objectClass: top
>> @@ -41,19 +45,25 @@ default:schema-compat-entry-attribute:
>> objectclass=device
>> default:schema-compat-entry-attribute: objectclass=ieee802Device
>> default:schema-compat-entry-attribute: cn=%{fqdn}
>> default:schema-compat-entry-attribute: macAddress=%{macAddress}
>> -add: schema-compat-ignore-subtree: cn=changelog
>> -add: schema-compat-ignore-subtree: o=ipaca
>> +remove: schema-compat-ignore-subtree: cn=changelog
>> +remove: schema-compat-ignore-subtree: o=ipaca
>> +add: schema-compat-restrict-subtree: '$SUFFIX'
>> +add: schema-compat-restrict-subtree: 'cn=Schema
>> Compatibility,cn=plugins,cn=config'
>>
>> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>> add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
>>
>> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>> -add: schema-compat-ignore-subtree: cn=changelog
>> -add: schema-compat-ignore-subtree: o=ipaca
>> +remove: schema-compat-ignore-subtree: cn=changelog
>> +remove: schema-compat-ignore-subtree: o=ipaca
>> +add: schema-compat-restrict-subtree: '$SUFFIX'
>> +add: schema-compat-restrict-subtree: 'cn=Schema
>> Compatibility,cn=plugins,cn=config'
>>
>> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
>> -add: schema-compat-ignore-subtree: cn=changelog
>> -add: schema-compat-ignore-subtree: o=ipaca
>> +remove: schema-compat-ignore-subtree: cn=changelog
>> +remove: schema-compat-ignore-subtree: o=ipaca
>> +add: schema-compat-restrict-subtree: '$SUFFIX'
>> +add: schema-compat-restrict-subtree: 'cn=Schema
>> Compatibility,cn=plugins,cn=config'
>>
>> dn: cn=Schema Compatibility,cn=plugins,cn=config
>> # We need to run schema-compat pre-bind callback before
>
> Conditional ACK -- did you check upgrades from 3.3 version?
>
No I did not. I will do it :)
thanks
thierry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141105/02da7a49/attachment.htm>
More information about the Freeipa-devel
mailing list