[Freeipa-devel] [PATCH] 005 Deadlock in schema compat plugin (between automember_update_membership task and dse update)

thierry bordaz tbordaz at redhat.com
Wed Nov 5 14:37:44 UTC 2014 

On 11/05/2014 03:19 PM, Alexander Bokovoy wrote:
> On Thu, 30 Oct 2014, thierry bordaz wrote:
>> https://fedorahosted.org/freeipa/ticket/4635
>>
>
>> From 0a72220fc2b8af160b20085f372ab55d997546b4 Mon Sep 17 00:00:00 2001
>> From: "Thierry bordaz (tbordaz)" <tbordaz at redhat.com>
>> Date: Wed, 29 Oct 2014 16:23:03 +0100
>> Subject: [PATCH] Deadlock in schema compat plugin (between
>> automember_update_membership task and dse update)
>>
>>     Defining schema-compat-ignore-subtree values for schema compat 
>> plugin config entries removes the
>>     default value (ignore: cn=tasks,cn=config). This default value 
>> prevented deadlocks.
>>     Schema plugin needs to scope the $SUFFIX and also any updates to 
>> its configuration.
>>     This change restrict the schema compat to those subtrees. It 
>> replaces the definition of ignored subtrees
>>     that would be too long for cn=config (tasks, mapping tree, 
>> replication, snmp..)
>>
>> https://fedorahosted.org/freeipa/ticket/4635
>> ---
>> install/updates/10-schema_compat.update | 30 
>> ++++++++++++++++++++----------
>> 1 file changed, 20 insertions(+), 10 deletions(-)
>>
>> diff --git a/install/updates/10-schema_compat.update 
>> b/install/updates/10-schema_compat.update
>> index 
>> 7b75ba532612bbdaf9c85f8c88b0c8b8454e5969..b8c79012d121116f9cf53908fbe4eeeebe9d3d82 
>> 100644
>> --- a/install/updates/10-schema_compat.update
>> +++ b/install/updates/10-schema_compat.update
>> @@ -18,15 +18,19 @@ add: schema-compat-entry-attribute: 
>> 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCatego
>> add: schema-compat-entry-attribute: 
>> 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")'
>> add: schema-compat-entry-attribute: 
>> 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")'
>> add: schema-compat-entry-attribute: 
>> 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")'
>> -add: schema-compat-ignore-subtree: cn=changelog
>> -add: schema-compat-ignore-subtree: o=ipaca
>> +remove: schema-compat-ignore-subtree: cn=changelog
>> +remove: schema-compat-ignore-subtree: o=ipaca
>> +add: schema-compat-restrict-subtree: '$SUFFIX'
>> +add: schema-compat-restrict-subtree: 'cn=Schema 
>> Compatibility,cn=plugins,cn=config'
>>
>> # Change padding for host and userCategory so the pad returns the 
>> same value
>> # as the original, '' or -.
>> dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
>> replace: 
>> schema-compat-entry-attribute:'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})'
>> -add: schema-compat-ignore-subtree: cn=changelog
>> -add: schema-compat-ignore-subtree: o=ipaca
>> +remove: schema-compat-ignore-subtree: cn=changelog
>> +remove: schema-compat-ignore-subtree: o=ipaca
>> +add: schema-compat-restrict-subtree: '$SUFFIX'
>> +add: schema-compat-restrict-subtree: 'cn=Schema 
>> Compatibility,cn=plugins,cn=config'
>>
>> dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
>> default:objectClass: top
>> @@ -41,19 +45,25 @@ default:schema-compat-entry-attribute: 
>> objectclass=device
>> default:schema-compat-entry-attribute: objectclass=ieee802Device
>> default:schema-compat-entry-attribute: cn=%{fqdn}
>> default:schema-compat-entry-attribute: macAddress=%{macAddress}
>> -add: schema-compat-ignore-subtree: cn=changelog
>> -add: schema-compat-ignore-subtree: o=ipaca
>> +remove: schema-compat-ignore-subtree: cn=changelog
>> +remove: schema-compat-ignore-subtree: o=ipaca
>> +add: schema-compat-restrict-subtree: '$SUFFIX'
>> +add: schema-compat-restrict-subtree: 'cn=Schema 
>> Compatibility,cn=plugins,cn=config'
>>
>> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>> add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
>>
>> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>> -add: schema-compat-ignore-subtree: cn=changelog
>> -add: schema-compat-ignore-subtree: o=ipaca
>> +remove: schema-compat-ignore-subtree: cn=changelog
>> +remove: schema-compat-ignore-subtree: o=ipaca
>> +add: schema-compat-restrict-subtree: '$SUFFIX'
>> +add: schema-compat-restrict-subtree: 'cn=Schema 
>> Compatibility,cn=plugins,cn=config'
>>
>> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
>> -add: schema-compat-ignore-subtree: cn=changelog
>> -add: schema-compat-ignore-subtree: o=ipaca
>> +remove: schema-compat-ignore-subtree: cn=changelog
>> +remove: schema-compat-ignore-subtree: o=ipaca
>> +add: schema-compat-restrict-subtree: '$SUFFIX'
>> +add: schema-compat-restrict-subtree: 'cn=Schema 
>> Compatibility,cn=plugins,cn=config'
>>
>> dn: cn=Schema Compatibility,cn=plugins,cn=config
>> # We need to run schema-compat pre-bind callback before
>
> Conditional ACK -- did you check upgrades from 3.3 version?
>
No I did not. I will do it :)

thanks
thierry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141105/02da7a49/attachment.htm>

More information about the Freeipa-devel mailing list