[Freeipa-devel] [PATCH] 005 Deadlock in schema compat plugin (between automember_update_membership task and dse update)

Alexander Bokovoy abokovoy at redhat.com
Wed Nov 5 14:19:38 UTC 2014 

On Thu, 30 Oct 2014, thierry bordaz wrote:
>https://fedorahosted.org/freeipa/ticket/4635
>

>From 0a72220fc2b8af160b20085f372ab55d997546b4 Mon Sep 17 00:00:00 2001
>From: "Thierry bordaz (tbordaz)" <tbordaz at redhat.com>
>Date: Wed, 29 Oct 2014 16:23:03 +0100
>Subject: [PATCH] Deadlock in schema compat plugin (between
> automember_update_membership task and dse update)
>
>	Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the
>	default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks.
>	Schema plugin needs to scope the $SUFFIX and also any updates to its configuration.
>	This change restrict the schema compat to those subtrees. It replaces the definition of ignored subtrees
>	that would be too long for cn=config (tasks, mapping tree, replication, snmp..)
>
>https://fedorahosted.org/freeipa/ticket/4635
>---
> install/updates/10-schema_compat.update | 30 ++++++++++++++++++++----------
> 1 file changed, 20 insertions(+), 10 deletions(-)
>
>diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update
>index 7b75ba532612bbdaf9c85f8c88b0c8b8454e5969..b8c79012d121116f9cf53908fbe4eeeebe9d3d82 100644
>--- a/install/updates/10-schema_compat.update
>+++ b/install/updates/10-schema_compat.update
>@@ -18,15 +18,19 @@ add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCatego
> add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")'
> add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")'
> add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")'
>-add: schema-compat-ignore-subtree: cn=changelog
>-add: schema-compat-ignore-subtree: o=ipaca
>+remove: schema-compat-ignore-subtree: cn=changelog
>+remove: schema-compat-ignore-subtree: o=ipaca
>+add: schema-compat-restrict-subtree: '$SUFFIX'
>+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
> 
> # Change padding for host and userCategory so the pad returns the same value
> # as the original, '' or -.
> dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
> replace: schema-compat-entry-attribute:'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})'
>-add: schema-compat-ignore-subtree: cn=changelog
>-add: schema-compat-ignore-subtree: o=ipaca
>+remove: schema-compat-ignore-subtree: cn=changelog
>+remove: schema-compat-ignore-subtree: o=ipaca
>+add: schema-compat-restrict-subtree: '$SUFFIX'
>+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
> 
> dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
> default:objectClass: top
>@@ -41,19 +45,25 @@ default:schema-compat-entry-attribute: objectclass=device
> default:schema-compat-entry-attribute: objectclass=ieee802Device
> default:schema-compat-entry-attribute: cn=%{fqdn}
> default:schema-compat-entry-attribute: macAddress=%{macAddress}
>-add: schema-compat-ignore-subtree: cn=changelog
>-add: schema-compat-ignore-subtree: o=ipaca
>+remove: schema-compat-ignore-subtree: cn=changelog
>+remove: schema-compat-ignore-subtree: o=ipaca
>+add: schema-compat-restrict-subtree: '$SUFFIX'
>+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
> 
> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
> add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
> 
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>-add: schema-compat-ignore-subtree: cn=changelog
>-add: schema-compat-ignore-subtree: o=ipaca
>+remove: schema-compat-ignore-subtree: cn=changelog
>+remove: schema-compat-ignore-subtree: o=ipaca
>+add: schema-compat-restrict-subtree: '$SUFFIX'
>+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
> 
> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
>-add: schema-compat-ignore-subtree: cn=changelog
>-add: schema-compat-ignore-subtree: o=ipaca
>+remove: schema-compat-ignore-subtree: cn=changelog
>+remove: schema-compat-ignore-subtree: o=ipaca
>+add: schema-compat-restrict-subtree: '$SUFFIX'
>+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
> 
> dn: cn=Schema Compatibility,cn=plugins,cn=config
> # We need to run schema-compat pre-bind callback before

Conditional ACK -- did you check upgrades from 3.3 version?

-- 
/ Alexander Bokovoy

More information about the Freeipa-devel mailing list