[Freeipa-devel] [PATCH] 005 Deadlock in schema compat plugin (between automember_update_membership task and dse update)

Martin Basti mbasti at redhat.com
Wed Nov 5 14:47:53 UTC 2014 

On 05/11/14 15:37, thierry bordaz wrote:
> On 11/05/2014 03:19 PM, Alexander Bokovoy wrote:
>> On Thu, 30 Oct 2014, thierry bordaz wrote:
>>> https://fedorahosted.org/freeipa/ticket/4635
>>>
>>
>>> From 0a72220fc2b8af160b20085f372ab55d997546b4 Mon Sep 17 00:00:00 2001
>>> From: "Thierry bordaz (tbordaz)" <tbordaz at redhat.com>
>>> Date: Wed, 29 Oct 2014 16:23:03 +0100
>>> Subject: [PATCH] Deadlock in schema compat plugin (between
>>> automember_update_membership task and dse update)
>>>
>>>     Defining schema-compat-ignore-subtree values for schema compat 
>>> plugin config entries removes the
>>>     default value (ignore: cn=tasks,cn=config). This default value 
>>> prevented deadlocks.
>>>     Schema plugin needs to scope the $SUFFIX and also any updates to 
>>> its configuration.
>>>     This change restrict the schema compat to those subtrees. It 
>>> replaces the definition of ignored subtrees
>>>     that would be too long for cn=config (tasks, mapping tree, 
>>> replication, snmp..)
>>>
>>> https://fedorahosted.org/freeipa/ticket/4635
>>> ---
>>> install/updates/10-schema_compat.update | 30 
>>> ++++++++++++++++++++----------
>>> 1 file changed, 20 insertions(+), 10 deletions(-)
>>>
>>> diff --git a/install/updates/10-schema_compat.update 
>>> b/install/updates/10-schema_compat.update
>>> index 
>>> 7b75ba532612bbdaf9c85f8c88b0c8b8454e5969..b8c79012d121116f9cf53908fbe4eeeebe9d3d82 
>>> 100644
>>> --- a/install/updates/10-schema_compat.update
>>> +++ b/install/updates/10-schema_compat.update
>>> @@ -18,15 +18,19 @@ add: schema-compat-entry-attribute: 
>>> 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCatego
>>> add: schema-compat-entry-attribute: 
>>> 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")'
>>> add: schema-compat-entry-attribute: 
>>> 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")'
>>> add: schema-compat-entry-attribute: 
>>> 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")'
>>> -add: schema-compat-ignore-subtree: cn=changelog
>>> -add: schema-compat-ignore-subtree: o=ipaca
>>> +remove: schema-compat-ignore-subtree: cn=changelog
>>> +remove: schema-compat-ignore-subtree: o=ipaca
>>> +add: schema-compat-restrict-subtree: '$SUFFIX'
>>> +add: schema-compat-restrict-subtree: 'cn=Schema 
>>> Compatibility,cn=plugins,cn=config'
>>>
>>> # Change padding for host and userCategory so the pad returns the 
>>> same value
>>> # as the original, '' or -.
>>> dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
>>> replace: 
>>> schema-compat-entry-attribute:'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\! 
>>> "all\",\"\ 
>>> ",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})'
>>> -add: schema-compat-ignore-subtree: cn=changelog
>>> -add: schema-compat-ignore-subtree: o=ipaca
>>> +remove: schema-compat-ignore-subtree: cn=changelog
>>> +remove: schema-compat-ignore-subtree: o=ipaca
>>> +add: schema-compat-restrict-subtree: '$SUFFIX'
>>> +add: schema-compat-restrict-subtree: 'cn=Schema 
>>> Compatibility,cn=plugins,cn=config'
>>>
>>> dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
>>> default:objectClass: top
>>> @@ -41,19 +45,25 @@ default:schema-compat-entry-attribute: 
>>> objectclass=device
>>> default:schema-compat-entry-attribute: objectclass=ieee802Device
>>> default:schema-compat-entry-attribute: cn=%{fqdn}
>>> default:schema-compat-entry-attribute: macAddress=%{macAddress}
>>> -add: schema-compat-ignore-subtree: cn=changelog
>>> -add: schema-compat-ignore-subtree: o=ipaca
>>> +remove: schema-compat-ignore-subtree: cn=changelog
>>> +remove: schema-compat-ignore-subtree: o=ipaca
>>> +add: schema-compat-restrict-subtree: '$SUFFIX'
>>> +add: schema-compat-restrict-subtree: 'cn=Schema 
>>> Compatibility,cn=plugins,cn=config'
>>>
>>> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>>> add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
>>>
>>> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>>> -add: schema-compat-ignore-subtree: cn=changelog
>>> -add: schema-compat-ignore-subtree: o=ipaca
>>> +remove: schema-compat-ignore-subtree: cn=changelog
>>> +remove: schema-compat-ignore-subtree: o=ipaca
>>> +add: schema-compat-restrict-subtree: '$SUFFIX'
>>> +add: schema-compat-restrict-subtree: 'cn=Schema 
>>> Compatibility,cn=plugins,cn=config'
>>>
>>> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
>>> -add: schema-compat-ignore-subtree: cn=changelog
>>> -add: schema-compat-ignore-subtree: o=ipaca
>>> +remove: schema-compat-ignore-subtree: cn=changelog
>>> +remove: schema-compat-ignore-subtree: o=ipaca
>>> +add: schema-compat-restrict-subtree: '$SUFFIX'
>>> +add: schema-compat-restrict-subtree: 'cn=Schema 
>>> Compatibility,cn=plugins,cn=config'
>>>
>>> dn: cn=Schema Compatibility,cn=plugins,cn=config
>>> # We need to run schema-compat pre-bind callback before
>>
>> Conditional ACK -- did you check upgrades from 3.3 version?
>>
>
I did upgrade from 3.3.5 to 4.1 and it worked

-- 
Martin Basti

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141105/60c0e08f/attachment.htm>

More information about the Freeipa-devel mailing list