New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Regression related to sync_repl in ipa nightly tests #5289
Comments
FYI: We also have a regression in 389ds test related to this commit, @Firstyear is working on it through |
The PR #5285 fixed a few issues but not all of them. We still have the problem with sync_repl. |
@flo-renaud Just trying to understand what the "sync-repl" failure actually is. Is this the search filter that fails:
And do you have an example of the entry that should match this filter? |
The first filter used is the following (with LDAP_SYNC_REFRESH_ONLY):
Then subsequent call is using the filter you provided (with LDAP_SYNC_REFRESH_AND_PERSIST):
|
@flo-renaud to confirm, which filter is not working? The first one, the second, or both? I need to reproduce this outside of IPA so I need to know exactly what is failing. |
@mreynolds389 |
I think I've worked it out. the fault isn't in the filter optimiser, it's a fault in freeipa. What's occuring is that the query optimiser is re-arranging the logically equivalent query from:
Note the promotion of idnsserverid in the second or condition. This means it get evaluated first. This value is NOT found in the indexes OR our schema, which means it gets rejected. I turned up logging and added some extra info:
Previously, what would have occurred is that you were relying on a quirk and a lot of luck. The query would evaluate However in this case because idnsserverid is promoted and does not exist in the schema, then the default schema protection policy applies to prevent denial of service attacks per SLAPI_WARN_SAFE. This means that it actually also would have triggered a warning in the results and access log per schema.c: "slapi_pblock_set_result_text_if_empty(pb, "Invalid attribute in filter - results may not be complete.");" And as we have here - the results are not complete, because the schema is likely missing the attribute idnsserverid, and thus we can not index it or safely search for it. Had you had a situation where you had more than 10 idnsServerConfigObject's, you also would have silently begun to lose results even pre-filter optimisation. |
Which means btw, the resolution is that you need to check that you have everything in the ipa schema correctly setup and defined, because it looks like in this situation we are correctly rejecting the query as that attribute is undefined to our schemas knowledge. |
Or alternately, you need to globally set freeipa to have "warn-invalid" https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html-single/configuration_command_and_file_reference/index#cnconfig-nsslapd-verify-filter-schema If you want to go the other way, set reject-invalid, and do your full CI suite to detect all the invalid queries that have been assumed to work. :) |
Hi @Firstyear |
Yes it would. Because 389-ds' backend can not distinguish between "no index" and "empty index" so it always returns an empty result set. Can you trying indexing that attribute? |
(At least, that's what I remember, I'm not looking at the code right now, so yes, please try indexing it) |
@Firstyear
but I still get the same result. Without the index and with |
@flo-renaud tonight's COPR build should have new "search filter" logging in it. Would it be possible to enable filter logging (see below) and run the test again with that new build:
|
Having a hard time getting IPA to install on a beaker system using a custom hostname :-( If I leave things as is, using the default beaker hostname, but use "--domain ipa.test --realm IPA.TEST" everything works fine:
If I try hacking /etc/hosts to use server.ipa.test, the IPA server install fails immediately. Looks like the beaker system is now hosed as everything is failing now. Spent 2 hours on this already and to have to start all over again is a bit frustrating... So I don't know if its my setup, or what. Perhaps I need someone from the IPA to reproduce this and give me access to their machine so I can investigate it? @flo-renaud thoughts? |
Hi @mreynolds389
Please let me know if it helps installing IPA. |
Thanks @flo-renaud that did the trick (I was missing the hostnamectl part)! So I could reproduce the error from the description of this ticket, but when I run that "host" command it's not even hitting the directory server. DS is completely idle, and zero operations are sent against it. No binds, no searches, nothing. So I'm not seeing a DS problem - perhaps IPA is not working as needed to reproduce the DS issue on a lab machine? |
Ok, so the search that is causing issues happens at server startup, not when "host" is called. Investigating... |
The latest IPA CI run doesn't show the issue any more, closing this issue as fixed. |
Issue Description
FreeIPA nightly tests detected a regression introduced with commit 90d8474. See for instance the PR #1695 with the test
389ds-fedora/test_backup_and_restore_TestBackupAndRestore
(logs, report).Package Version and Platform:
Steps to Reproduce
Steps to reproduce the behavior:
On a host with hostname = server.ipa.test
1, install freeipa-server-dns:
dnf install -y freeipa-server-dns
2. Enable 389ds copr repo:
dnf copr enable @389ds/389-ds-base-nightly
3. update 389ds to the faulty version:
dnf update 389-ds-base-2.2.0-202205050142git90d847426.fc35
4. install ipa server:
ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders --no-dnssec-validation -a Secret123 -p Secret123 -U
5. query the DNS for the server name:
host server.ipa.test localhost
The query fails:
Expected results
The DNS server should answer with the server IP adress:
The DNS server logs show issues related to sync_repl: /var/named/data/database.log
The DNS server relies heavily on sync_repl as it performs queries to find the DNS-related objects in the LDAP database. If sync_repl fails, the DNS server cannot load/update the entries.
Companion issue logged against freeipa: https://pagure.io/freeipa/issue/9153
The text was updated successfully, but these errors were encountered: