Deprecation warning for dirsrv@.service in Fedora 29 rawhide:
Aug 01 11:54:12 ipaserver5.test4.local systemd[1]: /usr/lib/systemd/system/dirsrv@.service:40: .include directives are deprecated, and support for them will be removed in a future version of systemd. Please use drop-in files instead.
# rpm -qa "*389*" "*ipa*" | sort -u 389-ds-base-1.4.0.13-1.fc29.x86_64 389-ds-base-legacy-tools-1.4.0.13-1.fc29.x86_64 389-ds-base-libs-1.4.0.13-1.fc29.x86_64 freeipa-client-4.7.0-1.fc29.x86_64 freeipa-client-common-4.7.0-1.fc29.noarch freeipa-common-4.7.0-1.fc29.noarch freeipa-server-4.7.0-1.fc29.x86_64 freeipa-server-common-4.7.0-1.fc29.noarch freeipa-server-dns-4.7.0-1.fc29.noarch libipa_hbac-1.16.2-6.fc29.x86_64 python2-iniparse-0.4-32.fc29.noarch python3-iniparse-0.4-32.fc29.noarch python3-ipaclient-4.7.0-1.fc29.noarch python3-ipalib-4.7.0-1.fc29.noarch python3-ipaserver-4.7.0-1.fc29.noarch python3-lib389-1.4.0.13-1.fc29.noarch python3-libipa_hbac-1.16.2-6.fc29.x86_64 sssd-ipa-1.16.2-6.fc29.x86_64
Metadata Update from @mreynolds: - Custom field component adjusted to None - Custom field origin adjusted to None - Custom field reviewstatus adjusted to None - Custom field type adjusted to None - Custom field version adjusted to None - Issue set to the milestone: 1.4.0
Do you have documentation as to what and how this is doing for systemd? I think would be a change to lib389 to do the "correct thing". There is also a risk that we'll break existing deployments too because we don't have the ability to "on upgrade" anymore ....
Is there links to a change that systemd have provided here too?
I think we need more info ....
-- Sincerely,
William
All I have so far is the warning in the system log.
But with a quick look into /usr/lib/systemd/system/dirsrv@.service I can see a .include /etc/sysconfig/dirsrv.systemd. Maybe you can use an environment file for this, but i am not sure about this.
/usr/lib/systemd/system/dirsrv@.service
.include /etc/sysconfig/dirsrv.systemd
@twoerner My concern is upgrades. How are we going to migrate existing services and deployments to use this? I think this is a breaking change, and it won't be easy to resolve :(
We may need a systemd-fixup task in the CLI that fixes it somehow when an admin notices etc. It's just a mess to see a change like this being pushed on us :(
@twoerner My concern is upgrades. How are we going to migrate existing services and deployments to use this? I think this is a breaking change, and it won't be easy to resolve :( We may need a systemd-fixup task in the CLI that fixes it somehow when an admin notices etc.
# ls -la /etc/systemd/system/dirsrv.target.wants total 16 drwxr-xr-x. 1 root root 4096 Aug 11 06:24 . drwxr-xr-x. 1 root root 4096 Aug 9 06:10 .. lrwxrwxrwx. 1 root root 39 Aug 11 06:24 dirsrv@server.service -> /usr/lib/systemd/system/dirsrv@.service # rpm -qf /usr/lib/systemd/system/dirsrv@.service 389-ds-base-1.4.0.13-1.fc28.x86_64
It's a symlink, that belongs to our rpm package. Whatever we change in our service file will be reflected in the existing installations.
It's just a mess to see a change like this being pushed on us :(
It's not a sudden change. .include directive was deprecated for a long time (few years now?) and was removed from documentation. systemd started to actively mention this in the logs since https://github.com/systemd/systemd/commit/41b283d0f1f4abd85d0bbeeb7f71bb30f87cfab9 which was committed in February.
.include
I just found that this crept in RHEL8 Beta.
Metadata Update from @vashirov: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1654056
Currently /etc/sysconfig/dirsrv.systemd contains the following options: https://pagure.io/389-ds-base/blob/master/f/wrappers/systemd.template.sysconfig But the values that we provide 1. Are lower than the defaults:
/etc/sysconfig/dirsrv.systemd
# systemctl show dirsrv | grep 'LimitCORE\|LimitNOFILE' LimitCORE=infinity LimitCORESoft=infinity LimitNOFILE=1048576 LimitNOFILESoft=1048576
While in config we have LimitCore=68719476736 and LimitNOFILE=16384 2. They are not taken into account at all. The output above was taken from F29 and RHEL8.
LimitCore=68719476736
LimitNOFILE=16384
File /etc/sysconfig/dirsrv.systemd contains other useful options that the users might adjust, but they are commented out. I propose to : 1. Move /etc/sysconfig/dirsrv.systemd to drop-in config file [1] under /etc/systemd/system/dirsrv\@.service.d/ See dnf provides "/etc/systemd/system/*.service.d/*conf" for the examples how other packages configure their limits. 2. Comment out LimitCore and LimitNOFILE since system defaults are more sane now.
/etc/systemd/system/dirsrv\@.service.d/
dnf provides "/etc/systemd/system/*.service.d/*conf"
LimitCore
LimitNOFILE
Thoughts?
[1] https://www.freedesktop.org/software/systemd/man/systemd.unit.html
I agree with Viktor. We should move current file containing limits to the drop-in location. We can handle upgrades by ensuring the file is where it should be, and by ensuring the .include is not in the .service file, in a SPEC file scriptlet. And given the infinity defaults, we can comment these out as suggested.
.service
infinity
@mhonek, yeah works for me, would you like to work on this one? If so please assign it to yourself. Thanks!
Metadata Update from @mhonek: - Issue assigned to mhonek
@mhonek looks like we are getting some community pressure to get this fixed upstream. Are you still working on it?
We should retain LimitNOFILE in these files.
Additionally, if we change /etc/sysconfig we need to maek sure lib389 is changed to detect instances by looking for /etc/dirsrv/slapd-instance/dse.ldif or a similar marker.
https://pagure.io/389-ds-base/issue/50208
Metadata Update from @firstyear: - Issue marked as depending on: #50208
Does this also mean we should stop writing out the /etc/sysconfig file? I'm worried this change will trash every freeipa instance in a single fell swoop, as we'll break the krb ccache environment variable ....
Okay, for now as part of https://pagure.io/389-ds-base/issue/50208 I'm going to make lib389 stop writing the /etc/sysconfig file, and I will ask @cheimes to review the ipa installer and how they are writing the krb5 ccache env vars to make sure this works properly.
IPA code contains references to three sysconfig files:
SYSCONFIG_DIRSRV = "/etc/sysconfig/dirsrv" SYSCONFIG_DIRSRV_INSTANCE = "/etc/sysconfig/dirsrv-%s" SYSCONFIG_DIRSRV_SYSTEMD = "/etc/sysconfig/dirsrv.systemd"
I was worried that would be the case where KRB5_KTNAME is set via env. We'll need to have a way to migrate that somehow in ipa I think if we are going to stop writing out the sysconfig file on future installs.
@mhonek, what is the status of this bug? Ticket 50208 was merged so can we proceed on this bug?
Commit 10bffac relates to this ticket
Metadata Update from @mhonek: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/2934
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: fixed)
Login to comment on this ticket.