#167 Update Dogtag 10 to utilize the shared NSS database model
Closed: fixed 3 years ago. Opened 9 years ago by mharmsen.

The existing NSS databases utilize the original pre-Sleepycat Berkeley DB model, which is unsafe when being utilized by more than one process (e.g., Tomcat AND Apache).

As a consequence, Dogtag 10 should strongly consider moving to use the shared NSS SQLite DB model documented at:

- https://wiki.mozilla.org/NSS_Shared_DB

Starting from NSS 3.15 the Berkeley database will be dropped and replaced with SQLite DB.

That "starting from NSS 3.15 the Berkeley database will be dropped and replaced with SQLite DB" is an overstatement that needs clarification. Let me clarify because someone has expressed concern to me at reading that comment. nss-3.13.5 would be the earliest release when that could occur, but such a decision has not been made. It is not one to be taken without considering its consequences and consulting with all stake-holders. NSS has a fairly good track record of binary compatibility and we want to keep it that way.

Currently FUTURE, but since 389 has a similar ticket (https://fedorahosted.org/389/ticket/47681 - RFE: Utilize the shared NSS database model) we should probably sync these efforts (although not directly related, possibly when/if the F21 System Wide BerkeleyDB 6 change is addressed?)

vakwetu suggested 10.3 since that puts it on the radar in the 10.3 timeframe.

Per discussions, targeted 10.3

Per CS/DS meeting of 04/28/2014 - 10.4.

Additionally, it was discussed in this meeting to also move PKI TRAC Ticket #974 - Multiple database access via JSS to 10.4.

Metadata Update from @mharmsen:
- Issue assigned to vakwetu
- Issue set to the milestone: UNTRIAGED

4 years ago

<rcrit> cfu, jmagne, mharmsen not sure if you saw this but Kaie is proposing to switch the NSS to default to sqlite format in F-27. https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql
<mharmsen> rcrit: thanks -- we were not aware of this, but we do have a long-standing ticket for it -- https://pagure.io/dogtagpki/issue/167
<rcrit> yeah, I figure it'll up the timetable on these
<rcrit> 389-ds has a similar ticket, https://pagure.io/389-ds-base/issue/48760
<mharmsen> rcrit: also https://pagure.io/389-ds-base/issue/47681
<rcrit> Ok, I'll let Mark know so he can close one as a dup
<mharmsen> rcrit: yep
<mharmsen> rcrit: just scanned Kaie's doc, but will they have a flag to create the old NSS db format?
<rcrit> you have to specify dbm:/path/to/nss/database
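The migration the ticket asks for, as an added example that is not Dogtag's own upgrade code: detect which on-disk format an NSS database directory uses (legacy dbm: cert8.db/key3.db/secmod.db; shared SQLite sql: cert9.db/key4.db/pkcs11.txt), and plan an in-place dbm-to-sql migration using the `dbm:`/`sql:` directory prefixes mentioned above. The use of `certutil -N` followed by `certutil --merge --source-dir` for the copy, and the password-file path, are assumptions of this example, not something the ticket specifies; the sample directory contents are constructed.

```python
"""Detect the NSS database format of a directory and plan a dbm -> sql
migration.  Added example; not pki-server's upgrade code."""
import subprocess
import tempfile
from pathlib import Path

# Documented NSS layouts: legacy Berkeley DB vs. shared SQLite database.
DBM_FILES = ("cert8.db", "key3.db", "secmod.db")
SQL_FILES = ("cert9.db", "key4.db", "pkcs11.txt")
SQLITE_MAGIC = b"SQLite format 3\x00"


def _is_sqlite(path):
    """True if the file starts with the SQLite 3 header, so a stray or
    truncated cert9.db is not mistaken for a usable sql: database."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def nssdb_type(directory):
    """Return 'sql', 'dbm', 'both' (an in-place migration left the old
    files behind, or was interrupted) or 'empty'."""
    d = Path(directory)
    has_dbm = any((d / f).is_file() for f in DBM_FILES[:2])   # cert8.db / key3.db
    has_sql = any(_is_sqlite(d / f) for f in SQL_FILES[:2])   # cert9.db / key4.db
    if has_dbm and has_sql:
        return "both"
    if has_sql:
        return "sql"
    if has_dbm:
        return "dbm"
    return "empty"


def migrate_commands(directory, password_file=None):
    """certutil invocations for an in-place dbm -> sql migration.
    Assumption (not from the ticket): certutil provides --merge, and the
    dbm:/sql: prefixes pick the format regardless of NSS_DEFAULT_DB_TYPE."""
    directory = str(Path(directory))
    src, dst = f"dbm:{directory}", f"sql:{directory}"
    create = ["certutil", "-N", "-d", dst]
    merge = ["certutil", "--merge", "-d", dst, "--source-dir", src]
    if password_file:
        create += ["-f", password_file]
        merge += ["-f", password_file, "-@", password_file]   # -@: source DB password
    else:
        create.append("--empty-password")
    return [create, merge]


def migrate(directory, password_file=None, dry_run=False):
    """Migrate only a pure dbm directory; refuse 'both' so a half-finished
    run is inspected by a human instead of being merged twice.
    Returns (state_before, commands)."""
    state = nssdb_type(directory)
    if state != "dbm":
        return state, []
    cmds = migrate_commands(directory, password_file)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return state, cmds


def demo():
    """Constructed sample: empty dir, then legacy files, then a dry-run plan,
    then a fake cert9.db standing in for the result of certutil -N."""
    with tempfile.TemporaryDirectory() as d:
        out = {"empty": nssdb_type(d), "dir": str(Path(d))}
        for name in DBM_FILES:
            Path(d, name).write_bytes(b"")        # contents irrelevant for dbm detection
        out["dbm"] = nssdb_type(d)
        state, cmds = migrate(d, password_file="/tmp/pwdfile.txt", dry_run=True)
        out["plan"] = [" ".join(c) for c in cmds]
        Path(d, "cert9.db").write_bytes(SQLITE_MAGIC + bytes(16))
        out["after"] = nssdb_type(d)
        out["refused"] = migrate(d, dry_run=True)[1]   # 'both' -> nothing planned
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running `demo()` shows the detection flipping from `empty` to `dbm` to `both`; the old cert8.db/key3.db are deliberately left in place after the merge so a rollback to a Dogtag 10.5 build that still opens dbm: remains possible.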

Metadata Update from @mharmsen:
- Custom field feature adjusted to ''
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue close_status updated to: None
- Issue priority set to: blocker (was: major)
- Issue set to the milestone: 0.0 NEEDS_TRIAGE (was: UNTRIAGED)

4 years ago

Metadata Update from @mharmsen:
- Custom field cc adjusted to mreynolds@redhat.com,rcrit@redhat.com

4 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5 (was: 0.0 NEEDS_TRIAGE)

4 years ago

Metadata Update from @mharmsen:
- Issue priority set to: critical (was: blocker)

4 years ago

Metadata Update from @mharmsen:
- Issue priority set to: major (was: critical)

4 years ago

[20171025] - Offline Triage ==> 10.6

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.6 (was: 10.5)

4 years ago

Metadata Update from @mharmsen:
- Issue priority set to: blocker (was: major)

4 years ago

Kai's ticket "Document a recommended mechanism to perform explicit NSS database migration from dbm to sql using existing NSS tools" https://bugzilla.mozilla.org/show_bug.cgi?id=1415912

FreeIPA NSSDB migration: https://github.com/freeipa/freeipa/pull/1254

This is needed for ticket #2560 for Fedora 28.

The default NSS DB type can be defined at build time with -DPKI_NSS_DB_TYPE. https://review.gerrithub.io/c/400731/ is missing to use SQL format on F28 and to convert the NSS DB to SQL format.


Metadata Update from @edewata:
- Issue assigned to cheimes (was: vakwetu)

3 years ago

Metadata Update from @cheimes:
- Assignee reset

3 years ago

The last patch has landed. 10.6 should support SQL NSS database and automatically migrate old DBM databases from Dogtag 10.5. The current approach has a bug. The backup method fails because FreeIPA has created a file that can't be copied as pkiuser:

# ls -la /var/lib/pki/pki-tomcat/ca/conf/
-rw-rw----. 1 root    root    84745 Feb 23 15:02 CS.cfg.ipabkp

and the backup script tries to chown files:

[pid 42588] mkdir("/var/log/pki/server/upgrade/10.5.5/1/oldfiles/var", 0777) = 0
[pid 42588] stat("/var", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
[pid 42588] utimensat(AT_FDCWD, "/var/log/pki/server/upgrade/10.5.5/1/oldfiles/var", [{tv_sec=1519650213, tv_nsec=956263542} /* 2018-02-26T14:03:33.95626350
[pid 42588] chmod("/var/log/pki/server/upgrade/10.5.5/1/oldfiles/var", 040755) = 0
[pid 42588] chown("/var/log/pki/server/upgrade/10.5.5/1/oldfiles/var", 0, 0) = -1 EPERM (Operation not permitted)
ERROR: [Errno 1] Operation not permitted: '/var/log/pki/server/upgrade/10.5.5/1/oldfiles/var'
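The failure mode in the strace above, as an added example that is not the pki-server upgrade code: a backup routine that mirrors a directory under an oldfiles/ tree, keeps mode and timestamps, and treats ownership as best-effort, so chown() returning EPERM for a root-owned entry is reported in a warning list rather than aborting the upgrade. The `backup_tree` and `demo` names, the injectable `chown` parameter, and the sample conf/ contents are constructed for this example; the fake chown stands in for the kernel refusing pkiuser's chown(..., 0, 0).

```python
"""Best-effort backup copy: preserve what the backup user is allowed to,
report the rest.  Added example; not pki-server's upgrade code."""
import os
import shutil
import stat
import tempfile
from pathlib import Path


def _restore_owner(dst, st, chown, warnings):
    """Try to give dst the original uid/gid; an unprivileged backup user
    gets EPERM for root-owned entries, which is recorded, not raised."""
    try:
        chown(dst, st.st_uid, st.st_gid)
    except PermissionError as e:
        warnings.append(f"{dst}: owner {st.st_uid}:{st.st_gid} not preserved ({e.strerror})")


def backup_tree(src_root, backup_root, chown=os.chown):
    """Mirror src_root below backup_root using its absolute path, the way
    oldfiles/var/... mirrors /var/... above.  Returns (mirror_dir, warnings).
    chown is injectable so the EPERM path can be exercised without root."""
    warnings = []
    src_root = Path(src_root).resolve()
    mirror = Path(backup_root) / src_root.relative_to(src_root.anchor)
    pending_dirs = []
    for src in [src_root, *sorted(src_root.rglob("*"))]:
        dst = mirror / src.relative_to(src_root)
        st = src.lstat()
        if stat.S_ISDIR(st.st_mode):
            dst.mkdir(parents=True, exist_ok=True)
            pending_dirs.append((src, dst, st))     # metadata after contents
            continue
        if not stat.S_ISREG(st.st_mode):
            warnings.append(f"{src}: skipped (not a regular file or directory)")
            continue
        try:
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)                  # data + mode + timestamps
        except PermissionError as e:                # e.g. a 0660 root:root file
            warnings.append(f"{src}: not copied ({e.strerror})")
            continue
        _restore_owner(dst, st, chown, warnings)
    # Deepest directory first: the same utimensat/chmod/chown sequence the
    # strace shows, but the chown failure no longer stops the backup.
    for src, dst, st in reversed(pending_dirs):
        shutil.copystat(src, dst)
        _restore_owner(dst, st, chown, warnings)
    return mirror, warnings


def demo():
    """Constructed scenario: conf/ holds CS.cfg and a CS.cfg.ipabkp that
    FreeIPA wrote as root; the fake chown refuses that one entry."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "conf"
        conf.mkdir()
        (conf / "CS.cfg").write_text("pki.version=10.5.5\n")
        (conf / "CS.cfg.ipabkp").write_text("# written by ipa-server-upgrade\n")

        def pkiuser_chown(path, uid, gid):
            if Path(path).name == "CS.cfg.ipabkp":      # pretend it is root-owned
                raise PermissionError(1, "Operation not permitted")
            os.chown(path, uid, gid)

        mirror, warnings = backup_tree(conf, Path(tmp) / "oldfiles", chown=pkiuser_chown)
        copied = sorted(p.name for p in mirror.iterdir())
        content = (mirror / "CS.cfg.ipabkp").read_text()
    return {"warnings": warnings, "copied": copied, "content": content}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of returning the warnings instead of raising is that the upgrade can still decide: log them and continue for a backup, or stop when the list is non-empty if the policy is that a backup with lost ownership is not acceptable.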

Metadata Update from @edewata:
- Issue close_status updated to: fixed
- Issue set to the milestone: 10.6.0 (was: 10.6)
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata Update from @mharmsen:
- Issue assigned to cheimes

3 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/739

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
