Currently the IPA server uses multiple threads in each forked process. Each thread may create NSSConnection objects, and the NSSConnection constructor accepts a database directory parameter which later may be used to initialize the NSS database. This seems to imply that multiple NSS databases can be used at the same time.
    class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback):
        default_port = httplib.HTTPSConnection.default_port

        def __init__(self, host, port=None, strict=None, dbdir=None,
                     family=socket.AF_UNSPEC, no_init=False):
            ...
However, the current NSS library doesn't allow multiple concurrent database accesses in a single process. Even when an NSS context is used, it's still limited to one database at a time.
The current code works fine because the IPA server uses only one database (/etc/httpd/alias) and the IPA client also uses one database (/etc/ipa/nssdb), but it has the potential to be wrong if it's not used correctly.
Proposed solution: The NSS database initialization should be moved out of the NSSConnection class and centralized into the main program before spawning the threads. The NSSConnection should just use the NSS database that is currently open.
See also the following tickets:
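The centralized initialization proposed above, sketched as an added example that is not FreeIPA's or python-nss's code: the real database open call (nss.nss.nss_init when python-nss is used) is injected as init_fn so the example runs without NSS, and ProcessNSSDatabase, NSSDatabaseConflict and the simplified NSSConnection are assumed names.

```python
import threading


class NSSDatabaseConflict(RuntimeError):
    """A second, different NSS database was requested in this process."""


class ProcessNSSDatabase:
    """Process-wide record of the one NSS database NSS can have open."""
    _lock = threading.Lock()
    _dbdir = None

    @classmethod
    def initialize(cls, dbdir, init_fn):
        # init_fn is the real opener (e.g. nss.nss.nss_init); injected for the example.
        with cls._lock:
            if cls._dbdir is None:
                init_fn(dbdir)                 # first caller opens the database
                cls._dbdir = dbdir
            elif cls._dbdir != dbdir:          # NSS cannot open two databases at once
                raise NSSDatabaseConflict("%s already open, refusing %s" % (cls._dbdir, dbdir))
            return cls._dbdir                  # same dbdir again is a harmless no-op

    @classmethod
    def current(cls):
        if cls._dbdir is None:
            raise RuntimeError("initialize() must run in main before spawning threads")
        return cls._dbdir

    @classmethod
    def reset(cls):                            # only so the demos below can rerun
        cls._dbdir = None


class NSSConnection:
    """Connection that only uses the database already open; it takes no dbdir."""
    def __init__(self, host, port=443):
        self.host, self.port = host, port
        self.dbdir = ProcessNSSDatabase.current()


def run_threads(target, args_list):
    threads = [threading.Thread(target=target, args=(a,)) for a in args_list]
    for t in threads: t.start()
    for t in threads: t.join()


def per_thread_init(dbdirs):
    """Old pattern: each thread initializes its own dbdir. Returns (outcomes, opened)."""
    ProcessNSSDatabase.reset()
    opened, outcomes = [], []
    def worker(dbdir):
        try:
            ProcessNSSDatabase.initialize(dbdir, opened.append)
            outcomes.append("ok")
        except NSSDatabaseConflict:
            outcomes.append("conflict")
    run_threads(worker, dbdirs)
    return sorted(outcomes), opened


def centralized_init(dbdir, hosts):
    """Proposed pattern: main opens the database once; threads only connect."""
    ProcessNSSDatabase.reset()
    ProcessNSSDatabase.initialize(dbdir, lambda d: None)
    seen = []
    run_threads(lambda host: seen.append(NSSConnection(host).dbdir), hosts)
    return seen
```

With two different directories the guard lets exactly one thread open a database and rejects the other, while the centralized form leaves every thread using the single open database.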
I just learned there is a mechanism in NSS to allow multiple simultaneous databases to be opened and closed. The NSS calls to perform this are:
SECMOD_OpenUserDB
SECMOD_CloseUserDB
Currently python-nss does not export any of the SECMOD_* calls; they would have to be added to python-nss before we could try this.
Also, I could only find very minimal documentation on using SECMOD_OpenUserDB :-(
So there are two possible options:
Either of these options probably requires a significant amount of work, so it probably should be addressed in version 4.3 at the earliest. Ticket #4638, however, is required by IPA vault in version 4.2.
Replying to [comment:2 edewata]: ...
Ok, I am moving the ticket to 4.3. We will work it from there.
Metadata Update from @edewata: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
We got rid of python-nss so this ill behavior has been dealt with.
Metadata Update from @stlaz: - Issue close_status updated to: None
Metadata Update from @stlaz: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)