#4662 Centralizing NSS database initialization
Closed: fixed 6 years ago Opened 9 years ago by edewata.

Currently the IPA server uses multiple threads in each forked process. Each thread may create NSSConnection objects and the NSSConnection's constructor accepts a database directory parameter which later may be used to initialize the NSS database. This seems to imply that multiple NSS databases can be used at the same time.

class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback):
    default_port = httplib.HTTPSConnection.default_port

    def __init__(self, host, port=None, strict=None,
                 dbdir=None, family=socket.AF_UNSPEC, no_init=False):
        ...

However, the current NSS library doesn't allow multiple concurrent database accesses in a single process. Even when an NSS context is used, it's still limited to one database at a time.

The current code works fine because the IPA server uses only one database (/etc/httpd/alias) and the IPA client also uses one database (/etc/ipa/nssdb), but it has the potential to be wrong if it's not used correctly.

Proposed solution: The NSS database initialization should be moved out of the NSSConnection class and centralized into the main program before spawning the threads. The NSSConnection should just use the NSS database that is currently open.

See also the following tickets:

  • Ticket #3227: handle NSS initialization and shutdown better, use context's
  • Ticket #4638: NSSConnection shutting down existing database
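An added sketch of the centralized scheme proposed above (example code, not FreeIPA's or python-nss's): the main program opens the single database once before spawning threads, and connections take no dbdir and simply use whatever is open. NSSDatabase is a constructed stand-in for the process-wide NSS state; the places where a real program would call python-nss's nss_init()/nss_shutdown() are only indicated in comments.

```python
import threading


class NSSAlreadyInitialized(RuntimeError):
    """A thread asked for a different database than the one already open."""


class NSSDatabase:
    """Single-slot, process-wide database state (constructed model of the
    NSS limitation: one open database per process, shared by all threads)."""
    _lock = threading.Lock()
    _dbdir = None      # directory of the currently open database, if any
    _refcount = 0      # number of initialize() calls not yet matched by shutdown()

    @classmethod
    def initialize(cls, dbdir):
        """Centralized init: call from the main program before spawning threads."""
        with cls._lock:
            if cls._dbdir is None:
                cls._dbdir = dbdir          # real program: nss_init(dbdir)
            elif cls._dbdir != dbdir:
                # Refuse instead of silently shutting down the other database,
                # which is the failure mode ticket #4638 describes.
                raise NSSAlreadyInitialized(
                    "NSS is open on %s; refusing to switch to %s" % (cls._dbdir, dbdir))
            cls._refcount += 1
            return cls._dbdir

    @classmethod
    def shutdown(cls):
        """Drop one reference; the last one closes the database."""
        with cls._lock:
            if cls._refcount == 0:
                return False
            cls._refcount -= 1
            if cls._refcount == 0:
                cls._dbdir = None           # real program: nss_shutdown()
            return True

    @classmethod
    def current(cls):
        """Database the threads must use; fails loudly if main forgot to init."""
        with cls._lock:
            if cls._dbdir is None:
                raise RuntimeError("NSS not initialized; call NSSDatabase.initialize() in main")
            return cls._dbdir


class NSSConnection:
    """Connection without a dbdir argument: it uses the already-open database."""
    def __init__(self, host, port=443):
        self.host, self.port = host, port
        self.dbdir = NSSDatabase.current()


def worker_dbdirs(nthreads):
    """Spawn worker threads after central init and report the database each used."""
    seen, lock = [], threading.Lock()

    def work():
        conn = NSSConnection("ipa.example.test")   # constructed hostname
        with lock:
            seen.append(conn.dbdir)

    threads = [threading.Thread(target=work) for _ in range(nthreads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return seen
```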

I just learned there is a mechanism in NSS to allow multiple simultaneous databases to be opened and closed. The NSS calls to perform this are:

SECMOD_OpenUserDB;
SECMOD_CloseUserDB;

Currently python-nss does not export any of the SECMOD_* calls, they would have to be added to python-nss before we could try this.

Also, I could only find very minimal documentation on using SECMOD_OpenUserDB :-(

So there are two possible options:

  • centralize the NSS database initialization as suggested by this ticket, and continue to limit one database open at a time
  • keep the current decentralized NSS database initializations, but use a new python-nss that supports concurrent database access

Either of these options probably requires a significant amount of work, so it probably should be addressed in version 4.3 at the earliest. Ticket #4638, however, is required by IPA vault in version 4.2.

Replying to [comment:2 edewata]:
...

Either of these options probably requires a significant amount of work, so it probably should be addressed in version 4.3 at the earliest. Ticket #4638, however, is required by IPA vault in version 4.2.

Ok, I am moving the ticket to 4.3. We will work it from there.

Metadata Update from @edewata:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

We got rid of python-nss so this ill behavior has been dealt with.

Metadata Update from @stlaz:
- Issue close_status updated to: None

6 years ago

Metadata Update from @stlaz:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago
