#4925 Enable 389 DS global write lock for upgrade
Closed: Fixed None Opened 7 years ago by mkosek.

In some cases, when multiple write operations to different backends are combined, 389 DS backend can deadlock ([example 1], https://fedorahosted.org/freeipa/ticket/4635 example 2).

As the deadlock cannot be fully prevented until the DS backend locking mechanism receive a larger overhaul, FreeIPA should take advantage of the planned locking mechanism (DS ticket #47936) and enable the serialization for the upgrade run (and disable it again in the end).

Slight performance loss for the upgrade itself is better than having upgrade stuck or broken.

The DS global lock implements a global lock protecting updates on all 'ldbm database' ($SUFFIX, o=ipaca, cn=changelog) and 'frontend-internal' ('cn=config', 'cn=schema'). The global lock is reentrant.

By default the global lock is disabled. It can be enabled with the following update:

dn: cn=config
changetype: modify
replace: nsslapd-global-backend-lock
nsslapd-global-backend-lock: on

DS needs to be restarted to take into account any changes.

Performance impact of the global lock can reduce throughput (ADD/MOD/DEL) up to one third.
Now, due to high impacts of IPA plugins and ACI, it is likely that the performance impact of global lock will not be significant.

Can be part of upgrader work.


  • 522cbb2 move realm_to_serverid to installutils module
  • 882ce85 Server Upgrade: use LDIF parser to modify DSE.ldif
  • 5db962d Server Upgrade: enable DS global lock during upgrade

Metadata Update from @mkosek:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.2

5 years ago

Login to comment on this ticket.