In some cases, when multiple write operations to different backends are combined, 389 DS backend can deadlock ([example 1], https://fedorahosted.org/freeipa/ticket/4635 example 2).
As the deadlock cannot be fully prevented until the DS backend locking mechanism receive a larger overhaul, FreeIPA should take advantage of the planned locking mechanism (DS ticket #47936) and enable the serialization for the upgrade run (and disable it again in the end).
Slight performance loss for the upgrade itself is better than having upgrade stuck or broken.
The DS global lock implements a global lock protecting updates on all 'ldbm database' ($SUFFIX, o=ipaca, cn=changelog) and 'frontend-internal' ('cn=config', 'cn=schema'). The global lock is reentrant.
By default the global lock is disabled. It can be enabled with the following update:
dn: cn=config changetype: modify replace: nsslapd-global-backend-lock nsslapd-global-backend-lock: on
DS needs to be restarted to take into account any changes.
Performance impact of the global lock can reduce throughput (ADD/MOD/DEL) up to one third. Now, due to high impacts of IPA plugins and ACI, it is likely that the performance impact of global lock will not be significant.
Can be part of upgrader work.
master:
Metadata Update from @mkosek: - Issue assigned to mbasti - Issue set to the milestone: FreeIPA 4.2
Login to comment on this ticket.