#5565 upgrade of services may cause LimitsExceeded LDAP error
Opened 8 years ago by mbasti. Modified 7 years ago

Many of the services use a custom ldap2 connection, which has a low time limit by default and can cause a LimitsExceeded error.

In the past, the LDAP updater was fixed to use a default timeout of 30 sec. This should also be applied to services in the upgrade_configuration function.

Example of traceback:

2015-12-22T15:46:08Z DEBUG Created connection context.ldap2_153668624
2015-12-22T15:46:08Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
2015-12-22T15:46:08Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x61fc4d0>
2015-12-22T15:46:20Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2015-12-22T15:46:20Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 48, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1611, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1531, in upgrade_configuration
    ca_configure_profiles_acl(ca),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 302, in ca_configure_profiles_acl
    return cainstance.configure_profiles_acl()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1708, in configure_profiles_acl
    cur_rules = conn.get_entry(dn).get('resourceACLS', [])
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1415, in get_entry
    raise errors.LimitsExceeded()

Shouldn't we disable limits during upgrade completely? IMHO it is better if the system hangs, because we at least have a chance to attach a debugger and find out what went wrong.

Timeouts are needed because this could hang the rpm transaction where upgrades are done.

Consider for general refactoring in 4.4.

Metadata Update from @mbasti:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago
