Many of services uses custom ldap2 connection which has low time limit by default and can cause LimitsExceeded error.
In past the LDAP updater was fixed to use default timeout 30sec. this should be also applied for services in upgrade_configuration function.
example of traceback:
2015-12-22T15:46:08Z DEBUG Created connection context.ldap2_153668624 2015-12-22T15:46:08Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache 2015-12-22T15:46:08Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x61fc4d0> 2015-12-22T15:46:20Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2015-12-22T15:46:20Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 48, in run server.upgrade() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1611, in upgrade upgrade_configuration() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1531, in upgrade_configuration ca_configure_profiles_acl(ca), File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 302, in ca_configure_profiles_acl return cainstance.configure_profiles_acl() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1708, in configure_profiles_acl cur_rules = conn.get_entry(dn).get('resourceACLS', []) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1415, in get_entry raise errors.LimitsExceeded()
Shouldn't we disable limits during upgrade completely? IMHO it is better if the system hangs because we at least have a chance to attach debugger and find out what went wrong.
Timeouts are needed because this could hang the rpm transaction where upgrades are done.
consider for general refactoring in 4.4
Metadata Update from @mbasti: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
Login to comment on this ticket.