The nightly tests for ipa-healthcheck are reporting a new issue related to RIPluginCheck:
{ "source": "ipahealthcheck.ds.ds_plugins", "check": "RIPluginCheck", "result": "CRITICAL", "uuid": "010d4500-6824-4a47-94ef-77c68bc08d17", "when": "20210710011100Z", "duration": "0.177313", "kw": { "key": "DSRILE0002", "items": [ "cn=referential integrity postoperation,cn=plugins,cn=config", "dc=ipa,dc=test", "member" ], "msg": "The referential integrity plugin is configured to use an attribute (member)\nthat does not have an \"equality\" index in backend (dc=ipa,dc=test).\nFailure to have the proper indexing will lead to unindexed searches which\ncause high CPU and can significantly slow the server down." } },
This is visible in PR#1029 in the following tests: in fedora-latest/test_ipahealthcheck - test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_after_certupdate - test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_no_errors - test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_riplugincheck in fedora-latest/test_ipahealthcheck_cli_fsspace: - test_ipahealthcheck.py::TestIpaHealthCLI::test_indent - test_ipahealthcheck.py::TestIpaHealthCLI::test_severity - test_ipahealthcheck.py::TestIpaHealthCLI::test_input_file
test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_after_certupdate
test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_no_errors
test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_riplugincheck
test_ipahealthcheck.py::TestIpaHealthCLI::test_indent
test_ipahealthcheck.py::TestIpaHealthCLI::test_severity
test_ipahealthcheck.py::TestIpaHealthCLI::test_input_file
@mreynolds we're seeing a failure in a DS healthcheck plugin periodically.
The logs can be found at http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/94a309c8-e118-11eb-8ef2-fa163ec53c61/
I don't have a package version but this is 389-Directory/2.0.6 B2021.174.0000
I'm not sure what would trigger this RIP failure.
Well the error is straight forward. The healthcheck looks at all the backends to make sure that the attributes configured in the RI plugin have an equality index. The check is just querying cn=config. Could the healthcheck be being run too quickly after an install? Some sort of testing race condition?
Also present in [testing_master_previous] Nightly PR #1038 , report
In some tests yes it is run immediately after an install, e.g. test_ipa_healthcheck_no_errors.
Others do not, like test_ipa_healthcheck_after_certupdate, which runs the IPA command ipa-certupdate which queries certs out of LDAP and applies them to the system databases. This operation isn't particularly fast so I'd be surprised if it was racing with a DS plugin.
I wonder if we need an instrumented build to gather more information, I'm just not sure what would be useful. Would be running dsconf as well provide more info?
dse.ldif contains the following definitions:
# ldapsearch -LLL -o ldif-wrap=no -D cn=directory\ manager -w Secret123 -b cn=config "cn=member" dn: cn=member,cn=index,cn=changelog,cn=ldbm database,cn=plugins,cn=config objectClass: top objectClass: nsIndex cn: member nsSystemIndex: false nsIndexType: eq dn: cn=member,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config cn: member nsIndexType: eq nsSystemIndex: false objectClass: top objectClass: nsIndex dn: cn=member,cn=index,cn=ipaca,cn=ldbm database,cn=plugins,cn=config cn: member nsIndexType: eq nsSystemIndex: false objectClass: top objectClass: nsIndex dn: cn=member,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config cn: member nsIndexType: eq nsIndexType: pres nsIndexType: sub nsSystemIndex: false objectClass: top objectClass: nsIndex dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config cn: member nsIndexType: eq nsIndexType: sub nsSystemIndex: false objectClass: top objectClass: nsIndex
Note the last entry: dn: cn=memberOf... but the attribute has cn:member Manually fixing dse.ldif also fixes the ipa-healthcheck output.
The index was added as part of subuid feature, probably a copy-paste error.
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5901
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1952028, https://bugzilla.redhat.com/show_bug.cgi?id=1981322
master:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Log in to comment on this ticket.