Issue #8920: ipa-healthcheck reports RIPluginCheck CRITICAL error for DSRILE0002 - freeipa

freeipa

#8920 ipa-healthcheck reports RIPluginCheck CRITICAL error for DSRILE0002

Closed: fixed 2 years ago by frenaud. Opened 2 years ago by frenaud.

The nightly tests for ipa-healthcheck are reporting a new issue related to RIPluginCheck:

{
    "source": "ipahealthcheck.ds.ds_plugins",
    "check": "RIPluginCheck",
    "result": "CRITICAL",
    "uuid": "010d4500-6824-4a47-94ef-77c68bc08d17",
    "when": "20210710011100Z",
    "duration": "0.177313",
    "kw": {
      "key": "DSRILE0002",
      "items": [
        "cn=referential integrity postoperation,cn=plugins,cn=config",
        "dc=ipa,dc=test",
        "member"
      ],
      "msg": "The referential integrity plugin is configured to use an attribute (member)\nthat does not have an \"equality\" index in backend (dc=ipa,dc=test).\nFailure to have the proper indexing will lead to unindexed searches which\ncause high CPU and can significantly slow the server down."
    }
  },

This is visible in PR#1029 in the following tests:
in fedora-latest/test_ipahealthcheck
- test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_after_certupdate
- test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_no_errors
- test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_riplugincheck
in fedora-latest/test_ipahealthcheck_cli_fsspace:
- test_ipahealthcheck.py::TestIpaHealthCLI::test_indent
- test_ipahealthcheck.py::TestIpaHealthCLI::test_severity
- test_ipahealthcheck.py::TestIpaHealthCLI::test_input_file

rcritten commented 2 years ago

@mreynolds we're seeing a failure in a DS healthcheck plugin periodically.

The logs can be found at http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/94a309c8-e118-11eb-8ef2-fa163ec53c61/

I don't have a package version but this is 389-Directory/2.0.6 B2021.174.0000

I'm not sure what would trigger this RIP failure.

mreynolds commented 2 years ago

Well the error is straight forward. The healthcheck looks at all the backends to make sure that the attributes configured in the RI plugin have an equality index. The check is just querying cn=config. Could the healthcheck be being run too quickly after an install? Some sort of testing race condition?

mpolovka commented 2 years ago

Also present in [testing_master_previous] Nightly PR #1038 , report

rcritten commented 2 years ago

In some tests yes it is run immediately after an install, e.g. test_ipa_healthcheck_no_errors.

Others do not, like test_ipa_healthcheck_after_certupdate, which runs the IPA command ipa-certupdate which queries certs out of LDAP and applies them to the system databases. This operation isn't particularly fast so I'd be surprised if it was racing with a DS plugin.

I wonder if we need an instrumented build to gather more information, I'm just not sure what would be useful. Would be running dsconf as well provide more info?

frenaud commented 2 years ago

dse.ldif contains the following definitions:

# ldapsearch -LLL -o ldif-wrap=no -D cn=directory\ manager -w Secret123 -b cn=config "cn=member"
dn: cn=member,cn=index,cn=changelog,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: member
nsSystemIndex: false
nsIndexType: eq

dn: cn=member,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn: member
nsIndexType: eq
nsSystemIndex: false
objectClass: top
objectClass: nsIndex

dn: cn=member,cn=index,cn=ipaca,cn=ldbm database,cn=plugins,cn=config
cn: member
nsIndexType: eq
nsSystemIndex: false
objectClass: top
objectClass: nsIndex

dn: cn=member,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: member
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub
nsSystemIndex: false
objectClass: top
objectClass: nsIndex

dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: member
nsIndexType: eq
nsIndexType: sub
nsSystemIndex: false
objectClass: top
objectClass: nsIndex

Note the last entry: dn: cn=memberOf... but the attribute has cn:member
Manually fixing dse.ldif also fixes the ipa-healthcheck output.

The index was added as part of subuid feature, probably a copy-paste error.

Metadata Update from @frenaud:
- Issue assigned to frenaud

2 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5901

2 years ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1952028, https://bugzilla.redhat.com/show_bug.cgi?id=1981322

2 years ago

frenaud commented 2 years ago

master:

cb37f49 Index: Fix definition for memberOf

frenaud commented 2 years ago

ipa-4-9:

b132956 Index: Fix definition for memberOf

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata

Assignee

frenaud

Tags

Blocking

None

Depending on

None

Priority

None

Milestone

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

https://github.com/freeipa/freeipa/pull/5901

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1952028, https://bugzilla.redhat.com/show_bug.cgi?id=1981322

tester

None

changelog

None

design

None

freeipa

Source Code

#8920 ipa-healthcheck reports RIPluginCheck CRITICAL error for DSRILE0002 Closed: fixed 2 years ago by frenaud. Opened 2 years ago by frenaud.

Metadata

tests test-failure

#8920 ipa-healthcheck reports RIPluginCheck CRITICAL error for DSRILE0002

Closed: fixed 2 years ago by frenaud. Opened 2 years ago by frenaud.