Crash with SEGV after compacting
by Niklas Schmatloch
Hi
My organisation is using a replicated 389-dirsrv. Lately, it has been crashing
each time after compacting.
It is replicable on our instances by lowering the compactdb-interval to
trigger the compacting:
dsconf -D "cn=Directory Manager" ldap://127.0.0.1 -w 'PASSWORD_HERE' backend config set --compactdb-interval 300
This is the log:
[03/Aug/2022:16:06:38.552781605 +0200] - NOTICE - checkpoint_threadmain - Compacting DB start: userRoot
[03/Aug/2022:16:06:38.752592692 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact userRoot - 8 pages freed
[03/Aug/2022:16:06:44.172233009 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact userRoot - 888 pages freed
[03/Aug/2022:16:06:44.179315345 +0200] - NOTICE - checkpoint_threadmain - Compacting DB start: changelog
[03/Aug/2022:16:13:18.020881527 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact changelog - 458 pages freed
dirsrv@auth-alpha.service: Main process exited, code=killed, status=11/SEGV
dirsrv@auth-alpha.service: Failed with result 'signal'.
dirsrv@auth-alpha.service: Consumed 2d 6h 22min 1.122s CPU time.
The first steps are done very quickly, but the step before the 458 pages of the
retro-changelog are freed takes several minutes. During this time the dirsrv writes
more than 10 G and reads more than 7 G (according to iotop).
After this line is printed, the dirsrv crashes within seconds.
What I also noticed is that, even though it said it freed a lot of pages, the
retro-changelog does not seem to change in size.
The file `/var/lib/dirsrv/slapd-auth-alpha/db/changelog/id2entry.db` is 7.2 G
before and after the compacting.
Debian 11.4
389-ds-base/stable,now 1.4.4.11-2 amd64
Does someone have an idea how to debug / fix this?
Thanks
4 months, 2 weeks
Builds for EL8 have a new home
by Viktor Ashirov
Hello,
epel-modular repository for EL8 was discontinued:
https://pagure.io/epel/issue/198
On February 15, 2023 EPEL 8 modules will be archived and removed:
https://lists.centos.org/pipermail/centos-devel/2022-October/120635.html
See the forwarded email below for more details.
This means we can no longer provide new upstream builds of 389-ds-base
through the EPEL repository.
Good news is that our copr repositories now have builds for EL8:
https://copr.fedorainfracloud.org/coprs/g/389ds/389-directory-server
https://copr.fedorainfracloud.org/coprs/g/389ds/389-directory-server-next
And if you have an existing installation using 389-directory-server module
from EPEL, you can switch to our copr repositories and reset the old module:
# dnf copr enable @389ds/389-directory-server
# dnf update 389-ds-base cockpit-389-ds
# dnf module reset 389-directory-server
In case of any issues, please let us know or open an issue at
https://github.com/389ds/389-ds-base/issues/new/choose
Thanks.
--
Viktor
---------- Forwarded message ---------
From: Troy Dawson <tdawson(a)redhat.com>
Date: Thu, Sep 29, 2022 at 12:10 AM
Subject: [CentOS-devel] EPEL 8 Modules get the axe on Halloween 2022
To: The CentOS developers mailing list. <centos-devel(a)centos.org>
When EPEL-8 was launched, it came with some support for modules with the
hope that a module ecosystem could be built from Fedora packages using RHEL
modules as an underlying tool. This has never happened and we have ended up
with a muddle of modular packages which will 'build' but may not install or
even run on an EL-8 system. Attempts to fix this and work within how EPEL
is normally built have been tried for several years by different people but
have not worked.
At this point we are saying that this experiment with modules in EPEL has
not worked and we will focus our resources on what does work.
Schedule of EPEL 8 Module Retirement:
Next Week:
- epel-release will be updated.
-- epel-modular will set enabled = 0
-- epel-modular full name will have "Deprecated" in it
October 31 2022:
- The EPEL 8 modules will be archived and removed.
-- The mirror manager will be pointed to the archive.
- Packagers will no longer be able to build EPEL 8 modules.
After October 31st (Actual date to be determined):
- epel-release will be updated again.
-- epel-modular repo configs will be removed.
Questions and Answers:
Question: Will I still be able to access the modules after October 31st?
Answer: It is not recommended, because the modules will not get any
security or bug fixes, but yes. They will be in the Fedora archives,
and the mirror managers will point at them.
Question: What will you be dressed as on Halloween?
Answer (Troy): A Penguin
EPEL Steering Committee
[1] - https://pagure.io/epel/issue/198
_______________________________________________
CentOS-devel mailing list
CentOS-devel(a)centos.org
https://lists.centos.org/mailman/listinfo/centos-devel
11 months, 2 weeks
Wrong password hash algorithm returned
by Julian Kippels
Hi,
We have a radius server that reads the userPassword-attribute from ldap
to authenticate users. There is a strange phenomenon where sometimes the
answer from the ldap-server gives the wrong password hash algorithm. Our
global password policy storage scheme is set to SSHA. When I perform a
ldapsearch as directory manager I see that the password hash for a given
user is {SSHA}inserthashedpasswordhere. But when I run tcpdump to see
what our radius is being served I see {PBKDF2_SHA256}someotherhash
around 50% of the time. Sometimes another request from radius a few
seconds after the first one gives the correct {SSHA} response.
This happened right after we updated from 389ds 1.2.2 to 1.4.4.
I am a bit stumped.
Thanks in advance,
Julian
1 year
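The mismatch described in the post above can be checked without exposing the hashes themselves. The following is an added example, not code from the post or from the 389-ds project: it reads LDIF text (handling folded lines and both the `userPassword:` and base64 `userPassword::` forms), reports only the storage-scheme prefix of each value, and flags anything that differs from the expected policy scheme. The DN, the capture labels and the sample LDIF are constructed; the two stored values are the placeholders quoted in the post.

```python
import base64
import re
from collections import defaultdict

# A stored password value starts with its scheme name in braces, e.g. {SSHA}...
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")


def unfold(ldif_text):
    """Join LDIF continuation lines (a line starting with one space continues the previous one)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def password_schemes(ldif_text):
    """Map each entry DN to the scheme names of its userPassword values (hashes are never returned)."""
    schemes = defaultdict(list)
    dn = None
    for line in unfold(ldif_text):
        if not line.strip():          # a blank line ends the current entry
            dn = None
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):      # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:                         # "attr: <plain value>"
            value = rest.strip()
        attr = name.lower()
        if attr == "dn":
            dn = value
        elif attr == "userpassword" and dn is not None:
            m = SCHEME_RE.match(value)
            schemes[dn].append(m.group(1).upper() if m else "NO-SCHEME-PREFIX")
    return dict(schemes)


def scheme_drift(observations, expected):
    """Return (source, dn, scheme) for every value whose scheme differs from the expected one."""
    drift = []
    for source, ldif_text in observations.items():
        for dn, found in password_schemes(ldif_text).items():
            for scheme in found:
                if scheme != expected.upper():
                    drift.append((source, dn, scheme))
    return drift


def _entry(dn, stored_value, width=40):
    """Build a constructed LDIF entry with a base64, folded userPassword line."""
    line = "userPassword:: " + base64.b64encode(stored_value.encode()).decode()
    folded = line[:width] + "".join(
        "\n " + line[i:i + width] for i in range(width, len(line), width)
    )
    return f"dn: {dn}\nuid: jdoe\n{folded}\n"


# Constructed sample: two captures of the same (hypothetical) entry.
JDOE_DN = "uid=jdoe,ou=people,dc=example,dc=com"
SAMPLE = {
    "capture-1": f"dn: {JDOE_DN}\nuserPassword: {{SSHA}}inserthashedpasswordhere\n",
    "capture-2": _entry(JDOE_DN, "{PBKDF2_SHA256}someotherhash"),
}

if __name__ == "__main__":
    for source, dn, scheme in scheme_drift(SAMPLE, "SSHA"):
        print(f"{source}: {dn} is stored as {scheme}, policy expects SSHA")
```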
Announcing 389 Directory Server 2.2.4
by Mark Reynolds
389 Directory Server 2.2.4
The 389 Directory Server team is proud to announce 389-ds-base version 2.2.4
Fedora packages are available on Fedora 37
https://koji.fedoraproject.org/koji/taskinfo?taskID=94297859
https://bodhi.fedoraproject.org/updates/FEDORA-2022-b75606c765 - Bodhi
The new packages and versions are:
* 389-ds-base-2.2.4-1
Source tarballs are available for download at Download
389-ds-base Source
<https://github.com/389ds/389-ds-base/archive/389-ds-base-2.2.4.tar.gz>
Highlights in 2.2.4
* Enhancements, and Bug fixes
Installation and Upgrade
See Download <https://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install the server use *dnf install 389-ds-base*
To install the Cockpit UI plugin use *dnf install cockpit-389-ds*
After rpm install completes, run *dscreate interactive*
For upgrades, simply install the package. There are no further
steps required.
There are no upgrade steps besides installing the new rpms
See Install_Guide
<https://www.port389.org/docs/389ds/howto/howto-install-389.html> for
more information about the initial installation and setup
See Source <https://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
GitHub project: https://github.com/389ds/389-ds-base
* Bump version to 2.2.4
* Issue 5532 - Make db compaction TOD day more robust.
* Issue 3729 - RFE Extend log of operations statistics in access
log (#5508)
* Issue 5529 - UI - Fix npm vulnerability in loader-utils
* Issue 3555 - UI - fix audit issue with npm loader-utils (#5514)
* Issue 5162 - Fix dsctl tls ca-certfiicate add-cert arg requirement
* Issue 5510 - remove twalk_r dependency to build on RHEL8 (#5516)
* Issue 5162 - RFE - CLI allow adding CA certificate bundles
* Issue 5440 - memberof is slow on update/fixup if there are several
‘groupattr’ (#5455)
* Issue 5512 - BUG - skip pwdPolicyChecker OC in migration (#5513)
* Issue 5429 - healthcheck - add checks for MemberOf group attrs
being indexed
* Issue 5502 - RFE - Add option to display entry attributes in audit log
* Issue 5495 - BUG - Minor fix to dds skip, inconsistent attrs caused
errors (#5501)
* Issue 5367 - RFE - store full DN in database record
* Issue 5495 - RFE - skip dds during migration. (#5496)
* Issue 5491 - UI - Add rework and finish jpegPhoto functionality (#5492)
* Issue 5368 - Retro Changelog trimming does not work (#5486)
* Issue 5487 - Fix various issues with logconv.pl
* Issue 5482 - lib389 - Can not enable replication with a mixed
case suffix
* Issue 5478 - Random crash in connection code during server
shutdown (#5479)
* Issue 3061 - RFE - Add password policy debug log level
* Issue 4324 - Revert recursive pthread mutex usage in factory.c
* Issue 5262 - high contention in find_entry_internal_dn on mixed
load (#5264)
* Issue 4324 - Revert recursive pthread mutex change (#5463)
* Issue 5465 - Fix dbscan linking (#5466)
* Issue 5271 - Serialization of pam_passthrough causing high
etimes (#5272)
* Issue 5453 - UI/CLI - Changing Root DN breaks UI
* Issue 5446 - Fix some covscan issues (#5451)
* Issue 4308 - checking if an entry is a referral is expensive
* Issue 5447 - UI - add NDN max cache size to UI
* Issue 5443 - UI - disable save button while saving
* Issue 5413 - Allow only one MemberOf fixup task at a time
* Issue 5158 - entryuuid fixup tasks fails in replicated topology (#5439)
* Issue 4592 - dscreate error with custom dir_path (#5434)
--
Directory Server Development Team
1 year
Announcing 389 Directory Server 2.0.17
by Mark Reynolds
389 Directory Server 2.0.17
The 389 Directory Server team is proud to announce 389-ds-base version
2.0.17
Fedora packages are available on Fedora 35
Fedora 35:
https://koji.fedoraproject.org/koji/taskinfo?taskID=94300237 - Koji
https://bodhi.fedoraproject.org/updates/FEDORA-2022-0c22c46d13 - Bodhi
The new packages and versions are:
* 389-ds-base-2.0.17-1
Source tarballs are available for download at Download
389-ds-base Source
<https://github.com/389ds/389-ds-base/archive/389-ds-base-2.0.17.tar.gz>
Highlights in 2.0.17
* Enhancements, Bugs and Security fixes
Installation and Upgrade
See Download <https://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install the server use *dnf install 389-ds-base*
To install the Cockpit UI plugin use *dnf install cockpit-389-ds*
After rpm install completes, run *dscreate interactive*
For upgrades, simply install the package. There are no further
steps required.
There are no upgrade steps besides installing the new rpms
See Install_Guide
<https://www.port389.org/docs/389ds/howto/howto-install-389.html> for
more information about the initial installation and setup
See Source <https://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
GitHub project: https://github.com/389ds/389-ds-base
* Bump version to 2.0.17
* Issue 5534 - Add copyright text to the repository files
* Issue 5532 - Make db compaction TOD day more robust.
* Issue 5529 - UI - Fix npm vulnerability in loader-utils
* Issue 3555 - UI - fix audit issue with npm loader-utils (#5514)
* Issue 5162 - Fix dsctl tls ca-certfiicate add-cert arg requirement
* Issue 5162 - RFE - CLI allow adding CA certificate bundles
* Issue 5440 - memberof is slow on update/fixup if there are several
‘groupattr’ (#5455)
* Issue 5512 - BUG - skip pwdPolicyChecker OC in migration (#5513)
* Issue 5429 - healthcheck - add checks for MemberOf group attrs
being indexed
* Issue 5502 - RFE - Add option to display entry attributes in audit log
* Issue 5495 - BUG - Minor fix to dds skip, inconsistent attrs caused
errors (#5501)
* Issue 5495 - RFE - skip dds during migration. (#5496)
* Issue 5491 - UI - Add rework and finish jpegPhoto functionality (#5492)
* Issue 5368 - Retro Changelog trimming does not work (#5486)
* Issue 5487 - Fix various issues with logconv.pl
* Issue 5482 - lib389 - Can not enable replication with a mixed
case suffix
* Issue 4776 - Fix entryuuid fixup task (#5483)
* Issue 5356 - Update Cargo.lock and bootstrap PBKDF2-SHA512 (#5480)
* Issue 3061 - RFE - Add password policy debug log level
* Issue 5462 - RFE - add missing default indexes (#5464)
* Issue 4324 - Revert recursive pthread mutex usage in factory.c
* Issue 5262 - high contention in find_entry_internal_dn on mixed
load (#5264)
* Issue 4324 - Revert recursive pthread mutex change (#5463)
* Issue 5305 - OpenLDAP version autodetection doesn’t work
* Issue 5032 - Fix OpenLDAP version check (#5091)
* Issue 5032 - OpenLDAP is not shipped with non-threaded version of
libldap (#5033) (#5456)
* Issue 5254 - dscreate create-template regression due to
5a3bdc336 (#5255)
* Issue 5271 - Serialization of pam_passthrough causing high
etimes (#5272)
* Issue 5453 - UI/CLI - Changing Root DN breaks UI
* Issue 5446 - Fix some covscan issues (#5451)
* Issue 5294 - Report Portal 5 is not processing an XML file with (#5358)
* Issue 4588 - Gost yescrypt may fail to build on some older versions
of glibc
* Issue 4308 - checking if an entry is a referral is expensive
* Issue 5447 - UI - add NDN max cache size to UI
* Issue 5443 - UI - disable save button while saving
* Issue 5077 - UI - Add retrocl exclude attribute functionality (#5078)
* Issue 5413 - Allow only one MemberOf fixup task at a time
* Issue 5158 - entryuuid fixup tasks fails in replicated topology (#5439)
* Issue 4592 - dscreate error with custom dir_path (#5434)
* Issue 5397 - Fix memory leak with the intent filter
* Issue 5356 - For RUST build update the default password storage scheme
* Issue 5423 - Fix missing ‘not’ in description
* Issue 5421 - CI - makes
replication/acceptance_test.py::test_modify_entry more robust (#5422)
* Issue 3903 - fix repl keep alive event interval
* Issue 5418 - Sync_repl may crash while managing invalid cookie (#5420)
* Issue 5415 - Hostname when set to localhost causing failures in
other tests
* Issue 5412 - lib389 - do not set backend name to lowercase
* Issue 3903 - keep alive update event starts too soon
* Issue 5397 - Fix various memory leaks
* Issue 5399 - UI - LDAP Editor is not updated when we switch
instances (#5400)
* Issue 3903 - Supplier should do periodic updates
* Issue 5392 - dscreate fails when using alternative ports in the
SELinux hi_reserved_port_t label range
* Issue 5386 - BUG - Update sudoers schema to correctly support
UTF-8 (#5387)
* Issue 5383 - UI - Various fixes and RFE’s for UI
* Issue 4656 - Remove problematic language from source code
* Issue 5380 - Separate cleanAllRUV code into new file
* Issue 5322 - optime & wtime on rejected connections is not properly set
* Issue 5375 - CI - disable TLS hostname checking
* Issue 5373 - dsidm user get_dn fails with search_ext() argument 1
must be str, not function
* Issue 5371 - Update npm and cargo packages
* Issue 3069 - Support ECDSA private keys for TLS (#5365)
--
Directory Server Development Team
1 year
Announcing 389 Directory Server 2.1.6
by Mark Reynolds
389 Directory Server 2.1.6
The 389 Directory Server team is proud to announce 389-ds-base version 2.1.6
Fedora packages are available on Fedora 36
https://koji.fedoraproject.org/koji/taskinfo?taskID=94299041
https://bodhi.fedoraproject.org/updates/FEDORA-2022-103c244fb8 - Bodhi
The new packages and versions are:
* 389-ds-base-2.1.6-1
Source tarballs are available for download at Download
389-ds-base Source
<https://github.com/389ds/389-ds-base/archive/389-ds-base-2.1.6.tar.gz>
Highlights in 2.1.6
* Bug fixes & enhancements
Installation and Upgrade
See Download <https://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install the server use *dnf install 389-ds-base*
To install the Cockpit UI plugin use *dnf install cockpit-389-ds*
After rpm install completes, run *dscreate interactive*
For upgrades, simply install the package. There are no further
steps required.
There are no upgrade steps besides installing the new rpms
See Install_Guide
<https://www.port389.org/docs/389ds/howto/howto-install-389.html> for
more information about the initial installation and setup
See Source <https://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
GitHub project: https://github.com/389ds/389-ds-base
* Bump version to 2.1.6
* Issue 5534 - Add copyright text to the repository files
* Issue 5532 - Make db compaction TOD day more robust.
* Issue 5529 - UI - Fix npm vulnerability in loader-utils
* Issue 3555 - UI - fix audit issue with npm loader-utils (#5514)
* Issue 5162 - Fix dsctl tls ca-certfiicate add-cert arg requirement
* Issue 5510 - remove twalk_r dependency to build on RHEL8 (#5516)
* Issue 5162 - RFE - CLI allow adding CA certificate bundles
* Issue 5440 - memberof is slow on update/fixup if there are several
‘groupattr’ (#5455)
* Issue 5512 - BUG - skip pwdPolicyChecker OC in migration (#5513)
* Issue 5429 - healthcheck - add checks for MemberOf group attrs
being indexed
* Issue 5502 - RFE - Add option to display entry attributes in audit log
* Issue 5495 - BUG - Minor fix to dds skip, inconsistent attrs caused
errors (#5501)
* Issue 5495 - RFE - skip dds during migration. (#5496)
* Issue 5491 - UI - Add rework and finish jpegPhoto functionality (#5492)
* Issue 5368 - Retro Changelog trimming does not work (#5486)
* Issue 5487 - Fix various issues with logconv.pl
* Issue 5482 - lib389 - Can not enable replication with a mixed
case suffix
* Issue 5356 - Update Cargo.lock and bootstrap PBKDF2-SHA512 (#5480)
* Issue 3061 - RFE - Add password policy debug log level
* Issue 5462 - RFE - add missing default indexes (#5464)
* Issue 5305 - OpenLDAP version autodetection doesn’t work
* Issue 4324 - Revert recursive pthread mutex usage in factory.c
* Issue 5262 - high contention in find_entry_internal_dn on mixed
load (#5264)
* Issue 4324 - Revert recursive pthread mutex change (#5463)
* Issue 5465 - Fix dbscan linking (#5466)
* Issue 5254 - dscreate create-template regression due to
5a3bdc336 (#5255)
* Issue 5271 - Serialization of pam_passthrough causing high
etimes (#5272)
* Issue 5453 - UI/CLI - Changing Root DN breaks UI
* Issue 5446 - Fix some covscan issues (#5451)
* Issue 5294 - Report Portal 5 is not processing an XML file with (#5358)
* Issue 4588 - Gost yescrypt may fail to build on some older versions
of glibc
* Issue 4308 - checking if an entry is a referral is expensive
* Issue 5447 - UI - add NDN max cache size to UI
* Issue 5443 - UI - disable save button while saving
* Issue 5413 - Allow only one MemberOf fixup task at a time
* Issue 5158 - entryuuid fixup tasks fails in replicated topology (#5439)
* Issue 4592 - dscreate error with custom dir_path (#5434)
* Issue 5397 - Fix memory leak with the intent filter
* Issue 5356 - For RUST build update the default password storage scheme
--
Directory Server Development Team
1 year
Announcing 389 Directory Server 2.3.1
by Mark Reynolds
389 Directory Server 2.3.1
The 389 Directory Server team is proud to announce 389-ds-base version 2.3.1
Fedora packages are available on Rawhide (f38)
Rawhide:
https://koji.fedoraproject.org/koji/taskinfo?taskID=94296874
The new packages and versions are:
* 389-ds-base-2.3.1-1
Source tarballs are available for download at Download
389-ds-base Source
<https://github.com/389ds/389-ds-base/archive/389-ds-base-2.3.1.tar.gz>
Highlights in 2.3.1
* Enhancements, and Bug fixes
Installation and Upgrade
See Download <https://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install the server use *dnf install 389-ds-base*
To install the Cockpit UI plugin use *dnf install cockpit-389-ds*
After rpm install completes, run *dscreate interactive*
For upgrades, simply install the package. There are no further
steps required.
There are no upgrade steps besides installing the new rpms
See Install_Guide
<https://www.port389.org/docs/389ds/howto/howto-install-389.html> for
more information about the initial installation and setup
See Source <https://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
GitHub project: https://github.com/389ds/389-ds-base
* Bump version to 2.3.1
* Issue 5532 - Make db compaction TOD day more robust.
* Issue 3729 - RFE Extend log of operations statistics in access
log (#5508)
* Issue 5529 - UI - Fix npm vulnerability in loader-utils
* Issue 5490 - tombstone in entryrdn index with lmdb but not with
bdb (#5498)
* Issue 5162 - Fix dsctl tls ca-certfiicate add-cert arg requirement
* Issue 5510 - remove twalk_r dependency to build on RHEL8 (#5516)
* Issue 5162 - RFE - CLI allow adding CA certificate bundles
* Issue 5440 - memberof is slow on update/fixup if there are several
‘groupattr’ (#5455)
* Issue 5512 - BUG - skip pwdPolicyChecker OC in migration (#5513)
* Issue 3555 - UI - fix audit issue with npm loader-utils (#5514)
* Issue 5505 - Fix compiler warning (#5506)
* Issue 5469 - Increase the default value of nsslapd-conntablesize (#5472)
* Issue 5408 - lmdb import is slow (#5481)
* Issue 5429 - healthcheck - add checks for MemberOf group attrs
being indexed
* Issue 5502 - RFE - Add option to display entry attributes in audit log
* Issue 5495 - BUG - Minor fix to dds skip, inconsistent attrs caused
errors (#5501)
* Issue 5367 - RFE - store full DN in database record
* Issue 5495 - RFE - skip dds during migration. (#5496)
* Issue 5491 - UI - Add rework and finish jpegPhoto functionality (#5492)
* Issue 5368 - Retro Changelog trimming does not work (#5486)
* Issue 5487 - Fix various issues with logconv.pl
* Issue 5476 - RFE - add memberUid read aci by default (#5477)
* Issue 5482 - lib389 - Can not enable replication with a mixed
case suffix
* Issue 5478 - Random crash in connection code during server
shutdown (#5479)
* Issue 3061 - RFE - Add password policy debug log level
* Issue 5302 - Release tarballs don’t contain cockpit webapp
* Issue 5262 - high contention in find_entry_internal_dn on mixed
load (#5264)
* Issue 4324 - Revert recursive pthread mutex change (#5463)
* Issue 5462 - RFE - add missing default indexes (#5464)
* Issue 5465 - Fix dbscan linking (#5466)
* Issue 5271 - Serialization of pam_passthrough causing high
etimes (#5272)
* Issue 5453 - UI/CLI - Changing Root DN breaks UI
* Issue 5446 - Fix some covscan issues (#5451)
* Issue 4308 - checking if an entry is a referral is expensive
* Issue 5447 - UI - add NDN max cache size to UI
* Issue 5443 - UI - disable save button while saving
* Issue 5413 - Allow only one MemberOf fixup task at a time
* Issue 4592 - dscreate error with custom dir_path (#5434)
* Issue 5158 - entryuuid fixup tasks fails in replicated topology (#5439)
--
Directory Server Development Team
1 year
Re: FileDescriptors exhausted
by Mark Reynolds
On 11/18/22 9:07 AM, Tobias Ernstberger wrote:
> We are using 1.3.8.4 - any remarks regarding this version?
This is a very old version. It might even be using the "nunc-stans"
connection handler which was removed in newer versions because of
stability issues. Check this setting under cn=config:
nsslapd-enable-nunc-stans
If it is set to "on", try setting it to "off", which requires a restart,
and see how the server behaves.
Note the 1.3.x series is no longer maintained. At least try and go to
1.3.10 if you must stay on 1.3.x, but you should seriously look into
389-ds-base-2.x series...
HTH,
Mark
>
> To avoid idle/stale connections we've set nsslapd-idletimeout and we see now a lower average number of open connections, so this is a first improvement.
> We also plan to look into nsslapd-ioblocktimeout.
>
>
> Kind regards
>
> Tobias Ernstberger
> IT-Architect Identity and Access Management
> IBM Security Expert Labs
> +49 151 15138929
> tobias.ernstberger(a)de.ibm.com
>
> IBM Security
>
> IBM Deutschland GmbH
> Chairman of the Supervisory Board: Sebastian Krause
> Management: Gregor Pillen (Chairman), Nicole Reimer, Gabriele Schwarenthorer, Christine Rupp, Frank Theisen
> Registered office: Ehningen / Court of registration: Amtsgericht Stuttgart, HRB 14562 / WEEE Reg. No. DE 99369940
> https://www.ibm.com/privacy/us/en/
>
> -----Original Message-----
> From: Mark Reynolds <mareynol(a)redhat.com>
> Sent: Saturday, 12 November 2022 22:29
> To: General discussion list for the 389 Directory server project. <389-users(a)lists.fedoraproject.org>; Tobias Ernstberger <tobias.ernstberger(a)de.ibm.com>
> Subject: [EXTERNAL] Re: [389-users] FileDescriptors exhausted
>
> What version of 389-ds-base are you using?
>
> In newer versions we automatically set the server FD limit to the maximum allowed per process. This can be seen in the errors log at server startup:
>
> For example:
>
> [09/Nov/2022:16:23:07.100244932 -0500] - INFO - main - Setting the maximum file descriptor limit to: 524288
>
> 389-ds also has no issues with handling 1000's of concurrent connections. So I suspect this is just a tuning issue, but let us know what version you are running so we can give you the proper tuning advice.
>
> Now if you have issues with idle/stale connections, or bad clients, then look into tuning nsslapd-ioblocktimeout (e.g. 10000 => 10 seconds), and maybe nsslapd-idletimeout.
>
> Mark
>
>
> On 11/11/22 9:25 AM, Tobias Ernstberger wrote:
>> Hello,
>>
>> we're observing the following error message:
>> "ERR - accept_and_configure - PR_Accept() failed, Netscape Portable Runtime error -5971 (Process open FD table is full.)"
>> Looks like the file descriptors are exhausted, probably mainly used by incoming TCP Connections (based on our investigation regarding open FDs).
>> We've set (and checked using the runtime information in
>> /proc/PID/limits) the ulimits and the nsslapd-maxdescriptors to many
>> thousands (while having about 1000 open connection regularly)
>>
>> We are investigating in multiple directions here, and have some questions - any input is appreciated:
>>
>> 1) We acknowledge that exhausted FDs prevent additional connections to be opened. But we also see, that existing connections are getting unusable, too. Is this a known behaviour? Can this be avoided?
>> 2) Is there any chance to limit the number of open connections (lower
>> than the max FDs)? (trying to achieve that existing connections still
>> work)
>> 3) What are best practice to prevent the ldap server from getting completely useless (until restart) if a client opens many connections?
>> 4) Any additional remarks to prevent this situation?
>>
>>
>> Kind regards
>>
>> Tobias Ernstberger
>> IBM Security
>>
>> IBM Deutschland GmbH
>> Chairman of the Supervisory Board: Sebastian Krause
>> Management: Gregor Pillen (Chairman), Nicole Reimer,
>> Gabriele Schwarenthorer, Christine Rupp, Frank Theisen
>> Registered office: Ehningen / Court of registration: Amtsgericht Stuttgart, HRB
>> 14562 / WEEE Reg. No. DE 99369940
>> https://www.ibm.com/privacy/us/en/
> --
> Directory Server Development Team
>
> _______________________________________________
> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fe...
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Directory Server Development Team
1 year
Re: FileDescriptors exhausted
by Mark Reynolds
What version of 389-ds-base are you using?
In newer versions we automatically set the server FD limit to the
maximum allowed per process. This can be seen in the errors log at
server startup:
For example:
[09/Nov/2022:16:23:07.100244932 -0500] - INFO - main - Setting the
maximum file descriptor limit to: 524288
389-ds also has no issues with handling 1000's of concurrent
connections. So I suspect this is just a tuning issue, but let us know
what version you are running so we can give you the proper tuning advice.
Now if you have issues with idle/stale connections, or bad clients, then
look into tuning nsslapd-ioblocktimeout (e.g. 10000 => 10 seconds), and
maybe nsslapd-idletimeout.
Mark
On 11/11/22 9:25 AM, Tobias Ernstberger wrote:
> Hello,
>
> we're observing the following error message:
> "ERR - accept_and_configure - PR_Accept() failed, Netscape Portable Runtime error -5971 (Process open FD table is full.)"
> Looks like the file descriptors are exhausted, probably mainly used by incoming TCP Connections (based on our investigation regarding open FDs).
> We've set (and checked using the runtime information in /proc/PID/limits) the ulimits and the nsslapd-maxdescriptors to many thousands (while having about 1000 open connection regularly)
>
> We are investigating in multiple directions here, and have some questions - any input is appreciated:
>
> 1) We acknowledge that exhausted FDs prevent additional connections to be opened. But we also see, that existing connections are getting unusable, too. Is this a known behaviour? Can this be avoided?
> 2) Is there any chance to limit the number of open connections (lower than the max FDs)? (trying to achieve that existing connections still work)
> 3) What are best practice to prevent the ldap server from getting completely useless (until restart) if a client opens many connections?
> 4) Any additional remarks to prevent this situation?
>
>
> Kind regards
>
> Tobias Ernstberger
> IBM Security
>
> IBM Deutschland GmbH
> Chairman of the Supervisory Board: Sebastian Krause
> Management: Gregor Pillen (Chairman), Nicole Reimer, Gabriele Schwarenthorer, Christine Rupp, Frank Theisen
> Registered office: Ehningen / Court of registration: Amtsgericht Stuttgart, HRB 14562 / WEEE Reg. No. DE 99369940
> https://www.ibm.com/privacy/us/en/
--
Directory Server Development Team
1 year
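The errors-log lines quoted in the "FileDescriptors exhausted" thread and in the compaction crash report share one layout, so a single pass can pull out the figures both discussions turn on. The following is an added example, not code from these posts or from the 389-ds project: it extracts the FD limit the server set at startup, groups `PR_Accept()` error -5971 failures by minute, and measures how long each compaction step ran. The compaction and FD-limit lines are copied from the posts; the timestamps on the `accept_and_configure` lines are constructed, since the post quotes that message without one.

```python
import re
from collections import Counter
from datetime import datetime

# Layout seen in the posts:
# [03/Aug/2022:16:06:38.552781605 +0200] - NOTICE - checkpoint_threadmain - message
LINE_RE = re.compile(
    r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\.(\d+) ([+-]\d{4})\]"
    r" - (\w+) - (\S+) - (.*)$"
)
FD_LIMIT_RE = re.compile(r"Setting the maximum file descriptor limit to: (\d+)")
COMPACT_START_RE = re.compile(r"Compacting DB start: (\S+)")
COMPACT_DONE_RE = re.compile(r"compactdb: compact (\S+) - (\d+) pages freed")
FD_FULL = "Netscape Portable Runtime error -5971"


def parse_line(line):
    """Return (timestamp, level, function, message), or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp, frac, tz, level, func, msg = m.groups()
    ts = datetime.strptime(f"{stamp} {tz}", "%d/%b/%Y:%H:%M:%S %z")
    # The log carries nanoseconds; datetime keeps the first six digits.
    ts = ts.replace(microsecond=int(frac[:6].ljust(6, "0")))
    return ts, level, func, msg


def triage(lines):
    """Collect FD limit, accept() failures and compaction timings from errors-log lines."""
    report = {"fd_limit": None, "accept_failures": [], "compactions": []}
    started = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _level, func, msg = parsed
        if (m := FD_LIMIT_RE.search(msg)):
            report["fd_limit"] = int(m.group(1))
        elif func == "accept_and_configure" and FD_FULL in msg:
            report["accept_failures"].append(ts)
        elif (m := COMPACT_START_RE.search(msg)):
            started[m.group(1)] = ts
        elif (m := COMPACT_DONE_RE.search(msg)) and m.group(1) in started:
            db = m.group(1)
            report["compactions"].append({
                "db": db,
                "pages_freed": int(m.group(2)),
                "seconds": (ts - started[db]).total_seconds(),
            })
    return report


def failures_per_minute(report):
    """Count FD-table-full accept() failures per minute to make bursts visible."""
    return dict(Counter(ts.strftime("%Y-%m-%d %H:%M") for ts in report["accept_failures"]))


def slowest_compaction(report):
    """Return the compaction step that took longest, or None if there was none."""
    return max(report["compactions"], key=lambda c: c["seconds"], default=None)


ACCEPT_MSG = ("ERR - accept_and_configure - PR_Accept() failed, Netscape Portable "
              "Runtime error -5971 (Process open FD table is full.)")
SAMPLE_LOG = [
    # Copied from the posts above.
    "[03/Aug/2022:16:06:38.552781605 +0200] - NOTICE - checkpoint_threadmain - Compacting DB start: userRoot",
    "[03/Aug/2022:16:06:38.752592692 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact userRoot - 8 pages freed",
    "[03/Aug/2022:16:06:44.172233009 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact userRoot - 888 pages freed",
    "[03/Aug/2022:16:06:44.179315345 +0200] - NOTICE - checkpoint_threadmain - Compacting DB start: changelog",
    "[03/Aug/2022:16:13:18.020881527 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact changelog - 458 pages freed",
    "dirsrv@auth-alpha.service: Main process exited, code=killed, status=11/SEGV",
    "[09/Nov/2022:16:23:07.100244932 -0500] - INFO - main - Setting the maximum file descriptor limit to: 524288",
    # Constructed timestamps; the message text is the one quoted in the thread.
    f"[11/Nov/2022:09:20:01.000000001 +0100] - {ACCEPT_MSG}",
    f"[11/Nov/2022:09:20:02.500000000 +0100] - {ACCEPT_MSG}",
    f"[11/Nov/2022:09:21:30.250000000 +0100] - {ACCEPT_MSG}",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("FD limit set at startup:", result["fd_limit"])
    print("accept() failures per minute:", failures_per_minute(result))
    print("slowest compaction step:", slowest_compaction(result))
```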