[Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][master] 13 commits: Bump version to 2.4.4

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Mon Apr 15 16:49:30 BST 2024 


Timo Aaltonen pushed to branch master at FreeIPA packaging / 389-ds-base


Commits:
5830b143 by James Chapman at 2023-11-15T14:01:23+00:00
Bump version to 2.4.4

- - - - -
fd4d4ba2 by progier389 at 2023-11-17T14:47:44+01:00
Issue 5984 - Crash when paged result search are abandoned (#5985)

* Issue 5984 - Crash when paged result search are abandoned

Problem:
  Fix #4551 has changed the lock that protects the paged result data
  within a connection. But the abandon operation attempts to free
  the paged search result with the connection lock.
  This leads to race condition and double free causing an heap
  corruption and a SIGSEGV.

  Solution:
   - Get a copy of the operation data that needs to be logged.
   - Unlock the connection mutex (to avoid deadlock risk)
   - Free the paged result while holding the paged result lock.

Issue: 5984

Reviewed by: @tbordaz (Thanks!)

(cherry picked from commit 06bd0862956672eb76276cab5c1dd906fe5a7eec)

- - - - -
1b89a337 by progier389 at 2023-11-21T12:01:19+01:00
Issue 5984 - Crash when paged result search are abandoned - fix2 (#5987)

Chasing several rabbits at the same time is a bad idea !
and I mixed branches and unwillingly pushed one commit for #5980 in #5984
just before the PR #5985 merge ! -:(
Hopefully it does not break anything but just logs some useless crap if instance fails to starts.
Anyway This commit reverts the change about __init.py
and also do a minor code cleanup (removed a trailing space) in abandon.c

Issue #5984

Reviewed by: @tbordaz Thanks !

(cherry picked from commit df7dd8320424f7ab616c9ad8086a6874ff8bf859)

- - - - -
cd7fc221 by Viktor Ashirov at 2023-12-11T16:16:12+01:00
Issue 5954 - Disable Transparent Huge Pages

Bug Description:
THP can have negative effects on DS performance when large caches are
used.

Fix Description:
* Add a new variable for `ns-slapd` THP_DISABLE.
  When THP_DISABLE is set to 1, THP is disabled for `ns-slapd` process
  via `prctl(2)`. With any other value, THP settings are untouched.

Before:
```
$ grep THP /proc/$(pidof ns-slapd)/status
THP_enabled:    1
```

After
```
$ grep THP /proc/$(pidof ns-slapd)/status
THP_enabled:    0
```

* Add a new healthcheck linter, that checks if THP is disabled system-wide
  or per instance. In case THP is enabled for both the system and the
  process, it prints recommendations how to disable THP.

Fixes: https://github.com/389ds/389-ds-base/issues/5954

Reviewed-by: @tbordaz, @Firstyear, @droideck (Thank you all!)

- - - - -
f9d09a90 by tbordaz at 2023-12-11T18:02:50+01:00
Issue 5944 - Reversion of the entry cache should be limited to BETXN plugin failures (#5994)

Bug description:
	During an update if an BETXN plugin fails the full TXN is aborted and
	the DB returns to the previous state. However potential internal
	updates, done by BETXN plugins, are also applied on the entry cache.
	Some entries in the entry cache are left in a state that does not
	reflect the DB state. To prevent this mismatch, upon BETXN failure,
	the fix https://pagure.io/389-ds-base/issue/50260 reverts some entries
	in the entry cache .

	The problem is that reversion is not limited to the cases of BETXN
	failures that was the initial goal. So a "regular" error like schema
	violation could trigger revert_cache

Fix description:
	The fix flags if the failure is due to BETXN failures and
	trigger revert_cache only in that case

relates: #5944

Reviewed by: Pierre Rogier (Thanks!)
- - - - -
75b026b4 by tbordaz at 2023-12-12T12:59:10+01:00
Issue 5939 - During an update, if the target entry is reverted in the entry cache, the server should not retry to lock it (#6007)

Bug description:
	During an update if an BETXN plugin fails the full TXN is aborted and the DB
	returns to the previous state.
	However potential internal updates, done by BETXN plugins, are also applied
	on the entry cache.
	Even if the TXN is aborted some entries in the entry cache are left in a state
	that does not reflect the DB state.
	The fix https://pagure.io/389-ds-base/issue/50260 "reverts" those
	entries, setting their state to INVALID.

	A problem is that reverted entries stay in the entry cache, until refcnt is 0.
	During that period, an update targeting that entry fails to retrieve the
	entry from the entry cache and fails to add it again as it already exist
	the entry.
	The update iterates 1000 times, trying to read the entry and to fetch it
	from DB.
	This is a pure waste as the reverted entry stays too long.

	The signature of this issue is a message in the error log: "Retry count exceeded"

Fix description:
	The fix consiste in the loops (fetch on DN or NSUNIQUEID) to test if the
        entry state is INVALID.
	In such case it aborts the loop and return a failure.

relates: #5939

Reviewed by: Pierre Rogier, Simon Pichugin (Thanks !!)
- - - - -
e8dd5836 by tbordaz at 2024-01-12T11:15:39+01:00
Issue 5989 - RFE support of inChain Matching Rule (#5990)

Bug description:
	Computation of membership (like 'memberof') is a common issue.
	The issue is more expensive to solve when there are nested membership.
	For example "gives me all the groups this entry belongs to" or "gives me
	all subordinates having this manager".
	Either the LDAP client computes the values or dedicated plugin (like 'memberof')
	maintains direct membership attribute for the LDAP client.
	InChain Matching Rule allow a LDAP client to request the server to compute this membership.

Fix description:
	The implementation is designed https://www.port389.org/docs/389ds/design/matching-rule-in-chain.html

	A specific fix in aclanom.c because inChain MR adds a acl DENY
        on 'cn=config'. There was a bug that cleared anonymous aci
        if the it existed a DENY acl anywhere (except a specific
        list of entries like 'cn=monitor'). It triggered a failure
	on chaining backend suite

relates: #5989

Reviewed by: William Brown, Mark Reynolds, Pierre Rogier, Simon Pichugin (Thanks !)
- - - - -
33c0e011 by James Chapman at 2024-01-12T12:39:55+00:00
Bump version to 2.4.5

- - - - -
e2c88b91 by Timo Aaltonen at 2024-02-11T16:30:12+02:00
control: Migrate to libldap-dev, and drop obsolete B/R/P.

- - - - -
d4257b0e by Timo Aaltonen at 2024-04-14T20:45:42+03:00
Merge tag '389-ds-base-2.4.4' into m

- - - - -
274f4f8d by Timo Aaltonen at 2024-04-14T20:46:11+03:00
Merge branch 'master' into m

- - - - -
02247c70 by Timo Aaltonen at 2024-04-15T18:45:30+03:00
version bump

- - - - -
be5e970c by Timo Aaltonen at 2024-04-15T18:48:44+03:00
releasing package 389-ds-base version 2.4.5+dfsg1-1

- - - - -


30 changed files:

- Makefile.am
- VERSION.sh
- debian/changelog
- debian/control
- dirsrvtests/tests/suites/betxns/betxn_test.py
- + dirsrvtests/tests/suites/filter/inchain_test.py
- + dirsrvtests/tests/suites/healthcheck/health_tunables_test.py
- dirsrvtests/tests/suites/healthcheck/healthcheck_test.py
- dirsrvtests/tests/suites/paged_results/paged_results_test.py
- ldap/ldif/template-dse-minimal.ldif.in
- ldap/ldif/template-dse.ldif.in
- ldap/servers/plugins/acl/aclanom.c
- + ldap/servers/plugins/syntaxes/inchain.c
- ldap/servers/slapd/abandon.c
- ldap/servers/slapd/back-ldbm/cache.c
- ldap/servers/slapd/back-ldbm/filterindex.c
- ldap/servers/slapd/back-ldbm/findentry.c
- ldap/servers/slapd/back-ldbm/index.c
- ldap/servers/slapd/back-ldbm/ldbm_add.c
- ldap/servers/slapd/back-ldbm/ldbm_delete.c
- ldap/servers/slapd/back-ldbm/ldbm_modify.c
- ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
- ldap/servers/slapd/back-ldbm/proto-back-ldbm.h
- ldap/servers/slapd/main.c
- ldap/servers/slapd/opshared.c
- ldap/servers/slapd/pagedresults.c
- ldap/servers/slapd/proto-slap.h
- ldap/servers/slapd/slap.h
- ldap/servers/slapd/slapi-memberof.c
- src/lib389/lib389/cli_ctl/health.py


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/1bbc74c4898db324eb4098cd52399e411a02e6a3...be5e970c4714a794cbf4bfbe04fc363d490b32b1

-- 
View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/1bbc74c4898db324eb4098cd52399e411a02e6a3...be5e970c4714a794cbf4bfbe04fc363d490b32b1
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20240415/a464aa91/attachment-0001.htm>

More information about the Pkg-freeipa-devel mailing list