Bug #17998
closed
LDAP index inconsistency on update cause error with allowed networks
Added by François ARMAND over 4 years ago.
Updated almost 4 years ago.
Category:
System integration
Description
After some Rudder upgrade to 6.1, allowed networks are not available anymore with the following error:
An error occured when trying to get the list of existing allowed networks
Error message was: Error when saving new allowed networks for policy server ${policyServerId.value}
Workaround
You can redo the LDAP index (which should have been done during upgrade) on the Rudder root server:
$ systemctl stop rudder-slapd
$ su - rudder-slapd -s /bin/sh -c "/opt/rudder/sbin/slapindex"
$ systemctl start rudder-slapd
- Related to Bug #17967: Missing interpolator in error message for allowed networks added
- Description updated (diff)
- Description updated (diff)
- Target version changed from 6.1.2 to 6.1.3
- Target version changed from 6.1.3 to 6.1.4
On Debian, it most probably happens when, during the upgrade, the slapd.conf file is replaced by the packaging file by the user (option -y, or y at all questions).
The file is replaced, has the index lines, and so the migration script doesn't see any change.
We could detect that when update_credentials needs to update the credentials - in this case we can force the reindex when upgrading to 6.1 from 6.0, but I'm not sure we can detect from which version we upgrade.
An idea would be to check the file before upgrade, /opt/rudder/etc/openldap/slapd.conf.dpkg-old (on Debian), to see if the indexes were there, and if not, reindex (but only if the file is not too old).
Also, when credentials are changed in update_credentials, we need to restart at least slapd, as the password used to start it is invalid.
PostgreSQL checks are also invalid:
INFO: Checking PostgreSQL service status............ FAILED
because PGPASSWORD is exported with the default password.
We can get the last modification date with
stat -c '%Y' /opt/rudder/etc/openldap/slapd.conf.dpkg-old
and then compare to the current time. If < 1 hour, then compare content and reindex if necessary.
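The check proposed in the comments above (backup file modified less than an hour ago, then compare index lines), written out as an added example. It is not part of the original thread and is not Rudder's packaging code or the linked pull request. The function names `index_lines` and `needs_reindex`, the textual comparison of `index` directives, and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Rudder's packaging code. Decides whether slapindex should
# be re-run by comparing "index" directives in the live slapd.conf against the
# pre-upgrade backup (slapd.conf.dpkg-old on Debian).

# Print the normalised, sorted, unique "index" directives of a config file.
index_lines() {
    grep -E '^[[:space:]]*index[[:space:]]' "$1" 2>/dev/null \
        | sed -E 's/^[[:space:]]+//; s/[[:space:]]+/ /g; s/ $//' \
        | LC_ALL=C sort -u
}

# needs_reindex NEW OLD [MAX_AGE_SECONDS] [NOW_EPOCH]
# Returns 0 (reindex) when OLD exists, was modified less than MAX_AGE ago, and
# NEW declares at least one index that OLD did not. Returns 1 otherwise.
needs_reindex() {
    new=$1 old=$2 max_age=${3:-3600} now=${4:-$(date +%s)}
    [ -f "$new" ] && [ -f "$old" ] || return 1
    mtime=$(stat -c '%Y' "$old") || return 1
    age=$((now - mtime))
    # A backup older than MAX_AGE belongs to an earlier upgrade: ignore it.
    [ "$age" -ge 0 ] && [ "$age" -lt "$max_age" ] || return 1
    tmp_new=$(mktemp) tmp_old=$(mktemp)
    index_lines "$new" > "$tmp_new"
    index_lines "$old" > "$tmp_old"
    # comm -23 keeps lines only in NEW: indexes slapd now expects but that
    # were never built against the existing database.
    missing=$(LC_ALL=C comm -23 "$tmp_new" "$tmp_old")
    rm -f "$tmp_new" "$tmp_old"
    [ -n "$missing" ]
}

# Demo on constructed files (not real Rudder configs); it only prints the
# decision and never touches slapd.
demo() {
    d=$(mktemp -d)
    printf '# constructed\nindex objectClass eq\nindex uid eq\n' > "$d/slapd.conf"
    printf '# constructed\nindex objectClass eq\n' > "$d/slapd.conf.dpkg-old"
    if needs_reindex "$d/slapd.conf" "$d/slapd.conf.dpkg-old"; then
        echo "reindex needed: stop rudder-slapd, run slapindex, start rudder-slapd"
    else
        echo "no reindex needed"
    fi
    rm -rf "$d"
}
demo
```

The optional fourth argument lets the age check be exercised with a fixed timestamp instead of the current time.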
- Status changed from New to In progress
- Assignee set to Nicolas CHARLES
- Status changed from In progress to Pending technical review
- Assignee changed from Nicolas CHARLES to Benoît PECCATTE
- Pull Request set to https://github.com/Normation/rudder-packages/pull/2361
- Status changed from Pending technical review to Pending release
- Fix check changed from To do to Error - Blocking
This is still happening on migration from 6.0.8 to 6.1.4 on Debian 9.
- Fix check changed from Error - Blocking to Error - Fixed
- Status changed from Pending release to Released
This bug has been fixed in Rudder 6.1.4 which was released today.
So, the problem in 6.2 seems to be due to changes related to openldap:
- removing indexes on modifyTimestamp helps a lot, on software helps a bit
But even with that, we have a 10x performance loss.
But if we took a web app 6.2 and put it on a 6.1 openldap/vm, it is fast. So something changed with openldap configuration or binaries.