Bug #17998
closed
LDAP index inconsistency on update cause error with allowed networks
Description
After some Rudder upgrade to 6.1, allowed networks are not available anymore with the following error:
An error occured when trying to get the list of existing allowed networks Error message was: Error when saving new allowed networks for policy server ${policyServerId.value}
Workaround
You can redo LDAP index (which should have been done during upgrade) on the rudder root server:
$ systemctl stop rudder-slapd
$ su - rudder-slapd -s /bin/sh -c "/opt/rudder/sbin/slapindex"
$ systemctl start rudder-slapd
Updated by François ARMAND over 4 years ago
- Related to Bug #17967: Missing interpolator in error message for allowed networks added
Updated by Vincent MEMBRÉ over 4 years ago
- Target version changed from 6.1.2 to 6.1.3
Updated by François ARMAND over 4 years ago
- Target version changed from 6.1.3 to 6.1.4
Updated by Nicolas CHARLES over 4 years ago
On Debian, it most probably happens when, during the upgrade, the slapd.conf file is replaced by the packaging file by the user (option -y, or y at all questions).
The file is replaced, has the index lines, and so the migration script doesn't see any change.
Updated by Nicolas CHARLES over 4 years ago
We could detect that when update_credentials needs to update the credential - in this case we can force the reindex when upgrading to 6.1 from 6.0, but I'm not sure we can detect from which version we upgrade.
An idea would be to check the file before upgrade /opt/rudder/etc/openldap/slapd.conf.dpkg-old (on Debian) to see if the indexes were there, and if not, reindex (but only if the file is not too old).
Also, when credentials are changed in update_credentials, we need to restart at least slapd, as the password used to start it is invalid.
PostgreSQL checks are also invalid:
INFO: Checking PostgreSQL service status............ FAILED
because PGPASSWORD is exported with default password
Updated by Nicolas CHARLES about 4 years ago
We can get the last modification date with
stat -c '%Y' /opt/rudder/etc/openldap/slapd.conf.dpkg-old
and then compare to current time. If < 1 hour, then compare content and reindex if necessary
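One way to implement the check proposed in the comments above (look at slapd.conf.dpkg-old, ignore it when it is older than an hour, compare the index directives with the current file), as an added example that is not the code from the linked pull request. The function names, their arguments and the 3600-second default are assumptions.

```shell
#!/bin/sh
# Added example, not Rudder's packaging code. Function names, arguments and
# the default age limit are assumptions made for illustration.

# Print the normalized, sorted "index" directives of a slapd.conf-style file.
index_lines() {
    grep -E '^[[:space:]]*index[[:space:]]' "$1" 2>/dev/null \
        | sed -E 's/[[:space:]]+/ /g; s/^ //; s/ $//' \
        | sort -u
}

# needs_reindex OLD_CONF NEW_CONF [MAX_AGE_SECONDS]
# Returns 0 when slapindex should be run, 1 otherwise.
needs_reindex() {
    old_conf=$1
    new_conf=$2
    max_age=${3:-3600}

    # No backup left by dpkg means the configuration file was not replaced.
    [ -f "$old_conf" ] || return 1
    [ -f "$new_conf" ] || return 1

    # Ignore a backup left over from an earlier, unrelated upgrade.
    mtime=$(stat -c '%Y' "$old_conf") || return 1
    now=$(date +%s)
    age=$((now - mtime))
    [ "$age" -ge 0 ] && [ "$age" -lt "$max_age" ] || return 1

    # Whitespace-only differences are ignored; only a change in the set of
    # index directives makes the on-disk indexes inconsistent.
    [ "$(index_lines "$old_conf")" != "$(index_lines "$new_conf")" ]
}

# Typical call from an upgrade script, with the paths named in this ticket:
#   conf=/opt/rudder/etc/openldap/slapd.conf
#   if needs_reindex "$conf.dpkg-old" "$conf"; then
#       systemctl stop rudder-slapd
#       su - rudder-slapd -s /bin/sh -c "/opt/rudder/sbin/slapindex"
#       systemctl start rudder-slapd
#   fi
```
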
Updated by Nicolas CHARLES about 4 years ago
- Status changed from New to In progress
- Assignee set to Nicolas CHARLES
Updated by Nicolas CHARLES about 4 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Nicolas CHARLES to Benoît PECCATTE
- Pull Request set to https://github.com/Normation/rudder-packages/pull/2361
Updated by Nicolas CHARLES about 4 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder-packages|e6c7b416026a8135af07080ee38b298d60a1091c.
Updated by François ARMAND about 4 years ago
- Fix check changed from To do to Error - Blocking
This is still happening on migration from 6.0.8 to 6.1.4 on debian 9
Updated by Vincent MEMBRÉ about 4 years ago
- Fix check changed from Error - Blocking to Error - Fixed
Updated by Vincent MEMBRÉ about 4 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 6.1.4 which was released today.
Updated by François ARMAND almost 4 years ago
- Related to Enhancement #18817: Monitor unreference software size added
Updated by François ARMAND almost 4 years ago
So, the problem in 6.2 seems to be due to changes related to openldap:
- removing indexes on modifyTimestamp helps a lot, on software helps a bit
But even with that, we have a 10x performance loss.
But if we took a web app 6.2 and put it on a 6.1 openldap/vm, it is fast. So something changed with openldap configuration or binaries.