Univention Bugzilla – Bug 40186
Improve reliability of sysvol-sync
Last modified: 2016-08-23 14:47:04 CEST
There has been at least one report of broken fACLs in sysvol. The primary suspect is sysvol-sync. There might be issues coming from concurrent reads from and writes to /var/lib/samba/sysvol.

There are at least three ideas on how to improve this:
a) Lock the sysvol while operating on it (e.g. man flock)
b) First check with "rsync -au --dry-run" if copying is required at all
c) Generate a consistent sysvol copy for the reading rsync processes
Regarding locking: We already create a local exclusive (write) lock in the sysvol-sync script. Using this lock file to coordinate locking remotely could possibly be done this way:

================================================
LOCKFILE="/var/lock/sysvol-sync"
SYSVOL_SYNCDIR='/var/cache/univention-samba4/sysvol-sync'
importdir="${SYSVOL_SYNCDIR}/.$remote_hostname"

chgrp 'DC Slave Hosts' /var/lock/sysvol-sync
chmod g+w /var/lock/sysvol-sync

## create local write lock (This step is already done in the current script)
(
flock -n 9 || exit 0

## add a trap to release the shared (read) lock created in the next step below
## (trap needs a signal spec; EXIT runs it when this subshell ends)
trap "ssh -S '~/.ssh/control-%r@%h:%p' -O exit '$hostname\$@$remote_hostname'" EXIT

## try to create remote shared (read) lock, background multiplex ssh and wait
{
  univention-ssh --no-split /etc/machine.secret \
    -M -S '~/.ssh/control-%r@%h:%p' \
    "$hostname\$@$remote_hostname" \
    "sh -c '(flock -s -n 8 || exit 1; echo GO; read WAIT;) 8>\"$LOCKFILE\"'" &
} | read GO

## rsync if multiplex master is established
## (no password file argument: plain rsync would copy /etc/machine.secret as a
## source; authentication is reused from the multiplex master connection)
if ssh -S '~/.ssh/control-%r@%h:%p' -O check "$hostname\$@$remote_hostname"; then
  rsync -aAX --delete \
    -e 'ssh -S "~/.ssh/control-%r@%h:%p"' \
    "$hostname\$@$remote_hostname:/var/lib/samba/sysvol" "$importdir"
fi

## release local write lock
) 9>"$LOCKFILE"
================================================

I'm just unsure about concurrency behaviour with this kind of locking. Maybe when attempting to acquire the read lock we should block until we get it.
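The lock behaviour the comment above asks about, as an added example that is not part of the original bug report or of the sysvol-sync script: it uses flock(1) to show how a shared (read) lock and an exclusive (write) lock on one file interact, and how a blocking reader waits for the writer instead of skipping. The lock files are constructed temp files and the function names are illustrative.

```shell
#!/bin/sh
# Added example: flock(1) semantics behind the sysvol-sync locking scheme.
# Lock files are constructed temp files, not /var/lock/sysvol-sync.

# Non-blocking attempt from a separate process: prints "granted" or "busy".
try_lock() {   # $1 = -s (shared/read) or -x (exclusive/write), $2 = lock file
    if flock "$1" -n "$2" true; then echo granted; else echo busy; fi
}

# A reader holds a shared lock on fd 8 (the remote side during rsync).
while_reader_active() {
    lf=$(mktemp) || return 1
    exec 8<"$lf"
    flock -s -n 8 || return 1
    echo "reader=$(try_lock -s "$lf") writer=$(try_lock -x "$lf")"
    exec 8<&-                      # closing the descriptor drops the lock
    echo "after_release=$(try_lock -x "$lf")"
    rm -f "$lf"
}

# A writer holds the exclusive lock on fd 9 (the local sysvol-sync run).
while_writer_active() {
    lf=$(mktemp) || return 1
    exec 9>"$lf"
    flock -x -n 9 || return 1
    echo "reader=$(try_lock -s "$lf") writer=$(try_lock -x "$lf")"
    exec 9>&-
    rm -f "$lf"
}

# Blocking reader (no -n): waits until the writer is done instead of skipping.
blocking_reader() {
    lf=$(mktemp) || return 1
    ( flock -x 9; echo locked; sleep 1; : >"$lf.done" ) 9>"$lf" | {
        read -r ready              # writer holds the lock from here on
        flock -s "$lf" sh -c 'test -e "$1.done" && echo waited || echo raced' sh "$lf"
    }
    rm -f "$lf" "$lf.done"
}

while_reader_active; while_writer_active; blocking_reader
```

Readers never block each other, so several hosts can pull from the same sysvol at once, while a writer excludes both readers and other writers.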
Unfortunately ssh multiplexing currently doesn't work with the univention-ssh wrapper, so the code above needed a bit of modification.

The sysvol-sync script has been adjusted to
> a) Lock the sysvol while operating on it (e.g. man flock)
> b) First check with "rsync -au --dry-run" if copying is required at all

Advisory: univention-samba4.yaml
OK - check if there are changes before the sync
OK - exclusive lock while writing into local sysvol
OK - remote read lock while reading remote sysvol
OK - remote lock gets removed on destination if source becomes unavailable
OK - sshd/config/ClientAliveInterval (60s, sshd reload)
OK - univention-samba4.yaml
<http://errata.software-univention.de/ucs/4.1/40.html>