Bug 48970 - translog erratum resets LDAP indices to default
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-3-errata
Assigned To: Philipp Hahn
QA Contact: Jürn Brodersen
Depends on:
Blocks: 48971
Reported: 2019-03-12 14:56 CET by Sönke Schwardt-Krummrich
Modified: 2019-03-13 14:41 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.571
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019031221000246
Bug group (optional):
Max CVSS v3 score:


Description Sönke Schwardt-Krummrich univentionstaff 2019-03-12 14:56:46 CET
The last update of univention-ldap introduced an ugly problem:

The UCR variables for LDAP indices are reset to defaults. All custom indices for UCS@school, customer packages etc. are removed.

univention-ldap-server.postinst contains the following code:
---[cut]---
if [ "$server_role" = "domaincontroller_master" ] || [ "$server_role" = "domaincontroller_backup" ]; then
	JOIN_FORCE="$([ "$1" = configure ] && dpkg --compare-versions "$2" lt-nl 14.0.2-37 && echo 1)" \
	/usr/lib/univention-install/01univention-ldap-server-init.inst || true
	/usr/lib/univention-install/10univention-ldap-server.inst || true
	[ "$1" = configure ] && dpkg --compare-versions "$2" lt-nl 11.0.12-5 && upgrade_license || :
fi
---[cut]---

And 01univention-ldap-server-init.inst contains the command
"/usr/share/univention-ldap/ldap_setup_index --force-defaults"

So, if a domaincontroller is updated from a version without translog to a version with translog, the joinscript is forced to be executed again via JOIN_FORCE="1".
The joinscript then calls "ldap_setup_index --force-defaults" and thereby resets the UCR variables back to defaults.



First idea for recovery:
parse config-registry.replog{,*.gz} and set the old values
Comment 1 Philipp Hahn univentionstaff 2019-03-12 15:24:57 CET
[4.3-3] c3e70c3330 Bug #48970 ldap: Fix regression in translog setup
 management/univention-ldap/debian/changelog                       | 6 ++++++
 management/univention-ldap/debian/univention-ldap-server.postinst | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

Package: univention-ldap
Version: 14.0.2-46A~4.3.0.201903121509
Branch: ucs_4.3-0
Scope: errata4.3-3

(In reply to Sönke Schwardt-Krummrich from comment #0)
> First idea for recovery:
> parse config-registry.replog{,*.gz} and set the old values

Yes, use the values from:
 find /var/log/univention/config-registry.replog.* -type f \( -name \*.gz -exec zcat {} \; -o -not -name \*.gz -exec cat {} \; \) | grep ldap/index/ | sort -n | grep --color old:
Comment 2 Christian Völker univentionstaff 2019-03-12 15:59:16 CET
The suggested "find" command does not seem to be perfect.
At least on a test system it does not print any changes, but syslog shows a couple of warnings regarding indexing:
==================================================
Feb 13 16:19:22 master slapd[1405]: <= mdb_equality_candidates: (univentionComputerPortal) not indexed
Feb 14 10:29:56 master slapd[1524]: <= mdb_equality_candidates: (univentionNagiosParent) not indexed
Feb 14 12:04:22 master slapd[1524]: <= mdb_equality_candidates: (name) not indexed
Feb 14 14:06:43 master slapd[630]: <= mdb_equality_candidates: (univentionShareHost) not indexed
==================================================


Meanwhile, the find command (and my manual search, too) did not show any changes in replog.
Comment 3 Philipp Hahn univentionstaff 2019-03-12 16:33:27 CET
[4.3-3] 3b98b0e622 Bug #48970: Recover U@s LDAP attributes to index
 management/univention-ldap/debian/changelog        |  6 ++++++
 .../debian/univention-ldap-server.postinst         | 25 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

Package: univention-ldap
Version: 14.0.2-47A~4.3.0.201903121624
Branch: ucs_4.3-0
Scope: errata4.3-3

[4.3-3] 29a7bb6407 Bug #48970: univention-ldap 14.0.2-47A~4.3.0.201903121624
 doc/errata/staging/univention-ldap.yaml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
Comment 4 Jürn Brodersen univentionstaff 2019-03-12 18:03:59 CET
Small fix for the version detection:
[4.3-3 d878c62426] Bug #48970: fix U@s version detection

The version was otherwise an empty string on singlemaster systems
Comment 5 Arvid Requate univentionstaff 2019-03-12 19:13:06 CET
Regarding Comment 2:

A quick search through our code didn't show up any locations where we dynamically add an index for univentionComputerPortal, univentionNagiosParent, name or univentionShareHost. The "ldap_setup_index" script only has "name" in the RECOMMENDED_LDAP_INDEX for 'pres' and 'sub'. Maybe we could extend the list, let's discuss the specific scenario via email (can't access the ticket right now due to <reasons>).


But grepping for "ldap_setup_index" shows two attributes that we index, that might have been lost: univentionAppID univentionUDMPropertyCopyable
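
The recovery idea from the description and comment 1, cross-checked against slapd warnings of the kind quoted in comment 2, as an added example (not code from the bug report or from univention-ldap). The replog line layout, the treatment of bracketed placeholders as "unset", and all sample lines are assumptions constructed for illustration; the page only confirms that replog lines contain "ldap/index/" and "old:".

```python
import re

# Assumed replog layout: "<timestamp>: set <var>=<new> old:<old>".
# The page only confirms that lines contain "ldap/index/" and "old:".
REPLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): set "
    r"(?P<var>ldap/index/(?:eq|pres|sub|approx))=(?P<new>.*?) old:(?P<old>.*)$")
# slapd warning in the form quoted in comment 2.
SLAPD_RE = re.compile(r"mdb_\w+_candidates: \((?P<attr>[^)]+)\) not indexed")

def attrs(value):
    """Split a comma-separated index value; bracketed placeholders (assumed) are empty."""
    return {a for a in value.strip().strip("'\"").split(",")
            if a and not a.startswith("[")}

def dropped_indices(replog_lines):
    """Per variable: attributes indexed at some point but absent from the latest value."""
    seen, current = {}, {}
    matches = filter(None, (REPLOG_RE.match(l.strip()) for l in replog_lines))
    for m in sorted(matches, key=lambda m: m["ts"]):  # stable, chronological
        old, new = attrs(m["old"]), attrs(m["new"])
        seen.setdefault(m["var"], set()).update(old | new)
        current[m["var"]] = new
    return {v: seen[v] - current[v] for v in seen if seen[v] - current[v]}

def unindexed_queries(syslog_lines):
    """Attributes slapd reports as searched without an index."""
    found = (SLAPD_RE.search(l) for l in syslog_lines)
    return {m["attr"] for m in found if m}

def report(replog_lines, syslog_lines):
    """Per variable: (dropped attributes, dropped attributes slapd already warns about)."""
    queried = unindexed_queries(syslog_lines)
    return {v: (lost, lost & queried)
            for v, lost in dropped_indices(replog_lines).items()}

# Constructed sample input, not taken from a real system.
REPLOG = [
    "2019-03-12 10:15:00: set ldap/index/eq=uid,cn old:uid,cn,univentionAppID",
    "2019-01-10 09:00:00: set ldap/index/eq=uid,cn,univentionAppID old:uid,cn",
    "2019-03-12 10:15:00: set ldap/index/sub=cn,name old:cn,name",
]
SYSLOG = [
    "Mar 12 11:00:01 master slapd[1405]: <= mdb_equality_candidates: (univentionAppID) not indexed",
    "Mar 12 11:00:05 master slapd[1405]: <= mdb_equality_candidates: (name) not indexed",
]

if __name__ == "__main__":
    for var, (lost, warned) in report(REPLOG, SYSLOG).items():
        print(var, "dropped:", sorted(lost), "already warned:", sorted(warned))
```

An attribute that slapd warns about but that never appears in the replog history (such as "name" in the sample) was not lost by the reset, which matches the observation in comment 2.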
Comment 6 Jürn Brodersen univentionstaff 2019-03-12 23:58:09 CET
If you are fine with these changes just set it to resolved again:
[4.3-3 d878c62426] Bug #48970: fix U@s version detection

[4.3-3 ef4b08ddf9] Bug #48970: yaml
I tried to make it a bit more clear that systems that never updated to e426 are not affected and that this only affected the indices.

otherwise it looks good

What I tested:
Singleschool indices are repaired -> OK
Multischool indices are repaired -> OK
Non school systems don't get school indices added -> OK
Indices are not reset to the default any more if update e426 was not installed prior to upgrade -> OK
Comment 7 Philipp Hahn univentionstaff 2019-03-13 08:57:38 CET
(In reply to Jürn Brodersen from comment #6)
> If you are fine with these changes just set it to resolved again:
> [4.3-3 d878c62426] Bug #48970: fix U@s version detection

Thanks.
I cannot comment on the change to the list of U@S packages.

> [4.3-3 ef4b08ddf9] Bug #48970: yaml
> I tried to make it a bit more clear that systems that never updated to e426
> are not affected and that this only affected the indices.

Thanks.
Comment 8 Jürn Brodersen univentionstaff 2019-03-13 10:16:56 CET
(In reply to Philipp Hahn from comment #7)
> (In reply to Jürn Brodersen from comment #6)
> > If you are fine with these changes just set it to resolved again:
> > [4.3-3 d878c62426] Bug #48970: fix U@s version detection
> 
> Thanks.
> I cannot comment on the change to the list of U@S packages.

That didn't break anything, but the slave packages should never be installed on master or backups anyway.

-> Verified
Comment 9 Arvid Requate univentionstaff 2019-03-13 14:22:17 CET
<http://errata.software-univention.de/ucs/4.3/456.html>
Comment 10 Florian Best univentionstaff 2019-03-13 14:41:18 CET
*** Bug 48835 has been marked as a duplicate of this bug. ***