From 9b5d33d513906bf5e2134d182347fe14ea79dfa2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Mon, 31 Aug 2020 14:11:00 +0200
Subject: [PATCH] 389-DS BDB: switch deadlock behavior to DB_LOCK_MINWRITE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Some IPA updates are expensive in term of processing and #page hit.
The likelihood to generate a DS Berkeley DB database deadlock can be high
for some common operations.

When a deadlock is detected one deadlocking thread needs to be
rejected to let the other(s) complete.
DB_LOCK_YOUNGEST (9) is the DS default: it  means the most recent operation
fails in favor to the oldest one.
DB_LOCK_MINWRITE (6) means the reader(s) are rejected in favor
of the writers even if the reader(s) are older.

Switch the default for FreeIPA to DB_LOCK_MINWRITE for new installs and
also existing installs at update time.
This depends on the backend redesign (https://pagure.io/389-ds-base/issue/49476)
and therefore is valid on 389-DS 1.4.2.3 and higher.

Explanation provided by Thierry Bordaz.

Fixes: https://pagure.io/freeipa/issue/8479
Signed-off-by: François Cami <fcami@redhat.com>
---
 freeipa.spec.in                               |  6 +++++
 .../10-nsslapd-db-deadlock-policy.update      | 22 +++++++++++++++++++
 install/updates/Makefile.am                   |  1 +
 3 files changed, 29 insertions(+)
 create mode 100644 install/updates/10-nsslapd-db-deadlock-policy.update

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 0e7a51f445..dee67ef58e 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -104,6 +104,12 @@
 %global ds_version 1.4.0.21
 %endif
 
+# Configuring nsslapd-db-deadlock-policy to DB_LOCK_MINWRITE
+# requires 389-DS 1.4.2.3 and higher.
+%if 0%{?fedora} >= 31
+%global ds_version 1.4.2.3
+%endif
+
 # Fix for TLS 1.3 PHA, RHBZ#1775146
 %if 0%{?fedora} >= 31
 %global httpd_version 2.4.41-9
diff --git a/install/updates/10-nsslapd-db-deadlock-policy.update b/install/updates/10-nsslapd-db-deadlock-policy.update
new file mode 100644
index 0000000000..0f621b7849
--- /dev/null
+++ b/install/updates/10-nsslapd-db-deadlock-policy.update
@@ -0,0 +1,22 @@
+# Configure 389-DS BDB backend to use DB_LOCK_MINWRITE.
+# 
+# Some IPA updates are expensive in term of processing and #page hit.
+# The likelihood to generate a DS Berkeley DB database deadlock can be high
+# for some common operations.
+#
+# When a deadlock is detected one deadlocking thread needs to be
+# rejected to let the other(s) complete.
+# DB_LOCK_YOUNGEST (9) is the DS default: it  means the most recent operation
+# fails in favor to the oldest one.
+# DB_LOCK_MINWRITE (6) means the reader(s) are rejected in favor
+# of the writers even if the reader(s) are older.
+# 
+# Switch the default for FreeIPA to DB_LOCK_MINWRITE.
+# This depends on the backend redesign (https://pagure.io/389-ds-base/issue/49476)
+# and therefore is valid on 389-DS 1.4.2.3 and higher.
+# 
+# BDB header:
+# https://github.com/berkeleydb/libdb/blob/5b7b02ae052442626af54c176335b67ecc613a30/src/dbinc/db.in#L287
+# 
+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
+replace: nsslapd-db-deadlock-policy:9::6
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 8a4d9cc6cf..e1c5559ac7 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -6,6 +6,7 @@ app_DATA =				\
 	10-config.update		\
 	10-enable-betxn.update		\
 	10-ipapwd.update		\
+	10-nsslapd-db-deadlock-policy.update \
 	10-selinuxusermap.update	\
 	10-rootdse.update		\
 	10-uniqueness.update		\
