Fixing_max_open_files_for_open_and_indexies_DS389

CESNET · Nov 10, 2024 · 5607c5e · 5607c5e
1 parent e0b39a7
commit 5607c5e
Show file tree

Hide file tree

Showing 3 changed files with 149 additions and 89 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -39,4 +39,8 @@ perun_ldap_ds389_aci_content:
 perun_ldap_backup_hostel: no
 perun_ldap_daily_backup_hour: 20
 perun_ldap_daily_backup_minute: 45
+#set var for max open file limit for LS
+perun_ldap_max_open_files_limits: false
+
+
 
diff --git a/tasks/perun_ds389_config.yml b/tasks/perun_ds389_config.yml
@@ -1,6 +1,6 @@
 # # # # ################################  Custom schema application part #############
 
-- name: "assert variables"
+- name: "Assert variables"
   assert:
     that:
       - perun_ldap_schemas_perun_version is defined
@@ -123,7 +123,7 @@
       chdir: /tmp/schemas
   register: result
 
-- name: "read schema"
+- name: "Read schema"
   community.general.ldap_search:
     server_uri: "ldaps://{{ perun_ldap_ds389_server_name }}:636"
     bind_dn: "{{ perun_ldap_data_admin_dn }}"
@@ -187,50 +187,59 @@
           "{{ perun_ldap_ds389_aci_content }}"
      state: exact
 
-- name: "Check and add missing LDAP indexes"
-  shell: |
-    indexes="
-    cn eq
-    uid eq
-    member eq
-    memberUid eq
-    objectClass eq
-    uidNumber eq
-    gidNumber eq
-    perunVoId eq
-    eduPersonPrincipalNames eq
-    entryCSN eq
-    entryUUID eq
-    login eq
-    memberOfPerunVo eq
-    userCertificateSubject eq
-    entityID eq
-    assignedToResourceId eq
-    userIdentities eq
-    OIDCClientID eq
-    perunFacilityId eq
-    perunFacilityDn eq
-    perunUserId eq
-    perunGroupId eq
-    assignedGroupId eq
-    internalUserIdentifiers eq"
-  
-    echo "$indexes" | while read -r line; do
-      attrs=$(echo $line | cut -d' ' -f1)
-      types=$(echo $line | cut -d' ' -f2)
-      for attr in $(echo $attrs | tr ',' ' '); do
-        if ! dsconf {{ perun_ldap_ds389_instance_name }} backend index list userroot | grep  "cn=$attr"; then
-          dsconf {{ perun_ldap_ds389_instance_name }} backend index add --index-type $types --attr $attr userroot
-        fi
-      done
-    done
-  register: add_indexes_output
+- name: "Check if the indexies exist"
+  community.general.ldap_attrs:
+    dn: "cn={{ item }},cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config"
+    attributes:
+      objectClass:
+        - "top"
+        - "nsIndex"
+      cn: "{{ item }}"
+    state: present
+    bind_dn: "{{ perun_ldap_data_admin_dn }}"
+    bind_pw: "{{ perun_ldap_data_password }}"
+    server_uri: "ldaps://{{ perun_ldap_ds389_server_name }}:636"
+  loop:
+        - "cn"
+        - "uid"
+        - "member"
+        - "memberUid"
+        - "objectClass"
+        - "uidNumber"
+        - "gidNumber"
+        - "perunVoId"
+        - "eduPersonPrincipalNames"
+        - "entryCSN"
+        - "entryUUID"
+        - "login"
+        - "memberOfPerunVo"
+        - "userCertificateSubject"
+        - "entityID"
+        - "assignedToResourceId"
+        - "userIdentities"
+        - "OIDCClientID"
+        - "perunFacilityId"
+        - "perunFacilityDn"
+        - "perunUserId"
+        - "perunGroupId"
+        - "assignedGroupId"
+        - "internalUserIdentifiers"
+  ignore_errors: true
+  register: create_index_results
+
+- name: "If indexies missing, crate a index object"
+  ansible.builtin.command:
+    cmd: "dsconf {{ perun_ldap_ds389_instance_name }} backend index add --index-type eq --attr {{ item }} userroot"
+  loop: "{{ create_index_results.results | selectattr('failed', 'defined') | selectattr('failed', 'eq', true) | map(attribute='item') | list }}"
+  register: create_dsconf_index
+  when: create_index_results.failed
+  ignore_errors: true
 
 - name: "Reindex missing indexes"
-  when: add_indexes_output.changed
+  when: create_dsconf_index.changed
   shell: |
     dsconf {{ perun_ldap_ds389_instance_name }} backend index reindex userroot
-  
+
 - name: "Create a cron job for LDAP backup"
   cron:
        name: "Everyday do backup of the LDAP hostel branch"

diff --git a/tasks/perun_openldap_config.yml b/tasks/perun_openldap_config.yml
@@ -132,51 +132,98 @@
   when: ansible_facts.services['slapd'] is not defined
   service_facts:
 
-- name: "Add limits to /etc/security/limits.conf"
-  lineinfile:
-        path: /etc/security/limits.conf
-        state: present
-        line: "{{ item }}"
-  loop:
-    - 'openldap soft nofile 20480'
-    - 'openldap hard nofile 40960'
-  notify: Reload limits
-
-- name: "Add system limit to /etc/sysctl.conf"
-  lineinfile:
-        path: /etc/sysctl.conf
-        state: present
-        line: 'fs.file-max = 500000'
-  notify: Reload sysctl
-
-- name: "Create systemd override config directory if it does not exist"
-  file:
-        path: /etc/systemd/system/slapd.service.d
-        state: directory
-        mode: '0755'
-
-- name: "Add LimitNOFILE to /etc/systemd/system/slapd.service.d/override.conf"
-  blockinfile:
-        path: /etc/systemd/system/slapd.service.d/override.conf
-        create: yes
-        block: |
-          [Service]
-          LimitNOFILE=40960
-  notify: Reload systemd
-
-- name: "Check open file limit using ulimit"
-  command: bash -c 'ulimit -n'
-  register: ulimit_result
-  changed_when: false
-
-- name: "Check system open file limit using sysctl"
-  command: sysctl fs.file-max
-  register: sysctl_result
-  changed_when: false
-
-- name: "Display results of limit checks"
-  debug:
-        msg:
-          - "Current open file limit (ulimit -n): {{ ulimit_result.stdout }}"
-          - "System max open files limit (fs.file-max): {{ sysctl_result.stdout }}"
 
+- name: "set up limits for max open files for LS instance and display it"
+  block:
+    - name: "set soft open file limit for openldap user"
+      when: perun_ldap_max_open_files_limits
+      community.general.pam_limits:
+            domain: openldap
+            limit_type: soft
+            limit_item: nofile
+            value: "{{ perun_ldap_max_open_hard_files_user_ldap_value }}"
+      register: soft_limit
+
+    - name: "set hard open file limit for openldap user"
+      when: perun_ldap_max_open_files_limits
+      community.general.pam_limits:
+            domain: openldap
+            limit_type: hard
+            limit_item: nofile
+            value: "{{ perun_ldap_max_open_hard_files_user_ldap_value }}"
+      register: hard_limit
+
+    - name: "set system-wide open files limit"
+      when: perun_ldap_max_open_files_limits
+      ansible.posix.sysctl:
+            name: fs.file-max
+            value: "{{ perun_ldap_max_open_system_files_value }}"
+      register: fs_file_max
+
+    - name: "create systemd override config directory if it does not exist"
+      when: perun_ldap_max_open_files_limits
+      ansible.builtin.file:
+            path: /etc/systemd/system/slapd.service.d
+            state: directory
+            mode: '0755'
+
+    - name: "add LimitNOFILE to systemd override configuration for slapd"
+      when: parun_ldap_max_open_files_limits
+      blockinfile:
+            path: /etc/systemd/system/slapd.service.d/override.conf
+            create: yes
+            block: |
+              [Service]
+              LimitNOFILE="{{ perun_ldap_no_file_limit_value }}"
+      register: ldap_nofile_limit
+
+    - name: "reload systemd to apply override changes"
+      when: perun_ldap_max_open_files_limits and soft_limit.changed and hard_limit.changed and fs_file_max
+      ansible.builtin.systemd:
+            daemon_reload: true
+
+    - name: "restart slapd service to apply new limits"
+      when: ldap_nofile_limit.changed
+      ansible.builtin.service:
+            name: slapd
+            state: restarted
+
+    - name: "get soft open file limit for openldap"
+      ansible.builtin.command: "grep '^openldap.*soft.*nofile' /etc/security/limits.conf"
+      register: ulimit_soft_result
+      when: soft_limit.changed
+
+    - name: "get hard open file limit for openldap"
+      ansible.builtin.command: "grep '^openldap.*hard.*nofile' /etc/security/limits.conf"
+      register: ulimit_hard_result
+      when: hard_limit.changed
+
+    - name: "get system max open files limit"
+      ansible.builtin.command: "sysctl fs.file-max"
+      register: sysctl_result
+      when: fs_file_max.changed
+
+    - name: "get slapd LimitNOFILE setting"
+      ansible.builtin.command: "systemctl show -p LimitNOFILE slapd"
+      register: limitnofile_result
+      when: ldap_nofile_limit.changed
+
+    - name: "display configured soft open file limit for openldap"
+      when: soft_limit.changed
+      debug:
+        msg: "Configured soft open file limit for openldap: {{ ulimit_soft_result.stdout }}"
+
+    - name: "display configured hard open file limit for openldap"
+      when: hard_limit.changed
+      debug:
+        msg: "Configured hard open file limit for openldap: {{ ulimit_hard_result.stdout }}"
+
+    - name: "display system max open files limit (fs.file-max)"
+      when: fs_file_max.changed
+      debug:
+        msg: "System max open files limit (fs.file-max): {{ sysctl_result.stdout }}"
+
+    - name: "display slapd LimitNOFILE setting"
+      when: ldap_nofile_limit.changed
+      debug:
+        msg: "slapd LimitNOFILE setting: {{ limitnofile_result.stdout }}"