From c79fef75e37b156377c017f38d6ae449a64af285 Mon Sep 17 00:00:00 2001 From: Matej Jostak Date: Sun, 10 Nov 2024 11:47:31 +0100 Subject: [PATCH 1/4] Fixing_max_open_files_for_open_and_indexies_DS389 --- defaults/main.yml | 4 + tasks/perun_ds389_config.yml | 93 +++++++++++---------- tasks/perun_openldap_config.yml | 142 +++++++++++++++++++++----------- 3 files changed, 150 insertions(+), 89 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ce6005b..24c3428 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -39,4 +39,8 @@ perun_ldap_ds389_aci_content: perun_ldap_backup_hostel: no perun_ldap_daily_backup_hour: 20 perun_ldap_daily_backup_minute: 45 +#set var for max open file limit for LS +perun_ldap_max_open_files_limits: false + + diff --git a/tasks/perun_ds389_config.yml b/tasks/perun_ds389_config.yml index 0a86bd4..96c91c6 100644 --- a/tasks/perun_ds389_config.yml +++ b/tasks/perun_ds389_config.yml @@ -1,6 +1,6 @@ # # # # ################################ Custom schema application part ############# -- name: "assert variables" +- name: "Assert variables" assert: that: - perun_ldap_schemas_perun_version is defined @@ -123,7 +123,7 @@ chdir: /tmp/schemas register: result -- name: "read schema" +- name: "Read schema" community.general.ldap_search: server_uri: "ldaps://{{ perun_ldap_ds389_server_name }}:636" bind_dn: "{{ perun_ldap_data_admin_dn }}" 
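Review bot: The new flag defaults to `false` while this same patch deletes the unconditional limits tasks from tasks/perun_openldap_config.yml, so a host that never sets `perun_ldap_max_open_files_limits` now has its nofile limits left unmanaged by the role; if that is intended it should be stated next to the variable, e.g. `# Set to true to manage nofile limits for slapd; when false the role leaves limits unmanaged`. The comment as written also needs a space after `#` (yamllint `comments`), and the two trailing blank lines added after the variable can go.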
@@ -187,50 +187,59 @@ "{{ perun_ldap_ds389_aci_content }}" state: exact -- name: "Check and add missing LDAP indexes" - shell: | - indexes=" - cn eq - uid eq - member eq - memberUid eq - objectClass eq - uidNumber eq - gidNumber eq - perunVoId eq - eduPersonPrincipalNames eq - entryCSN eq - entryUUID eq - login eq - memberOfPerunVo eq - userCertificateSubject eq - entityID eq - assignedToResourceId eq - userIdentities eq - OIDCClientID eq - perunFacilityId eq - perunFacilityDn eq - perunUserId eq - perunGroupId eq - assignedGroupId eq - internalUserIdentifiers eq" - - echo "$indexes" | while read -r line; do - attrs=$(echo $line | cut -d' ' -f1) - types=$(echo $line | cut -d' ' -f2) - for attr in $(echo $attrs | tr ',' ' '); do - if ! dsconf {{ perun_ldap_ds389_instance_name }} backend index list userroot | grep "cn=$attr"; then - dsconf {{ perun_ldap_ds389_instance_name }} backend index add --index-type $types --attr $attr userroot - fi - done - done - register: add_indexes_output +- name: "Check if the indexies exist" + community.general.ldap_attrs: + dn: "cn={{ item }},cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config" + attributes: + objectClass: + - "top" + - "nsIndex" + cn: "{{ item }}" + state: present + bind_dn: "{{ perun_ldap_data_admin_dn }}" + bind_pw: "{{ perun_ldap_data_password }}" + server_uri: "ldaps://{{ perun_ldap_ds389_server_name }}:636" + loop: + - "cn" + - "uid" + - "member" + - "memberUid" + - "objectClass" + - "uidNumber" + - "gidNumber" + - "perunVoId" + - "eduPersonPrincipalNames" + - "entryCSN" + - "entryUUID" + - "login" + - "memberOfPerunVo" + - "userCertificateSubject" + - "entityID" + - "assignedToResourceId" + - "userIdentities" + - "OIDCClientID" + - "perunFacilityId" + - "perunFacilityDn" + - "perunUserId" + - "perunGroupId" + - "assignedGroupId" + - "internalUserIdentifiers" + ignore_errors: true + register: create_index_results + +- name: "If indexies missing, crate a index object" + ansible.builtin.command: + cmd: 
"dsconf {{ perun_ldap_ds389_instance_name }} backend index add --index-type eq --attr {{ item }} userroot" + loop: "{{ create_index_results.results | selectattr('failed', 'defined') | selectattr('failed', 'eq', true) | map(attribute='item') | list }}" + register: create_dsconf_index + when: create_index_results.failed + ignore_errors: true - name: "Reindex missing indexes" - when: add_indexes_output.changed + when: create_dsconf_index.changed shell: | dsconf {{ perun_ldap_ds389_instance_name }} backend index reindex userroot - + - name: "Create a cron job for LDAP backup" cron: name: "Everyday do backup of the LDAP hostel branch" diff --git a/tasks/perun_openldap_config.yml b/tasks/perun_openldap_config.yml index b05a4df..97a07be 100644 --- a/tasks/perun_openldap_config.yml +++ b/tasks/perun_openldap_config.yml 
@@ -132,51 +132,99 @@ when: ansible_facts.services['slapd'] is not defined service_facts: -- name: "Add limits to /etc/security/limits.conf" - lineinfile: - path: /etc/security/limits.conf - state: present - line: "{{ item }}" - loop: - - 'openldap soft nofile 20480' - - 'openldap hard nofile 40960' - notify: Reload limits - -- name: "Add system limit to /etc/sysctl.conf" - lineinfile: - path: /etc/sysctl.conf - state: present - line: 'fs.file-max = 500000' - notify: Reload sysctl - -- name: "Create systemd override config directory if it does not exist" - file: - path: /etc/systemd/system/slapd.service.d - state: directory - mode: '0755' - -- name: "Add LimitNOFILE to /etc/systemd/system/slapd.service.d/override.conf" - blockinfile: - path: /etc/systemd/system/slapd.service.d/override.conf - create: yes - block: | - [Service] - LimitNOFILE=40960 - notify: Reload systemd - -- name: "Check open file limit using ulimit" - command: bash -c 'ulimit -n' - register: ulimit_result - changed_when: false - -- name: "Check system open file limit using sysctl" - command: sysctl fs.file-max - register: sysctl_result - changed_when: false - -- name: "Display results of limit checks" - debug: - msg: - - "Current open file limit (ulimit -n): {{ ulimit_result.stdout }}" - - "System max open files limit (fs.file-max): {{ sysctl_result.stdout }}" +- name: "set up limits for max open files for LS instance and display it" + when: perun_ldap_max_open_files_limits + block: + - name: "set soft open file limit for openldap user" + # when: perun_ldap_max_open_files_limits + community.general.pam_limits: + domain: openldap + limit_type: soft + limit_item: nofile + value: "{{ perun_ldap_max_open_hard_files_user_ldap_value }}" + register: soft_limit + + - name: "set hard open file limit for openldap user" + # when: perun_ldap_max_open_files_limits + community.general.pam_limits: + domain: openldap + limit_type: hard + limit_item: nofile + value: "{{ 
perun_ldap_max_open_hard_files_user_ldap_value }}" + register: hard_limit + + - name: "set system-wide open files limit" + # when: perun_ldap_max_open_files_limits + ansible.posix.sysctl: + name: fs.file-max + value: "{{ perun_ldap_max_open_system_files_value }}" + register: fs_file_max + + - name: "create systemd override config directory if it does not exist" + when: perun_ldap_max_open_files_limits + ansible.builtin.file: + path: /etc/systemd/system/slapd.service.d + state: directory + mode: '0755' + + - name: "add LimitNOFILE to systemd override configuration for slapd" + # when: parun_ldap_max_open_files_limits + blockinfile: + path: /etc/systemd/system/slapd.service.d/override.conf + create: yes + block: | + [Service] + LimitNOFILE="{{ perun_ldap_no_file_limit_value }}" + register: ldap_nofile_limit + + - name: "reload systemd to apply override changes" + when: perun_ldap_max_open_files_limits and soft_limit.changed and hard_limit.changed and fs_file_max + ansible.builtin.systemd: + daemon_reload: true + + - name: "restart slapd service to apply new limits" + when: ldap_nofile_limit.changed + ansible.builtin.service: + name: slapd + state: restarted + + - name: "get soft open file limit for openldap" + ansible.builtin.command: "grep '^openldap.*soft.*nofile' /etc/security/limits.conf" + register: ulimit_soft_result + when: soft_limit.changed + + - name: "get hard open file limit for openldap" + ansible.builtin.command: "grep '^openldap.*hard.*nofile' /etc/security/limits.conf" + register: ulimit_hard_result + when: hard_limit.changed + + - name: "get system max open files limit" + ansible.builtin.command: "sysctl fs.file-max" + register: sysctl_result + when: fs_file_max.changed + + - name: "get slapd LimitNOFILE setting" + ansible.builtin.command: "systemctl show -p LimitNOFILE slapd" + register: limitnofile_result + when: ldap_nofile_limit.changed + + - name: "display configured soft open file limit for openldap" + when: soft_limit.changed + debug: + msg: 
"Configured soft open file limit for openldap: {{ ulimit_soft_result.stdout }}" + + - name: "display configured hard open file limit for openldap" + when: hard_limit.changed + debug: + msg: "Configured hard open file limit for openldap: {{ ulimit_hard_result.stdout }}" + + - name: "display system max open files limit (fs.file-max)" + when: fs_file_max.changed + debug: + msg: "System max open files limit (fs.file-max): {{ sysctl_result.stdout }}" + + - name: "display slapd LimitNOFILE setting" + when: ldap_nofile_limit.changed + debug: + msg: "slapd LimitNOFILE setting: {{ limitnofile_result.stdout }}" From 1cda4ea576f71e3a416e852ff6a4b015d2ee2966 Mon Sep 17 00:00:00 2001 From: Matej Jostak Date: Mon, 11 Nov 2024 12:13:43 +0100 Subject: [PATCH 2/4] Added vars for max limit to defaults --- defaults/main.yml | 6 +++++- tasks/perun_openldap_config.yml | 4 ---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 24c3428..9fc857d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -39,8 +39,12 @@ perun_ldap_ds389_aci_content: perun_ldap_backup_hostel: no perun_ldap_daily_backup_hour: 20 perun_ldap_daily_backup_minute: 45 + #set var for max open file limit for LS perun_ldap_max_open_files_limits: false - +perun_ldap_max_open_soft_files_user_ldap_value: "1024" # Výchozí měkký limit pro uživatele openLDAP +perun_ldap_max_open_hard_files_user_ldap_value: "4096" # Výchozí tvrdý limit pro uživatele openLDAP +perun_ldap_max_open_system_files_value: "1048576" # Výchozí limit pro celý systém +perun_ldap_no_file_limit_value: "4096" # Výchozí limit podobný tvrdému limitu pro uživatele diff --git a/tasks/perun_openldap_config.yml b/tasks/perun_openldap_config.yml index 97a07be..8a7facb 100644 --- a/tasks/perun_openldap_config.yml +++ b/tasks/perun_openldap_config.yml 
@@ -137,7 +137,6 @@ when: perun_ldap_max_open_files_limits block: - name: "set soft open file limit for openldap user" - # when: perun_ldap_max_open_files_limits community.general.pam_limits: domain: openldap limit_type: soft @@ -146,7 +145,6 @@ register: soft_limit - name: "set hard open file limit for openldap user" - # when: perun_ldap_max_open_files_limits community.general.pam_limits: domain: openldap limit_type: hard @@ -155,7 +153,6 @@ register: hard_limit - name: "set system-wide open files limit" - # when: perun_ldap_max_open_files_limits ansible.posix.sysctl: name: fs.file-max value: "{{ perun_ldap_max_open_system_files_value }}" @@ -169,7 +166,6 @@ mode: '0755' - name: "add LimitNOFILE to systemd override configuration for slapd" - # when: parun_ldap_max_open_files_limits blockinfile: path: /etc/systemd/system/slapd.service.d/override.conf create: yes From 7a04908807fce488e67df6b34c8c7e4b66ca2313 Mon Sep 17 00:00:00 2001 From: Matej Jostak Date: Wed, 27 Nov 2024 10:47:34 +0100 Subject: [PATCH 3/4] Added task for defaults limits and remove thm if needed --- defaults/main.yml | 10 +++++----- tasks/perun_openldap_config.yml | 32 ++++++++++++++++++++++++++++---- 2 files changed, 33 insertions(+), 9 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9fc857d..dae7fed 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -40,11 +40,11 @@ perun_ldap_backup_hostel: no perun_ldap_daily_backup_hour: 20 perun_ldap_daily_backup_minute: 45 -#set var for max open file limit for LS +#set var for max open file limit for default value perun_ldap_max_open_files_limits: false -perun_ldap_max_open_soft_files_user_ldap_value: "1024" # Výchozí měkký limit pro uživatele openLDAP -perun_ldap_max_open_hard_files_user_ldap_value: "4096" # Výchozí tvrdý limit pro uživatele openLDAP -perun_ldap_max_open_system_files_value: "1048576" # Výchozí limit pro celý systém -perun_ldap_no_file_limit_value: "4096" # Výchozí limit podobný tvrdému limitu pro uživatele +perun_ldap_max_open_soft_files_user_ldap_value: "1024" # Default soft limit for openLDAP users +perun_ldap_max_open_hard_files_user_ldap_value: "4096" # Default hard limit for openLDAP users +perun_ldap_max_open_system_files_value: "1048576" # Default limit for the entire system +perun_ldap_no_file_limit_value: "4096" # Default limit similar to the hard limit for users diff --git a/tasks/perun_openldap_config.yml b/tasks/perun_openldap_config.yml index 8a7facb..2ac7ee2 100644 --- a/tasks/perun_openldap_config.yml +++ b/tasks/perun_openldap_config.yml @@ -133,7 +133,7 @@ service_facts: -- name: "set up limits for max open files for LS instance and display it" +- name: "set up limits for max open files for instance and display it" when: perun_ldap_max_open_files_limits block: - name: "set soft open file limit for openldap user" @@ -141,7 +141,7 @@ domain: openldap limit_type: soft limit_item: nofile - value: "{{ perun_ldap_max_open_hard_files_user_ldap_value }}" + value: "{{ perun_ldap_max_open_soft_files_user_ldap_value }}" register: soft_limit - name: "set hard open file limit for openldap user" @@ -159,7 +159,6 @@ register: fs_file_max - name: "create systemd override config directory if it does not exist" - when: perun_ldap_max_open_files_limits ansible.builtin.file: path: /etc/systemd/system/slapd.service.d state: directory 
@@ -175,7 +174,7 @@ register: ldap_nofile_limit - name: "reload systemd to apply override changes" - when: perun_ldap_max_open_files_limits and soft_limit.changed and hard_limit.changed and fs_file_max + when: soft_limit.changed or hard_limit.changed or fs_file_max ansible.builtin.systemd: daemon_reload: true @@ -224,3 +223,28 @@ when: ldap_nofile_limit.changed debug: msg: "slapd LimitNOFILE setting: {{ limitnofile_result.stdout }}" + + +- name: "set up defaults limits for max open files for instance" + when: not perun_ldap_max_open_files_limits + block: + - name: "remove soft and hard open file limits for openldap user" + ansible.builtin.lineinfile: + path: /etc/security/limits.conf + state: absent + regexp: '^openldap.*nofile' + + - name: "reset system-wide open files limit to default" + ansible.posix.sysctl: + name: fs.file-max + state: absent + + - name: "remove systemd override config directory for slapd" + ansible.builtin.file: + path: /etc/systemd/system/slapd.service.d/override.conf + state: absent + + - name: "remove systemd override directory if empty" + ansible.builtin.file: + path: /etc/systemd/system/slapd.service.d + state: absent \ No newline at end of file From 5d092cdfdfd81d87c5a48ff2173fcbbdc9f42a8f Mon Sep 17 00:00:00 2001 From: Matej Jostak Date: Fri, 13 Dec 2024 13:40:53 +0100 Subject: [PATCH 4/4] Added restart of service and correct vars --- tasks/perun_openldap_config.yml | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/tasks/perun_openldap_config.yml b/tasks/perun_openldap_config.yml index 2ac7ee2..ec7e54c 100644 --- a/tasks/perun_openldap_config.yml +++ b/tasks/perun_openldap_config.yml @@ -132,7 +132,6 @@ when: ansible_facts.services['slapd'] is not defined service_facts: - - name: "set up limits for max open files for instance and display it" when: perun_ldap_max_open_files_limits block: 
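Review bot: `remove systemd override directory if empty` does not check emptiness: `ansible.builtin.file` with `state: absent` on a directory removes it recursively, so any other drop-in an operator placed in `/etc/systemd/system/slapd.service.d/` is deleted too (patch 4's version of the same task, gated on `remove_conf.changed`, has the same behaviour). A `find` on the directory first, removing only when nothing matched, makes the task do what its name says. Note also that `ansible.posix.sysctl` with `state: absent` only drops the line from sysctl.conf — the running kernel keeps whatever `fs.file-max` was last set until reboot, as far as I can tell — so the name `reset system-wide open files limit to default` overstates it. Because the flag defaults to `false`, this block runs on every host that never opted in and strips limits the role itself used to provision, which deserves a line in the role's README or changelog.
```yaml
    # … unchanged: limits.conf, sysctl and override.conf removal tasks …

    - name: "list remaining drop-ins for slapd"
      ansible.builtin.find:
        paths: /etc/systemd/system/slapd.service.d
        hidden: true
      register: slapd_dropins

    - name: "remove systemd override directory if empty"
      when: slapd_dropins.matched == 0
      ansible.builtin.file:
        path: /etc/systemd/system/slapd.service.d
        state: absent
```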
@@ -174,7 +173,7 @@ register: ldap_nofile_limit - name: "reload systemd to apply override changes" - when: soft_limit.changed or hard_limit.changed or fs_file_max + when: soft_limit.changed or hard_limit.changed or fs_file_max.changed or ldap_nofile_limit.changed ansible.builtin.systemd: daemon_reload: true @@ -233,18 +232,34 @@ path: /etc/security/limits.conf state: absent regexp: '^openldap.*nofile' + register: remove_hard_soft_limits - name: "reset system-wide open files limit to default" ansible.posix.sysctl: name: fs.file-max state: absent + register: fs_file_max_default - name: "remove systemd override config directory for slapd" ansible.builtin.file: path: /etc/systemd/system/slapd.service.d/override.conf state: absent + register: remove_conf - name: "remove systemd override directory if empty" + when: remove_conf.changed ansible.builtin.file: path: /etc/systemd/system/slapd.service.d - state: absent \ No newline at end of file + state: absent + register: remove_slapd_dir + + - name: "reload systemd to apply override changes" + when: remove_hard_soft_limits.changed or fs_file_max_default.changed or remove_conf.changed + ansible.builtin.systemd: + daemon_reload: true + + - name: "restart slapd service to apply new limits" + when: remove_conf.changed + ansible.builtin.service: + name: slapd + state: restarted
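Review bot: The `reload systemd` condition now triggers on `soft_limit`, `hard_limit` and `fs_file_max` changes, none of which touch a systemd unit — only the drop-in change tracked by `ldap_nofile_limit` needs a daemon-reload. `when: ldap_nofile_limit.changed` states the actual dependency and mirrors the `restart slapd service` task that follows it. The enclosing block starts outside the hunk.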
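Review bot: `register: remove_slapd_dir` is never read, and the reload condition `remove_hard_soft_limits.changed or fs_file_max_default.changed or remove_conf.changed` includes two changes that do not involve systemd; `when: remove_conf.changed` is sufficient for the daemon-reload, matching the restart task below it. Since the pre-patch-1 version of this file already used `notify: Reload systemd` (visible in the removed lines of patch 1), a handlers-based `notify: Reload systemd` / `notify: Restart slapd` pair on the file-changing tasks would replace the duplicated reload/restart tasks in both blocks and run them once, in order, at the end of the play. The enclosing block starts outside the hunk.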