
Fixing_max_open_files_for_open_and_indexies_DS389 #3

Open
wants to merge 4 commits into
base: main
from
8 changes: 8 additions & 0 deletions defaults/main.yml
Expand Up @@ -40,3 +40,11 @@ perun_ldap_backup_hostel: no
perun_ldap_daily_backup_hour: 20
perun_ldap_daily_backup_minute: 45

#set var for max open file limit for default value
perun_ldap_max_open_files_limits: false
perun_ldap_max_open_soft_files_user_ldap_value: "1024" # Default soft limit for openLDAP users
perun_ldap_max_open_hard_files_user_ldap_value: "4096" # Default hard limit for openLDAP users
perun_ldap_max_open_system_files_value: "1048576" # Default limit for the entire system
perun_ldap_no_file_limit_value: "4096" # Default limit similar to the hard limit for users


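Review bot: The header comment `#set var for max open file limit for default value` does not say when these values apply, and the name `perun_ldap_no_file_limit_value` does not say that it feeds the `LimitNOFILE` directive of the slapd systemd drop-in rather than a PAM limit. I would replace the comment with `# Max-open-files tuning for slapd; the four values below are only applied when perun_ldap_max_open_files_limits is true` (with a space after the `#`) and change the inline comment on the last variable to `# LimitNOFILE written to the slapd systemd override`. The values are correctly kept as quoted strings, since the consuming modules pass them through unchanged.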
93 changes: 51 additions & 42 deletions tasks/perun_ds389_config.yml
@@ -1,6 +1,6 @@
# # # # ################################ Custom schema application part #############

- name: "assert variables"
- name: "Assert variables"
assert:
that:
- perun_ldap_schemas_perun_version is defined
Expand Down Expand Up @@ -123,7 +123,7 @@
chdir: /tmp/schemas
register: result

- name: "read schema"
- name: "Read schema"
community.general.ldap_search:
server_uri: "ldaps://{{ perun_ldap_ds389_server_name }}:636"
bind_dn: "{{ perun_ldap_data_admin_dn }}"
Expand Down Expand Up @@ -187,50 +187,59 @@
"{{ perun_ldap_ds389_aci_content }}"
state: exact

- name: "Check and add missing LDAP indexes"
shell: |
indexes="
cn eq
uid eq
member eq
memberUid eq
objectClass eq
uidNumber eq
gidNumber eq
perunVoId eq
eduPersonPrincipalNames eq
entryCSN eq
entryUUID eq
login eq
memberOfPerunVo eq
userCertificateSubject eq
entityID eq
assignedToResourceId eq
userIdentities eq
OIDCClientID eq
perunFacilityId eq
perunFacilityDn eq
perunUserId eq
perunGroupId eq
assignedGroupId eq
internalUserIdentifiers eq"

echo "$indexes" | while read -r line; do
attrs=$(echo $line | cut -d' ' -f1)
types=$(echo $line | cut -d' ' -f2)
for attr in $(echo $attrs | tr ',' ' '); do
if ! dsconf {{ perun_ldap_ds389_instance_name }} backend index list userroot | grep "cn=$attr"; then
dsconf {{ perun_ldap_ds389_instance_name }} backend index add --index-type $types --attr $attr userroot
fi
done
done
register: add_indexes_output
- name: "Check if the indexies exist"
community.general.ldap_attrs:
dn: "cn={{ item }},cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config"
attributes:
objectClass:
- "top"
- "nsIndex"
cn: "{{ item }}"
state: present
bind_dn: "{{ perun_ldap_data_admin_dn }}"
bind_pw: "{{ perun_ldap_data_password }}"
server_uri: "ldaps://{{ perun_ldap_ds389_server_name }}:636"
loop:
- "cn"
- "uid"
- "member"
- "memberUid"
- "objectClass"
- "uidNumber"
- "gidNumber"
- "perunVoId"
- "eduPersonPrincipalNames"
- "entryCSN"
- "entryUUID"
- "login"
- "memberOfPerunVo"
- "userCertificateSubject"
- "entityID"
- "assignedToResourceId"
- "userIdentities"
- "OIDCClientID"
- "perunFacilityId"
- "perunFacilityDn"
- "perunUserId"
- "perunGroupId"
- "assignedGroupId"
- "internalUserIdentifiers"
ignore_errors: true
register: create_index_results

- name: "If indexies missing, crate a index object"
ansible.builtin.command:
cmd: "dsconf {{ perun_ldap_ds389_instance_name }} backend index add --index-type eq --attr {{ item }} userroot"
loop: "{{ create_index_results.results | selectattr('failed', 'defined') | selectattr('failed', 'eq', true) | map(attribute='item') | list }}"
register: create_dsconf_index
when: create_index_results.failed
ignore_errors: true

- name: "Reindex missing indexes"
when: add_indexes_output.changed
when: create_dsconf_index.changed
shell: |
dsconf {{ perun_ldap_ds389_instance_name }} backend index reindex userroot

- name: "Create a cron job for LDAP backup"
cron:
name: "Everyday do backup of the LDAP hostel branch"
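Review bot: `when: create_index_results.failed` on the "crate a index object" task is redundant and fragile: the `loop:` expression already yields an empty list when no item failed, and because the check task runs with `ignore_errors: true` the aggregate loop result may not expose a top-level `failed` key, which would make this conditional itself error; drop the `when:` line. `ignore_errors: true` on both tasks also means a bind, TLS or connection failure against the ldaps endpoint is indistinguishable from a missing index, so every attribute is then pushed through `dsconf ... index add`, and a failing dsconf is swallowed while the reindex still runs because `ansible.builtin.command` reports changed whenever the loop is non-empty. Remove `ignore_errors: true` from the dsconf task and, on the `ldap_attrs` check, select only results whose failure message indicates a missing entry rather than any failure at all. The task names could read `"Check if the indexes exist"` and `"If indexes are missing, create the index object"`. The surrounding task list continues outside the hunk.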
177 changes: 130 additions & 47 deletions tasks/perun_openldap_config.yml
Expand Up @@ -132,51 +132,134 @@
when: ansible_facts.services['slapd'] is not defined
service_facts:

- name: "Add limits to /etc/security/limits.conf"
lineinfile:
path: /etc/security/limits.conf
state: present
line: "{{ item }}"
loop:
- 'openldap soft nofile 20480'
- 'openldap hard nofile 40960'
notify: Reload limits

- name: "Add system limit to /etc/sysctl.conf"
lineinfile:
path: /etc/sysctl.conf
state: present
line: 'fs.file-max = 500000'
notify: Reload sysctl

- name: "Create systemd override config directory if it does not exist"
file:
path: /etc/systemd/system/slapd.service.d
state: directory
mode: '0755'

- name: "Add LimitNOFILE to /etc/systemd/system/slapd.service.d/override.conf"
blockinfile:
path: /etc/systemd/system/slapd.service.d/override.conf
create: yes
block: |
[Service]
LimitNOFILE=40960
notify: Reload systemd

- name: "Check open file limit using ulimit"
command: bash -c 'ulimit -n'
register: ulimit_result
changed_when: false

- name: "Check system open file limit using sysctl"
command: sysctl fs.file-max
register: sysctl_result
changed_when: false

- name: "Display results of limit checks"
debug:
msg:
- "Current open file limit (ulimit -n): {{ ulimit_result.stdout }}"
- "System max open files limit (fs.file-max): {{ sysctl_result.stdout }}"
- name: "set up limits for max open files for instance and display it"
when: perun_ldap_max_open_files_limits
block:
- name: "set soft open file limit for openldap user"
community.general.pam_limits:
domain: openldap
limit_type: soft
limit_item: nofile
value: "{{ perun_ldap_max_open_soft_files_user_ldap_value }}"
register: soft_limit

- name: "set hard open file limit for openldap user"
community.general.pam_limits:
domain: openldap
limit_type: hard
limit_item: nofile
value: "{{ perun_ldap_max_open_hard_files_user_ldap_value }}"
register: hard_limit

- name: "set system-wide open files limit"
ansible.posix.sysctl:
name: fs.file-max
value: "{{ perun_ldap_max_open_system_files_value }}"
register: fs_file_max

- name: "create systemd override config directory if it does not exist"
ansible.builtin.file:
path: /etc/systemd/system/slapd.service.d
state: directory
mode: '0755'

- name: "add LimitNOFILE to systemd override configuration for slapd"
blockinfile:
path: /etc/systemd/system/slapd.service.d/override.conf
create: yes
block: |
[Service]
LimitNOFILE="{{ perun_ldap_no_file_limit_value }}"
register: ldap_nofile_limit

- name: "reload systemd to apply override changes"
when: soft_limit.changed or hard_limit.changed or fs_file_max.changed or ldap_nofile_limit.changed
ansible.builtin.systemd:
daemon_reload: true

- name: "restart slapd service to apply new limits"
when: ldap_nofile_limit.changed
ansible.builtin.service:
name: slapd
state: restarted

- name: "get soft open file limit for openldap"
ansible.builtin.command: "grep '^openldap.*soft.*nofile' /etc/security/limits.conf"
register: ulimit_soft_result
when: soft_limit.changed

- name: "get hard open file limit for openldap"
ansible.builtin.command: "grep '^openldap.*hard.*nofile' /etc/security/limits.conf"
register: ulimit_hard_result
when: hard_limit.changed

- name: "get system max open files limit"
ansible.builtin.command: "sysctl fs.file-max"
register: sysctl_result
when: fs_file_max.changed

- name: "get slapd LimitNOFILE setting"
ansible.builtin.command: "systemctl show -p LimitNOFILE slapd"
register: limitnofile_result
when: ldap_nofile_limit.changed

- name: "display configured soft open file limit for openldap"
when: soft_limit.changed
debug:
msg: "Configured soft open file limit for openldap: {{ ulimit_soft_result.stdout }}"

- name: "display configured hard open file limit for openldap"
when: hard_limit.changed
debug:
msg: "Configured hard open file limit for openldap: {{ ulimit_hard_result.stdout }}"

- name: "display system max open files limit (fs.file-max)"
when: fs_file_max.changed
debug:
msg: "System max open files limit (fs.file-max): {{ sysctl_result.stdout }}"

- name: "display slapd LimitNOFILE setting"
when: ldap_nofile_limit.changed
debug:
msg: "slapd LimitNOFILE setting: {{ limitnofile_result.stdout }}"


- name: "set up defaults limits for max open files for instance"
when: not perun_ldap_max_open_files_limits
block:
- name: "remove soft and hard open file limits for openldap user"
ansible.builtin.lineinfile:
path: /etc/security/limits.conf
state: absent
regexp: '^openldap.*nofile'
register: remove_hard_soft_limits

- name: "reset system-wide open files limit to default"
ansible.posix.sysctl:
name: fs.file-max
state: absent
register: fs_file_max_default

- name: "remove systemd override config directory for slapd"
ansible.builtin.file:
path: /etc/systemd/system/slapd.service.d/override.conf
state: absent
register: remove_conf

- name: "remove systemd override directory if empty"
when: remove_conf.changed
ansible.builtin.file:
path: /etc/systemd/system/slapd.service.d
state: absent
register: remove_slapd_dir

- name: "reload systemd to apply override changes"
when: remove_hard_soft_limits.changed or fs_file_max_default.changed or remove_conf.changed
ansible.builtin.systemd:
daemon_reload: true

- name: "restart slapd service to apply new limits"
when: remove_conf.changed
ansible.builtin.service:
name: slapd
state: restarted
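Review bot: `LimitNOFILE="{{ perun_ldap_no_file_limit_value }}"` inside the `block: |` scalar writes the double quotes into override.conf literally, and systemd does not unquote `Limit*` directives the way it does `ExecStart=`, so the drop-in is likely rejected with a parse warning and the previous unquoted `LimitNOFILE=40960` behaviour is lost; write `LimitNOFILE={{ perun_ldap_no_file_limit_value }}`. In the defaults block, the task named "remove systemd override directory if empty" never checks emptiness: `ansible.builtin.file` with `state: absent` on `/etc/systemd/system/slapd.service.d` removes the directory recursively, which would also delete any other drop-ins placed there, so either guard it with a `find` of the directory or only remove `override.conf`. Note also that `/etc/security/limits.conf` governs PAM sessions rather than a unit started by systemd, so the grep-based "configured soft/hard limit" messages do not show slapd's effective limit, which `systemctl show -p LimitNOFILE slapd` already reports. `create: yes` should be `create: true`.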