RHEL / RHEL-113942

bind: Avoid costly reload of IdM named due to logrotate operation [rhel-9]


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Undefined
    • rhel-9.7.z
    • rhel-9.6, rhel-10.0
    • bind
    • None
    • bind-9.16.23-33.el9_7
    • No
    • Important
    • 1
    • rhel-net-perf
    • 2
    • _N&P-Refined_

      What were you trying to do that didn't work?

      There is a useless reload of BIND in IdM that causes downtime because it is a costly operation. The solution proposed below works for both named instances: our IdM named and our normal RHEL named.

      What is the impact of this issue to you?

      In IdM BIND this reload operation is costly, because in IdM it always reloads all the LDAP zones, not only the updated ones (as normal BIND does).

      In normal BIND it would reload just the zones it has not loaded before, so in normal BIND it is an efficient operation. But because of the current design of IdM DNS it always reloads all zones from LDAP, and this causes the mentioned service interruption until the load has finished.

      To provide more details: in IdM BIND the special default_debug channel defined in named.conf is not referenced by any category. IPA ships its own log definitions and no message falls into that debug channel. That is why the named.run file is always empty without exception, and named.run is the file that is monitored by the logrotate job launched every day at 00:00.

      To solve it, add a line with "notifempty" to /etc/logrotate.d/named. This avoids the costly reload and suffices. Additionally it is useful for both IPA and normal named, and should efficiently disable unneeded reloading when the file is not used anyway, so it is a better solution.

      Please provide the package NVR for which the bug is seen:

      Every bind is affected

      How reproducible is this bug?:

      Always; especially in IdM BIND with huge populated zones, the downtime can easily reach 15-20 seconds every day.

      Steps to reproduce

      1. Wait till log rotation is launched every day at 00:00; it executes a postrotate command that reloads the BIND service, e.g. (see the stanza below):
      2. Have the weekly or daily keyword in /etc/logrotate.conf, so log rotation is based only on the time of the previous log rotation.

      /var/named/data/named.run
      {
          missingok
          su named named
          create 0644 named named
          postrotate
              /usr/bin/systemctl reload named.service > /dev/null 2>&1 || true
              /usr/bin/systemctl reload named-chroot.service > /dev/null 2>&1 || true
              /usr/bin/systemctl reload named-sdb.service > /dev/null 2>&1 || true
              /usr/bin/systemctl reload named-sdb-chroot.service > /dev/null 2>&1 || true
              /usr/bin/systemctl reload named-pkcs11.service > /dev/null 2>&1 || true
          endscript
      }

      Expected results

      In IdM BIND this reload is useless because all the logs are rotated using the integrated BIND rotation procedure, which is enough to keep the partitions from filling up. So just skip the logrotate run in IdM bind by adding a line with "notifempty" to logrotate.d/named. named.run in IdM is always empty, so in this way the reload can be avoided.
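An added check, not code from this issue or the bind package, that applies the "notifempty" change idempotently and models logrotate's postrotate decision for an empty named.run before and after the fix. The sample stanza is constructed from the one quoted above with a single reload line; on a real host `logrotate -d /etc/logrotate.d/named` prints its decision for the file without rotating anything.

```shell
# Added example, not code from the issue or the bind package: check and
# fix the logrotate stanza for named.run so an always-empty file never
# triggers the postrotate reload. The sample stanza below is constructed.
has_notifempty() {            # exit 0 if the stanza already has "notifempty"
    grep -q '^[[:space:]]*notifempty[[:space:]]*$' "$1"
}
# Idempotently add "notifempty" right after "missingok", keeping the stanza's
# indentation (no-op if "missingok" is absent or the option is already there).
add_notifempty() {
    cfg="$1"
    has_notifempty "$cfg" && return 0
    awk '{ print }
         /^[ \t]*missingok[ \t]*$/ {
             match($0, /^[ \t]*/)
             print substr($0, 1, RLENGTH) "notifempty"
         }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}
# Model logrotate's choice on the day a daily/weekly rotation is due: the
# postrotate reload runs unless the stanza has "notifempty" and the log is
# empty (logrotate's default is "ifempty"). Prints "reload" or "skip".
reload_decision() {
    if has_notifempty "$1" && [ ! -s "$2" ]; then echo skip; else echo reload; fi
}
# Constructed sample: the stock stanza reduced to one reload command.
write_sample_config() {
    cat > "$1" <<EOF
$2
{
    missingok
    su named named
    create 0644 named named
    postrotate
        /usr/bin/systemctl reload named.service > /dev/null 2>&1 || true
    endscript
}
EOF
}
demo() {
    dir=$(mktemp -d)
    write_sample_config "$dir/named" "$dir/named.run"
    : > "$dir/named.run"                 # named.run is always empty in IdM
    echo "before fix: $(reload_decision "$dir/named" "$dir/named.run")"
    add_notifempty "$dir/named"
    echo "after fix:  $(reload_decision "$dir/named" "$dir/named.run")"
    rm -rf "$dir"
}
demo
```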

      Actual results

      Service downtime every day at 00:00 due to the BIND reload in IdM.

              People: Petr Mensik (pemensik@redhat.com), Josep Andreu Font (rh-ee-jfont), Petr Mensik, Petr Sklenar