- Bug
- Resolution: Done-Errata
- Critical
- None
- None
- 389-ds-base-3.0.5-2.el10
- No
- Critical
- rhel-idm-ds
- ssg_idm
- 0
- QE ack, Dev ack
- False
- False
- No
- None
- Pass
- Automated
- None
Trying to enable RSNv3 and certificate pruning in IPA is causing a ton of VLV errors and tracebacks within PKI that result in cert-find operations failing.
2024-09-17 18:54:05 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO: PKIService: JSON request: {"certTypeInUse": "false", "issuedByInUse": "false", "issuedOnInUse": "false", "matchExactly": "false", "revocationReasonInUse": "false", "revokedByInUse": "false", "revokedOnInUse": "false", "serialNumberRangeInUse": "true", "subjectInUse": "false", "validNotAfterInUse": "false", "validNotBeforeInUse": "false", "validityLengthInUse": "false"}
2024-09-17 18:54:05 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO: Search filter: (certstatus=*)
2024-09-17 18:54:05 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO: LDAPVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca
2024-09-17 18:54:05 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO: LDAPVirtualList: filter: (certStatus=*)
2024-09-17 18:54:05 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] SEVERE: Operation Error - Operations error
netscape.ldap.LDAPException: Operations error (1)
    at netscape.ldap.LDAPConnection.checkMsg(LDAPConnection.java:4933)
    at netscape.ldap.LDAPConnection.checkSearchMsg(LDAPConnection.java:2686)
    at netscape.ldap.LDAPConnection.search(LDAPConnection.java:2658)
    at com.netscape.cmscore.dbs.LDAPVirtualList.getEntries(LDAPVirtualList.java:469)
    at com.netscape.cmscore.dbs.LDAPVirtualList.getJumpToPage(LDAPVirtualList.java:543)
    at com.netscape.cmscore.dbs.LDAPVirtualList.getSize(LDAPVirtualList.java:383)
    at com.netscape.cmscore.dbs.CertRecordList.getSize(CertRecordList.java:60)
    at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:213)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
    at java.base/java.lang.reflect.Method.invoke(Method.java:580)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
    at java.base/java.lang.reflect.Method.invoke(Method.java:580)
    at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:714)
    at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:670)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:142)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:207)
    at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:137)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:571)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
    at java.base/java.lang.reflect.Method.invoke(Method.java:580)
    at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:714)
    at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:670)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:176)
    at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:137)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:571)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
    at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:83)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
    at org.apache.catalina.valves.rewrite.RewriteValve.invoke(RewriteValve.java:545)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:424)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:1583)
2024-09-17 18:54:05 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO: Search results: -1
2024-09-17 18:54:05 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO: PKIService: Response format: application/json
2024-09-17 18:54:05 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO: PKIService: Response class: CertDataInfos
The operations error is logged in the 389-ds error log:
[17/Sep/2024:18:54:05.250571209 +0000] - ERR - vlv_build_idl - Can't follow db cursor (err -12797)
VLV indexing appears to be enabled:
Indexing VLV: vlv#allcertspkitomcatindex
Indexing VLV: vlv#allexpiredcertspkitomcatindex
Indexing VLV: vlv#allinvalidcertsnotbeforepkitomcatindex
Indexing VLV: vlv#allinvalidcertspkitomcatindex
Indexing VLV: vlv#allnonrevokedcertspkitomcatindex
Indexing VLV: vlv#allrevokedcacertspkitomcatindex
Indexing VLV: vlv#allrevokedcertsnotafterpkitomcatindex
Indexing VLV: vlv#allrevokedcertspkitomcatindex
Indexing VLV: vlv#allrevokedexpiredcertspkitomcatindex
Indexing VLV: vlv#allrevokedorrevokedexpiredcacertspkitomcatindex
Indexing VLV: vlv#allrevokedorrevokedexpiredcertspkitomcatindex
Indexing VLV: vlv#allvalidcertsnotafterpkitomcatindex
Indexing VLV: vlv#allvalidcertspkitomcatindex
Indexing VLV: vlv#allvalidorrevokedcertspkitomcatindex
Indexing VLV: vlv#caallpkitomcatindex
Indexing VLV: vlv#cacanceledenrollmentpkitomcatindex
Indexing VLV: vlv#cacanceledpkitomcatindex
Indexing VLV: vlv#cacanceledrenewalpkitomcatindex
Indexing VLV: vlv#cacanceledrevocationpkitomcatindex
Indexing VLV: vlv#cacompleteenrollmentpkitomcatindex
Indexing VLV: vlv#cacompletepkitomcatindex
Indexing VLV: vlv#cacompleterenewalpkitomcatindex
Indexing VLV: vlv#cacompleterevocationpkitomcatindex
Indexing VLV: vlv#caenrollmentpkitomcatindex
Indexing VLV: vlv#capendingenrollmentpkitomcatindex
Indexing VLV: vlv#capendingpkitomcatindex
Indexing VLV: vlv#capendingrenewalpkitomcatindex
Indexing VLV: vlv#capendingrevocationpkitomcatindex
Indexing VLV: vlv#carejectedenrollmentpkitomcatindex
Indexing VLV: vlv#carejectedpkitomcatindex
Indexing VLV: vlv#carejectedrenewalpkitomcatindex
Indexing VLV: vlv#carejectedrevocationpkitomcatindex
Indexing VLV: vlv#carenewalpkitomcatindex
Indexing VLV: vlv#carevocationpkitomcatindex
The backend is lmdb.
We are seeing this in a PR where we are trying to enable pruning by default. We only see these errors when that code is in place. When it is disabled, the current default, there are no VLV issues.
What exactly triggers the issue is unclear but it appears related to pruning. The only configuration changes made were to enable the job scheduler and the pruning job. No other defaults were touched.
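For triage, the PKI-side "Operations error" can be tied to the 389-ds `vlv_build_idl` failure by timestamp. The following is an added example, not part of the original report or of either project's code: the sample lines are constructed from the two log formats quoted above, the function names are hypothetical, and the PKI debug log (which carries no time zone) is assumed to be in UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines, modelled on the two logs quoted in the report.
PKI_LOG = """\
2024-09-17 18:54:05 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO: LDAPVirtualList: filter: (certStatus=*)
2024-09-17 18:54:05 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] SEVERE: Operation Error - Operations error
2024-09-17 19:10:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] SEVERE: Operation Error - Operations error
"""
DS_LOG = """\
[17/Sep/2024:18:54:05.250571209 +0000] - ERR - vlv_build_idl - Can't follow db cursor (err -12797)
[17/Sep/2024:18:59:30.000000001 +0000] - INFO - constructed unrelated line
"""

PKI_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[([^\]]+)\] SEVERE: (.*Operations error.*)$")
DS_RE = re.compile(
    r"^\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d)\.(\d+) ([+-]\d{4})\] - ERR - vlv_build_idl - (.*)$")

def parse_pki(text, tz=timezone.utc):
    """Yield (timestamp, thread, message) for SEVERE LDAP operations errors.
    PKI timestamps carry no zone, so tz is an assumption supplied by the caller."""
    for line in text.splitlines():
        m = PKI_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
            yield ts, m.group(2), m.group(3)

def parse_ds(text):
    """Yield (timestamp, message) for vlv_build_idl ERR lines in the 389-ds error log."""
    for line in text.splitlines():
        m = DS_RE.match(line)
        if m:
            # DS logs nanoseconds; the fraction is dropped because the PKI log
            # only has one-second resolution. %b expects English month names.
            ts = datetime.strptime(f"{m.group(1)} {m.group(3)}", "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m.group(4)

def correlate(pki_text, ds_text, window=timedelta(seconds=2)):
    """Pair each PKI operations error with vlv_build_idl errors logged within `window`.
    An empty match list means the PKI failure has no VLV-side counterpart."""
    ds = list(parse_ds(ds_text))
    return [(ts.isoformat(), thread, [msg for t, msg in ds if abs(t - ts) <= window])
            for ts, thread, _ in parse_pki(pki_text)]

if __name__ == "__main__":
    for row in correlate(PKI_LOG, DS_LOG):
        print(row)
```
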
- blocks
- RHEL-57674 Use RSNv3 and enable cert pruning by default in RHEL 10.0
- Closed
- links to
- RHBA-2024:142375 389-ds-base bug fix and enhancement update