Port providers to New Failover WIP#8532
Draft
justin-stephenson wants to merge 18 commits intoSSSD:masterfrom
Draft
Port providers to New Failover WIP#8532justin-stephenson wants to merge 18 commits intoSSSD:masterfrom
justin-stephenson wants to merge 18 commits intoSSSD:masterfrom
Conversation
(cherry picked from commit 0f5f3b6)
so it can be directly modified
So it can be modified later.
This crafts and implements the new failover interface, it does not provide complete implementation of the failover mechanism yet. It brings the code to a state were the public and private interfaces are stable, working and testable so the following tasks can be split and work on in parallel. What is missing at this state: - server configuration and discovery (failover_server_group/batch/vtable_op) - server selection mechanism (sss_failover_vtable_op_server_next) - kerberos authentication - sharing servers between IPA/AD LDAP and KDC - online/offline callbacks (resolve callback should not be needed) But especially it is possible to start refactoring SSSD code to start using the new failover implementation.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a new failover mechanism for SSSD providers, exemplified by a new 'minimal' provider. The changes involve significant refactoring of error handling in existing LDAP and AD providers, removing dp_error parameters and related macros, and integrating a new sss_failover_transaction for connection management. The new failover logic is also integrated into various LDAP and IPA components for tasks like account info, enumeration, and sudo rules. However, several critical issues were identified: test hooks that intentionally trigger server failures are present in production code paths (ldap_id.c, minimal_id_services.c) and should be removed or guarded. Additionally, key failover options, DNS discovery domains, and server URIs are hardcoded (failover.c, failover_group.c, failover_srv.c, ldap_init.c), limiting configurability and dynamic behavior, which is unsuitable for a production-ready feature.
justin-stephenson
force-pushed
the
failover_justin_v1_1
branch
from
e345d10 to
90d41a1
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
|
||
| count = talloc_array_length(fctx->groups); | ||
|
|
||
| for (slot = 0; fctx->groups[slot] != NULL && slot < count; slot++) { |
Check failure
Code scanning / CodeQL
Array offset used before range check High
| } | ||
|
|
||
| if (state->sdap_ret == ENOENT && state->noexist_delete == true) { | ||
| if (ret == ENOENT && state->noexist_delete == true) { |
Check warning
Code scanning / CodeQL
Comparison result is always the same Warning
Comment on lines
+3091
to
+3093
| /* FIXME: Placeholder to be updated when | ||
| * AD is moved to new Failover | ||
| * Set to state->conn */ |
Check notice
Code scanning / CodeQL
FIXME comment Note
justin-stephenson
force-pushed
the
failover_justin_v1_1
branch
8 times, most recently
from
d56510c to
6d953d4
Compare
Assisted by: Claude code (Sonnet 4.6)
The data provider handler methods now return a single output argument. Remove 'dp_error/dp_err' and 'error_message' usage across provider code. The getAccountDomain method still needs to return 'domain_name' string. Assisted by: Claude code (Sonnet 4.6)
- Servers are hardcoded
justin-stephenson
force-pushed
the
failover_justin_v1_1
branch
4 times, most recently
from
8540239 to
410fced
Compare
This will be done differently inside the failover code
To allow system tests to run in upstream PRCI
justin-stephenson
force-pushed
the
failover_justin_v1_1
branch
from
410fced to
517f6dd
Compare
** Temporary commit as each provider is ported to new failover ** These provider tests will often fail because they have not yet been ported to the new failover code, and they call into ldap functions which are utilizing the new failover. For example crash in : #0 0x00007fdb8d72cb41 in sss_failover_transaction_ex_send () from /usr/lib64/sssd/libsss_ldap_common.so #1 0x00007fdb8d72ccbd in sss_failover_transaction_send () from /usr/lib64/sssd/libsss_ldap_common.so #2 0x00007fdb8d6e367b in groups_by_user_send () from /usr/lib64/sssd/libsss_ldap_common.so #3 0x00007fdb8d6e6a88 in sdap_handle_acct_req_send () from /usr/lib64/sssd/libsss_ldap_common.so #4 0x00007fdb8d799076 in ipa_id_get_account_info_get_original_step () from /usr/lib64/sssd/libsss_ipa.so #5 0x00007fdb8d7a038b in ipa_id_get_account_info_send () from /usr/lib64/sssd/libsss_ipa.so #6 0x00007fdb8d7a2560 in ipa_account_info_send () from /usr/lib64/sssd/libsss_ipa.so #7 0x00007fdb8d7a2877 in ipa_account_info_handler_send () from /usr/lib64/sssd/libsss_ipa.so
justin-stephenson
force-pushed
the
failover_justin_v1_1
branch
from
517f6dd to
62796d5
Compare
* test_failover tests are expected to fail due to failover interface changes. * test_logging 'offline' tests and test_autofs__propagate_offline_status_for_multiple_domains fail because they are asserting offline related log messages which are not in the new failover code. tests/test_autofs.py::test_autofs__propagate_offline_status_for_multiple_domains (ldap) FAILED [ 35%] tests/test_failover.py::test_failover__reactivation_timeout_is_honored[None-31] (ldap) FAILED [ 39%] tests/test_failover.py::test_failover__reactivation_timeout_is_honored[15-31] (ldap) FAILED [ 39%] tests/test_failover.py::test_failover__reactivation_timeout_is_honored[60-60] (ldap) FAILED [ 39%] tests/test_failover.py::test_failover__connect_using_ipv4_second_family (ldap) FAILED [ 40%] tests/test_logging.py::test_logging__default_settings_logs_offline_errors (ldap) FAILED [ 60%] tests/test_logging.py::test_logging__default_settings_logs_to_syslog_when_ldap_is_offline (ldap) FAILED [ 60%]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.