Fix clone CA issue on upstream CI

[fmarco76]

Ldif file for reindex task have been update to be compatible with latest DS version.

@edewata Instead of rebuild the index with a command after the installation I tried with the parameter pki_clone_reindex_data but it does not work as I was expecting. I tried also to modify the code using this parameter but there were side effect so I gave up for the moment and add the manual step. We could consider to add the index build in pkispawn for this specific case.

Additionally, when removing the secondary CA I start to get error in the DS log from the replica manager plugin and it becomes not accessible after a while. Adding a restart to DS before re-installing the CA mitigate the problem.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[edewata]

@fmarco76 @tbordaz Is the change to the index rebuild task in DS documented somewhere? I'm wondering which other platforms are affected by this change.

The changes to the test looks fine so feel free to merge. We do need to figure out why the original procedure no longer works, otherwise we would need to update the docs to include these additional steps.

[fmarco76]

Is the change to the index rebuild task in DS documented somewhere?

I did not find specific documentation but just looking at the what the command dsconf localhost backend index reindex ca --waitwas doing. It was working properly. Not sure if this is intended. I am leaving open for now waiting for some DS feedback.

[tbordaz]

Unfortunately you are right the only example of vlv reindex task is in GUI part

You may trigger reindex with CLI like

dsconf supplier2 backend vlv-index list userroot
dn: cn=vlvSrch,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: vlvSrch
vlvbase: dc=example,dc=com
vlvscope: 2
vlvfilter: (|(objectclass=*)(objectclass=ldapsubentry))
Sorts:
 - dn: cn=vlvIdx,cn=vlvSrch,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 - cn: vlvIdx
 - vlvsort: cn ou sn
 - vlvenabled: 1
 - vlvuses: 0

dsconf supplier2 backend vlv-index reindex --index-name vlvIdx --parent-name vlvSrch  userRoot

[fmarco76]

Unfortunately you are right the only example of vlv reindex task is in [GUI]

@tbordaz The problem was not with vlv index but with normal index. The reindex task submitted by PKI was not working unless I modify the ldif as in this PR. Is this correct or there are other issuees?

[tbordaz]

Unfortunately you are right the only example of vlv reindex task is in [GUI]

@tbordaz The problem was not with vlv index but with normal index. The reindex task submitted by PKI was not working unless I modify the ldif as in this PR. Is this correct or there are other issuees?

Reindex of a backend is common administration task, heavily tested by CI so you may be hitting a corner case.
Could you provide the logs (errors) when the failure or noop occurs.

[fmarco76]

@tbordaz if I use the current ldif file for reindex (https://github.com/dogtagpki/pki/blob/master/base/ca/database/ds/indextasks.ldif) in the db log I get the following message and the following queries do not work because indexes are not built.

[02/Sep/2024:08:49:44.993803671 +0000] - INFO - dbmdb_import_monitor_threads - reindex ca: Import writer thread usage: run: 2.46% read: 53.14% write: 44.23% pause: 0.18% txnbegin: 0.00% txncommit: 0.00% 
[02/Sep/2024:08:49:45.092449395 +0000] - INFO - dbmdb_import_monitor_threads - reindex ca: Workers finished; cleaning up...
[02/Sep/2024:08:49:45.096163607 +0000] - INFO - dbmdb_import_monitor_threads - reindex ca: Workers cleaned up.
[02/Sep/2024:08:49:45.098847647 +0000] - INFO - dbmdb_public_dbmdb_import_main - reindex ca: Indexing complete.  Post-processing...
[02/Sep/2024:08:49:45.101127248 +0000] - INFO - dbmdb_public_dbmdb_import_main - reindex ca: Flushing caches...
[02/Sep/2024:08:49:45.103145810 +0000] - INFO - dbmdb_public_dbmdb_import_main - reindex ca: Closing files...
[02/Sep/2024:08:49:45.105895845 +0000] - INFO - dbmdb_public_dbmdb_import_main - reindex ca: Reindexing complete.  Processed 70 entries in 1 seconds. (70.00 entries/sec)
[02/Sep/2024:08:49:45.130205745 +0000] - INFO - dbmdb_import_all_done - Backend ca is now online.
[02/Sep/2024:08:49:45.133568825 +0000] - INFO - dbmdb_task_finish - ca: Finished indexing task 'cn=index1160589770,cn=index,cn=tasks,cn=config'. Exit code is 0

If I modify the file like in this PR (leaving only the index names and removing the index types) I get the following logs:

[02/Sep/2024:08:55:47.883076985 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: subjectname
[02/Sep/2024:08:55:47.889263272 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: status
[02/Sep/2024:08:55:47.894696226 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: serialno
[02/Sep/2024:08:55:47.900042813 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: revokedon
[02/Sep/2024:08:55:47.904958115 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: revokedby
[02/Sep/2024:08:55:47.911155993 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: revinfo
[02/Sep/2024:08:55:47.916476378 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: requesttype
[02/Sep/2024:08:55:47.921031058 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: requeststate
[02/Sep/2024:08:55:47.925464812 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: requestsourceid
[02/Sep/2024:08:55:47.930976118 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: requestowner
[02/Sep/2024:08:55:47.935470323 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: requestid
[02/Sep/2024:08:55:47.940117515 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: publickeydata
[02/Sep/2024:08:55:47.945230473 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: ownername
[02/Sep/2024:08:55:47.951991695 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: notbefore
[02/Sep/2024:08:55:47.956841587 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: notafter
[02/Sep/2024:08:55:47.962291897 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: metainfo
[02/Sep/2024:08:55:47.967599187 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: issuername
[02/Sep/2024:08:55:47.974648781 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: issuedby
[02/Sep/2024:08:55:47.980805761 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: extension
[02/Sep/2024:08:55:47.987500457 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: duration
[02/Sep/2024:08:55:47.994376095 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: description
[02/Sep/2024:08:55:48.002486732 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: dateofcreate
[02/Sep/2024:08:55:48.009101779 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: datatype
[02/Sep/2024:08:55:48.015128115 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: clientid
[02/Sep/2024:08:55:48.021341632 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: certstatus
[02/Sep/2024:08:55:48.027404833 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: archivedby
[02/Sep/2024:08:55:48.033366486 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: acmestatus
[02/Sep/2024:08:55:48.039453470 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: acmeidentifier
[02/Sep/2024:08:55:48.046674312 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: acmeexpires
[02/Sep/2024:08:55:48.052469981 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: acmecertificateid
[02/Sep/2024:08:55:48.059032300 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: acmeauthorizationwildcard
[02/Sep/2024:08:55:48.065690762 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: acmeauthorizationid
[02/Sep/2024:08:55:48.072519063 +0000] - INFO - dbmdb_db2index - ca: Indexing attribute: acmeaccountid
[02/Sep/2024:08:55:48.292210932 +0000] - INFO - dbmdb_import_monitor_threads - reindex ca: Import writer thread usage: run: 30.72% read: 2.41% write: 59.88% pause: 0.31% txnbegin: 0.12% txncommit: 6.56% 
[02/Sep/2024:08:55:48.379582515 +0000] - INFO - dbmdb_import_monitor_threads - reindex ca: Workers finished; cleaning up...
[02/Sep/2024:08:55:48.383347537 +0000] - INFO - dbmdb_import_monitor_threads - reindex ca: Workers cleaned up.
[02/Sep/2024:08:55:48.385665500 +0000] - INFO - dbmdb_public_dbmdb_import_main - reindex ca: Indexing complete.  Post-processing...
[02/Sep/2024:08:55:48.387846498 +0000] - INFO - dbmdb_public_dbmdb_import_main - reindex ca: Flushing caches...
[02/Sep/2024:08:55:48.390042264 +0000] - INFO - dbmdb_public_dbmdb_import_main - reindex ca: Closing files...
[02/Sep/2024:08:55:48.392959669 +0000] - INFO - dbmdb_public_dbmdb_import_main - reindex ca: Reindexing complete.  Processed 70 entries in 1 seconds. (70.00 entries/sec)
[02/Sep/2024:08:55:48.417213723 +0000] - INFO - dbmdb_import_all_done - Backend ca is now online.
[02/Sep/2024:08:55:48.420897089 +0000] - INFO - dbmdb_task_finish - ca: Finished indexing task 'cn=index1160589770,cn=index,cn=tasks,cn=config'. Exit code is 0

In this second case the following queries are working properly.

[tbordaz]

Something not clear to me is that in both indexing the exit code is 0. Why do you think it fails in the first case ?
Is it because /var/lib/dirsrv/slapd-instance/db only contains the data.mdb file and not index files ?

With mdb, all databases (domain, ca, and their related indexes) are located in a single file (data.mdb) but they still exist.
You may list them with the command: dbscan -D mdb -L /var/lib/dirsrv/slapd-instance/db

[fmarco76]

Something not clear to me is that in both indexing the exit code is 0. Why do you think it fails in the first case ? Is it because /var/lib/dirsrv/slapd-instance/db only contains the data.mdb file and not index files ?

With mdb, all databases (domain, ca, and their related indexes) are located in a single file (data.mdb) but they still exist. You may list them with the command: dbscan -D mdb -L /var/lib/dirsrv/slapd-instance/db

The problem starts with the query:

ldapsearch -H ldaps://primaryds.example.com:3636 -D "cn=Directory Manager" -w Secret.123 -b ou=people,dc=ca,dc=pki,dc=example,dc=com '(description=2;21299251422451616335932242827468297309;CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE;CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE*)' dn

It was not working because the description field was not indexed (there was log in my previous container but I can recreate if needed). If I update the indexes with the first ldif file then the query still does not work. If I update with the second it start to work so I think there is something not working in the first case.

Reindex with the command dsconf localhost backend index reindex ca --wait produce a similar log of the second case where all indexes are reported and analysing the generated task it does not contain index type so I did the same change and it is working.

[tbordaz]

So my understand is that if you run this task (https://github.com/dogtagpki/pki/blob/master/base/ca/database/ds/indextasks.ldif) the search fails

If you reindex (the full db) using the definitions in dse.ldif then it works

The seach is using the filter '(description=2;21299251...*)'. The final wildchar use substring index, if it exists. Could you retry the task https://github.com/dogtagpki/pki/blob/master/base/ca/database/ds/indextasks.ldif replacing 'nsIndexAttribute: description:eq,pres' with 'nsIndexAttribute: description:eq,pres,sub'

[fmarco76]

The seach is using the filter '(description=2;21299251...*)'. The final wildchar use substring index, if it exists. Could you retry the task https://github.com/dogtagpki/pki/blob/master/base/ca/database/ds/indextasks.ldif replacing 'nsIndexAttribute: description:eq,pres' with 'nsIndexAttribute: description:eq,pres,sub'

Sorry, I copied the wrong line. The query has not the final "*". If I run this I get the result and in the DS log I get that index are not used.

[fmarco76]

Since the DS issue generating the problem has been fixed this PR is not needed.