URL: https://github.com/freeipa/freeipa/pull/3045
Author: abbra
Title: #3045: CA instances: make sure that an instance actually usable after a restart
Action: opened

PR body:
"""
Restarting CA instance might take time. Dogtag doesn't report status of its own services to init system. However, in most cases where we expect CA to start, we actually want to use its HTTP or HTTPS end-points. Wait until CA status can be retrieved over HTTP end-point. This allows us to operate in both provisioned and pre-provision environments when certificates aren't available yet so we cannot rely on TLS.

Fixes: https://github.com/freeipa/ansible-freeipa/issues/72
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3045/head:pr3045
git checkout pr3045
From c223468a07db49a500c325434801c245fe8af5ba Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <aboko...@redhat.com> Date: Tue, 16 Apr 2019 19:27:41 +0300 Subject: [PATCH] CA instances: make sure that an instance actually usable after a restart Restarting CA instance might take time. Dogtag doesn't report status of its own services to init system. However, in most cases where we expect CA to start, we actually want to use its HTTP or HTTPS end-points. Wait until CA status can be retrieved over HTTP end-point. This allows us to operate in both provisioned and pre-provision environments when certificates aren't available yet so we cannot rely on TLS. Fixes: https://github.com/freeipa/ansible-freeipa/issues/72 --- ipaserver/install/dogtaginstance.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index 620b7c899e..3aa0fb5f50 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -50,6 +50,7 @@ from ipaserver.install import sysupgrade from ipaserver.install import replication from ipaserver.install.installutils import stopped_service +from ipapython.dogtag import ca_status @@ -187,6 +188,19 @@ def clean_pkispawn_files(self): def restart_instance(self): self.restart('pki-tomcat') + # Wait for dogtag to come back after a restart + for tries in range(1, 10): + try: + status = ca_status() + except (IndexError, errors.RemoteRetrieveError): + time.sleep(api.env.http_timeout) + else: + break + finally: + if status is None: + logger.critical( + "Unable to access pki-tomcat HTTP end-point " + "after %d retries", tries) def start_instance(self): self.start('pki-tomcat')
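Review bot: The import hunk adds only `from ipapython.dogtag import ca_status`, while the code added to restart_instance also relies on `time`, `errors`, `api` and `logger`, none of which appear in the visible context lines. Please confirm that dogtaginstance.py already imports each of them at module level, or add the missing imports in this hunk, since a missing name would only surface the first time the retry path is taken.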
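Review bot: In the restart_instance hunk, `status` is read in the `finally` clause without ever being initialized: if the first `ca_status()` call raises one of the caught exceptions, `if status is None:` fails with UnboundLocalError instead of letting the loop retry. The `finally` also belongs to the `try` inside the loop, so it runs on every iteration and the "after %d retries" message would be evaluated per attempt rather than once when the retries are exhausted. I would set `status = None` before the loop and move the failure report into a `for ... else:` clause (or a check after the loop). Two smaller points: `range(1, 10)` yields nine attempts, not ten, and on failure the method only logs at critical level and returns, so callers continue as if the CA were usable. Raising an error there, and checking the value `ca_status()` returns rather than only that it did not raise, would make the restart fail closed.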