https://fedorahosted.org/freeipa/ticket/3084
See ticket & commit message.
Please tell me of a better way to extend the Services.
What's interesting is that usually the CA is "running" right after the
ports are opened, but if not, it takes *exactly* one minute between the
ports being open and the time I stop getting 503 "Service Temporarily
Unavailable" from ca/admin/ca/getStatus. Is there a sleep somewhere in
pki? or httpd? or IPΑ?
--
Petr³
From d4f275bed5a4cf39d6345935ef7ec293dac8f667 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Tue, 25 Sep 2012 09:57:03 -0400
Subject: [PATCH] Make sure the CA is running when starting services
- Provide a function for determinig the CA status using Dogtag 10's new
getStatus endpoint.
This must be done over HTTPS, but since our client certificate may not be set
up yet, we need HTTPS without client authentication.
Rather than copying from the existing http_request and https_request
function, shared code is factored out to a common helper.
- Call the new function when restarting the CA service. Since our Service
can only be extended in platform-specific code, do this for Fedora only.
Also, the status is only checked with Dogtag 10+.
- In the install code, the CA is restarted before the httpd proxy is set up,
so the technique can't be used. To maintain backwards compatibility, use
a value of 'no-proxy' for the wait argument: it is true in a boolean context,
so other Service implementations should be unaffected.
- When a restart call in cainstance failed, users were refered to the
installation log, but no info was actually logged. Log the exception.
https://fedorahosted.org/freeipa/ticket/3084
---
ipapython/dogtag.py | 156 +++++++++++++++++++++++++---------------
ipapython/platform/fedora16.py | 42 ++++++++++-
ipaserver/install/cainstance.py | 11 ++-
3 files changed, 147 insertions(+), 62 deletions(-)
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 907cebc613127288554378d516eb456f421455ba..2e2323100540a141b53378572800912e3e05d509 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -130,6 +130,15 @@ def configured_constants(api=None):
return Dogtag9Constants
+def error_from_xml(doc, message_template):
+ try:
+ item_node = doc.getElementsByTagName("Error")
+ reason = item_node[0].childNodes[0].data
+ return errors.RemoteRetrieveError(reason=reason)
+ except Exception, e:
+ return errors.RemoteRetrieveError(reason=message_template % e)
+
+
def get_ca_certchain(ca_host=None):
"""
Retrieve the CA Certificate chain from the configured Dogtag server.
@@ -151,48 +160,110 @@ def get_ca_certchain(ca_host=None):
item_node = doc.getElementsByTagName("ChainBase64")
chain = item_node[0].childNodes[0].data
except IndexError:
- try:
- item_node = doc.getElementsByTagName("Error")
- reason = item_node[0].childNodes[0].data
- raise errors.RemoteRetrieveError(reason=reason)
- except Exception, e:
- raise errors.RemoteRetrieveError(
- reason=_("Retrieving CA cert chain failed: %s") % e)
+ raise error_from_xml(
+ doc, _("Retrieving CA cert chain failed: %s"))
finally:
if doc:
doc.unlink()
else:
raise errors.RemoteRetrieveError(
reason=_("request failed with HTTP status %d") % res.status)
return chain
+
+def ca_status(ca_host=None):
+ if ca_host is None:
+ ca_host = api.env.ca_host
+ status, reason, headers, body = unauthenticated_https_request(
+ ca_host, 443, '/ca/admin/ca/getStatus')
+ if status == 503:
+ # Service temporarily unavailable
+ return reason
+ elif status != 200:
+ raise errors.RemoteRetrieveError(
+ reason=_("Retrieving CA status failed: %s") % reason)
+ doc = xml.dom.minidom.parseString(body)
+ try:
+ item_node = doc.getElementsByTagName("XMLResponse")[0]
+ item_node = item_node.getElementsByTagName("Status")[0]
+ return item_node.childNodes[0].data
+ except IndexError:
+ raise error_from_xml(doc, _("Retrieving CA status failed: %s"))
+
+
def https_request(host, port, url, secdir, password, nickname, **kw):
"""
- :param url: The URL to post to.
+ :param url: The path (not complete URL!) to post to.
:param kw: Keyword arguments to encode into POST body.
:return: (http_status, http_reason_phrase, http_headers, http_body)
as (integer, unicode, dict, str)
Perform a client authenticated HTTPS request
"""
- if isinstance(host, unicode):
- host = host.encode('utf-8')
- uri = 'https://%s%s' % (ipautil.format_netloc(host, port), url)
- post = urlencode(kw)
- root_logger.debug('https_request %r', uri)
- root_logger.debug('https_request post %r', post)
- request_headers = {"Content-type": "application/x-www-form-urlencoded",
- "Accept": "text/plain"}
- try:
+
+ def connection_factory(host, port):
conn = nsslib.NSSConnection(host, port, dbdir=secdir)
conn.set_debuglevel(0)
conn.connect()
- conn.sock.set_client_auth_data_callback(nsslib.client_auth_data_callback,
- nickname,
- password, nss.get_default_certdb())
- conn.request("POST", url, post, request_headers)
+ conn.sock.set_client_auth_data_callback(
+ nsslib.client_auth_data_callback,
+ nickname, password, nss.get_default_certdb())
+ return conn
+ body = urlencode(kw)
+ return _httplib_request(
+ 'https', host, port, url, connection_factory, body)
+
+
+def http_request(host, port, url, **kw):
+ """
+ :param url: The path (not complete URL!) to post to.
+ :param kw: Keyword arguments to encode into POST body.
+ :return: (http_status, http_reason_phrase, http_headers, http_body)
+ as (integer, unicode, dict, str)
+
+ Perform an HTTP request.
+ """
+ body = urlencode(kw)
+ return _httplib_request(
+ 'http', host, port, url, httplib.HTTPConnection, body)
+
+
+def unauthenticated_https_request(host, port, url, **kw):
+ """
+ :param url: The path (not complete URL!) to post to.
+ :param kw: Keyword arguments to encode into POST body.
+ :return: (http_status, http_reason_phrase, http_headers, http_body)
+ as (integer, unicode, dict, str)
+
+ Perform an unauthenticated HTTPS request.
+ """
+ body = urlencode(kw)
+ return _httplib_request(
+ 'https', host, port, url, httplib.HTTPSConnection, body)
+
+
+def _httplib_request(
+ protocol, host, port, path, connection_factory, request_body):
+ """
+ :param request_body: Request body
+ :param connection_factory: Connection class to use. Will be called
+ with the host and port arguments.
+
+ Perform a HTTP(s) request.
+ """
+ if isinstance(host, unicode):
+ host = host.encode('utf-8')
+ uri = '%s://%s%s' % (protocol, ipautil.format_netloc(host, port), path)
+ root_logger.info('request %r', uri)
+ root_logger.debug('request body %r', request_body)
+ try:
+ conn = connection_factory(host, port)
+ conn.request('POST', uri,
+ body=request_body,
+ headers={'Content-type': 'application/x-www-form-urlencoded'},
+ )
res = conn.getresponse()
http_status = res.status
@@ -203,42 +274,9 @@ def https_request(host, port, url, secdir, password, nickname, **kw):
except Exception, e:
raise NetworkError(uri=uri, error=str(e))
+ root_logger.debug('request status %d', http_status)
+ root_logger.debug('request reason_phrase %r', http_reason_phrase)
+ root_logger.debug('request headers %s', http_headers)
+ root_logger.debug('request body %r', http_body)
+
return http_status, http_reason_phrase, http_headers, http_body
-
-def http_request(host, port, url, **kw):
- """
- :param url: The URL to post to.
- :param kw: Keyword arguments to encode into POST body.
- :return: (http_status, http_reason_phrase, http_headers, http_body)
- as (integer, unicode, dict, str)
-
- Perform an HTTP request.
- """
- if isinstance(host, unicode):
- host = host.encode('utf-8')
- uri = 'http://%s%s' % (ipautil.format_netloc(host, port), url)
- post = urlencode(kw)
- root_logger.info('request %r', uri)
- root_logger.debug('request post %r', post)
- conn = httplib.HTTPConnection(host, port)
- try:
- conn.request('POST', url,
- body=post,
- headers={'Content-type': 'application/x-www-form-urlencoded'},
- )
- res = conn.getresponse()
-
- http_status = res.status
- http_reason_phrase = unicode(res.reason, 'utf-8')
- http_headers = res.msg.dict
- http_body = res.read()
- conn.close()
- except NSPRError, e:
- raise NetworkError(uri=uri, error=str(e))
-
- root_logger.debug('request status %d', http_status)
- root_logger.debug('request reason_phrase %r', http_reason_phrase)
- root_logger.debug('request headers %s', http_headers)
- root_logger.debug('request body %r', http_body)
-
- return http_status, http_reason_phrase, http_headers, http_body
diff --git a/ipapython/platform/fedora16.py b/ipapython/platform/fedora16.py
index 794c39e2091f9402282e18fbe162d40892cb1e0d..2e8ec3fb8aee1d45805b5409d1ece0105f3a82a6 100644
--- a/ipapython/platform/fedora16.py
+++ b/ipapython/platform/fedora16.py
@@ -17,9 +17,13 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-from ipapython import ipautil
-from ipapython.platform import base, redhat, systemd
import os
+import time
+
+from ipapython import ipautil, dogtag
+from ipapython.platform import base, redhat, systemd
+from ipapython.ipa_log_manager import root_logger
+from ipalib import api
# All what we allow exporting directly from this module
# Everything else is made available through these symbols when they are
@@ -128,15 +132,49 @@ class Fedora16SSHService(Fedora16Service):
def get_config_dir(self, instance_name=""):
return '/etc/ssh'
+
+class Fedora16CAService(Fedora16Service):
+ def __wait_until_running(self):
+ if dogtag.install_constants.DOGTAG_VERSION < 10:
+ # The server status information isn't available on DT 9
+ return
+ root_logger.debug('Waiting until the CA is running')
+ timeout = api.env.startup_timeout
+ op_timeout = time.time() + timeout
+ while time.time() < op_timeout:
+ status = dogtag.ca_status()
+ root_logger.debug('The CA status is: %s' % status)
+ if status == 'running':
+ break
+ root_logger.debug('Waiting for CA to start...')
+ time.sleep(1)
+ else:
+ raise RuntimeError('CA did not start in %ss' % timeout)
+
+ def start(self, instance_name="", capture_output=True, wait=True):
+ super(Fedora16CAService, self).start(
+ instance_name, capture_output=capture_output, wait=wait)
+ if wait and wait != 'no-proxy':
+ self.__wait_until_running()
+
+ def restart(self, instance_name="", capture_output=True, wait=True):
+ super(Fedora16CAService, self).restart(
+ instance_name, capture_output=capture_output, wait=wait)
+ if wait and wait != 'no-proxy':
+ self.__wait_until_running()
+
+
# Redirect directory server service through special sub-class due to its
# special handling of instances
def f16_service(name):
if name == 'dirsrv':
return Fedora16DirectoryService(name)
if name == 'ipa':
return Fedora16IPAService(name)
if name == 'sshd':
return Fedora16SSHService(name)
+ if name in ('pki-cad', 'pki_cad', 'pki-tomcatd', 'pki_tomcatd'):
+ return Fedora16CAService(name)
return Fedora16Service(name)
class Fedora16Services(base.KnownServices):
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index f2ac840aef1a52ec78b6232c94029cf6a009c501..5e4642711dc4fbc670e3f3454ad83eb03e97c91d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -41,6 +41,7 @@
from ipalib import pkcs10, x509
from ipapython.dn import DN
import subprocess
+import traceback
from nss.error import NSPRError
import nss.nss as nss
@@ -390,6 +391,7 @@ def restart_instance(self):
sys.exit(1)
except Exception:
# TODO: roll back here?
+ root_logger.debug(traceback.format_exc())
root_logger.critical("Failed to restart the directory server. See the installation log for details.")
def uninstall(self):
@@ -854,9 +856,13 @@ def __configure_instance(self):
def __restart_instance(self):
try:
- self.restart(self.dogtag_constants.PKI_INSTANCE_NAME)
+ # The HTTP proxy for the getStatus endpoint is not set up yet,
+ # call with "no-proxy" so we don't try to wait for it
+ self.restart(
+ self.dogtag_constants.PKI_INSTANCE_NAME, wait='no-proxy')
except Exception:
# TODO: roll back here?
+ root_logger.debug(traceback.format_exc())
root_logger.critical("Failed to restart the certificate server. See the installation log for details.")
def __disable_nonce(self):
@@ -1541,6 +1547,9 @@ def install_replica_ca(config, postinstall=False):
master_host=config.master_host_name,
subject_base=config.subject_base)
+ # Restart httpd since we changed its config
+ ipaservices.knownservices.httpd.restart()
+
# The dogtag DS instance needs to be restarted after installation.
# The procedure for this is: stop dogtag, stop DS, start DS, start
# dogtag
--
1.7.11.7
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
