Patch for ticket 3964 changed the installer so that it does not
always wait for CA if the proxy is not configured. However,
it was found that it may freeze an installation when
a step subsequent to the CA restart calls the CA and receives no
reply.

Change the wait so that it always waits for CA to start up. If
HTTP proxy is already configured, it should wait on port 443.
If not, it should wait on local PKI port 8443.

https://fedorahosted.org/freeipa/ticket/3973

-- 
Martin Kosek <mko...@redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
From d1ee8e86c50ff35f3a22e8377e969ceb7c7d19ec Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Wed, 16 Oct 2013 09:58:23 +0200
Subject: [PATCH] Installer should always wait until CA starts up

Patch for ticket 3964 changed the installer so that it does not
always wait for CA if the proxy is not configured. However,
it was found that it may freeze an installation when
a step subsequent to the CA restart calls the CA and receives no
reply.

Change the wait so that it always waits for CA to start up. If
HTTP proxy is already configured, it should wait on port 443.
If not, it should wait on local PKI port 8443.

https://fedorahosted.org/freeipa/ticket/3973
---
 ipapython/dogtag.py                    | 10 +++++++---
 ipapython/platform/fedora16/service.py |  7 ++++---
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index ec3f2beb8d4feb283570b8cc21be8ee08f89c983..ea769b0275c4642d5da457996165e5a348cb7299 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -184,7 +184,7 @@ def get_ca_certchain(ca_host=None, dogtag_constants=None):
     return chain
 
 
-def ca_status(ca_host=None):
+def ca_status(ca_host=None, use_proxy=True):
     """Return the status of the CA, and the httpd proxy in front of it
 
     The returned status can be:
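Review bot: The docstring of ca_status() still reads "Return the status of the CA, and the httpd proxy in front of it", which is no longer true when use_proxy=False, and the new parameter is not documented. Please add a line to the docstring saying that use_proxy=True checks through the httpd proxy on port 443 and use_proxy=False queries the local PKI port directly, so callers know which component a given status actually covers.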
@@ -194,9 +194,13 @@ def ca_status(ca_host=None):
     """
     if ca_host is None:
         ca_host = api.env.ca_host
-    # Use port 443 to test the proxy as well
+    if use_proxy:
+        # Use port 443 to test the proxy as well
+        ca_port = 443
+    else:
+        ca_port = 8443
     status, reason, headers, body = unauthenticated_https_request(
-        ca_host, 443, '/ca/admin/ca/getStatus')
+        ca_host, ca_port, '/ca/admin/ca/getStatus')
     if status == 503:
         # Service temporarily unavailable
         return reason
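Review bot: The else branch sets ca_port = 8443 as a bare literal with no comment, while the 443 branch keeps its explanation. Please add a comment that this is the local PKI port, and consider taking the value from the Dogtag configuration instead of hard-coding it, since get_ca_certchain() just above already accepts a dogtag_constants argument and a second copy of the port number can drift from it.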
diff --git a/ipapython/platform/fedora16/service.py b/ipapython/platform/fedora16/service.py
index 36e7a31c41307e16178a9bb5ec9491063d3d7213..edf2d7ff824399171f59a72a9b8fb49b1c4b08df 100644
--- a/ipapython/platform/fedora16/service.py
+++ b/ipapython/platform/fedora16/service.py
@@ -143,17 +143,18 @@ def __wait_until_running(self):
         # Unfortunately, knownservices.httpd.is_installed() can return
         # false positives, so check for existence of our configuration file.
         # TODO: Use a cleaner solution
+        use_proxy = True
         if not (os.path.exists('/etc/httpd/conf.d/ipa.conf') and
                 os.path.exists('/etc/httpd/conf.d/ipa-pki-proxy.conf')):
             root_logger.debug(
-                'The httpd proxy is not installed, skipping wait for CA')
-            return
+                'The httpd proxy is not installed, wait on local port')
+            use_proxy = False
         root_logger.debug('Waiting until the CA is running')
         timeout = api.env.startup_timeout
         op_timeout = time.time() + timeout
         while time.time() < op_timeout:
             try:
-                status = dogtag.ca_status()
+                status = dogtag.ca_status(use_proxy=use_proxy)
             except Exception:
                 status = 'check interrupted'
             root_logger.debug('The CA status is: %s' % status)
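Review bot: use_proxy is decided only by whether ipa.conf and ipa-pki-proxy.conf exist, which the comment above already flags as a workaround, so when the files are present but httpd is not serving yet the loop polls port 443 for the whole startup_timeout. Because "except Exception" turns every failure into the string 'check interrupted', the debug log will not show why or on which port the check failed. Please log the caught exception and the value of use_proxy (or the port) in the "The CA status is" message, so a stalled install can be diagnosed from the log.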
-- 
1.8.3.1
