On Thu, 17 Apr 2014 16:21:19 +0200
Martin Kosek <mko...@redhat.com> wrote:

> On 04/17/2014 04:10 PM, Rob Crittenden wrote:
> > Misnyovszki Adam wrote:
> >> Hi,
> >> this patch modifies ipa-server-install to warn the user if there
> >> is a lack of entropy, and also runs generate-rndc-key.sh before the
> >> named restart, to ensure that it can start before systemd times out.
> > 
> > I think the exception should be logged in check_entropy() in case
> > this ever does fail (the file name changes, the format changes,
> > etc).
> > 
> > There should be a try/except around the run() call.
> > 
> > I noticed that /etc/rndc.key isn't removed on uninstall, which I
> > guess means the same key will be re-used. Should we be removing
> > that?
> > 
> > rob
> 
> Also, bare exceptions are bad!
> 
> +    except:
> +        service.print_msg("Could not determine entropy, possible
> long delays")
> 
> Next, you do all the checks in ipa-server-install, while they should
> be in service files, like krbinstance.py so that it is also checked
> in other installers, like ipa-replica-install.
> 
> Same for DNS, it should be a separate step in bindinstance.py so that
> when the installation is hanging, you can see
> 
>  [X/Y] Generating rndc key file
> 
> and know that it is hanging on that part.
> 
> I would not misuse "service.print_msg" for regular messages, I would
> only do the
> 
> service.print_msg("WARNING: Your system is running out of entropy,
> expect long delays!")
> 
> others can either be turned into a separate installation step or a
> debug log message.
> 
> Martin

Hi,
according to a personal discussion with Martin, see the corrected patch!
Thanks
Adam
From 13b267ed4a06c8c3a2f6ed74b2ef7d7ba55c0f36 Mon Sep 17 00:00:00 2001
From: Adam Misnyovszki <amisn...@redhat.com>
Date: Fri, 18 Apr 2014 15:44:11 +0200
Subject: [PATCH] Call generate-rndc-key.sh during ipa-server-install

Since systemd has by default a 2 minute timeout to start
a service, the end of ipa-server-install might fail
because starting named times out. This patch ensures that
generate-rndc-key.sh runs before named service restart.

Also, a warning message is displayed before the KDC install and
generate-rndc-key.sh if there is a lack of entropy, to
notify the user that the process could take more time
than expected.

https://fedorahosted.org/freeipa/ticket/4210
---
 ipaserver/install/bindinstance.py |  7 +++++++
 ipaserver/install/installutils.py | 20 +++++++++++++++++++-
 ipaserver/install/krbinstance.py  |  2 ++
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 613af5c9139a3f52102a6baadcff017d64b60c3e..c5ff76726ddd6d0c1abcec353badd636af81395e 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -523,6 +523,9 @@ class BindInstance(service.Service):
         if installutils.record_in_hosts(self.ip_address, self.fqdn) is None:
             installutils.add_record_to_hosts(self.ip_address, self.fqdn)
 
+        # Make sure generate-rndc-key.sh runs before named restart
+        self.step("generating rndc key file", self.__generate_rndc_key)
+
         if self.first_instance:
             self.step("adding DNS container", self.__setup_dns_container)
 
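Review bot: The uninstall question raised earlier in the thread is still open with this hunk: the new step sits outside the `if self.first_instance:` branch, so it runs on every BindInstance setup, yet nothing in the patch removes /etc/rndc.key on uninstall, so whatever key is on disk is carried into the next install. Either add the key file to the uninstall cleanup in this change or state in the commit message why it is intentionally left in place.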
@@ -820,6 +823,10 @@ class BindInstance(service.Service):
         except IOError as e:
             root_logger.error('Could not write to resolv.conf: %s', e)
 
+    def __generate_rndc_key(self):
+        installutils.check_entropy()
+        ipautil.run(['/usr/libexec/generate-rndc-key.sh'])
+
     def add_master_dns_records(self, fqdn, ip_address, realm_name, domain_name,
                                reverse_zone, ntp=False, ca_configured=None):
         self.fqdn = fqdn
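Review bot: `__generate_rndc_key` has no error handling around the `ipautil.run()` call, which Rob asked for in the thread; if /usr/libexec/generate-rndc-key.sh is absent or exits non-zero, `run()` raises and the installer aborts with a bare traceback that does not say what it was trying to do. Suggest catching the failure, logging the command output with `root_logger.error` (the pattern used a few lines above for resolv.conf), and re-raising with a message that names the step. The script path is also hard-coded inline; a module-level constant would be easier to adjust per platform.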
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index daf81e890c33e9a9bd30763ff8d0788313a1dbda..d2662046f569d99f4e2bffbddaa704628e6d1504 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -41,7 +41,7 @@ from ipalib.util import validate_hostname
 from ipapython import config
 from ipalib import errors
 from ipapython.dn import DN
-from ipaserver.install import certs
+from ipaserver.install import certs, service
 from ipapython import services as ipaservices
 
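Review bot: Adding `service` to this import creates a name clash: `stopped_service(service, instance_name="")` in the same file (its signature is the header of the next hunk) takes a parameter called `service`, which now shadows the module inside that function. It works because that function only needs the string, but it is confusing and triggers pylint's redefined-outer-name warning; import the module under another name (e.g. `from ipaserver.install import service as ipaservice`) or rename the parameter. Also confirm that `ipaserver.install.service` does not import `installutils` itself, otherwise this becomes a circular import.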
 # Used to determine install status
@@ -846,3 +846,21 @@ def stopped_service(service, instance_name=""):
         finally:
             root_logger.debug('Starting %s%s.', service, log_instance_name)
             ipaservices.knownservices[service].start(instance_name)
+
+def check_entropy():
+    '''
+    Checks if the system has enough entropy, if not, displays warning message
+    '''
+    try:
+        with open('/proc/sys/kernel/random/entropy_avail', 'r') as efname:
+            if int(efname.read()) < 200:
+                emsg = "WARNING: Your system is running out of entropy, expect long delays!"
+                service.print_msg(emsg)
+                root_logger.debug(emsg)
+    except IOError as e:
+        root_logger.debug("Could not open /proc/sys/kernel/random/entropy_avail: %s" % \
+            e)
+    except ValueError as e:
+        root_logger.debug("Invalid value in /proc/sys/kernel/random/entropy_avail %s" % \
+            e)
+
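Review bot: Three small points in `check_entropy()`: the `200` threshold is a magic number, so give it a named module-level constant with a comment on why that value was chosen; the two `except` branches build the message with `%` and a backslash continuation before calling `root_logger.debug`, whereas bindinstance.py in the same patch passes the argument to the logger (`root_logger.error('...: %s', e)`), which is shorter and avoids the continuation; and the last `+` line adds a trailing blank line at end of file, which git will flag. Since `entropy_avail` is a momentary reading, the docstring should also say the warning is advisory: a low value at the instant of the check does not by itself mean the following step will block.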
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index caa70a4477a93dc0158d8e6ea4138cfb800455fe..d46826aee7f68c34727014d71c18bf583837b9c9 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -156,6 +156,8 @@ class KrbInstance(service.Service):
             # It could have been not running
             pass
 
+        installutils.check_entropy()
+
     def __common_post_setup(self):
         self.step("starting the KDC", self.__start_instance)
         self.step("configuring KDC to start on boot", self.__enable)
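Review bot: `installutils.check_entropy()` is appended to the tail of the method that tolerates the service not running (the `try`/`except ... pass` above it), so the warning is emitted as a side effect of that step rather than as a visible step of its own, which is what Martin asked for in the thread. If the intent is to warn right before the KDC is started, call it at the top of `__start_instance` or register it as its own step in `__common_post_setup` ahead of "starting the KDC", so the WARNING line appears next to the step that may stall.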
-- 
1.9.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
