Jan Cholasta wrote:
> On 23.7.2014 12:23, Martin Kosek wrote:
>> On 07/23/2014 10:49 AM, Jan Cholasta wrote:
>>> On 23.7.2014 10:38, Martin Kosek wrote:
>>>> On 07/23/2014 10:33 AM, Jan Cholasta wrote:
>>>>> On 23.7.2014 10:12, Martin Kosek wrote:
>>>>>> On 07/23/2014 09:56 AM, David Kupka wrote:
>>>>>>> While solving ticket #4280 I noticed that we are messing with certmonger's
>>>>>>> files right under its hands. That can lead to some unpleasant race condition
>>>>>>> issues.
>>>>>>> Is there any reason why not to call certmonger via DBus and ask it to stop
>>>>>>> tracking the requests?
>>>>>>
>>>>>> +1 for using the dbus API. When I saw the hacky way of parsing certmonger
>>>>>> internal configuration files in ipapython/certmonger.py, I suggested the dbus
>>>>>> way as IMO it would not be difficult to implement, it would make us more
>>>>>> future proof and it would remove intermittent problems like #4280.
>>>>>
>>>>> I have already started using the API, e.g. for adding/removing of the CA
>>>>> helper in cainstance. Word of warning, the API apparently is not exercised
>>>>> much and there might be bugs (I found one causing certmonger to segfault
>>>>> which Nalin promptly fixed).
>>>>
>>>> Yup, this is the place where the inspiration came from :-)
>>>>
>>>>>> Certmonger API looked complete enough to pull this off:
>>>>>> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt
>>>>>>
>>>>>> If I am wrong, please tell me.
>>>>>
>>>>> IIRC some of the properties in requests might not be accessible using the
>>>>> API. But I'm not sure if this is true or if it affects us.
>>>>
>>>> I did a couple of tests and it seems that getting properties works fine:
>>>>
>>>> >>> import dbus
>>>> >>> bus = dbus.SystemBus()
>>>> >>> obj = bus.get_object('org.fedorahosted.certmonger', '/org/fedorahosted/certmonger')
>>>> >>> iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
>>>> >>> reqs = iface.get_requests()
>>>> >>> req = bus.get_object('org.fedorahosted.certmonger', reqs[0])
>>>> >>> iface_request = dbus.Interface(req, 'org.fedorahosted.certmonger.request')
>>>> >>> iface_request.get_nickname()
>>>> dbus.String(u'20140723081859')
>>>> >>> iface_request.get_status()
>>>> (dbus.String(u'MONITORING'), dbus.Boolean(False))
>>>> >>> iface_request.get_key_storage_info()
>>>> (dbus.String(u'NSSDB'), dbus.String(u'/etc/pki/pki-tomcat/alias'),
>>>>  dbus.String(u'auditSigningCert cert-pki-ca'), dbus.String(u'NSS Certificate DB'))
>>>> >>> iface_request.get_cert_data()
>>>> dbus.String(u'-----BEGIN CERTIFICATE-----\n[certificate data omitted]\n-----END CERTIFICATE-----\n\n')
>>>>
>>>> Martin
>>>>
>>>
>>> When I said "some of the properties", I certainly did not mean the absolute
>>> basics, but rather stuff like "cert-presave-command".
>>
>> Ah, ok. Then I think this snippet will help:
>>
>> >>> properties_manager = dbus.Interface(req, 'org.freedesktop.DBus.Properties')
>> >>> properties_manager.Get('org.fedorahosted.certmonger.request', 'cert-presave-command')
>> dbus.String(u'/usr/lib64/ipa/certmonger/stop_pkicad')
>> >>> properties_manager.Get('org.fedorahosted.certmonger.request', 'cert-postsave-command')
>> dbus.String(u'/usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"')
>>
>> Martin
>>
> 
> Nice, I think we are good to go then.
> 

+1 on DBus.

And to answer David's second question, yes, it would be bad to stop
tracking these requests automatically because we don't know what they
are. A customer could be using certmonger for their own purposes.

rob
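
Added example, not part of the thread and not FreeIPA's code: a sketch of stopping tracking over D-Bus while leaving alone any request that cannot be positively identified, as the last reply asks. It uses get_requests() and get_key_storage_info() as shown in the session above; remove_request() is assumed from certmonger's doc/api.txt, and the helper names (owned, stop_tracking, system_bus_proxies) are hypothetical.

```python
"""Stop tracking only the certmonger requests we can positively identify."""

CM_BUS = "org.fedorahosted.certmonger"
CM_PATH = "/org/fedorahosted/certmonger"
CM_REQUEST_IF = "org.fedorahosted.certmonger.request"


def owned(storage_info, expected):
    """True if a get_key_storage_info() tuple matches an expected
    (type, location, nickname) triple exactly. Tuples with fewer than
    three fields (e.g. file-backed storage) never match."""
    info = tuple(str(v) for v in storage_info)
    return len(info) >= 3 and info[:3] == tuple(expected)


def stop_tracking(manager, open_request, expected, dry_run=False):
    """Remove requests whose key storage matches one of `expected`.

    manager      -- proxy for the org.fedorahosted.certmonger interface
    open_request -- callable: object path -> request interface proxy
    Returns the object paths removed (or that would be, if dry_run)."""
    removed = []
    for path in manager.get_requests():
        info = open_request(path).get_key_storage_info()
        if not any(owned(info, e) for e in expected):
            continue  # not ours: may belong to the administrator
        if not dry_run:
            # remove_request: assumed from certmonger's doc/api.txt
            manager.remove_request(path)
        removed.append(str(path))
    return removed


def system_bus_proxies():
    """Build real proxies; needs dbus-python and a running certmonger."""
    import dbus
    bus = dbus.SystemBus()
    manager = dbus.Interface(bus.get_object(CM_BUS, CM_PATH), CM_BUS)

    def open_request(path):
        return dbus.Interface(bus.get_object(CM_BUS, path), CM_REQUEST_IF)
    return manager, open_request
```

Running with dry_run=True first lists what would be removed without changing certmonger's state.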
