On Tue, 2015-07-07 at 08:48 -0400, Nathaniel McCallum wrote:
> > On Jul 6, 2015, at 11:35 AM, Christian Heimes <chei...@redhat.com> wrote:
> >
> > Hello,
> >
> > I like to ask for your opinion regarding the pre-exec hook
> > 'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error
> > cases like LDAP connection timeout more gracefully. At the moment any
> > error causes the script to return a non-zero exit code. This breaks the
> > service and apparently also offline RPM upgrades.
> >
> > How should I handle error cases? I can change httpd.service to simply
> > ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an
> > invalid state. I could modify the script to catch connection errors and
> > to disable kdcproxy in case of an error.
> >
> > The options are:
> >
> > 1) httpd.service ignores exit code of ipa-httpd-kdcproxy
> > 2) ipa-httpd-kdcproxy removes kdcproxy config file in case of a
> > connection error
> > 3) 1 + 2
> >
> > What do you think?
>
> If ipa-httpd-kdcproxy cannot contact LDAP, kdcproxy MUST NOT be
> enabled. So #2.
>
> However, ipa-httpd-kdcproxy should leave error codes to real
> catastrophic failures and http.service should be aware of these. So
> not #1.
>
> Nathaniel
>
IMO it is ok for httpd to fail to start if the kdc-proxy cannot contact
LDAP, because other stuff will fail too if that's the case anyway.

In fact I had to change my replica promotion patches to account for this
as it was failing here, for various reasons, on one restart during the
install. :-)

Simo.

--
Simo Sorce * Red Hat, Inc * New York
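
Option 2 from the quoted message, combined with the "not #1" constraint, as an added example that is not part of this thread or of FreeIPA's code. The names `DirectoryUnavailable`, `sync_proxy_config` and `lookup_enabled`, and the config path and body passed in, are hypothetical stand-ins for the real hook's LDAP lookup and config file.

```python
import os
import tempfile


class DirectoryUnavailable(Exception):
    """Hypothetical error: LDAP could not be reached (timeout, refused)."""


def _remove(path):
    try:
        os.remove(path)
    except FileNotFoundError:
        pass  # already absent, which is the state we want


def _write_atomic(path, body):
    # Write beside the target and rename, so httpd never reads a partial file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    os.replace(tmp, path)


def sync_proxy_config(lookup_enabled, conf_path, conf_body):
    """Return the exit code a pre-exec hook would hand to the service manager.

    lookup_enabled() returns True/False and raises DirectoryUnavailable when
    the directory cannot be contacted; any other exception is a real failure.
    """
    try:
        enabled = lookup_enabled()
    except DirectoryUnavailable:
        # Option 2: state unknown, so the proxy config is removed (fail
        # closed) while the web server itself is still allowed to start.
        _remove(conf_path)
        return 0
    except Exception:
        # Real failure: non-zero so the unit sees it (exit code not ignored).
        return 1
    if enabled:
        _write_atomic(conf_path, conf_body)
    else:
        _remove(conf_path)
    return 0
```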