On 2015-07-07 15:41, Simo Sorce wrote:
> On Tue, 2015-07-07 at 08:48 -0400, Nathaniel McCallum wrote:
>>> On Jul 6, 2015, at 11:35 AM, Christian Heimes <chei...@redhat.com> wrote:
>>> Hello,
>>> I'd like to ask for your opinion regarding the pre-exec hook
>>> 'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error
>>> cases like LDAP connection timeout more gracefully. At the moment any
>>> error causes the script to return a non-zero exit code. This breaks the
>>> service and apparently also offline RPM upgrades.
>>> How should I handle error cases? I can change httpd.service to simply
>>> ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an
>>> invalid state. I could modify the script to catch connection errors and
>>> to disable kdcproxy in case of an error.
>>> The options are:
>>> 1) httpd.service ignores exit code of ipa-httpd-kdcproxy
>>> 2) ipa-httpd-kdcproxy removes kdcproxy config file in case of a
>>> connection error
>>> 3) 1 + 2
>>> What do you think?
>> If ipa-httpd-kdcproxy cannot contact LDAP, kdcproxy MUST NOT be
>> enabled. So #2.
>> However, ipa-httpd-kdcproxy should leave error codes to real
>> catastrophic failures and http.service should be aware of these. So
>> not #1.
>> Nathaniel
> IMO it is ok for httpd to fail to start if the kdc-proxy cannot contact
> LDAP, because other stuff will fail too if that's the case anyway.
> In fact I had to change my replica promotion patches to account for this
> as it was failing here, for various reasons, on one restart during the
> install. :-)

Without LDAP none of the IPA services in Apache are usable. From that
perspective it doesn't make much of a difference.

However Alexander is worried about a different thing. When LDAP isn't
running or GSSAPI fails, then the service can't be restarted and offline
RPM update fails. We can either fix the offline update problem in the
spec file (ignore systemctl failures) or in the ipa-httpd-kdcproxy script.

Since my script is new and changes behavior, I'm reluctant to say that
I'm to blame. :)
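
The behaviour Nathaniel argues for above (option 2 without option 1), as an added sketch that is not part of the thread or FreeIPA's code: a failed directory lookup disables the proxy and still exits 0, while a non-zero exit is kept for being unable to write or remove the config. `DirectoryUnavailable`, `pre_exec_hook`, `lookup_enabled` and the config path are hypothetical names, and the real LDAP query is replaced by a callable.

```python
import os

EXIT_OK, EXIT_FATAL = 0, 1


class DirectoryUnavailable(Exception):
    """Constructed stand-in for an LDAP timeout or a GSSAPI failure."""


def disable_proxy(conf_path):
    """Remove the proxy config; a missing file already means 'disabled'."""
    try:
        os.unlink(conf_path)
    except FileNotFoundError:
        pass


def pre_exec_hook(lookup_enabled, conf_path, conf_body="# kdcproxy enabled\n"):
    """Return the exit code the unit's pre-exec step would see.

    lookup_enabled is a callable that returns True or False, or raises
    DirectoryUnavailable when the directory cannot be reached.
    """
    try:
        try:
            enabled = lookup_enabled()
        except DirectoryUnavailable:
            # Fail closed: no answer from the directory means the proxy
            # stays off, but the web server is still allowed to start.
            enabled = False
        if enabled:
            with open(conf_path, "w") as fh:
                fh.write(conf_body)
        else:
            disable_proxy(conf_path)
    except OSError:
        # The config could not be brought into a known state on disk.
        # This is the catastrophic case that should stop the service.
        return EXIT_FATAL
    return EXIT_OK
```

With this split the unit file does not need to ignore the hook's exit code, and an unreachable directory during an offline upgrade no longer blocks the restart.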

