On 9.11.2015 16:51, Rob Crittenden wrote:
Jan Cholasta wrote:
Hi,
the attached patch fixes <https://fedorahosted.org/freeipa/ticket/5436>.
Honza
There be a note in renew_ra_cert that the lock is obtained in advance by
renew_ra_cert_pre.
Added comment.
It looks like it will silently fail if the lock cannot be acquired. Is
that desired?
All unhandled exceptions are logged to syslog in both renew_ra_cert_pre
and renew_ra_cert:
try:
main()
except Exception:
syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
Updated patch attached.
--
Jan Cholasta
From a1beeccedf53678e1522002b366d2d7e7a4f447f Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 9 Nov 2015 10:53:02 +0100
Subject: [PATCH] cert renewal: make renewal of ipaCert atomic
This prevents errors when renewing other certificates during the renewal of
ipaCert.
https://fedorahosted.org/freeipa/ticket/5436
---
install/restart_scripts/Makefile.am | 1 +
install/restart_scripts/renew_ra_cert | 5 ++++-
install/restart_scripts/renew_ra_cert_pre | 18 ++++++++++++++++++
ipaserver/install/cainstance.py | 2 +-
ipaserver/install/server/upgrade.py | 4 ++--
5 files changed, 26 insertions(+), 4 deletions(-)
create mode 100755 install/restart_scripts/renew_ra_cert_pre
diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am
index 58057aa..c4bf819 100644
--- a/install/restart_scripts/Makefile.am
+++ b/install/restart_scripts/Makefile.am
@@ -7,6 +7,7 @@ app_DATA = \
renew_ca_cert \
renew_ra_cert \
stop_pkicad \
+ renew_ra_cert_pre \
$(NULL)
EXTRA_DIST = \
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index cf770a9..9b5e231 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -77,8 +77,11 @@ def _main():
def main():
- with certs.renewal_lock:
+ try:
_main()
+ finally:
+ # lock acquired in renew_ra_cert_pre
+ certs.renewal_lock.release('renew_ra_cert')
try:
diff --git a/install/restart_scripts/renew_ra_cert_pre b/install/restart_scripts/renew_ra_cert_pre
new file mode 100755
index 0000000..d0f743c
--- /dev/null
+++ b/install/restart_scripts/renew_ra_cert_pre
@@ -0,0 +1,18 @@
+#!/usr/bin/python2 -E
+#
+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
+#
+
+import syslog
+import traceback
+
+from ipaserver.install import certs
+
+
+def main():
+ certs.renewal_lock.acquire('renew_ra_cert')
+
+try:
+ main()
+except Exception:
+ syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 23fdf30..1cbc0d0 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1339,7 +1339,7 @@ class CAInstance(DogtagInstance):
pin=None,
pinfile=paths.ALIAS_PWDFILE_TXT,
secdir=paths.HTTPD_ALIAS_DIR,
- pre_command=None,
+ pre_command='renew_ra_cert_pre',
post_command='renew_ra_cert')
except RuntimeError as e:
self.log.error(
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 4337995..b9621a3 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -806,7 +806,7 @@ def certificate_renewal_update(ca):
dogtag_constants = dogtag.configured_constants()
# bump version when requests is changed
- version = 3
+ version = 4
requests = (
(
dogtag_constants.ALIAS_DIR,
@@ -844,7 +844,7 @@ def certificate_renewal_update(ca):
paths.HTTPD_ALIAS_DIR,
'ipaCert',
'dogtag-ipa-ca-renew-agent',
- None,
+ 'renew_ra_cert_pre',
'renew_ra_cert',
None,
),
--
2.4.3
From d19a34271a779eee62f30c479b20adf502c751e5 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 9 Nov 2015 10:53:02 +0100
Subject: [PATCH] cert renewal: make renewal of ipaCert atomic
This prevents errors when renewing other certificates during the renewal of
ipaCert.
https://fedorahosted.org/freeipa/ticket/5436
---
install/restart_scripts/Makefile.am | 1 +
install/restart_scripts/renew_ra_cert | 5 ++++-
install/restart_scripts/renew_ra_cert_pre | 18 ++++++++++++++++++
ipaserver/install/cainstance.py | 2 +-
ipaserver/install/server/upgrade.py | 4 ++--
5 files changed, 26 insertions(+), 4 deletions(-)
create mode 100755 install/restart_scripts/renew_ra_cert_pre
diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am
index 58057aa..c4bf819 100644
--- a/install/restart_scripts/Makefile.am
+++ b/install/restart_scripts/Makefile.am
@@ -7,6 +7,7 @@ app_DATA = \
renew_ca_cert \
renew_ra_cert \
stop_pkicad \
+ renew_ra_cert_pre \
$(NULL)
EXTRA_DIST = \
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index 3a36f73..988ada9 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -77,8 +77,11 @@ def _main():
def main():
- with certs.renewal_lock:
+ try:
_main()
+ finally:
+ # lock acquired in renew_ra_cert_pre
+ certs.renewal_lock.release('renew_ra_cert')
try:
diff --git a/install/restart_scripts/renew_ra_cert_pre b/install/restart_scripts/renew_ra_cert_pre
new file mode 100755
index 0000000..d0f743c
--- /dev/null
+++ b/install/restart_scripts/renew_ra_cert_pre
@@ -0,0 +1,18 @@
+#!/usr/bin/python2 -E
+#
+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
+#
+
+import syslog
+import traceback
+
+from ipaserver.install import certs
+
+
+def main():
+ certs.renewal_lock.acquire('renew_ra_cert')
+
+try:
+ main()
+except Exception:
+ syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index dfe023c..d230c9b 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1305,7 +1305,7 @@ class CAInstance(DogtagInstance):
pin=None,
pinfile=paths.ALIAS_PWDFILE_TXT,
secdir=paths.HTTPD_ALIAS_DIR,
- pre_command=None,
+ pre_command='renew_ra_cert_pre',
post_command='renew_ra_cert')
except RuntimeError, e:
self.log.error(
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index e0a45a0..c8f744c 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -799,7 +799,7 @@ def certificate_renewal_update(ca):
dogtag_constants = dogtag.configured_constants()
# bump version when requests is changed
- version = 3
+ version = 4
requests = (
(
dogtag_constants.ALIAS_DIR,
@@ -837,7 +837,7 @@ def certificate_renewal_update(ca):
paths.HTTPD_ALIAS_DIR,
'ipaCert',
'dogtag-ipa-ca-renew-agent',
- None,
+ 'renew_ra_cert_pre',
'renew_ra_cert',
None,
),
--
2.4.3
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code