URL: https://github.com/freeipa/freeipa/pull/1177
Author: tomaskrizek
Title: #1177: [Backport][ipa-4-6] Increase dbus client timeouts during CA install
Action: opened

PR body:
"""
This PR was opened automatically because PR #1170 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1177/head:pr1177
git checkout pr1177
From 2370b4d9d66396a626f8321d894a6e9a103b14bd Mon Sep 17 00:00:00 2001
From: John Morris <j...@zultron.com>
Date: Wed, 13 Sep 2017 11:27:48 -0500
Subject: [PATCH] Increase dbus client timeouts during CA install

When running on memory-constrained systems, the `ipa-server-install`
program often fails during the "Configuring certificate server
(pki-tomcatd)" stage in FreeIPA 4.5 and 4.6.

The memory-intensive dogtag service causes swapping on low-memory
systems right after start-up, and especially new certificate
operations requested via certmonger can exceed the dbus client default
25 second timeout.

This patch changes dbus client timeouts for some such operations to
120 seconds (from the default 25 seconds, IIRC).

See more discussion in FreeIPA PR #1078 [1] and FreeIPA container
issue #157 [2].  Upstream ticket at [3].

[1]: https://github.com/freeipa/freeipa/pull/1078
[2]: https://github.com/freeipa/freeipa-container/issues/157
[3]: https://pagure.io/freeipa/issue/7213
---
 ipalib/constants.py                 | 2 ++
 ipalib/install/certmonger.py        | 5 ++++-
 ipaserver/install/dogtaginstance.py | 5 ++++-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index dce0b152ad..7e1c72d588 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -287,6 +287,8 @@
 IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca'
 RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent'
 RENEWAL_REUSE_CA_NAME = 'dogtag-ipa-ca-renew-agent-reuse'
+# How long dbus clients should wait for CA certificate RPCs [seconds]
+CA_DBUS_TIMEOUT = 120
 
 # regexp definitions
 PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
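Review bot: The comment above `CA_DBUS_TIMEOUT` should record the baseline it replaces, since the commit message only says "25 seconds, IIRC" and that rationale will otherwise be lost once the change lands; something like "dbus-python proxy calls default to a 25 s timeout; CA operations on a swapping dogtag can take much longer" makes the 120 value reviewable later. A docstring-style note that the constant is meant to be passed as the `timeout=` keyword of dbus proxy calls would also help the next caller use it consistently.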
diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
index e52005c2a6..8179da6e76 100644
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -32,6 +32,7 @@
 import subprocess
 import tempfile
 from ipalib import api
+from ipalib.constants import CA_DBUS_TIMEOUT
 from ipapython.dn import DN
 from ipaplatform.paths import paths
 from ipaplatform import services
@@ -620,7 +621,9 @@ def modify_ca_helper(ca_name, helper):
         old_helper = ca_iface.Get('org.fedorahosted.certmonger.ca',
                                   'external-helper')
         ca_iface.Set('org.fedorahosted.certmonger.ca',
-                     'external-helper', helper)
+                     'external-helper', helper,
+                     # Give dogtag extra time to generate cert
+                     timeout=CA_DBUS_TIMEOUT)
         return old_helper
 
 
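Review bot: Only the `ca_iface.Set(...)` call gets `timeout=CA_DBUS_TIMEOUT`; the `ca_iface.Get('org.fedorahosted.certmonger.ca', 'external-helper')` call two lines above on the same interface still runs with the default timeout. If certmonger is busy servicing a certificate request on a swapping system (the exact condition this patch targets), that `Get` can hit the same 25 s limit and `modify_ca_helper` fails before reaching the `Set`. Either pass the same `timeout=` to the `Get`, or add a comment explaining why only the `Set` needs it.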
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 96f78cecfb..bcc9265de9 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -31,6 +31,7 @@
 
 from ipalib import api, errors, x509
 from ipalib.install import certmonger
+from ipalib.constants import CA_DBUS_TIMEOUT
 from ipaplatform import services
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
@@ -262,7 +263,9 @@ def configure_certmonger_renewal(self):
                 iface.add_known_ca(
                     name,
                     command,
-                    dbus.Array([], dbus.Signature('s')))
+                    dbus.Array([], dbus.Signature('s')),
+                    # Give dogtag extra time to generate cert
+                    timeout=CA_DBUS_TIMEOUT)
 
     def __get_pin(self):
         try:
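Review bot: The inline comment "Give dogtag extra time to generate cert" is copied verbatim from the `certmonger.py` hunk, but this call is `iface.add_known_ca(name, command, ...)`, which registers a CA with certmonger rather than generating a certificate; reword it to say what this call actually waits on (certmonger processing the new CA entry while the host is under memory pressure) so the two timeouts are not assumed to cover the same operation. It would also be worth stating in the commit message that these are the only two call sites changed, since other dbus calls made during installation keep the default timeout.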
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org