Re: [Freeipa-devel] [PATCH 3/3] Get list of service from LDAP only at startup
Simo Sorce wrote:
On Mon, 2012-10-29 at 15:41 -0400, Rob Crittenden wrote:
Simo Sorce wrote:
On Fri, 2012-10-26 at 16:30 -0400, Rob Crittenden wrote:
Simo Sorce wrote:
From: Simo Sorce

We check (possibly different) data from LDAP only at (re)start. This way we always shutdown exactly the services we started even if the list changed in the meanwhile (we avoid leaving a service running even if it was removed from LDAP as the admin decided it should not be started in future).

This should also fix a problematic deadlock with systemd when we try to read the list of service from LDAP at shutdown.

I'm thinking that in patch 2 we need to be sure the name is unique, for whatever reason, when starting a service. I'm not sure if it is related to this or not:

...
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Sample zone file for bind has been created in /tmp/sample.zone.t1LC7e.db
Restarting the web server
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1
[root@rawhide2 freeipa]# cat /var/run/ipa/services.list
["messagebus", "certmonger", "ntpd", "messagebus", "certmonger", "messagebus", "certmonger", "certmonger", "messagebus", "certmonger", "certmonger", "krb5kdc", "messagebus", "certmonger", "certmonger"]

Maybe I should add code to remove entries on stop() ?
I haven't considered the case where our own code stop instances outside of ipactl stop

Now having duplicate instances shouldn't be fatal but maybe systemd is returning an error to signal the instance was already started ?

Maybe converting the list to a set before starting would be enough.

I can easily weed out duplicates, but I am relying on the order in this list in the code by using reverse() so that services are stopped in reverse order. However the fact you can restart single services will make this sorta break I guess. I am going to think about ordering and propose a solution that properly handles that, the main issue is that SERVICE_LIST cannot be used because it uses the original 'abstract' names, while the service class now uses this wellknown service name.

I don't see any smoking gun in the install log:

2012-10-26T20:27:40Z DEBUG Starting external process
2012-10-26T20:27:40Z DEBUG args=/bin/systemctl restart ipa.service
2012-10-26T20:27:42Z DEBUG Process finished, return code=1
2012-10-26T20:27:42Z DEBUG stdout=
2012-10-26T20:27:42Z DEBUG stderr=Job for ipa.service failed. See 'systemctl status ipa.service' and 'journalctl' for details.

2012-10-26T20:27:42Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1100, in main
    ipaservices.knownservices.ipa.enable()

  File "/usr/lib/python2.7/site-packages/ipapython/platform/fedora16.py", line 129, in enable
    self.restart(instance_name)

  File "/usr/lib/python2.7/site-packages/ipapython/platform/systemd.py", line 104, in restart
    ipautil.run(["/bin/systemctl", "restart", self.service_instance(instance_name)], capture_output=capture_output)

  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 323, in run
    raise CalledProcessError(p.returncode, arg_string)

2012-10-26T20:27:42Z INFO The ipa-server-install command failed, exception: CalledProcessError: Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1

So it returned just 1 without any error message ?

Simo.

# /bin/systemctl status ipa.service
ipa.service - Identity, Policy, Audit
   Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
   Active: failed (Result: exit-code) since Fri, 26 Oct 2012 16:27:42 -0400; 2 days ago
  Process: 17543 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE)
   CGroup: name=systemd:/system/ipa.service

Oct 26 16:27:40 rawhide2.greyoak.com systemd[1]: Starting Identity, Policy, Audit...
Oct 26 16:27:41 rawhide2.greyoak.com ipactl[17543]: IPA service already started!
Oct 26 16:27:42 rawhide2.greyoak.com systemd[1]: Failed to start Identity, Policy, Audit.

I don't think this depends on my patch.

Simo.

It seems to be. I can't install in F-18 at all with your 3 patches applied.

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 3/3] Get list of service from LDAP only at startup
From: Simo Sorce We check (possibly different) data from LDAP only at (re)start. This way we always shutdown exactly the services we started even if the list changed in the meanwhile (we avoid leaving a service running even if it was removed from LDAP as the admin decided it should not be started in future). This should also fix a problematic deadlock with systemd when we try to read the list of service from LDAP at shutdown. --- freeipa.spec.in|2 + init/systemd/ipa.conf.tmpfiles |1 + install/tools/ipactl | 218 +--- 3 files changed, 160 insertions(+), 61 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index af76118fd0294fa4d8934b747c254b891ae7f2cb..397d60b1d2a22b1d1eb26b8f567f381da526f282 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -447,6 +447,7 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_sysconfdir}/tmpfil mkdir -p %{buildroot}%{_localstatedir}/run/ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/ +install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/ mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so @@ -624,6 +625,7 @@ fi %{_sysconfdir}/cron.d/ipa-compliance %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/ +%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/ %if 0%{?fedora} >= 15 %config %{_sysconfdir}/tmpfiles.d/ipa.conf %endif diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles index e4b679a55d68a6b83991ac72dd520c32b2a0de50..1e7a896ed8df00c97f2d092504e2a65960bb341d 100644 --- a/init/systemd/ipa.conf.tmpfiles +++ b/init/systemd/ipa.conf.tmpfiles @@ -1 +1,2 @@ d /var/run/ipa_memcached 0700 apache apache +d /var/run/ipa 0700 root root diff --git a/install/tools/ipactl b/install/tools/ipactl index d4b2c0878f2b62fd12198f76bef01ef70e9f3de1..24e1df150566ee391798dc03043963ddc55545d5 100755 --- a/install/tools/ipactl 
+++ b/install/tools/ipactl @@ -34,6 +34,7 @@ try: import ldap.sasl import ldapurl import socket +import json except ImportError: print >> sys.stderr, """\ There was a problem importing one of the required Python modules. The @@ -162,11 +163,45 @@ def get_config(dirsrv): for p in entry[1]['ipaConfigString']: if p.startswith('startOrder '): order = p.split()[1] -svc_list.append((order, name)) +svc_list.append([order, name]) -return svc_list +ordered_list = [] +for (order, svc) in sorted(svc_list): +if svc in service.SERVICE_LIST: +ordered_list.append(service.SERVICE_LIST[svc][0]) +return ordered_list + +def get_config_from_file(): + +svc_list = [] + +try: +f = open(ipaservices.get_svc_list_file(), 'r') +svc_list = json.load(f) +except Exception, e: +raise IpactlError("Unknown error when retrieving list of services from file: " + str(e)) + +# the framework can start/stop a number of related services we are not +# authoritative for, so filter the list through SERVICES_LIST and order it +# accordingly too. + +def_svc_list = [] +for svc in service.SERVICE_LIST: +s = service.SERVICE_LIST[svc] +def_svc_list.append([s[1], s[0]]) + +ordered_list = [] +for (order, svc) in sorted(def_svc_list): +if svc in svc_list: +ordered_list.append(svc) + +return ordered_list def ipa_start(options): + +if os.path.isfile(ipaservices.get_svc_list_file()): +raise IpactlError("IPA service already started!") + dirsrv = ipaservices.knownservices.dirsrv try: print "Starting Directory Service" @@ -174,11 +209,11 @@ def ipa_start(options): except Exception, e: raise IpactlError("Failed to start Directory Service: " + str(e)) -svc_list = [] +ldap_list = [] try: svc_list = get_config(dirsrv) except Exception, e: -emit_err("Failed to read data from Directory Service: " + str(e)) +emit_err("Failed to data from service file: " + str(e)) emit_err("Shutting down") try: dirsrv.stop(capture_output=False) 
@@ -191,21 +226,19 @@ def ipa_start(options): raise IpactlError() if len(svc_list) == 0: -# no service to stop +# no service to start return -for (order, svc) in sorted(svc_list): -svc_name = service.SERVICE_LIST[svc][0] -svchandle = ipaservices.service(svc_name) +for svc in svc_list: +svchandle = ipaservices.service(svc) try: print "Starting %s Service" % svc -svchandle.start(capture_output=get_capture_output(svc_name, options.debug)) +svchandle.start(capture_output=get_capture_output(svc, options.debug)) except:
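Review bot: In the ipa_start hunk at @@ -174,11 +209,11 @@ the initialiser becomes 'ldap_list = []' while the next line still assigns 'svc_list = get_config(dirsrv)', so ldap_list is never used in the visible lines and looks like a leftover rename. The reworded message 'Failed to data from service file: ' has lost its verb and names the service file although this call still reads from the Directory Service; keep the original wording on this path and either drop ldap_list or use it consistently.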
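Review bot: The guard added at the top of ipa_start in the @@ -162,11 +163,45 @@ hunk, 'if os.path.isfile(ipaservices.get_svc_list_file()): raise IpactlError("IPA service already started!")', treats the existence of the list file as proof that IPA is running. A file left behind by an earlier run then makes every later 'ipactl start' fail, which matches the 'IPA service already started!' line in the journal output reported in this thread. Suggest confirming that the listed services are actually running before refusing to start.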
[Freeipa-devel] [PATCH 3/3] Get list of service from LDAP only at startup
From: Simo Sorce We check (possibly different) data from LDAP only at (re)start. This way we always shutdown exactly the services we started even if the list changed in the meanwhile (we avoid leaving a service running even if it was removed from LDAP as the admin decided it should not be started in future). This should also fix a problematic deadlock with systemd when we try to read the list of service from LDAP at shutdown. --- freeipa.spec.in|2 + init/systemd/ipa.conf.tmpfiles |1 + install/tools/ipactl | 199 3 files changed, 143 insertions(+), 59 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index af76118fd0294fa4d8934b747c254b891ae7f2cb..397d60b1d2a22b1d1eb26b8f567f381da526f282 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -447,6 +447,7 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_sysconfdir}/tmpfil mkdir -p %{buildroot}%{_localstatedir}/run/ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/ +install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/ mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so @@ -624,6 +625,7 @@ fi %{_sysconfdir}/cron.d/ipa-compliance %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/ +%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/ %if 0%{?fedora} >= 15 %config %{_sysconfdir}/tmpfiles.d/ipa.conf %endif diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles index e4b679a55d68a6b83991ac72dd520c32b2a0de50..1e7a896ed8df00c97f2d092504e2a65960bb341d 100644 --- a/init/systemd/ipa.conf.tmpfiles +++ b/init/systemd/ipa.conf.tmpfiles @@ -1 +1,2 @@ d /var/run/ipa_memcached 0700 apache apache +d /var/run/ipa 0700 root root diff --git a/install/tools/ipactl b/install/tools/ipactl index d4b2c0878f2b62fd12198f76bef01ef70e9f3de1..9b151ab9f9bd10423d5145a1fcf028b6ddb65096 100755 --- a/install/tools/ipactl 
+++ b/install/tools/ipactl @@ -34,6 +34,7 @@ try: import ldap.sasl import ldapurl import socket +import json except ImportError: print >> sys.stderr, """\ There was a problem importing one of the required Python modules. The @@ -162,11 +163,30 @@ def get_config(dirsrv): for p in entry[1]['ipaConfigString']: if p.startswith('startOrder '): order = p.split()[1] -svc_list.append((order, name)) +svc_list.append([order, name]) + +ordered_list = [] +for (order, svc) in sorted(svc_list): +ordered_list.append(service.SERVICE_LIST[svc][0]) +return ordered_list + +def get_config_from_file(): + +svc_list = [] + +try: +f = open(ipaservices.get_svc_list_file(), 'r') +svc_list = json.load(f) +except Exception, e: +raise IpactlError("Unknown error when retrieving list of services from file: " + str(e)) return svc_list def ipa_start(options): + +if os.path.isfile(ipaservices.get_svc_list_file()): +raise IpactlError("IPA service already started!") + dirsrv = ipaservices.knownservices.dirsrv try: print "Starting Directory Service" @@ -174,7 +194,7 @@ def ipa_start(options): except Exception, e: raise IpactlError("Failed to start Directory Service: " + str(e)) -svc_list = [] +ldap_list = [] try: svc_list = get_config(dirsrv) except Exception, e: 
@@ -191,21 +211,19 @@ def ipa_start(options): raise IpactlError() if len(svc_list) == 0: -# no service to stop +# no service to start return -for (order, svc) in sorted(svc_list): -svc_name = service.SERVICE_LIST[svc][0] -svchandle = ipaservices.service(svc_name) +for svc in svc_list: +svchandle = ipaservices.service(svc) try: print "Starting %s Service" % svc -svchandle.start(capture_output=get_capture_output(svc_name, options.debug)) +svchandle.start(capture_output=get_capture_output(svc, options.debug)) except: emit_err("Failed to start %s Service" % svc) emit_err("Shutting down") -for (order, svc) in sorted(svc_list): -svc_name = service.SERVICE_LIST[svc][0] -svc_off = ipaservices.service(svc_name) +for svc in svc_list: +svc_off = ipaservices.service(svc) try: svc_off.stop(capture_output=False) except: @@ -220,11 +238,10 @@ def ipa_stop(options): dirsrv = ipaservices.knownservices.dirsrv svc_list = [] try: -svc_list = get_config(dirsrv) +svc_list = get_config_from_file() except Exception, e: -# ok if dirsrv died this may fail, so let's try to quickly restart it -# and see if we
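Review bot: In the get_config hunk, 'ordered_list.append(service.SERVICE_LIST[svc][0])' indexes SERVICE_LIST with a name read from LDAP without checking that the key exists. An entry that is not in SERVICE_LIST raises KeyError, which is then caught by the 'except Exception, e' around get_config(dirsrv) in ipa_start as if the directory read had failed. Suggest skipping unknown names with an 'if svc in service.SERVICE_LIST' test before the append.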
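Review bot: In the ipa_stop hunk, 'svc_list = get_config_from_file()' now depends on the list file, but get_config_from_file wraps every failure, a missing file included, in IpactlError("Unknown error when retrieving list of services from file: ..."). Since ipa_start uses the file's existence as its started marker, a missing file at stop time is the ordinary not-running case; suggest handling it separately from unreadable or malformed content and giving each its own message.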
Re: [Freeipa-devel] [PATCH 3/3] Get list of service from LDAP only at startup
On Mon, 2012-10-29 at 15:41 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Fri, 2012-10-26 at 16:30 -0400, Rob Crittenden wrote:
> >> Simo Sorce wrote:
> >>> From: Simo Sorce
> >>>
> >>> We check (possibly different) data from LDAP only at (re)start.
> >>> This way we always shutdown exactly the services we started even if the list
> >>> changed in the meanwhile (we avoid leaving a service running even if it was
> >>> removed from LDAP as the admin decided it should not be started in future).
> >>>
> >>> This should also fix a problematic deadlock with systemd when we try to read
> >>> the list of service from LDAP at shutdown.
> >>
> >> I'm thinking that in patch 2 we need to be sure the name is unique, for
> >> whatever reason, when starting a service. I'm not sure if it is related
> >> to this or not:
> >>
> >> ...
> >> Done configuring the web interface (httpd).
> >> Applying LDAP updates
> >> Restarting the directory server
> >> Restarting the KDC
> >> Sample zone file for bind has been created in /tmp/sample.zone.t1LC7e.db
> >> Restarting the web server
> >> Unexpected error - see /var/log/ipaserver-install.log for details:
> >> CalledProcessError: Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1
> >> [root@rawhide2 freeipa]# cat /var/run/ipa/services.list
> >> ["messagebus", "certmonger", "ntpd", "messagebus", "certmonger", "messagebus", "certmonger", "certmonger", "messagebus", "certmonger", "certmonger", "krb5kdc", "messagebus", "certmonger", "certmonger"]
> >
> > Maybe I should add code to remove entries on stop() ?
> > I haven't considered the case where our own code stop instances outside
> > of ipactl stop
> >
> > Now having duplicate instances shouldn't be fatal but maybe systemd is
> > returning an error to signal the instance was already started ?
>
> Maybe converting the list to a set before starting would be enough.

I can easily weed out duplicates, but I am relying on the order in this list in the code by using reverse() so that services are stopped in reverse order. However the fact you can restart single services will make this sorta break I guess. I am going to think about ordering and propose a solution that properly handles that, the main issue is that SERVICE_LIST cannot be used because it uses the original 'abstract' names, while the service class now uses this wellknown service name.

> >
> >> I don't see any smoking gun in the install log:
> >>
> >> 2012-10-26T20:27:40Z DEBUG Starting external process
> >> 2012-10-26T20:27:40Z DEBUG args=/bin/systemctl restart ipa.service
> >> 2012-10-26T20:27:42Z DEBUG Process finished, return code=1
> >> 2012-10-26T20:27:42Z DEBUG stdout=
> >> 2012-10-26T20:27:42Z DEBUG stderr=Job for ipa.service failed. See 'systemctl status ipa.service' and 'journalctl' for details.
> >>
> >> 2012-10-26T20:27:42Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 614, in run_script
> >>     return_value = main_function()
> >>
> >>   File "/usr/sbin/ipa-server-install", line 1100, in main
> >>     ipaservices.knownservices.ipa.enable()
> >>
> >>   File "/usr/lib/python2.7/site-packages/ipapython/platform/fedora16.py", line 129, in enable
> >>     self.restart(instance_name)
> >>
> >>   File "/usr/lib/python2.7/site-packages/ipapython/platform/systemd.py", line 104, in restart
> >>     ipautil.run(["/bin/systemctl", "restart", self.service_instance(instance_name)], capture_output=capture_output)
> >>
> >>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 323, in run
> >>     raise CalledProcessError(p.returncode, arg_string)
> >>
> >> 2012-10-26T20:27:42Z INFO The ipa-server-install command failed, exception: CalledProcessError: Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1
> >
> > So it returned just 1 without any error message ?
> >
> > Simo.
> >
>
> # /bin/systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
>    Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
>    Active: failed (Result: exit-code) since Fri, 26 Oct 2012 16:27:42 -0400; 2 days ago
>   Process: 17543 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE)
>    CGroup: name=systemd:/system/ipa.service
>
> Oct 26 16:27:40 rawhide2.greyoak.com systemd[1]: Starting Identity, Policy, Audit...
> Oct 26 16:27:41 rawhide2.greyoak.com ipactl[17543]: IPA service already started!
> Oct 26 16:27:42 rawhide2.greyoak.com systemd[1]: Failed to start Identity, Policy, Audit.

I don't think this depends on my patch.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
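The duplicate and ordering problem discussed in the message above, as an added sketch that is not FreeIPA code: keeping the first occurrence of each name preserves start order across single-service restarts (which a plain set() would lose), and removing a name on stop keeps the list equal to what is running. The class and function names are hypothetical; the sample is the services.list content quoted in the thread.

```python
import json


def dedupe_keep_order(names):
    """Drop repeated names, keeping each at the position of its first start."""
    seen = set()
    ordered = []
    for name in names:
        if name not in seen:
            seen.add(name)
            ordered.append(name)
    return ordered


class StartedServices(object):
    """In-memory model of a started-services list (hypothetical helper)."""

    def __init__(self, names=()):
        self.names = dedupe_keep_order(names)

    @classmethod
    def from_json(cls, text):
        # Reject anything that is not a JSON array of strings before use.
        data = json.loads(text)
        if not isinstance(data, list) or not all(isinstance(n, str) for n in data):
            raise ValueError("services list must be a JSON array of strings")
        return cls(data)

    def record_start(self, name):
        # Restarting an already recorded service must not move or repeat it.
        if name not in self.names:
            self.names.append(name)

    def record_stop(self, name):
        # A service stopped individually no longer belongs in the list.
        if name in self.names:
            self.names.remove(name)

    def stop_order(self):
        # Shutdown walks the start order backwards.
        return list(reversed(self.names))

    def to_json(self):
        return json.dumps(self.names)


# Content of /var/run/ipa/services.list as quoted in the thread.
SAMPLE = ('["messagebus", "certmonger", "ntpd", "messagebus", "certmonger", '
          '"messagebus", "certmonger", "certmonger", "messagebus", "certmonger", '
          '"certmonger", "krb5kdc", "messagebus", "certmonger", "certmonger"]')

if __name__ == "__main__":
    state = StartedServices.from_json(SAMPLE)
    print("start order:", state.names)
    state.record_start("certmonger")   # a restart: list is unchanged
    print("stop order: ", state.stop_order())
    state.record_stop("ntpd")
    print("persisted:  ", state.to_json())
```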
Re: [Freeipa-devel] [PATCH 3/3] Get list of service from LDAP only at startup
Simo Sorce wrote:
On Fri, 2012-10-26 at 16:30 -0400, Rob Crittenden wrote:
Simo Sorce wrote:
From: Simo Sorce

We check (possibly different) data from LDAP only at (re)start. This way we always shutdown exactly the services we started even if the list changed in the meanwhile (we avoid leaving a service running even if it was removed from LDAP as the admin decided it should not be started in future).

This should also fix a problematic deadlock with systemd when we try to read the list of service from LDAP at shutdown.

I'm thinking that in patch 2 we need to be sure the name is unique, for whatever reason, when starting a service. I'm not sure if it is related to this or not:

...
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Sample zone file for bind has been created in /tmp/sample.zone.t1LC7e.db
Restarting the web server
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1
[root@rawhide2 freeipa]# cat /var/run/ipa/services.list
["messagebus", "certmonger", "ntpd", "messagebus", "certmonger", "messagebus", "certmonger", "certmonger", "messagebus", "certmonger", "certmonger", "krb5kdc", "messagebus", "certmonger", "certmonger"]

Maybe I should add code to remove entries on stop() ?
I haven't considered the case where our own code stop instances outside of ipactl stop

Now having duplicate instances shouldn't be fatal but maybe systemd is returning an error to signal the instance was already started ?

Maybe converting the list to a set before starting would be enough.

I don't see any smoking gun in the install log:

2012-10-26T20:27:40Z DEBUG Starting external process
2012-10-26T20:27:40Z DEBUG args=/bin/systemctl restart ipa.service
2012-10-26T20:27:42Z DEBUG Process finished, return code=1
2012-10-26T20:27:42Z DEBUG stdout=
2012-10-26T20:27:42Z DEBUG stderr=Job for ipa.service failed. See 'systemctl status ipa.service' and 'journalctl' for details.

2012-10-26T20:27:42Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1100, in main
    ipaservices.knownservices.ipa.enable()

  File "/usr/lib/python2.7/site-packages/ipapython/platform/fedora16.py", line 129, in enable
    self.restart(instance_name)

  File "/usr/lib/python2.7/site-packages/ipapython/platform/systemd.py", line 104, in restart
    ipautil.run(["/bin/systemctl", "restart", self.service_instance(instance_name)], capture_output=capture_output)

  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 323, in run
    raise CalledProcessError(p.returncode, arg_string)

2012-10-26T20:27:42Z INFO The ipa-server-install command failed, exception: CalledProcessError: Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1

So it returned just 1 without any error message ?

Simo.

# /bin/systemctl status ipa.service
ipa.service - Identity, Policy, Audit
   Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
   Active: failed (Result: exit-code) since Fri, 26 Oct 2012 16:27:42 -0400; 2 days ago
  Process: 17543 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE)
   CGroup: name=systemd:/system/ipa.service

Oct 26 16:27:40 rawhide2.greyoak.com systemd[1]: Starting Identity, Policy, Audit...
Oct 26 16:27:41 rawhide2.greyoak.com ipactl[17543]: IPA service already started!
Oct 26 16:27:42 rawhide2.greyoak.com systemd[1]: Failed to start Identity, Policy, Audit.
Re: [Freeipa-devel] [PATCH 3/3] Get list of service from LDAP only at startup
On Fri, 2012-10-26 at 16:30 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > From: Simo Sorce
> >
> > We check (possibly different) data from LDAP only at (re)start.
> > This way we always shutdown exactly the services we started even if the list
> > changed in the meanwhile (we avoid leaving a service running even if it was
> > removed from LDAP as the admin decided it should not be started in future).
> >
> > This should also fix a problematic deadlock with systemd when we try to read
> > the list of service from LDAP at shutdown.
>
> I'm thinking that in patch 2 we need to be sure the name is unique, for
> whatever reason, when starting a service. I'm not sure if it is related
> to this or not:
>
> ...
> Done configuring the web interface (httpd).
> Applying LDAP updates
> Restarting the directory server
> Restarting the KDC
> Sample zone file for bind has been created in /tmp/sample.zone.t1LC7e.db
> Restarting the web server
> Unexpected error - see /var/log/ipaserver-install.log for details:
> CalledProcessError: Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1
> [root@rawhide2 freeipa]# cat /var/run/ipa/services.list
> ["messagebus", "certmonger", "ntpd", "messagebus", "certmonger", "messagebus", "certmonger", "certmonger", "messagebus", "certmonger", "certmonger", "krb5kdc", "messagebus", "certmonger", "certmonger"]

Maybe I should add code to remove entries on stop() ?
I haven't considered the case where our own code stop instances outside of ipactl stop

Now having duplicate instances shouldn't be fatal but maybe systemd is returning an error to signal the instance was already started ?

> I don't see any smoking gun in the install log:
>
> 2012-10-26T20:27:40Z DEBUG Starting external process
> 2012-10-26T20:27:40Z DEBUG args=/bin/systemctl restart ipa.service
> 2012-10-26T20:27:42Z DEBUG Process finished, return code=1
> 2012-10-26T20:27:42Z DEBUG stdout=
> 2012-10-26T20:27:42Z DEBUG stderr=Job for ipa.service failed. See 'systemctl status ipa.service' and 'journalctl' for details.
>
> 2012-10-26T20:27:42Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 614, in run_script
>     return_value = main_function()
>
>   File "/usr/sbin/ipa-server-install", line 1100, in main
>     ipaservices.knownservices.ipa.enable()
>
>   File "/usr/lib/python2.7/site-packages/ipapython/platform/fedora16.py", line 129, in enable
>     self.restart(instance_name)
>
>   File "/usr/lib/python2.7/site-packages/ipapython/platform/systemd.py", line 104, in restart
>     ipautil.run(["/bin/systemctl", "restart", self.service_instance(instance_name)], capture_output=capture_output)
>
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 323, in run
>     raise CalledProcessError(p.returncode, arg_string)
>
> 2012-10-26T20:27:42Z INFO The ipa-server-install command failed, exception: CalledProcessError: Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1

So it returned just 1 without any error message ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH 3/3] Get list of service from LDAP only at startup
Simo Sorce wrote:
From: Simo Sorce

We check (possibly different) data from LDAP only at (re)start. This way we always shutdown exactly the services we started even if the list changed in the meanwhile (we avoid leaving a service running even if it was removed from LDAP as the admin decided it should not be started in future).

This should also fix a problematic deadlock with systemd when we try to read the list of service from LDAP at shutdown.

I'm thinking that in patch 2 we need to be sure the name is unique, for whatever reason, when starting a service. I'm not sure if it is related to this or not:

...
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Sample zone file for bind has been created in /tmp/sample.zone.t1LC7e.db
Restarting the web server
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1
[root@rawhide2 freeipa]# cat /var/run/ipa/services.list
["messagebus", "certmonger", "ntpd", "messagebus", "certmonger", "messagebus", "certmonger", "certmonger", "messagebus", "certmonger", "certmonger", "krb5kdc", "messagebus", "certmonger", "certmonger"]

I don't see any smoking gun in the install log:

2012-10-26T20:27:40Z DEBUG Starting external process
2012-10-26T20:27:40Z DEBUG args=/bin/systemctl restart ipa.service
2012-10-26T20:27:42Z DEBUG Process finished, return code=1
2012-10-26T20:27:42Z DEBUG stdout=
2012-10-26T20:27:42Z DEBUG stderr=Job for ipa.service failed. See 'systemctl status ipa.service' and 'journalctl' for details.

2012-10-26T20:27:42Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1100, in main
    ipaservices.knownservices.ipa.enable()

  File "/usr/lib/python2.7/site-packages/ipapython/platform/fedora16.py", line 129, in enable
    self.restart(instance_name)

  File "/usr/lib/python2.7/site-packages/ipapython/platform/systemd.py", line 104, in restart
    ipautil.run(["/bin/systemctl", "restart", self.service_instance(instance_name)], capture_output=capture_output)

  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 323, in run
    raise CalledProcessError(p.returncode, arg_string)

2012-10-26T20:27:42Z INFO The ipa-server-install command failed, exception: CalledProcessError: Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1
[Freeipa-devel] [PATCH 3/3] Get list of service from LDAP only at startup
From: Simo Sorce We check (possibly different) data from LDAP only at (re)start. This way we always shutdown exactly the services we started even if the list changed in the meanwhile (we avoid leaving a service running even if it was removed from LDAP as the admin decided it should not be started in future). This should also fix a problematic deadlock with systemd when we try to read the list of service from LDAP at shutdown. --- freeipa.spec.in|2 + init/systemd/ipa.conf.tmpfiles |1 + install/tools/ipactl | 199 3 files changed, 143 insertions(+), 59 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 916630029f6dfac8ef32dabb00f338052cbbf08e..41745c318655fa3eb37a512aaf253016f1620581 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -446,6 +446,7 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_sysconfdir}/tmpfil mkdir -p %{buildroot}%{_localstatedir}/run/ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/ +install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/ mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so @@ -623,6 +624,7 @@ fi %{_sysconfdir}/cron.d/ipa-compliance %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/ +%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/ %if 0%{?fedora} >= 15 %config %{_sysconfdir}/tmpfiles.d/ipa.conf %endif diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles index e4b679a55d68a6b83991ac72dd520c32b2a0de50..1e7a896ed8df00c97f2d092504e2a65960bb341d 100644 --- a/init/systemd/ipa.conf.tmpfiles +++ b/init/systemd/ipa.conf.tmpfiles @@ -1 +1,2 @@ d /var/run/ipa_memcached 0700 apache apache +d /var/run/ipa 0700 root root diff --git a/install/tools/ipactl b/install/tools/ipactl index d4b2c0878f2b62fd12198f76bef01ef70e9f3de1..9b151ab9f9bd10423d5145a1fcf028b6ddb65096 100755 --- a/install/tools/ipactl 
+++ b/install/tools/ipactl @@ -34,6 +34,7 @@ try: import ldap.sasl import ldapurl import socket +import json except ImportError: print >> sys.stderr, """\ There was a problem importing one of the required Python modules. The @@ -162,11 +163,30 @@ def get_config(dirsrv): for p in entry[1]['ipaConfigString']: if p.startswith('startOrder '): order = p.split()[1] -svc_list.append((order, name)) +svc_list.append([order, name]) + +ordered_list = [] +for (order, svc) in sorted(svc_list): +ordered_list.append(service.SERVICE_LIST[svc][0]) +return ordered_list + +def get_config_from_file(): + +svc_list = [] + +try: +f = open(ipaservices.get_svc_list_file(), 'r') +svc_list = json.load(f) +except Exception, e: +raise IpactlError("Unknown error when retrieving list of services from file: " + str(e)) return svc_list def ipa_start(options): + +if os.path.isfile(ipaservices.get_svc_list_file()): +raise IpactlError("IPA service already started!") + dirsrv = ipaservices.knownservices.dirsrv try: print "Starting Directory Service" @@ -174,7 +194,7 @@ def ipa_start(options): except Exception, e: raise IpactlError("Failed to start Directory Service: " + str(e)) -svc_list = [] +ldap_list = [] try: svc_list = get_config(dirsrv) except Exception, e: 
@@ -191,21 +211,19 @@ def ipa_start(options): raise IpactlError() if len(svc_list) == 0: -# no service to stop +# no service to start return -for (order, svc) in sorted(svc_list): -svc_name = service.SERVICE_LIST[svc][0] -svchandle = ipaservices.service(svc_name) +for svc in svc_list: +svchandle = ipaservices.service(svc) try: print "Starting %s Service" % svc -svchandle.start(capture_output=get_capture_output(svc_name, options.debug)) +svchandle.start(capture_output=get_capture_output(svc, options.debug)) except: emit_err("Failed to start %s Service" % svc) emit_err("Shutting down") -for (order, svc) in sorted(svc_list): -svc_name = service.SERVICE_LIST[svc][0] -svc_off = ipaservices.service(svc_name) +for svc in svc_list: +svc_off = ipaservices.service(svc) try: svc_off.stop(capture_output=False) except: @@ -220,11 +238,10 @@ def ipa_stop(options): dirsrv = ipaservices.knownservices.dirsrv svc_list = [] try: -svc_list = get_config(dirsrv) +svc_list = get_config_from_file() except Exception, e: -# ok if dirsrv died this may fail, so let's try to quickly restart it -# and see if we
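Review bot: In the @@ -162,11 +163,30 @@ hunk, get_config_from_file opens the list file with 'f = open(ipaservices.get_svc_list_file(), 'r')' and never closes it, and 'return svc_list' hands back whatever json.load produced without checking its shape. Suggest a with block for the file, and a check that the result is a list of strings naming known services before ipa_stop uses it.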
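Review bot: In the ipa_start hunk at @@ -191,21 +211,19 @@ the rollback after a failed start iterates 'for svc in svc_list:' in start order and calls stop on every entry, including services that were never started. Suggest stopping only the services started so far, in reverse order, so the rollback mirrors the shutdown order.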