Re: [Freeipa-devel] [PATCH] 0042-0043 Avoid race condition in profile creation

2015-11-23 Thread Jan Cholasta

On 23.11.2015 10:04, Jan Cholasta wrote:

On 23.11.2015 06:46, Fraser Tweedale wrote:

The attached patch 0043 fixes #5269[1]: nondeterministic failure of
certificate profile creation during ipa-server-install.

[1] https://fedorahosted.org/freeipa/ticket/5269

The other patch 0042 is drive-by improvements of IPA install/upgrade
logging that I did while diagnosing the issue.

Thanks,
Fraser



Patch 0042: Does not apply on master.

Patch 0043: ACK


I have rebased the patches on top of master, see attachment.

ACK and pushed to:
master: 5136cd6e4bd305d6f4b6bf22d22fb4abc365cfad
ipa-4-2: a8a666416201a7a7d6739f60854c5e5223b9ceb5

--
Jan Cholasta
From 9e0e735fa6bb042fbc5acd5b02d4d5da716c737d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Fri, 20 Nov 2015 15:39:00 +1100
Subject: [PATCH 1/2] TLS and Dogtag HTTPS request logging improvements

Pretty printing the TLS peer certificate to logs on every request
introduces a lot of noise; do not log it (subject name, key usage
and validity are still logged).

Fix and tidy up some HTTP logging messages for Dogtag requests.

Part of: https://fedorahosted.org/freeipa/ticket/5269
---
 ipapython/dogtag.py | 9 -
 ipapython/nsslib.py | 3 ---
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 51c2ec9..71de96d 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -324,7 +324,7 @@ def _httplib_request(
 if isinstance(host, unicode):
 host = host.encode('utf-8')
 uri = '%s://%s%s' % (protocol, ipautil.format_netloc(host, port), path)
-root_logger.debug('request %r', uri)
+root_logger.debug('request %s %s', method, uri)
 root_logger.debug('request body %r', request_body)
 
 headers = headers or {}
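Review bot: `root_logger.debug('request body %r', request_body)` still writes the complete request body to the debug log on every call, so anything a caller puts in the body (credentials, tokens, PKCS#10 data) lands verbatim in the install/upgrade log; since this patch is already trimming TLS log noise, consider capping the logged length or masking known sensitive fields here as well. The new `root_logger.debug('request %s %s', method, uri)` is an improvement, since the method was previously not recorded at all.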
@@ -347,9 +347,8 @@ def _httplib_request(
 except Exception as e:
 raise NetworkError(uri=uri, error=str(e))
 
-root_logger.debug('request status %d',http_status)
-root_logger.debug('request reason_phrase %r', http_reason_phrase)
-root_logger.debug('request headers %s',   http_headers)
-root_logger.debug('request body %r',  http_body)
+root_logger.debug('response status %d %s', http_status, http_reason_phrase)
+root_logger.debug('response headers %s',   http_headers)
+root_logger.debug('response body %r',  http_body)
 
 return http_status, http_reason_phrase, http_headers, http_body
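Review bot: the same full-body logging concern applies to `root_logger.debug('response body %r',  http_body)`: Dogtag responses can be large (profile XML, certificate chains) and the debug log will carry all of it; a length cap would keep the log readable. Minor style point: the extra spaces before `http_headers` and `http_body` are alignment left over from the removed `reason_phrase` line and no longer line up with `'response status %d %s', http_status, http_reason_phrase`; tidy them since that line is gone.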
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index 5ae79b6..06e5329 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -48,9 +48,6 @@ def auth_certificate_callback(sock, check_sig, is_server, certdb):
 
 cert = sock.get_peer_certificate()
 
-root_logger.debug("auth_certificate_callback: check_sig=%s is_server=%s\n%s",
-  check_sig, is_server, str(cert))
-
 pin_args = sock.get_pkcs11_pin_arg()
 if pin_args is None:
 pin_args = ()
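Review bot: removing the whole debug call also drops `check_sig` and `is_server`, which are cheap one-line values useful when diagnosing a failed TLS handshake, while the commit message only promises to stop dumping the certificate. Keep a trimmed line, e.g. `root_logger.debug("auth_certificate_callback: check_sig=%s is_server=%s", check_sig, is_server)`, and let the remaining subject/key usage/validity logging carry the certificate details.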
-- 
2.4.3

From 8103ab5efe32859678430145407cdb19dc77f542 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Fri, 20 Nov 2015 15:59:11 +1100
Subject: [PATCH 2/2] Avoid race condition caused by profile delete and
 recreate

When importing IPA-managed certificate profiles into Dogtag,
profiles with the same name (usually caIPAserviceCert) are removed,
then immediately recreated with the new profile data.  This causes a
race condition - Dogtag's LDAPProfileSystem profileChangeMonitor
thread could observe and process the deletion after the profile was
recreated, disappearing it again.

Update the profile instead of deleting and recreating it to avoid
this race condition.

Fixes: https://fedorahosted.org/freeipa/ticket/5269
---
 ipaserver/install/cainstance.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1cbc0d0..448e42e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1970,8 +1970,7 @@ def _create_dogtag_profile(profile_id, profile_data):
 root_logger.debug(
 "Failed to disable profile '%s' "
 "(it is probably already disabled)")
-profile_api.delete_profile(profile_id)
-profile_api.create_profile(profile_data)
+profile_api.update_profile(profile_id, profile_data)
 
 # enable the profile
 try:
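Review bot: `profile_api.update_profile(profile_id, profile_data)` only succeeds for a profile that already exists, and the function is named `_create_dogtag_profile`; confirm that every caller reaches this line with an existing profile, or catch the not-found error and fall back to `profile_api.create_profile(profile_data)`. While here, the debug message in the context above uses `'%s'` but passes no argument, so the log will literally print `Failed to disable profile '%s'`; pass `profile_id`. Replacing delete+create with a single modify is the right fix for the monitor race, because no delete notification is generated for the change monitor to apply late.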
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
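The race that patch 2's commit message describes, as an added Python model (example code, not FreeIPA's or Dogtag's). Everything about the model is an assumption made for illustration: profile data is split into a persisted LDAP table and an in-memory table of loaded profiles, synchronous API calls update both and queue a change notification, a monitor thread applies those notifications later and unloads a profile on "delete" without re-reading LDAP, and the `late_delete` flag stands in for the delete notification being delivered after the add that followed it. The method names mirror the `profile_api` calls in the hunk, but `ModelProfileSubsystem` and the helper functions are invented here.

```python
"""Model of the Dogtag profile delete/recreate race (constructed example).

Assumptions, not Dogtag internals: profile data lives in LDAP and in a
separate in-memory table of loaded profiles; synchronous API calls update
both and queue a change notification; a monitor thread applies those
notifications later, unloading on "delete" without re-reading LDAP.
"""


class ModelProfileSubsystem:
    def __init__(self):
        self.ldap = {}            # persisted profile entries
        self.loaded = {}          # profiles the CA actually serves
        self.notifications = []   # (change_type, profile_id), oldest first

    # --- synchronous API, named after the profile_api calls in the patch ---
    def create_profile(self, profile_id, data):
        if profile_id in self.ldap:
            raise ValueError(f"profile {profile_id} already exists")
        self.ldap[profile_id] = data
        self.loaded[profile_id] = data
        self.notifications.append(("add", profile_id))

    def delete_profile(self, profile_id):
        del self.ldap[profile_id]
        self.loaded.pop(profile_id, None)
        self.notifications.append(("delete", profile_id))

    def update_profile(self, profile_id, data):
        if profile_id not in self.ldap:
            raise KeyError(profile_id)  # update only works on an existing profile
        self.ldap[profile_id] = data
        self.loaded[profile_id] = data
        self.notifications.append(("modify", profile_id))

    # --- asynchronous change monitor, run after the client is finished ---
    def run_change_monitor(self, late_delete=False):
        """Apply queued notifications.  With late_delete=True the delete
        notification is assumed to arrive after the notifications queued
        later, which is the interleaving the commit message describes."""
        pending = self.notifications
        if late_delete:
            pending = ([n for n in pending if n[0] != "delete"]
                       + [n for n in pending if n[0] == "delete"])
        self.notifications = []
        for change_type, profile_id in pending:
            if change_type == "delete":
                # naive monitor: unload without checking whether the entry is back
                self.loaded.pop(profile_id, None)
            elif profile_id in self.ldap:
                self.loaded[profile_id] = self.ldap[profile_id]


def seeded_subsystem(profile_id):
    """A CA that already serves version 1 of the profile (constructed state)."""
    subsystem = ModelProfileSubsystem()
    subsystem.create_profile(profile_id, "profile v1")
    subsystem.run_change_monitor()
    return subsystem


def import_by_delete_and_create(profile_id, new_data, late_delete):
    """Pre-patch import: delete, recreate, then let the monitor catch up.
    Returns the profile the CA serves afterwards, or None if it was lost."""
    subsystem = seeded_subsystem(profile_id)
    subsystem.delete_profile(profile_id)
    subsystem.create_profile(profile_id, new_data)
    subsystem.run_change_monitor(late_delete=late_delete)
    return subsystem.loaded.get(profile_id)


def import_by_update(profile_id, new_data, late_delete):
    """Patched import: a single modify, which never queues a delete."""
    subsystem = seeded_subsystem(profile_id)
    subsystem.update_profile(profile_id, new_data)
    subsystem.run_change_monitor(late_delete=late_delete)
    return subsystem.loaded.get(profile_id)


if __name__ == "__main__":
    for late in (False, True):
        print(f"late delete={late}: delete+create -> "
              f"{import_by_delete_and_create('caIPAserviceCert', 'profile v2', late)!r}, "
              f"update -> {import_by_update('caIPAserviceCert', 'profile v2', late)!r}")
```

The delete+create path only loses the profile when the stale delete notification is applied after the recreate, which is why the failure during ipa-server-install was nondeterministic; the modify path queues no delete at all, so the delivery order cannot hurt it. Note that `update_profile` raises on a profile that does not exist, which is the case a caller of the patched `_create_dogtag_profile` needs to rule out or handle.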

Re: [Freeipa-devel] [PATCH] 0042-0043 Avoid race condition in profile creation

2015-11-23 Thread Jan Cholasta

On 23.11.2015 06:46, Fraser Tweedale wrote:

The attached patch 0043 fixes #5269[1]: nondeterministic failure of
certificate profile creation during ipa-server-install.

[1] https://fedorahosted.org/freeipa/ticket/5269

The other patch 0042 is drive-by improvements of IPA install/upgrade
logging that I did while diagnosing the issue.

Thanks,
Fraser



Patch 0042: Does not apply on master.

Patch 0043: ACK

Honza

--
Jan Cholasta
