Remove the renewal lock file upon uninstall #229
The file is owned by the server, not the client, so it should be deleted in
fafddd8 to bd23f2d
You are right, I updated the PR to put the code at the end of server uninstallation.
bd23f2d to 88d1855
Works as expected.
| pre_command, post_command) | ||
| state = wait_for_request(reqId, timeout=60) | ||
| passwd_fname, dns, ca, profile) | ||
| state = wait_for_request(reqId, timeout=180) |
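Review bot: the `wait_for_request(reqId, timeout=180)` line triples the wait from 60 seconds with no comment next to it saying which step needs the longer wait. Either document the reason at the call site or drop the increase if the request completes within 60 seconds once the lock is released correctly.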
Could you please put the timeout increase into a separate commit?
Maybe it might not even be necessary with the other fixes?
| try: | ||
| os.remove(paths.IPA_RENEWAL_LOCK) | ||
| except Exception: | ||
| pass |
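Review bot: `except Exception: pass` after `os.remove(paths.IPA_RENEWAL_LOCK)` hides every failure, so a lock file that could not be deleted (a permission error, for instance) is left in place silently and a later installation can hit the same stale lock. Catch OSError, ignore only the file-not-found case, and log anything else.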
This would be better (off the top of my head):
    try:
        os.remove(paths.IPA_RENEWAL_LOCK)
    except OSError as e:
        if e.errno != errno.ENOENT:
            root_logger.warning("Failed to remove %s: %s", paths.IPA_RENEWAL_LOCK, e)
| # Add presave and postsave commands | ||
| # This is not done earlier to avoid running the cmds | ||
| # during the initial request |
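Review bot: the comment says the presave and postsave commands are added late "to avoid running the cmds during the initial request" but not what goes wrong if they do run. Name the failure being avoided in the comment so that a later reordering of these steps does not bring it back.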
Instead of this, I would rather not restart the services in renew_ra_cert, restart_httpd and restart_dirsrv if they were not previously running.
Speaking of which, I don't think the restart in renew_ra_cert is necessary at all - httpd itself does not use the RA cert in any way, it is used only in the framework.
- Make sure that the file /var/run/ipa/renewal.lock is deleted upon uninstallation, in order to avoid subsequent installation issues.
- Modify certmonger renewal script: restart the http/dirsrv services only if they were already running
- Cleanup certmonger ra renewal script: no need to restart httpd
- Reorder during http install: request the SSL cert before adding ipa-service-guard
  Rationale: when a CA helper is modified, certmonger launches the helper with various operations (FETCH_ROOTS, ...) If the CA helper is once again modified, the on-going helper is killed. This can lead to ipa-service-guard being killed and not releasing the renew lock. If the SSL cert is requested with IPA helper before ipa-service-guard is added, we avoid this locking issue.
Part of the refactoring effort, certificates sub-effort.
https://fedorahosted.org/freeipa/ticket/6433
88d1855 to 1222e8f
Hi,
Works for me on both domain levels, I'd ACK this if nobody is against
Fixed upstream
Make sure that the file /var/run/ipa/renewal.lock is deleted upon
uninstallation, in order to avoid subsequent installation issues.
Part of the refactoring effort, certificates sub-effort.
https://fedorahosted.org/freeipa/ticket/6433