[Freeipa-devel] [PATCH] 1068 wait for LDAP when renewing the RA

Rob Crittenden rcritten at redhat.com
Thu Nov 1 15:32:41 UTC 2012 

Jan Cholasta wrote:
> Hi,
>
> On 24.10.2012 21:24, Rob Crittenden wrote:
>> All the certs are pretty critical in certificate renewal but the agent
>> cert has the distinction of having to be updated in multiple places. It
>> needs to exist in both LDAP servers.
>>
>> It is possible that one or both of these servers may be down briefly
>> during renewal so we need to be a bit more robust in our handling. This
>> will wait up to 5 minutes per server to try to update things, and syslog
>> when failures occur.
>>
>> It is now also safe to re-run this in case something catastrophic
>> happens. One would just need to manually run this to load the required
>> data into LDAP.
>>
>> rob
>>
>
> I believe that there should be a break statement after the "updated =
> True" line:
>
> +        updated = True
> +    except errors.NetworkError:

Sure is, added.

>
> It would be nice if this message said "30 s" instead of just "30":
>
> +        syslog.syslog(syslog.LOG_ERR, 'Connection to %s failed,
> sleeping 30' % dogtag_uri)

Sure.

>
> The continue statement is redundant:
>
> +        attempts += 1
> +        continue
>       except errors.EmptyModlist:

Yup. I used to have code executed after the try/except/finally. Removed.

>
> The variables you access in both of the finally blocks (conn and tmpdir)
> may be unbound. This can be fixed like this:
>
> while attempts < 10:
>      conn = None
>      tmpdir = None
>      try:
>          ...
>      finally:
>          if conn is not None and conn.isconnected():
>              conn.disconnect()
>          if tmpdir is not None:
>              shutil.rmtree(tmpdir)

Good catch, added.

>
> It would be nice if this message (both instances of it) included
> sys.argv[0], so that it is obvious to the user what script is "this
> script":
>
> +    syslog.syslog(syslog.LOG_ERR, 'Giving up. This script may be safely
> re-executed.')

It is included by syslog:

Nov  1 11:13:24 edsel renew_ra_cert: Connection to ldap://localhost:7389 
failed, sleeping 30

>
>
> No spaces in kwarg assignment please:
>
> +        tmpdir = tempfile.mkdtemp(prefix = "tmp-")

OK.

>
>
> You might want to include "sleeping 30 s" in this message as well:
>
> +    except Exception, e:
> +        syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate
> failed: %s' % e)
> +        time.sleep(30)

Sure, added that.

I also added a missing update. I added handling for ldap.SERVER_DOWN as 
a NetworkError instead of a DatabaseError.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1068-2-renewal.patch
Type: text/x-diff
Size: 6625 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121101/d1bdd67b/attachment.bin>

More information about the Freeipa-devel mailing list