[Freeipa-devel] [PATCH 506] cert renewal: make renewal of ipaCert atomic

Jan Cholasta jcholast at redhat.com
Wed Nov 18 13:10:58 UTC 2015


On 10.11.2015 19:19, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> On 9.11.2015 16:51, Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> the attached patch fixes <https://fedorahosted.org/freeipa/ticket/5436>.
>>>>
>>>> Honza
>>>>
>>>>
>>>>
>>>
>>> There should be a note in renew_ra_cert that the lock is obtained in advance by
>>> renew_ra_cert_pre.
>>
>> Added comment.
>>
>>>
>>> It looks like it will silently fail if the lock cannot be acquired. Is
>>> that desired?
>>
>> All unhandled exceptions are logged to syslog in both renew_ra_cert_pre
>> and renew_ra_cert:
>>
>>      try:
>>          main()
>>      except Exception:
>>          syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
>>
>> Updated patch attached.
>>
>
> My confusion was with the auto-expiration. I guess this is ok. When
> debugging this sort of thing via logs the more the merrier, so I guess
> I'd have added a syslog to say "obtaining lock" or "locked" and then
> something when the renewal actually starts, so one can try to piece
> together what happened after the fact if something goes wrong.
>
> I guess certmonger already logs when a pre/post command is executed so
> that may already be available.

Yes. The ticket is not related to logging anyway.

Is the last patch OK, then?

-- 
Jan Cholasta



