[Freeipa-devel] [PATCH 506] cert renewal: make renewal of ipaCert atomic

David Kupka dkupka at redhat.com
Thu Nov 19 12:01:35 UTC 2015


On 18/11/15 14:10, Jan Cholasta wrote:
> On 10.11.2015 19:19, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> On 9.11.2015 16:51, Rob Crittenden wrote:
>>>> Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> the attached patch fixes
>>>>> <https://fedorahosted.org/freeipa/ticket/5436>.
>>>>>
>>>>> Honza
>>>>>
>>>>>
>>>>>
>>>>
>>>> There should be a note in renew_ra_cert that the lock is obtained in
>>>> advance by renew_ra_cert_pre.
>>>
>>> Added comment.
>>>
>>>>
>>>> It looks like it will silently fail if the lock cannot be acquired. Is
>>>> that desired?
>>>
>>> All unhandled exceptions are logged to syslog in both renew_ra_cert_pre
>>> and renew_ra_cert:
>>>
>>>      try:
>>>          main()
>>>      except Exception:
>>>          syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
>>>
>>> Updated patch attached.
>>>
>>
>> My confusion was with the auto-expiration. I guess this is ok. When
>> debugging this sort of thing via logs the more the merrier, so I guess
>> I'd have added a syslog to say "obtaining lock" or "locked" and then
>> something when the renewal actually starts, so one can try to piece
>> together what happened after the fact if something goes wrong.
>>
>> I guess certmonger already logs when a pre/post command is executed so
>> that may already be available.
>
> Yes. The ticket is not related to logging anyway.
>
> Is the last patch OK, then?
>

Thanks for the patch. Works for me, ACK.

-- 
David Kupka



