[Freeipa-devel] [PATCH 506] cert renewal: make renewal of ipaCert atomic

Jan Cholasta jcholast at redhat.com
Thu Nov 19 12:07:16 UTC 2015


On 19.11.2015 13:01, David Kupka wrote:
> On 18/11/15 14:10, Jan Cholasta wrote:
>> On 10.11.2015 19:19, Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> On 9.11.2015 16:51, Rob Crittenden wrote:
>>>>> Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> the attached patch fixes
>>>>>> <https://fedorahosted.org/freeipa/ticket/5436>.
>>>>>>
>>>>>> Honza
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> There should be a note in renew_ra_cert that the lock is obtained in
>>>>> advance by
>>>>> renew_ra_cert_pre.
>>>>
>>>> Added comment.
>>>>
>>>>>
>>>>> It looks like it will silently fail if the lock cannot be acquired. Is
>>>>> that desired?
>>>>
>>>> All unhandled exceptions are logged to syslog in both renew_ra_cert_pre
>>>> and renew_ra_cert:
>>>>
>>>>      try:
>>>>          main()
>>>>      except Exception:
>>>>          syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
>>>>
>>>> Updated patch attached.
>>>>
>>>
>>> My confusion was with the auto-expiration. I guess this is ok. When
>>> debugging this sort of thing via logs the more the merrier, so I guess
>>> I'd have added a syslog to say "obtaining lock" or "locked" and then
>>> something when the renewal actually starts, so one can try to piece
>>> together what happened after the fact if something goes wrong.
>>>
>>> I guess certmonger already logs when a pre/post command is executed so
>>> that may already be available.
>>
>> Yes. The ticket is not related to logging anyway.
>>
>> Is the last patch OK, then?
>>
>
> Thanks for the patch. Works for me, ACK.

Pushed to:
master: f3076c6ab37e081ba9b0ec9f0502379f60dfbd10
ipa-4-2: f831cb6a3da0c5f2a3e71004ae327273b25723fa

-- 
Jan Cholasta



