[Freeipa-devel] [PATCHES] 241-253 CA certificate renewal
Rob Crittenden
rcritten at redhat.com
Fri Apr 25 13:10:17 UTC 2014
Petr Viktorin wrote:
> On 04/24/2014 11:16 PM, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> On 10.4.2014 22:06, Rob Crittenden wrote:
>>>> Some in-line, a whole ton of data appended to end.
>>>>
>>>> Jan Cholasta wrote:
>>>>> On 7.4.2014 20:09, Rob Crittenden wrote:
>>>>>> Rob Crittenden wrote:
> [...]
>>>>>>> $ ipa-cacert-manage -v renew
>>>>>>> ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 168, in execute
>>>>>>> self.validate_options()
>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 62, in validate_options
>>>>>>> super(CACertManage, self).validate_options(needs_root=True)
>>>>>>> File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 189, in validate_options
>>>>>>> raise ScriptError('Must be root to run %s' % self.command_name, 1)
>>>>>>>
>>>>>>> ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The ipa-cacert-manage command failed, exception: ScriptError: Must be root to run ipa-cacert-manage
>>>>>>> ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: Must be root to run ipa-cacert-manage
>>>>>
>>>>> That's correct, you can run it only as root, because you can't
>>>>> resubmit certmonger requests as a regular user.
>>>>
>>>> Yes but one shouldn't get a traceback!
>>>
>>> You get the traceback only in verbose mode. I did not invent this, it's
>>> how ipapython.admintool does things.
>>
>> Ok, I'll blame Petr.
>
> In verbose mode you get all the debugging information that's written to
> logs, and that includes the tracebacks. I stand by this decision.
> If the command is normally so quiet that you need the -v flag for normal
> operation, that's a problem. Log interesting messages at INFO.
> http://www.freeipa.org/page/V3/Logging_and_output#Design
>
Well, it's just that the traceback is caught and handled, so it seems
odd that it is reported. Then again, this is useful for the case of too
broad an except, so as usual I have mixed feelings.
I think long-term we need to provide some mid-level solution, more info
without spamming with everything. The cacert command takes a REALLY long
time, and my twitchy fingers nearly killed it a number of times. We have
other commands that do similarly long-lived things with no feedback
(separate from things that go over the JSON/XML API).
If I can come up with any concrete ideas I'll file a ticket, but reserve
the right to whine and complain in the meantime.
rob