[Freeipa-devel] error handling in httpd.service and ipa-httpd-kdcproxy
Nathaniel McCallum
npmccallum at redhat.com
Tue Jul 7 12:48:09 UTC 2015
> On Jul 6, 2015, at 11:35 AM, Christian Heimes <cheimes at redhat.com> wrote:
>
> Hello,
>
> I'd like to ask for your opinion regarding the pre-exec hook
> 'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error
> cases like LDAP connection timeout more gracefully. At the moment any
> error causes the script to return a non-zero exit code. This breaks the
> service and apparently also offline RPM upgrades.
>
> How should I handle error cases? I can change httpd.service to simply
> ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an
> invalid state. I could modify the script to catch connection errors and
> to disable kdcproxy in case of an error.
>
> The options are:
>
> 1) httpd.service ignores exit code of ipa-httpd-kdcproxy
> 2) ipa-httpd-kdcproxy removes kdcproxy config file in case of a
> connection error
> 3) 1 + 2
>
> What do you think?

If ipa-httpd-kdcproxy cannot contact LDAP, kdcproxy MUST NOT be enabled. So #2.

However, ipa-httpd-kdcproxy should leave error codes to real catastrophic failures and http.service should be aware of these. So not #1.

Nathaniel
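
The exit-code policy discussed in this thread, as an added sketch that is not part of the original messages or of FreeIPA's code: a directory connection error disables kdcproxy and still returns 0, while any other failure returns non-zero so the service manager sees it. `DirectoryUnavailable`, `run_hook`, the `lookup_enabled` callable and the symlink-based enable/disable mechanism are hypothetical names and assumptions made for illustration.

```python
import os

EXIT_OK, EXIT_FATAL = 0, 1


class DirectoryUnavailable(Exception):
    """Hypothetical stand-in for an LDAP connection error or timeout."""


def disable_kdcproxy(conf_link):
    """Remove the config link; a link that is already absent is fine."""
    try:
        os.unlink(conf_link)
    except FileNotFoundError:
        pass


def enable_kdcproxy(conf_link, conf_source):
    """Point the config link at the kdcproxy config, replacing a stale link."""
    disable_kdcproxy(conf_link)
    os.symlink(conf_source, conf_link)


def run_hook(lookup_enabled, conf_link, conf_source):
    """Return the exit code the pre-exec hook hands back to the service manager."""
    try:
        try:
            enabled = lookup_enabled()
        except DirectoryUnavailable:
            # Option 2: no answer from the directory means kdcproxy stays
            # disabled, and the web server is still allowed to start.
            disable_kdcproxy(conf_link)
            return EXIT_OK
        if enabled:
            enable_kdcproxy(conf_link, conf_source)
        else:
            disable_kdcproxy(conf_link)
        return EXIT_OK
    except Exception:
        # Anything else (for example, the config directory is missing or not
        # writable) is a real failure and must not be hidden from the caller.
        return EXIT_FATAL
```

Because a failure while removing the link inside the connection-error branch also reaches the outer handler, the hook never reports success while a stale kdcproxy config may still be in place.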