[Pki-devel] [PATCH] 46 Prevent concurrent execution of pkispawn and pkidestroy

Ade Lee alee at redhat.com
Wed Apr 3 14:52:12 UTC 2013 

On Wed, 2013-04-03 at 10:36 -0400, Abhishek Koneru wrote:
> Hi Ade, 
> 
>  Please share your views on this. It is regarding a ticket to prevent a
> concurrent execution of pkispawn/pkidestroy.
> 
> On Tue, 2013-04-02 at 15:52 -0500, Endi Sukma Dewata wrote:
> On 4/2/2013 11:54 AM, Abhishek Koneru wrote:
> > Please review the patch which adds a locking mechanism to prevent
> > pkispawn and pkidestroy to execute concurrently.
> 
> Some comments:
> 
> 1. This mechanism locks the entire system, so only one 
> pkispawn/pkidestroy can run at any time. Is this the intended behavior? 
> Or should we lock a particular instance only?
> 
> I think it was decided to allow only one pkispawn/pkidestroy for an
> entire system.

pkispawn and pkidestroy do selinux operations.  Only one set of selinux
operations should be done at a time.  Not doing this could cause an
operation to fail or worse.  If you like, you could try to lock this
section only, but then you still need to ensure that concurrent
oerations do not affect the same data -- for instance, are they touching
the same ports?

The simplest and easiest solution will be to lock to having one
operation per system at a time.

> 
> 2. If another script is already running, the current script will block 
> until the other script is done. Is this the intended behavior? Or should 
> it fail immediately? Or should it wait but show a message saying another 
> script is running?
> 
> Since only the section of code which does spawn()/destroy() are under
> lock, all the user details are taken by that time. But the blocked
> script will be waiting for some-time. I think showing a message would be
> nice as Endi reviewed.
> 
My first thought was that it should fail immediately.  But I could see
having it wait with the relevant message.  The user can then choose to
control-C if they want.


> 3. Right now the lock file is called /tmp/pkioperationlock.lck. It might 
> be better to move it into /var/run/pki/pki-deployment.lock or something 
> like that.
> 
> Will be changed.
> 
> PFA the patch for you convenience.
> 
> --Abhishek
>

More information about the Pki-devel mailing list