Handle errors raised by plugins more gracefully in mod_wsgi.

This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.

This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that lead to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.

6 files changed, 36 insertions, 22 deletions

diff --git a/install/share/wsgi.py b/install/share/wsgi.py
index 457d8e024..e1c2c7332 100644
--- a/install/share/wsgi.py
+++ b/install/share/wsgi.py
@@ -4,10 +4,14 @@ WSGI appliction for IPA server.
 
 from ipalib import api
 api.bootstrap(context='server', debug=True, log=None)
-api.finalize()
-api.log.info('*** PROCESS START ***')
-import ipawebui
-ui = ipawebui.create_wsgi_app(api)
+try:
+    api.finalize()
+except StandardError, e:
+    api.log.error('Failed to start IPA: %s' % e)
+else:
+    api.log.info('*** PROCESS START ***')
+    import ipawebui
+    ui = ipawebui.create_wsgi_app(api)
 
-# This is the WSGI callable:
-application = api.Backend.session
+    # This is the WSGI callable:
+    application = api.Backend.session
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 05fa1e667..20f1d95d7 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -120,6 +120,7 @@ DEFAULT_CONFIG = (
     # Debugging:
     ('verbose', 0),
     ('debug', False),
+    ('startup_traceback', False),
     ('mode', 'production'),
 
     # CA plugin:
diff --git a/ipalib/plugable.py b/ipalib/plugable.py
index 397004eb1..fd5f31a76 100644
--- a/ipalib/plugable.py
+++ b/ipalib/plugable.py
@@ -536,8 +536,9 @@ class API(DictProxy):
                     'skipping plugin module %s: %s', fullname, e.reason
                 )
             except StandardError, e:
-                import traceback
-                self.log.error('could not load plugin module %r\n%s', pyfile, traceback.format_exc())
+                if self.env.startup_traceback:
+                    import traceback
+                    self.log.error('could not load plugin module %r\n%s', pyfile, traceback.format_exc())
                 raise e
 
     def finalize(self):
diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 55a21572c..a2773efb8 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -31,7 +31,10 @@ from ipalib import api, errors, output, uuid
 from ipalib import Command, List, Password, Str
 from ipalib.cli import to_cli
 if api.env.in_server and api.env.context in ['lite', 'server']:
-    from ipaserver.plugins.ldap2 import ldap2
+    try:
+        from ipaserver.plugins.ldap2 import ldap2
+    except StandardError, e:
+        raise e
 from ipalib import _
 from ipalib.text import Gettext # FIXME: remove once the other Gettext FIXME is removed
 
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 987203caa..aebeb5c27 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -124,17 +124,20 @@ def global_init(url):
 
     try:
         if api.env.context == 'server':
-            # Create a new credentials cache for this Apache process
-            tmpdir = tempfile.mkdtemp(prefix = "tmp-")
-            ccache_file = 'FILE:%s/ccache' % tmpdir
-            krbcontext = krbV.default_context()
-            principal = str('HTTP/%s@%s' % (api.env.host, api.env.realm))
-            keytab = krbV.Keytab(name='/etc/httpd/conf/ipa.keytab', context=krbcontext)
-            principal = krbV.Principal(name=principal, context=krbcontext)
-            os.environ['KRB5CCNAME'] = ccache_file
-            ccache = krbV.CCache(name=ccache_file, context=krbcontext, primary_principal=principal)
-            ccache.init(principal)
-            ccache.init_creds_keytab(keytab=keytab, principal=principal)
+            try:
+                # Create a new credentials cache for this Apache process
+                tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+                ccache_file = 'FILE:%s/ccache' % tmpdir
+                krbcontext = krbV.default_context()
+                principal = str('HTTP/%s@%s' % (api.env.host, api.env.realm))
+                keytab = krbV.Keytab(name='/etc/httpd/conf/ipa.keytab', context=krbcontext)
+                principal = krbV.Principal(name=principal, context=krbcontext)
+                os.environ['KRB5CCNAME'] = ccache_file
+                ccache = krbV.CCache(name=ccache_file, context=krbcontext, primary_principal=principal)
+                ccache.init(principal)
+                ccache.init_creds_keytab(keytab=keytab, principal=principal)
+            except krbV.Krb5Error, e:
+                raise StandardError('Unable to retrieve LDAP schema. Error initializing principal %s in %s: %s' % (principal.name, '/etc/httpd/conf/ipa.keytab', str(e)))
 
         conn = _ldap.initialize(url)
         conn.sasl_interactive_bind_s('', SASL_AUTH)
@@ -155,8 +158,9 @@ def global_init(url):
     except _ldap.SERVER_DOWN:
         return (None, upg)
     except _ldap.LDAPError, e:
-        # TODO: raise a more appropriate exception
-        _handle_errors(e, **{})
+        desc = e.args[0]['desc'].strip()
+        info = e.args[0].get('info', '').strip()
+        raise StandardError('Unable to retrieve LDAP schema: %s: %s' % (desc, info))
     except IndexError:
         # no 'cn=schema' entry in LDAP? some servers use 'cn=subschema'
         # TODO: DS uses 'cn=schema', support for other server?
diff --git a/lite-server.py b/lite-server.py
index ba7cfe3d3..22ff720f9 100755
--- a/lite-server.py
+++ b/lite-server.py
@@ -72,6 +72,7 @@ if __name__ == '__main__':
     )
 
     api.env.in_server = True
+    api.env.startup_traceback = True
     (options, args) = api.bootstrap_with_global_options(parser, context='lite')
     api.env._merge(
         lite_port=options.port,