author | Jan Cholasta <jcholast@redhat.com> | 2015-01-08 09:06:46 +0000 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-01-13 18:34:59 +0000 |
commit | b9ae7690489368ead9f4983d386fa210dc265dfa (patch) | |
tree | 25437961e983a3a239541f9482e69ff70941c32c /install/certmonger | |
parent | 6a1304324fe94b17e8dc4a418f90bea028160ace (diff) | |
Make certificate renewal process synchronized
Synchronization is achieved using a global renewal lock.
https://fedorahosted.org/freeipa/ticket/4803
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'install/certmonger')
-rw-r--r-- | install/certmonger/Makefile.am | 1 | ||||
-rwxr-xr-x | install/certmonger/dogtag-ipa-ca-renew-agent-submit | 4 | ||||
-rwxr-xr-x | install/certmonger/ipa-server-guard | 55 |
3 files changed, 59 insertions, 1 deletions
diff --git a/install/certmonger/Makefile.am b/install/certmonger/Makefile.am
index ef6a0a635..2dc476f18 100644
--- a/install/certmonger/Makefile.am
+++ b/install/certmonger/Makefile.am
@@ -3,6 +3,7 @@ NULL =
 appdir = $(libexecdir)/certmonger/
 app_SCRIPTS = \
 	dogtag-ipa-ca-renew-agent-submit \
+	ipa-server-guard \
 	$(NULL)
 
 EXTRA_DIST = \
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 3c6e8175c..7b91fc611 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -38,7 +38,7 @@ from ipapython.dn import DN
 from ipalib import api, errors, pkcs10, x509
 from ipaplatform.paths import paths
 from ipaserver.plugins.ldap2 import ldap2
-from ipaserver.install import cainstance
+from ipaserver.install import cainstance, certs
 
 # This is a certmonger CA helper script for IPA CA subsystem cert renewal. See
 # https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/submit.txt for more
@@ -437,6 +437,7 @@ def main():
         return OPERATION_NOT_SUPPORTED_BY_HELPER
 
     tmpdir = tempfile.mkdtemp(prefix="tmp-")
+    certs.renewal_lock.acquire()
     try:
         principal = str('host/%s@%s' % (api.env.host, api.env.realm))
         ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir, principal)
@@ -456,6 +457,7 @@ def main():
             print item
         return res[0]
     finally:
+        certs.renewal_lock.release()
         shutil.rmtree(tmpdir)
 
 try:
diff --git a/install/certmonger/ipa-server-guard b/install/certmonger/ipa-server-guard
new file mode 100755
index 000000000..5e31d89b7
--- /dev/null
+++ b/install/certmonger/ipa-server-guard
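Review bot: In the `@@ -437` hunk `certs.renewal_lock.acquire()` sits after `tempfile.mkdtemp(...)` but outside the `try`, so if acquiring the lock raises, the temporary directory is never removed; swapping the two lines, `certs.renewal_lock.acquire()` then `tmpdir = tempfile.mkdtemp(prefix="tmp-")`, closes that gap, and `with certs.renewal_lock:` around the block, the form ipa-server-guard uses in this same commit, would be the more idiomatic shape. The lock is held across the kinit and the entire renewal exchange, so a hung request here stalls every other renewal on the host; that deserves a comment on the acquire line, e.g. `# Serialize with other renewal helpers; held for the whole request`. certmonger invokes each helper as a separate process, so this only serializes anything if `certs.renewal_lock` is a cross-process (file-based) lock; its definition is outside this diff, presumably in ipaserver.install.certs, so please confirm. main() begins and ends outside the hunk.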
@@ -0,0 +1,55 @@
+#!/usr/bin/python2 -E
+#
+# Authors:
+#   Jan Cholasta <jcholast@redhat.com>
+#
+# Copyright (C) 2015  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+# Prevent garbage from readline on standard output
+# (see https://fedorahosted.org/freeipa/ticket/4064)
+if not os.isatty(1):
+    os.environ['TERM'] = 'dumb'
+import sys
+import syslog
+import traceback
+
+from ipapython import ipautil
+from ipaserver.install import certs
+
+
+def main():
+    if len(sys.argv) < 2:
+        raise RuntimeError("Not enough arguments")
+
+    with certs.renewal_lock:
+        stdout, stderr, rc = ipautil.run(sys.argv[1:], raiseonerr=False,
+                                         env=os.environ)
+    sys.stdout.write(stdout)
+    sys.stdout.flush()
+    sys.stderr.write(stderr)
+    sys.stderr.flush()
+
+    return rc
+
+
+try:
+    sys.exit(main())
+except Exception, e:
+    syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
+    print "Internal error"
+    sys.exit(3)
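Review bot: The new script carries no comment saying what it is for, unlike dogtag-ipa-ca-renew-agent-submit, which explains its certmonger helper role and links submit.txt; a header above `def main()` such as `# certmonger CA helper wrapper: runs the real helper given on the command line` / `# while holding certs.renewal_lock, so that IPA renewals are serialized.` would fix that. The wrapped helper's stdout and stderr are captured by `ipautil.run` and only written once it exits, and the lock is held for that whole time, so a hang in the wrapped command blocks every other renewal on the host; whether certmonger kills a stuck helper is not visible here, so the same comment should state that assumption. `except Exception, e:` binds `e` and never uses it; `except Exception:` is sufficient. The command is taken verbatim from argv and run with no validation, which is acceptable only because certmonger supplies it from root-owned CA configuration, and a one-line comment saying so would spare the next reader from hunting for the missing check.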