Make certificate renewal process synchronized

Synchronization is achieved using a global renewal lock.

https://fedorahosted.org/freeipa/ticket/4803

Reviewed-By: David Kupka <dkupka@redhat.com>

3 files changed, 59 insertions, 1 deletions

diff --git a/install/certmonger/Makefile.am b/install/certmonger/Makefile.am
index ef6a0a635..2dc476f18 100644
--- a/install/certmonger/Makefile.am
+++ b/install/certmonger/Makefile.am
@@ -3,6 +3,7 @@ NULL =
 appdir = $(libexecdir)/certmonger/
 app_SCRIPTS =					\
 	dogtag-ipa-ca-renew-agent-submit	\
+	ipa-server-guard			\
 	$(NULL)
 
 EXTRA_DIST =				\
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 3c6e8175c..7b91fc611 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -38,7 +38,7 @@ from ipapython.dn import DN
 from ipalib import api, errors, pkcs10, x509
 from ipaplatform.paths import paths
 from ipaserver.plugins.ldap2 import ldap2
-from ipaserver.install import cainstance
+from ipaserver.install import cainstance, certs
 
 # This is a certmonger CA helper script for IPA CA subsystem cert renewal. See
 # https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/submit.txt for more
@@ -437,6 +437,7 @@ def main():
         return OPERATION_NOT_SUPPORTED_BY_HELPER
 
     tmpdir = tempfile.mkdtemp(prefix="tmp-")
+    certs.renewal_lock.acquire()
     try:
         principal = str('host/%s@%s' % (api.env.host, api.env.realm))
         ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir, principal)
@@ -456,6 +457,7 @@ def main():
             print item
         return res[0]
     finally:
+        certs.renewal_lock.release()
         shutil.rmtree(tmpdir)
 
 try:
diff --git a/install/certmonger/ipa-server-guard b/install/certmonger/ipa-server-guard
new file mode 100755
index 000000000..5e31d89b7
--- /dev/null
+++ b/install/certmonger/ipa-server-guard
@@ -0,0 +1,55 @@
+#!/usr/bin/python2 -E
+#
+# Authors:
+#   Jan Cholasta <jcholast@redhat.com>
+#
+# Copyright (C) 2015  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+# Prevent garbage from readline on standard output
+# (see https://fedorahosted.org/freeipa/ticket/4064)
+if not os.isatty(1):
+    os.environ['TERM'] = 'dumb'
+import sys
+import syslog
+import traceback
+
+from ipapython import ipautil
+from ipaserver.install import certs
+
+
+def main():
+    if len(sys.argv) < 2:
+        raise RuntimeError("Not enough arguments")
+
+    with certs.renewal_lock:
+        stdout, stderr, rc = ipautil.run(sys.argv[1:], raiseonerr=False,
+                                         env=os.environ)
+        sys.stdout.write(stdout)
+        sys.stdout.flush()
+        sys.stderr.write(stderr)
+        sys.stderr.flush()
+
+    return rc
+
+
+try:
+    sys.exit(main())
+except Exception, e:
+    syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
+    print "Internal error"
+    sys.exit(3)