authorJan Cholasta <jcholast@redhat.com>2015-01-08 09:06:46 +0000
committerJan Cholasta <jcholast@redhat.com>2015-01-13 18:34:59 +0000
commitb9ae7690489368ead9f4983d386fa210dc265dfa (patch)
tree25437961e983a3a239541f9482e69ff70941c32c /install
parent6a1304324fe94b17e8dc4a418f90bea028160ace (diff)
Make certificate renewal process synchronized
Synchronization is achieved using a global renewal lock. https://fedorahosted.org/freeipa/ticket/4803 Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'install')
-rw-r--r--install/certmonger/Makefile.am1
-rwxr-xr-xinstall/certmonger/dogtag-ipa-ca-renew-agent-submit4
-rwxr-xr-xinstall/certmonger/ipa-server-guard55
-rw-r--r--install/restart_scripts/renew_ca_cert10
-rw-r--r--install/restart_scripts/renew_ra_cert11
-rw-r--r--install/restart_scripts/restart_dirsrv10
-rw-r--r--install/restart_scripts/restart_httpd10
-rw-r--r--install/restart_scripts/stop_pkicad4
-rwxr-xr-xinstall/tools/ipa-upgradeconfig3
9 files changed, 102 insertions, 6 deletions
diff --git a/install/certmonger/Makefile.am b/install/certmonger/Makefile.am
index ef6a0a635..2dc476f18 100644
--- a/install/certmonger/Makefile.am
+++ b/install/certmonger/Makefile.am
@@ -3,6 +3,7 @@ NULL =
appdir = $(libexecdir)/certmonger/
app_SCRIPTS = \
dogtag-ipa-ca-renew-agent-submit \
+ ipa-server-guard \
$(NULL)
EXTRA_DIST = \
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 3c6e8175c..7b91fc611 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -38,7 +38,7 @@ from ipapython.dn import DN
from ipalib import api, errors, pkcs10, x509
from ipaplatform.paths import paths
from ipaserver.plugins.ldap2 import ldap2
-from ipaserver.install import cainstance
+from ipaserver.install import cainstance, certs
# This is a certmonger CA helper script for IPA CA subsystem cert renewal. See
# https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/submit.txt for more
@@ -437,6 +437,7 @@ def main():
return OPERATION_NOT_SUPPORTED_BY_HELPER
tmpdir = tempfile.mkdtemp(prefix="tmp-")
+ certs.renewal_lock.acquire()
try:
principal = str('host/%s@%s' % (api.env.host, api.env.realm))
ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir, principal)
@@ -456,6 +457,7 @@ def main():
print item
return res[0]
finally:
+ certs.renewal_lock.release()
shutil.rmtree(tmpdir)
try:
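Review bot: `certs.renewal_lock.acquire()` is taken after `tempfile.mkdtemp()` but before the `try`, so a failure inside acquire() leaks the temporary directory, and the manual acquire/release pair differs from the `with certs.renewal_lock:` form every other script in this commit uses. Taking the lock first and creating tmpdir inside the protected region covers both resources: `with certs.renewal_lock:` wrapping `tmpdir = tempfile.mkdtemp(prefix="tmp-")` and the existing try/finally, whose `finally:` then only needs `shutil.rmtree(tmpdir)`. The lock is then held across the host-principal kinit and the whole renewal exchange; if that is intended, a one-line comment such as `# serialise with the restart/renew scripts, which take the same lock` would tell the reader so. main() begins before this hunk, and the trailing `try:` opens a block that continues beyond it.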
diff --git a/install/certmonger/ipa-server-guard b/install/certmonger/ipa-server-guard
new file mode 100755
index 000000000..5e31d89b7
--- /dev/null
+++ b/install/certmonger/ipa-server-guard
@@ -0,0 +1,55 @@
+#!/usr/bin/python2 -E
+#
+# Authors:
+# Jan Cholasta <jcholast@redhat.com>
+#
+# Copyright (C) 2015 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+# Prevent garbage from readline on standard output
+# (see https://fedorahosted.org/freeipa/ticket/4064)
+if not os.isatty(1):
+ os.environ['TERM'] = 'dumb'
+import sys
+import syslog
+import traceback
+
+from ipapython import ipautil
+from ipaserver.install import certs
+
+
+def main():
+ if len(sys.argv) < 2:
+ raise RuntimeError("Not enough arguments")
+
+ with certs.renewal_lock:
+ stdout, stderr, rc = ipautil.run(sys.argv[1:], raiseonerr=False,
+ env=os.environ)
+ sys.stdout.write(stdout)
+ sys.stdout.flush()
+ sys.stderr.write(stderr)
+ sys.stderr.flush()
+
+ return rc
+
+
+try:
+ sys.exit(main())
+except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
+ print "Internal error"
+ sys.exit(3)
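Review bot: The guard holds `certs.renewal_lock` for as long as `ipautil.run(sys.argv[1:], ...)` takes, and nothing in this file bounds that, so a hung wrapped command keeps the lock and, as far as this commit shows, blocks restart_dirsrv, restart_httpd and renew_ra_cert, which take the same lock. Whether a timeout is available depends on ipautil.run and on the lock implementation in ipaserver.install.certs, neither of which is visible here, so at minimum the trade-off deserves a module docstring stating that the script runs argv[1:] under the global renewal lock and relays the child's stdout, stderr and exit status unchanged so certmonger still sees it as the helper. The captured output is written only after the child exits, which fits a capture-and-relay helper but is worth a sentence in that docstring too. Minor style: `except Exception, e:` binds `e` without using it; `except Exception:` suffices.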
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index a205b0e36..c7bd5d74c 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -35,7 +35,7 @@ from ipaplatform import services
from ipaplatform.paths import paths
-def main():
+def _main():
nickname = sys.argv[1]
api.bootstrap(context='restart')
@@ -210,6 +210,14 @@ def main():
syslog.syslog(
syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name)
+
+def main():
+ try:
+ _main()
+ finally:
+ certs.renewal_lock.release('renew_ca_cert')
+
+
try:
main()
except Exception:
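Review bot: `certs.renewal_lock.release('renew_ca_cert')` runs unconditionally in `finally`, but the matching acquire lives in a different process (stop_pkicad's pre-save step in this same commit), so when renew_ca_cert is run on its own, or stop_pkicad never reached its acquire, the lock is not held here. What happens then depends on the release semantics in ipaserver.install.certs, which is not in this diff; if release raises for an un-held lock, that exception replaces the one propagating out of `_main()` and the original failure never reaches syslog. A comment stating the pairing would help the next reader, e.g. `# Paired with the acquire in stop_pkicad (certmonger pre-save); released here once the new cert is in place`, and the release could be guarded if the lock API exposes whether it is held. No import of `certs` is added to this file by the commit, so it is presumably already imported above the hunk; the enclosing `try:` continues past the hunk.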
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index 6d4b81a53..7dae35623 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -32,9 +32,10 @@ from ipaserver.install import certs, cainstance
from ipaplatform import services
from ipaplatform.paths import paths
-nickname = 'ipaCert'
-def main():
+def _main():
+ nickname = 'ipaCert'
+
api.bootstrap(context='restart')
api.finalize()
@@ -68,6 +69,12 @@ def main():
else:
syslog.syslog(syslog.LOG_NOTICE, "Restarted httpd")
+
+def main():
+ with certs.renewal_lock:
+ _main()
+
+
try:
main()
except Exception:
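Review bot: The new `main()` wrapper takes `certs.renewal_lock` around the whole of `_main()`, including the httpd restart logged at the end of the hunk, but carries no docstring saying why; a one-line `"""Renew the RA cert under the global renewal lock so it cannot interleave with other certmonger helpers."""` would make the intent clear. `_main()` starts before the hunk and the trailing `try:` continues beyond it.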
diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv
index 837378191..723644215 100644
--- a/install/restart_scripts/restart_dirsrv
+++ b/install/restart_scripts/restart_dirsrv
@@ -24,8 +24,10 @@ import syslog
import traceback
from ipalib import api
from ipaplatform import services
+from ipaserver.install import certs
-def main():
+
+def _main():
try:
instance = sys.argv[1]
except IndexError:
@@ -41,6 +43,12 @@ def main():
except Exception, e:
syslog.syslog(syslog.LOG_ERR, "Cannot restart dirsrv (instance: '%s'): %s" % (instance, str(e)))
+
+def main():
+ with certs.renewal_lock:
+ _main()
+
+
try:
main()
except Exception:
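Review bot: The new `main()` has no docstring explaining why a plain dirsrv restart now waits on `certs.renewal_lock`; a one-line `"""Restart the dirsrv instance under the global renewal lock so it cannot race a certmonger renewal."""` would document the intent. Note that `_main()` still reports a failed restart only via syslog, so the lock is released and the script exits normally either way; that is pre-existing behaviour, but worth a sentence in the docstring. `_main()` starts before the hunk and the trailing `try:` continues beyond it.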
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index e3ef73c4f..f060a3091 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -22,8 +22,10 @@
import syslog
import traceback
from ipaplatform import services
+from ipaserver.install import certs
-def main():
+
+def _main():
syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
try:
@@ -31,6 +33,12 @@ def main():
except Exception, e:
syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e))
+
+def main():
+ with certs.renewal_lock:
+ _main()
+
+
try:
main()
except Exception:
diff --git a/install/restart_scripts/stop_pkicad b/install/restart_scripts/stop_pkicad
index b8866f16e..871e5e761 100644
--- a/install/restart_scripts/stop_pkicad
+++ b/install/restart_scripts/stop_pkicad
@@ -25,6 +25,8 @@ import traceback
from ipapython import dogtag
from ipalib import api
from ipaplatform import services
+from ipaserver.install import certs
+
def main():
api.bootstrap(context='restart')
@@ -34,6 +36,8 @@ def main():
dogtag_service = services.knownservices[configured_constants.SERVICE_NAME]
dogtag_instance = configured_constants.PKI_INSTANCE_NAME
+ certs.renewal_lock.acquire('renew_ca_cert')
+
syslog.syslog(syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name)
try:
dogtag_service.stop(dogtag_instance)
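Review bot: `certs.renewal_lock.acquire('renew_ca_cert')` has no release anywhere in this script; the release is in renew_ca_cert's `finally`, i.e. in a separate process that certmonger runs later. That handoff is invisible at this line, and if the post-save command never runs (for example because the stop below fails and certmonger does not proceed), the lock stays held for whatever lifetime the implementation in ipaserver.install.certs gives it, which cannot be judged from this diff. Add a comment above the acquire making the contract explicit: `# Taken here (pre-save) and released by renew_ca_cert (post-save); keep the two in sync`. Whether the acquire should instead follow a successful stop, so a failed stop does not leave the lock held, depends on whether certmonger still runs post-save in that case. main() starts before the hunk and the `try:` continues beyond it.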
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 050fd25db..8159ce244 100755
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1327,6 +1327,8 @@ def main():
)
upgrade_pki(ca, fstore)
+ ca.configure_certmonger_renewal_guard()
+
update_dbmodules(api.env.realm)
uninstall_ipa_kpasswd()
@@ -1339,6 +1341,7 @@ def main():
http = httpinstance.HTTPInstance(fstore)
http.configure_selinux_for_httpd()
http.change_mod_nss_port_from_http()
+ http.configure_certmonger_renewal_guard()
http.stop()
update_mod_nss_protocol(http)