author Fraser Tweedale <ftweedal@redhat.com> 2015-11-20 15:59:11 +1100
committer Jan Cholasta <jcholast@redhat.com> 2015-11-23 11:05:49 +0100
commit 5136cd6e4bd305d6f4b6bf22d22fb4abc365cfad (patch)
tree f65b0a82a979841841dd594e0e4a3bf2332e141a /ipaserver
parent 2be8d2d068557631813607d84bb03c91fbeaaf80 (diff)
Avoid race condition caused by profile delete and recreate
When importing IPA-managed certificate profiles into Dogtag, profiles with the same name (usually caIPAserviceCert) are removed, then immediately recreated with the new profile data. This causes a race condition - Dogtag's LDAPProfileSystem profileChangeMonitor thread could observe and process the deletion after the profile was recreated, disappearing it again.

Update the profile instead of deleting and recreating it to avoid this race condition.

Fixes: https://fedorahosted.org/freeipa/ticket/5269
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r-- ipaserver/install/cainstance.py 3
1 files changed, 1 insertions, 2 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1cbc0d03b..448e42e2b 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1970,8 +1970,7 @@ def _create_dogtag_profile(profile_id, profile_data):
root_logger.debug(
"Failed to disable profile '%s' "
"(it is probably already disabled)")
- profile_api.delete_profile(profile_id)
- profile_api.create_profile(profile_data)
+ profile_api.update_profile(profile_id, profile_data)
# enable the profile
try:
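Review bot: the root_logger.debug call in the context lines just above the change formats "Failed to disable profile '%s' " but the visible call closes right after the second string, so nothing is supplied for '%s' and the log line will carry the literal placeholder instead of the profile name; pass profile_id as the argument while this block is being touched. On the added line, update_profile(profile_id, profile_data) replaces the delete/create pair inside a function still named _create_dogtag_profile and has no comment saying why. A one-line comment noting that delete-and-recreate races with Dogtag's profileChangeMonitor thread would keep a later cleanup from restoring the old sequence.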