Add ExecStartPost hook to wait for Dogtag PKI

Dogtag PKI typically takes around 10 seconds to start and respond to
requests. Dogtag uses a simple systemd service, which means systemd is
unable to detect when Dogtag is ready. Commands like ``systemctl start``
and ``systemctl restart`` don't block and wait until the CA is up. There
have been various workarounds in Dogtag and IPA.

Systemd has an ExecStartPost hook to run programs after the main service
has been started. ``systemctl start`` and ``systemctl restart`` also block
until all post hooks have completed. The new ipa-pki-wait-running script
polls port 8080 and waits until the CA subsystem reports ``running``.

Related: https://pagure.io/freeipa/issue/7916
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Christian Heimes
2019-04-17 07:45:18 +02:00
parent edd53d8c50
commit 3f9e23f125
8 changed files with 160 additions and 12 deletions


@@ -399,6 +399,7 @@ class CAInstance(DogtagInstance):
self.step("creating installation admin user", self.setup_admin)
self.step("configuring certificate server instance",
self.__spawn_instance)
self.step("Add ipa-pki-wait-running", self.add_ipa_wait)
self.step("reindex attributes", self.reindex_task)
self.step("exporting Dogtag certificate store pin",
self.create_certstore_passwdfile)
@@ -604,6 +605,18 @@ class CAInstance(DogtagInstance):
logger.debug("completed creating ca instance")
def add_ipa_wait(self):
"""Add ipa-pki-wait-running to pki-tomcatd service
"""
conf = paths.SYSTEMD_PKI_TOMCAT_IPA_CONF
directory = os.path.dirname(conf)
if not os.path.isdir(directory):
os.mkdir(directory)
with open(conf, 'w') as f:
f.write('[Service]\n')
f.write('ExecStartPost={}\n'.format(paths.IPA_PKI_WAIT_RUNNING))
tasks.systemd_daemon_reload()
def safe_backup_config(self):
"""
Safely handle exceptions if backup_config fails
@@ -983,6 +996,14 @@ class CAInstance(DogtagInstance):
cmonger.stop()
# remove ipa-pki-wait-running config
remove_file(paths.SYSTEMD_PKI_TOMCAT_IPA_CONF)
try:
os.rmdir(os.path.dirname(paths.SYSTEMD_PKI_TOMCAT_IPA_CONF))
except OSError:
pass
tasks.systemd_daemon_reload()
# remove CRL files
logger.debug("Remove old CRL files")
try:
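Review bot: The drop-in written in add_ipa_wait (the `with open(conf, 'w')` block) gets whatever mode the installer's umask happens to yield, and the `isdir`/`mkdir` pair just before it is a check-then-act race that raises if the directory appears between the two calls. Since systemd reads this file as PID 1 and executes the ExecStartPost= command it names, neither the directory nor the file should be writable by anyone other than root, so I would pin the modes instead of relying on the umask: `os.makedirs(directory, mode=0o755, exist_ok=True)` in place of the isdir/mkdir pair, and `os.fchmod(f.fileno(), 0o644)` as the first statement inside the `with` block. The docstring could also record why the hook exists, e.g. `"""Install a systemd drop-in so ExecStartPost= blocks until the CA reports running."""`. add_ipa_wait is complete within the hunk; the enclosing CAInstance class starts outside it.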


@@ -190,6 +190,7 @@ class Backup(admintool.AdminTool):
paths.IPA_CUSTODIA_CONF,
paths.GSSPROXY_CONF,
paths.HOSTS,
paths.SYSTEMD_PKI_TOMCAT_IPA_CONF,
) + tuple(
os.path.join(paths.IPA_NSSDB_DIR, file)
for file in (certdb.NSS_DBM_FILES + certdb.NSS_SQL_FILES)