IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

ipatests: remove certmonger tracking before uninstall

Browse Source 
test_ipahealthcheck_expiring is moving the date in the future
in order to check that certmonger properly warns about expiring
certificates, then uninstalls the master.

The uninstallation randomly fails with a DBus error communicating
with certmonger because of a contention between certmonger being
waken up by the call to stop tracking certs and the certmonger
helpers trying to renew the certs.

The test is stopping PKI server, then moves the date in the future.
At this point, certmonger is still running (we are testing that
getcert list properly warns about near expiration). This means that
chances are high that certmonger has enough time to launch the CA helper
for renewal, that takes the lock. But since PKI is down, the helper
remains running for a while and does not release the lock. Then
certmonger is stopped, the tracking files are removed, certmonger is
restarted.

To avoid the contention, manually remove the tracking before
calling uninstall and remove the renewal lock file.

Fixes: https://pagure.io/freeipa/issue/9123
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Florence Blanc-Renaud 2022-03-07 08:59:34 +01:00
parent a283735fbf
commit 52ec9cc027
1 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
ipatests/test_integration/test_ipahealthcheck.py
View File

@ -1387,6 +1387,19 @@ class TestIpaHealthCheck(IntegrationTest):
execute_nsscheck_cert_expiring(check) execute_nsscheck_cert_expiring(check)
finally: finally:
# Prior to uninstall remove all the cert tracking to prevent
# errors from certmonger trying to check the status of certs
# that don't matter because we are uninstalling.
self.master.run_command(['systemctl', 'stop', 'certmonger'])
# Important: run_command with a str argument is able to
# perform shell expansion but run_command with a list of
# arguments is not
self.master.run_command(
"rm -fv " + paths.CERTMONGER_REQUESTS_DIR + "*"
)
# Delete the renewal lock file to make sure the helpers don't block
self.master.run_command("rm -fv " + paths.IPA_RENEWAL_LOCK)
self.master.run_command(['systemctl', 'start', 'certmonger'])
# Uninstall the master here so that the certs don't try # Uninstall the master here so that the certs don't try
# to renew after the CA is running again. # to renew after the CA is running again.
tasks.uninstall_master(self.master) tasks.uninstall_master(self.master)