dnssec: concurrency issue when disabling old replica key

When the dnssec role is removed from the local node, the uninstaller
creates a new replica key and marks the older replica keys as disabled
(both in the local HSM and in LDAP).
If ipa-ods-exporter runs in the middle of this operation, the old replica
key may be disabled in the local HSM but not yet in LDAP, and
ipa-ods-exporter believes that it is a new replica key that needs to be
imported from LDAP to the local HSM. The operation fails as the key is
already in the local HSM.

The error can be ignored; ipa-ods-exporter simply needs to log a warning.

Fixes: https://pagure.io/freeipa/issue/8654
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Florence Blanc-Renaud 2021-03-05 15:00:07 +01:00
parent 3b1a56f588
commit 73ced07e2e


@ -37,6 +37,7 @@ from ipapython.dn import DN
from ipapython.ipa_log_manager import standard_logging_setup
from ipapython import ipaldap
from ipaplatform.paths import paths
from ipaserver import p11helper
from ipaserver.dnssec.abshsm import sync_pkcs11_metadata, wrappingmech_name2id
from ipaserver.dnssec.ldapkeydb import LdapKeyDB, str_hexlify
from ipaserver.dnssec.localhsm import LocalHSM
@ -301,7 +302,19 @@ def ldap2master_replica_keys_sync(ldapkeydb, localhsm):
new_key_ldap['ipk11label'],
str_hexlify(new_key_ldap['ipk11id']),
str_hexlify(new_key_ldap['ipapublickey']))
localhsm.import_public_key(new_key_ldap, new_key_ldap['ipapublickey'])
try:
localhsm.import_public_key(
new_key_ldap, new_key_ldap['ipapublickey'])
except p11helper.DuplicationError:
# we may have been called in the middle of operations
# disabling dnssec on the current node, while the
# replica key has already been disabled in localhsm but
# not yet in LDAP.
# Ignore the import error (key is already in localhsm but disabled)
# and log a warning
logger.warning("import of replica key to localhsm %s failed, "
"key already present but disabled",
str_hexlify(new_key_ldap['ipk11id']))
# set CKA_WRAP = FALSE for all replica keys removed from LDAP
removed_replica_keys = set(localhsm.replica_pubkeys_wrap.keys()) \
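Review bot: the except branch in ldap2master_replica_keys_sync swallows every p11helper.DuplicationError and unconditionally reports the cause as "key already present but disabled", but nothing in the hunk checks that the colliding object in localhsm actually has CKA_WRAP unset. Since the surrounding code later derives removed_replica_keys from localhsm.replica_pubkeys_wrap, a duplicate that is still wrap-enabled would be silently mis-described and never reconciled; consider looking the key up in localhsm by ipk11id and only downgrading to a warning when it is confirmed disabled, re-raising otherwise. Minor wording point on the warning itself: with the hex ID substituted after "localhsm", the message reads as if the ID belonged to the HSM; "import of replica key %s to localhsm failed, key already present but disabled" is clearer, and including new_key_ldap['ipk11label'] (already logged a few lines above) would make the warning easier to correlate.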