DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction

https://fedorahosted.org/freeipa/ticket/5273 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Oleg Fayans <ofayans@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-08-31 18:01:12 +02:00
parent f8c637d95d
commit 87c494593e
1 changed files with 31 additions and 8 deletions
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -368,12 +368,12 @@ def parse_command(cmd):
    """
    if cmd == 'ipa-hsm-update':
        return (0,
-                'HSM synchronization finished, exiting.',
+                'HSM synchronization finished, skipping zone synchronization.',
                None)

    elif cmd == 'ipa-full-update':
        return (None,
-                'Synchronization of all zones requested.',
+                'Synchronization of all zones was finished.',
                None)

    elif not cmd.startswith('update '):
@@ -386,7 +386,7 @@ def parse_command(cmd):
    else:
        zone_name = cmd2ods_zone_name(cmd)
        return (None,
-                'Update request for zone "%s" queued.\n' % zone_name,
+                'Zone was "%s" updated.\n' % zone_name,
                zone_name)

 def send_systemd_reply(conn, reply):
@@ -541,18 +541,29 @@ except KeyError as e:

 exitcode, msg, zone_name = parse_command(cmd)

-if conn:
-    send_systemd_reply(conn, msg)
 if exitcode is not None:
+    if conn:
+        send_systemd_reply(conn, msg)
    log.info(msg)
    sys.exit(exitcode)
 else:
    log.debug(msg)

 # Open DB directly and read key timestamps etc.
-with ods_db_lock():
-    db = sqlite3.connect(paths.OPENDNSSEC_KASP_DB,
-            isolation_level="EXCLUSIVE")
+db = None
+try:
+    # LOCK WARNING:
+    # ods-enforcerd is holding kasp.db.our_lock when processing all zones and
+    # the lock is unlocked only after all calls to ods-signer are finished,
+    # i.e. when ods-enforcerd receives reply from each ods-signer call.
+    #
+    # Consequently, ipa-ods-exporter (ods-signerd implementation) must not
+    # request kasp.db.our_lock to prevent deadlocks.
+    # SQLite transaction isolation should suffice.
+    # Beware: Reply can be sent back only after DB is unlocked and closed
+    #         otherwise ods-enforcerd will fail.
+
+    db = sqlite3.connect(paths.OPENDNSSEC_KASP_DB)
    db.row_factory = sqlite3.Row
    db.execute('BEGIN')

@@ -564,4 +575,16 @@ with ods_db_lock():
        for zone_row in db.execute("SELECT name FROM zones"):
            sync_zone(log, ldap, dns_dn, zone_row['name'])

+except Exception as ex:
+    msg = "ipa-ods-exporter exception: %s" % ex
+    raise ex
+
+finally:
+    try:
+        if db:
+            db.close()
+    finally:
+        if conn:
+            send_systemd_reply(conn, msg)
+
 log.debug('Done')