Increase dbus client timeouts during CA install

When running on memory-constrained systems, the `ipa-server-install`
program often fails during the "Configuring certificate server
(pki-tomcatd)" stage in FreeIPA 4.5 and 4.6.

The memory-intensive dogtag service causes swapping on low-memory
systems right after start-up, so new certificate operations requested
via certmonger in particular can exceed the dbus client's default
25 second timeout.

This patch changes dbus client timeouts for some such operations to
120 seconds (from the default 25 seconds, IIRC).

See more discussion in FreeIPA PR #1078 [1] and FreeIPA container
issue #157 [2].  Upstream ticket at [3].

[1]: https://github.com/freeipa/freeipa/pull/1078
[2]: https://github.com/freeipa/freeipa-container/issues/157
[3]: https://pagure.io/freeipa/issue/7213

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
John Morris 2017-09-13 11:27:48 -05:00 committed by Tomas Krizek
parent 3a0410267f
commit a2dea5a56d
No known key found for this signature in database
GPG Key ID: 22A2A94B5E49415A
3 changed files with 10 additions and 2 deletions


@ -287,6 +287,8 @@ IPA_CA_RECORD = "ipa-ca"
IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca' IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca'
RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent' RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent'
RENEWAL_REUSE_CA_NAME = 'dogtag-ipa-ca-renew-agent-reuse' RENEWAL_REUSE_CA_NAME = 'dogtag-ipa-ca-renew-agent-reuse'
# How long dbus clients should wait for CA certificate RPCs [seconds]
CA_DBUS_TIMEOUT = 120
# regexp definitions # regexp definitions
PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$' PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
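Review bot: The comment added above `CA_DBUS_TIMEOUT = 120` says what the value is but not why it departs from the dbus client default, so a later reader has no reason not to lower it again; the rationale is only in the commit description (dogtag swapping on memory-constrained hosts right after start-up). Suggest extending the comment to `# How long dbus clients should wait for CA certificate RPCs [seconds].` followed by `# Dogtag can be very slow right after start-up on low-memory hosts, so this is well above the dbus default.` The value itself can stay as it is.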


@ -32,6 +32,7 @@ import shlex
import subprocess import subprocess
import tempfile import tempfile
from ipalib import api from ipalib import api
from ipalib.constants import CA_DBUS_TIMEOUT
from ipapython.dn import DN from ipapython.dn import DN
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ipaplatform import services from ipaplatform import services
@ -620,7 +621,9 @@ def modify_ca_helper(ca_name, helper):
old_helper = ca_iface.Get('org.fedorahosted.certmonger.ca', old_helper = ca_iface.Get('org.fedorahosted.certmonger.ca',
'external-helper') 'external-helper')
ca_iface.Set('org.fedorahosted.certmonger.ca', ca_iface.Set('org.fedorahosted.certmonger.ca',
'external-helper', helper) 'external-helper', helper,
# Give dogtag extra time to generate cert
timeout=CA_DBUS_TIMEOUT)
return old_helper return old_helper
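Review bot: The new comment `# Give dogtag extra time to generate cert` sits on a `ca_iface.Set(..., 'external-helper', helper, timeout=CA_DBUS_TIMEOUT)` call that changes a certmonger CA property rather than requesting a certificate, so the stated reason cannot be traced from the surrounding lines; the identical comment is attached to `iface.add_known_ca(...)` in the DogtagInstance hunk of the third file. If the long timeout is needed because certmonger contacts dogtag before replying to these calls (presumably through the helper, which is not visible here), the comment should say that, e.g. `# certmonger may call out to dogtag before replying; allow for a slow CA`. The adjacent `ca_iface.Get(...)` keeps the default timeout, which is consistent only if the Set path is the one that blocks, so it is worth stating that explicitly. modify_ca_helper's body begins before this hunk.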


@ -31,6 +31,7 @@ import pki.system
from ipalib import api, errors, x509 from ipalib import api, errors, x509
from ipalib.install import certmonger from ipalib.install import certmonger
from ipalib.constants import CA_DBUS_TIMEOUT
from ipaplatform import services from ipaplatform import services
from ipaplatform.constants import constants from ipaplatform.constants import constants
from ipaplatform.paths import paths from ipaplatform.paths import paths
@ -262,7 +263,9 @@ class DogtagInstance(service.Service):
iface.add_known_ca( iface.add_known_ca(
name, name,
command, command,
dbus.Array([], dbus.Signature('s'))) dbus.Array([], dbus.Signature('s')),
# Give dogtag extra time to generate cert
timeout=CA_DBUS_TIMEOUT)
def __get_pin(self): def __get_pin(self):
try: try: