upgrade: avoid stopping certmonger when fixing requests

During upgrade, if discrepancies are detected in Certmonger tracking
request configuration we remove and re-create tracking requests.
The default behaviour of the CAInstance and KRAInstance
stop_tracking_certificates() method is to stop certmonger after the
requests have been removed.  This behaviour results in an
unnecessary restart of certmonger and has also been observed to
cause problems.  For example, subsequent certmonger operations have
to start the certmonger process and can fail because certmonger is
not yet properly initialised (manifesting as D-Bus errors).

Suppress the unnecessary restart(s) of certmonger during tracking
request update.

Related: https://pagure.io/freeipa/issue/8186
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Fraser Tweedale
2020-06-09 17:21:25 +10:00
parent 9d9012f682
commit e6fda6f0fb
3 changed files with 13 additions and 6 deletions

@@ -1065,8 +1065,11 @@ class CAInstance(DogtagInstance):
logger.error(
"certmonger failed to start tracking certificate: %s", e)
def stop_tracking_certificates(self):
"""Stop tracking our certificates. Called on uninstall.
def stop_tracking_certificates(self, stop_certmonger=True):
"""
Stop tracking our certificates. Called on uninstall. Also called
during upgrade to fix discrepancies.
"""
super(CAInstance, self).stop_tracking_certificates(False)
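Review bot: The call `super(CAInstance, self).stop_tracking_certificates(False)` at the end of this hunk passes the flag positionally, which hides what `False` means now that the override has a named `stop_certmonger` parameter of its own. Pass it as `stop_certmonger=False` so the call reads the same way as the call sites in the upgrade code and cannot be mistaken for forwarding the caller's value.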
@@ -1082,7 +1085,8 @@ class CAInstance(DogtagInstance):
logger.error(
"certmonger failed to stop tracking certificate: %s", e)
services.knownservices.certmonger.stop()
if stop_certmonger:
services.knownservices.certmonger.stop()
def set_audit_renewal(self):

@@ -426,7 +426,10 @@ class DogtagInstance(service.Service):
"certmonger failed to start tracking certificate: %s", e)
def stop_tracking_certificates(self, stop_certmonger=True):
"""Stop tracking our certificates. Called on uninstall.
"""
Stop tracking our certificates. Called on uninstall. Also called
during upgrade to fix discrepancies.
"""
logger.debug(
"Configuring certmonger to stop tracking system certificates "
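Review bot: The rewritten docstring says when the method is called but still does not describe `stop_certmonger`, which is the argument the upgrade path now depends on. Add a sentence stating that the default `True` stops the certmonger service after the requests are removed and that `False` leaves it running; the same sentence belongs in the CAInstance override.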

@@ -1212,9 +1212,9 @@ def certificate_renewal_update(ca, kra, ds, http):
# Ok, now we need to stop tracking, then we can start tracking them
# again with new configuration:
ca.stop_tracking_certificates()
ca.stop_tracking_certificates(stop_certmonger=False)
if kra.is_installed():
kra.stop_tracking_certificates()
kra.stop_tracking_certificates(stop_certmonger=False)
ds.stop_tracking_certificates(serverid)
http.stop_tracking_certificates()
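Review bot: Only the `ca` and `kra` calls gain `stop_certmonger=False`; `ds.stop_tracking_certificates(serverid)` and `http.stop_tracking_certificates()` directly below are unchanged, and nothing in this hunk shows whether they stop certmonger as well. If either does, the restart the commit message sets out to suppress still happens between removal and re-creation of the requests, so please confirm that those two methods leave the service running, or give them the same argument.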