Replace replication_wait_timeout with certmonger_wait_timeout

The variable is intended to control the timeout for replication
events. If someone had significantly reduced it via configuration
then it could have caused certmonger requests to fail due to timeouts.

Add replication_wait_timeout, certmonger_wait_timeout and
http_timeout to the default.conf man page.

Related: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Rob Crittenden
2019-07-05 13:31:32 -04:00
committed by Florence Blanc-Renaud
parent 0d7eb0a972
commit faf34fcdfd
9 changed files with 27 additions and 8 deletions


@@ -77,6 +77,9 @@ Specifies the hostname of the dogtag CA server. The default is the hostname of t
.B ca_port <port>
Specifies the insecure CA end user port. The default is 8080.
.TP
.B certmonger_wait_timeout <seconds>
The time to wait for a certmonger request to complete during installation. The default value is 300 seconds.
.TP
.B context <context>
Specifies the context that IPA is being executed in. IPA may operate differently depending on the context. The current defined contexts are cli and server. Additionally this value is used to load /etc/ipa/\fBcontext\fR.conf to provide context\-specific configuration. For example, if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server, add the verbose option to \fI/etc/ipa/cli.conf\fR.
.TP
@@ -98,6 +101,9 @@ Specifies whether an IPA client should attempt to fall back and try other servic
.B host <hostname>
Specifies the local system hostname.
.TP
.B http_timeout <seconds>
Timeout for HTTP blocking requests (e.g. connection). The default value is 30 seconds.
.TP
.B in_server <boolean>
Specifies whether requests should be forwarded to an IPA server or handled locally. This is used internally by IPA in a similar way as context. The same IPA framework is used by the ipa command\-line tool and the server. This setting tells the framework whether it should execute the command as if on the server or forward it via XML\-RPC to a remote server.
.TP
@@ -160,6 +166,9 @@ Specifies the name of the CA back end to use. The current options are \fBdogtag\
.B realm <realm>
Specifies the Kerberos realm.
.TP
.B replication_wait_timeout <seconds>
The time to wait for a new entry to be replicated during replica installation. The default value is 300 seconds.
.TP
.B server <hostname>
Specifies the IPA Server hostname.
.TP


@@ -173,6 +173,8 @@ DEFAULT_CONFIG = (
('http_timeout', 30),
# How long to wait for an entry to appear on a replica
('replication_wait_timeout', 300),
# How long to wait for a certmonger request to finish
('certmonger_wait_timeout', 300),
# Web Application mount points
('mount_ipa', '/ipa/'),


@@ -326,7 +326,11 @@ def request_and_wait_for_cert(
deadline = time.time() + resubmit_timeout
while True: # until success, timeout, or error
state = wait_for_request(req_id, api.env.replication_wait_timeout)
try:
state = wait_for_request(req_id, api.env.http_timeout)
except RuntimeError as e:
logger.debug("wait_for_request raised %s", e)
state = 'TIMEOUT'
ca_error = get_request_value(req_id, 'ca-error')
if state == 'MONITORING' and ca_error is None:
# we got a winner, exiting
@@ -336,7 +340,7 @@ def request_and_wait_for_cert(
logger.debug(
"Cert request %s failed: %s (%s)", req_id, state, ca_error
)
if state not in {'CA_REJECTED', 'CA_UNREACHABLE'}:
if state in {'CA_REJECTED', 'CA_UNREACHABLE'}:
# probably unrecoverable error
logger.debug("Giving up on cert request %s", req_id)
break
@@ -344,8 +348,11 @@ def request_and_wait_for_cert(
# no resubmit
break
elif time.time() > deadline:
logger.debug("Request %s reached resubmit dead line", req_id)
logger.debug("Request %s reached resubmit deadline", req_id)
break
elif state == 'TIMEOUT':
logger.debug("%s not in final state, continue waiting", req_id)
time.sleep(10)
else:
# sleep and resubmit
logger.debug("Sleep and resubmit cert request %s", req_id)
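Review bot: The `except RuntimeError as e` added around the `wait_for_request` call maps every RuntimeError to the synthetic `'TIMEOUT'` state, so if `wait_for_request` can raise RuntimeError for anything other than a timeout (not visible in this hunk), that failure would be silently retried with a 10 s sleep until the resubmit deadline instead of surfacing. If it only raises on timeout, say so at the site so the next reader does not have to check: `# wait_for_request raises RuntimeError only on timeout; poll in http_timeout slices so the resubmit deadline stays responsive`. The per-poll wait now uses `api.env.http_timeout`, which the man page hunk above documents as the HTTP request timeout, so a one-line comment explaining why that value is reused here would avoid the apparent mismatch. `'TIMEOUT'` is not a certmonger request state and deserves the same remark where it is tested (`elif state == 'TIMEOUT':`). request_and_wait_for_cert begins and ends outside the hunk.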


@@ -874,7 +874,7 @@ class CAInstance(DogtagInstance):
pre_command='renew_ra_cert_pre',
post_command='renew_ra_cert',
storage="FILE",
resubmit_timeout=api.env.replication_wait_timeout
resubmit_timeout=api.env.certmonger_wait_timeout
)
self.__set_ra_cert_perms()


@@ -663,7 +663,7 @@ class CertDB:
def request_service_cert(self, nickname, principal, host,
resubmit_timeout=None):
if resubmit_timeout is None:
resubmit_timeout = api.env.replication_wait_timeout
resubmit_timeout = api.env.certmonger_wait_timeout
return certmonger.request_and_wait_for_cert(
certpath=self.secdir,
storage='NSSDB',


@@ -872,7 +872,7 @@ class DsInstance(service.Service):
profile=dogtag.DEFAULT_PROFILE,
dns=[self.fqdn],
post_command=cmd,
resubmit_timeout=api.env.replication_wait_timeout
resubmit_timeout=api.env.certmonger_wait_timeout
)
finally:
if prev_helper is not None:


@@ -385,7 +385,7 @@ class HTTPInstance(service.Service):
post_command='restart_httpd',
storage='FILE',
passwd_fname=key_passwd_file,
resubmit_timeout=api.env.replication_wait_timeout
resubmit_timeout=api.env.certmonger_wait_timeout
)
finally:
if prev_helper is not None:


@@ -459,7 +459,7 @@ class KrbInstance(service.Service):
profile=KDC_PROFILE,
post_command='renew_kdc_cert',
perms=(0o644, 0o600),
resubmit_timeout=api.env.replication_wait_timeout
resubmit_timeout=api.env.certmonger_wait_timeout
)
except dbus.DBusException as e:
# if the certificate is already tracked, ignore the error


@@ -432,6 +432,7 @@ AstroidBuilder(MANAGER).string_build(textwrap.dedent(
api.env.ca_host = ''
api.env.ca_install_port = None
api.env.ca_port = 0
api.env.certmonger_wait_timeout = 0
api.env.conf = '' # object
api.env.conf_default = '' # object
api.env.confdir = '' # object