mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-26 00:41:25 -06:00
18a8a41580
* Drop support for python 2 * Only import traceback and syslog when needed * Only import ipaserver.install.certs when the lock is needed * Only import ipautil when run is needed For the unsupported operations case this improves performance by 95% For the supported operations that don't require a lock the improvement is about 50%. For the supported operations that require a lock the improvement is about 20% When configuring a CA certmonger calls its helper with the following operations: IDENTIFY FETCH-ROOTS GET-SUPPORTED-TEMPLATES GET-DEFAULT-TEMPLATE GET-NEW-REQUEST-REQUIREMENTS GET-RENEW-REQUEST-REQUIREMENTS FETCH-SCEP-CA-CAPS FETCH-SCEP-CA-CERTS Only IDENTIFY, FETCH-ROOTS and GET-NEW-REQUEST-REQUIREMENTS are supported by ipa-submit, along with the request options SUBMIT and POLL. Which means every time the IPA CA in certmonger is updated eight calls to ipa-server-guard are made so the savings are cumulative. The savings when executing these eight operations is a 73% decrease (.7 sec vs 2.5 sec). https://pagure.io/freeipa/issue/8425 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
76 lines
2.4 KiB
Python
76 lines
2.4 KiB
Python
#!/usr/bin/python3
|
|
#
|
|
# Authors:
|
|
# Jan Cholasta <jcholast@redhat.com>
|
|
#
|
|
# Copyright (C) 2015 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
import os
|
|
# Prevent garbage from readline on standard output
|
|
# (see https://fedorahosted.org/freeipa/ticket/4064)
|
|
if not os.isatty(1):
|
|
os.environ['TERM'] = 'dumb'
|
|
import sys
|
|
|
|
# Return codes. Names of the constants are taken from
|
|
# https://git.fedorahosted.org/cgit/certmonger.git/tree/src/submit-e.h
|
|
OPERATION_NOT_SUPPORTED_BY_HELPER = 6
|
|
|
|
|
|
def run_operation(cmd):
|
|
from ipapython import ipautil
|
|
|
|
result = ipautil.run(cmd, raiseonerr=False, env=os.environ)
|
|
# Write bytes directly
|
|
sys.stdout.buffer.write(result.raw_output) #pylint: disable=no-member
|
|
sys.stderr.buffer.write(result.raw_error_output) #pylint: disable=no-member
|
|
sys.stdout.flush()
|
|
sys.stderr.flush()
|
|
|
|
return result.returncode
|
|
|
|
|
|
def main():
|
|
if len(sys.argv) < 2:
|
|
raise RuntimeError("Not enough arguments")
|
|
|
|
# Avoid the lock if the operation is unsupported by ipa-submit
|
|
operation = os.environ.get('CERTMONGER_OPERATION')
|
|
if operation not in ('IDENTIFY',
|
|
'FETCH-ROOTS',
|
|
'GET-NEW-REQUEST-REQUIREMENTS',
|
|
'SUBMIT',
|
|
'POLL'):
|
|
return OPERATION_NOT_SUPPORTED_BY_HELPER
|
|
|
|
if operation in ('SUBMIT', 'POLL', 'FETCH-ROOTS'):
|
|
from ipaserver.install import certs
|
|
with certs.renewal_lock:
|
|
return run_operation(sys.argv[1:])
|
|
else:
|
|
return run_operation(sys.argv[1:])
|
|
|
|
|
|
try:
|
|
sys.exit(main())
|
|
except Exception as e:
|
|
import traceback
|
|
import syslog
|
|
syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
|
|
print("Internal error")
|
|
sys.exit(3)
|