[Freeipa-devel] [PATCH 3/3] Get list of service from LDAP only at startup

Rob Crittenden rcritten at redhat.com
Wed Oct 31 17:22:13 UTC 2012


Simo Sorce wrote:
> On Mon, 2012-10-29 at 15:41 -0400, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Fri, 2012-10-26 at 16:30 -0400, Rob Crittenden wrote:
>>>> Simo Sorce wrote:
>>>>> From: Simo Sorce <ssorce at redhat.com>
>>>>>
>>>>> We check (possibly different) data from LDAP only at (re)start.
>>>>> This way we always shut down exactly the services we started even if the list
>>>>> changed in the meanwhile (we avoid leaving a service running even if it was
>>>>> removed from LDAP as the admin decided it should not be started in future).
>>>>>
>>>>> This should also fix a problematic deadlock with systemd when we try to read
>>>>> the list of services from LDAP at shutdown.
>>>>
>>>> I'm thinking that in patch 2 we need to be sure the name is unique, for
>>>> whatever reason, when starting a service. I'm not sure if it is related
>>>> to this or not:
>>>>
>>>> ...
>>>> Done configuring the web interface (httpd).
>>>> Applying LDAP updates
>>>> Restarting the directory server
>>>> Restarting the KDC
>>>> Sample zone file for bind has been created in /tmp/sample.zone.t1LC7e.db
>>>> Restarting the web server
>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>> CalledProcessError: Command '/bin/systemctl restart ipa.service'
>>>> returned non-zero exit status 1
>>>> [root@rawhide2 freeipa]# cat /var/run/ipa/services.list
>>>> ["messagebus", "certmonger", "ntpd", "messagebus", "certmonger",
>>>> "messagebus", "certmonger", "certmonger", "messagebus", "certmonger",
>>>> "certmonger", "krb5kdc", "messagebus", "certmonger", "certmonger"]
>>>
>>> Maybe I should add code to remove entries on stop() ?
>>> I haven't considered the case where our own code stops instances outside
>>> of ipactl stop
>>>
>>> Now having duplicate instances shouldn't be fatal but maybe systemd is
>>> returning an error to signal the instance was already started ?
>>
>> Maybe converting the list to a set before starting would be enough.
>
> I can easily weed out duplicates, but I am relying on the order in this
> list in the code by using reverse() so that services are stopped in
> reverse order. However the fact you can restart single services will
> make this sorta break I guess.
>
> I am going to think about ordering and propose a solution that properly
> handles that, the main issue is that SERVICE_LIST cannot be used because
> it uses the original 'abstract' names, while the service class now uses
> this well-known service name.
>
>>>
>>>> I don't see any smoking gun in the install log:
>>>>
>>>> 2012-10-26T20:27:40Z DEBUG Starting external process
>>>> 2012-10-26T20:27:40Z DEBUG args=/bin/systemctl restart ipa.service
>>>> 2012-10-26T20:27:42Z DEBUG Process finished, return code=1
>>>> 2012-10-26T20:27:42Z DEBUG stdout=
>>>> 2012-10-26T20:27:42Z DEBUG stderr=Job for ipa.service failed. See
>>>> 'systemctl status ipa.service' and 'journalctl' for details.
>>>>
>>>> 2012-10-26T20:27:42Z INFO   File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>>> line 614, in run_script
>>>>        return_value = main_function()
>>>>
>>>>      File "/usr/sbin/ipa-server-install", line 1100, in main
>>>>        ipaservices.knownservices.ipa.enable()
>>>>
>>>>      File
>>>> "/usr/lib/python2.7/site-packages/ipapython/platform/fedora16.py", line
>>>> 129, in enable
>>>>        self.restart(instance_name)
>>>>
>>>>      File
>>>> "/usr/lib/python2.7/site-packages/ipapython/platform/systemd.py", line
>>>> 104, in restart
>>>>        ipautil.run(["/bin/systemctl", "restart",
>>>> self.service_instance(instance_name)], capture_output=capture_output)
>>>>
>>>>      File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line
>>>> 323, in run
>>>>        raise CalledProcessError(p.returncode, arg_string)
>>>>
>>>> 2012-10-26T20:27:42Z INFO The ipa-server-install command failed,
>>>> exception: CalledProcessError: Command '/bin/systemctl restart
>>>> ipa.service' returned non-zero exit status 1
>>>
>>> So it returned just 1 without any error message ?
>>>
>>> Simo.
>>>
>>>
>>
>> # /bin/systemctl status ipa.service
>> ipa.service - Identity, Policy, Audit
>>             Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
>>             Active: failed (Result: exit-code) since Fri, 26 Oct 2012
>> 16:27:42 -0400; 2 days ago
>>            Process: 17543 ExecStart=/usr/sbin/ipactl start (code=exited,
>> status=1/FAILURE)
>>             CGroup: name=systemd:/system/ipa.service
>>
>> Oct 26 16:27:40 rawhide2.greyoak.com systemd[1]: Starting Identity,
>> Policy, Audit...
>> Oct 26 16:27:41 rawhide2.greyoak.com ipactl[17543]: IPA service already
>> started!
>> Oct 26 16:27:42 rawhide2.greyoak.com systemd[1]: Failed to start
>> Identity, Policy, Audit.
>
> I don't think this depends on my patch.
>
> Simo.
>

It seems to be. I can't install in F-18 at all with your 3 patches applied.

rob
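
Added example, not part of the thread and not FreeIPA's code: one way to keep the started-services list free of duplicates while preserving the start order that the reverse-order shutdown discussed above depends on (a plain `set` would lose that order). The class and function names are hypothetical; the sample input is the `services.list` content quoted in the thread.

```python
import json

# Contents of /var/run/ipa/services.list as quoted in the thread.
THREAD_LIST = json.dumps([
    "messagebus", "certmonger", "ntpd", "messagebus", "certmonger",
    "messagebus", "certmonger", "certmonger", "messagebus", "certmonger",
    "certmonger", "krb5kdc", "messagebus", "certmonger", "certmonger"])


class StartedServices:
    """Hypothetical tracker for the started-services state file."""

    def __init__(self, raw="[]"):
        self.names = []
        for name in json.loads(raw):
            self.record_start(name)  # collapses duplicates already on disk

    def record_start(self, name):
        # Idempotent: restarting an already-recorded service keeps its
        # original position, so the stop order stays stable.
        if name not in self.names:
            self.names.append(name)

    def record_stop(self, name):
        # A service stopped outside a full shutdown drops out of the list.
        if name in self.names:
            self.names.remove(name)

    def stop_order(self):
        # Reverse of first-start order, each service exactly once.
        return list(reversed(self.names))

    def dump(self):
        return json.dumps(self.names)


def demo():
    state = StartedServices(THREAD_LIST)
    as_loaded = list(state.names)
    state.record_start("certmonger")  # restart of a single service
    state.record_stop("ntpd")         # stopped outside "ipactl stop"
    return as_loaded, state.stop_order(), state.dump()


if __name__ == "__main__":
    print(demo())
```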



