From f1564cd228068d54b949277f7bdc00203b5da81a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Jun 10 2020 18:40:03 +0000
Subject: upgrade: avoid stopping certmonger when fixing requests
During upgrade, if discrepancies are detected in Certmonger tracking request configuration we remove and re-create tracking requests. The default behaviour of the CAInstance and KRAInstance stop_tracking_certificates() method is to stop certmonger after the requests have been removed. This behaviour results in an unnecessary restart of certmonger and has also been observed to cause problems. For example, subsequent certmonger operations have to start the certmonger process and can fail because certmonger is not yet properly initialised (manifesting as D-Bus errors). Suppress the unnecessary restart(s) of certmonger during tracking request update.
Related: https://pagure.io/freeipa/issue/8186
Reviewed-By: Alexander Bokovoy
---
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 2836bdd..a5ad505 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1065,8 +1065,11 @@ class CAInstance(DogtagInstance):
 logger.error(
 "certmonger failed to start tracking certificate: %s", e)
- def stop_tracking_certificates(self):
- """Stop tracking our certificates. Called on uninstall.
+ def stop_tracking_certificates(self, stop_certmonger=True):
+ """
+ Stop tracking our certificates. Called on uninstall. Also called
+ during upgrade to fix discrepancies.
+
 """
 super(CAInstance, self).stop_tracking_certificates(False)
@@ -1082,7 +1085,8 @@ class CAInstance(DogtagInstance):
 logger.error(
 "certmonger failed to stop tracking certificate: %s", e)
- services.knownservices.certmonger.stop()
+ if stop_certmonger:
+ services.knownservices.certmonger.stop()
 def set_audit_renewal(self):
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 650ccff..42c9db3 100644
--- a/ipaserver/install/dogtaginstance.py
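Review bot: The rewritten docstring of `CAInstance.stop_tracking_certificates()` does not describe the new `stop_certmonger` parameter; it only adds that the method is also called during upgrade, and the `DogtagInstance.stop_tracking_certificates()` docstring changed in dogtaginstance.py has the same gap. I would add a line such as `:param stop_certmonger: stop the certmonger service once the tracking requests are removed; the upgrade path passes False`. As a style point on the context line in this hunk, `super(CAInstance, self).stop_tracking_certificates(False)` would read more clearly with `stop_certmonger=False`, matching the keyword form used in upgrade.py. The method body continues past the end of this hunk.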
+++ b/ipaserver/install/dogtaginstance.py
@@ -426,7 +426,10 @@ class DogtagInstance(service.Service):
 "certmonger failed to start tracking certificate: %s", e)
 def stop_tracking_certificates(self, stop_certmonger=True):
- """Stop tracking our certificates. Called on uninstall.
+ """
+ Stop tracking our certificates. Called on uninstall. Also called
+ during upgrade to fix discrepancies.
+
 """
 logger.debug(
 "Configuring certmonger to stop tracking system certificates "
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index edcbf4e..b0f127e 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1193,9 +1193,9 @@ def certificate_renewal_update(ca, kra, ds, http):
 # Ok, now we need to stop tracking, then we can start tracking them
 # again with new configuration:
- ca.stop_tracking_certificates()
+ ca.stop_tracking_certificates(stop_certmonger=False)
 if kra.is_installed():
- kra.stop_tracking_certificates()
+ kra.stop_tracking_certificates(stop_certmonger=False)
 ds.stop_tracking_certificates(serverid)
 http.stop_tracking_certificates()
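Review bot: `kra.stop_tracking_certificates(stop_certmonger=False)` relies on `KRAInstance` accepting that keyword, yet this commit touches only `CAInstance` and `DogtagInstance`; presumably `KRAInstance` inherits the `DogtagInstance` method, which already takes `stop_certmonger`, but an override without the parameter would raise `TypeError` during upgrade, so that is worth confirming. The `ds.stop_tracking_certificates(serverid)` and `http.stop_tracking_certificates()` calls are unchanged, and whether they also stop certmonger is not visible here. Because the stop helper in cainstance.py only logs removal failures (`logger.error("certmonger failed to stop tracking certificate: %s", e)`), a stale request may survive into the re-tracking step while certmonger keeps running; a comment above the calls such as `# keep certmonger running; requests are re-created below (issue 8186)` would record the intent. The function starts and ends outside the hunk.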