In issue #6652 a new cache for KRA transport certs was introduced. The new cache uses a combination of file system cache and in-memory cache. The in-memory cache has a higher precedence than the fs cache. Once loaded, the in-memory cache is never synced from the file system again.
For a forking service like Custodia, this results in a performance regression and concurrency issues. Custodia initializes the KRA transport cert cache in the main process right before the server socket listens on incoming requests. Since all requests are handled in forked child processes, the in-memory cache of the server process is created once and never updated. This can lead to performance regressions in case the KRA cert is updated:
Steps 3 to 5 are repeated over and over again because the child can't modify the in-memory cache of the parent process.
Proposed solution: Use a simpler implementation that uses an atomic on-filesystem cache.
Furthermore, there is a bug in the new KRA cache code. On one occasion a logger.info() call has a format string with two %s but just one positional argument. This causes the cache to break with a "TypeError: not enough arguments for format string" exception.
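The failure mode described in the report (a parent process pre-loads an in-memory cache, every request is served by a child forked from that parent, and a child's refresh never reaches the parent) and the proposed fix (an atomic on-filesystem cache with no in-memory layer), as an added example. This is not FreeIPA or Custodia code; the class names, the file name kra-transport.pem and the "fork as deepcopy" model are assumptions made for illustration. The fork is modelled by copying the parent object, which is what copy-on-write memory gives a forked child.

```python
"""Stale in-memory cache across forks versus an atomic file cache.

Added example, not Custodia/FreeIPA code. Class and file names are
hypothetical; copy.deepcopy() stands in for os.fork(), since a forked
child starts with a private copy of the parent's memory.
"""
import copy
import os
import tempfile


def atomic_write(path, data):
    """Write data to a temp file in the target directory, fsync it and
    rename it over the target. Readers (including other forked children)
    see either the old or the new complete file, never a torn write."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)          # atomic on POSIX within one filesystem
    except BaseException:
        os.unlink(tmp)
        raise


class LayeredCache:
    """Model of the design the report complains about: the in-memory
    entry wins over the file and is never re-read from disk."""

    def __init__(self, path):
        self.path = path
        self._mem = None

    def get(self):
        if self._mem is None:          # disk is consulted only once
            try:
                with open(self.path, "rb") as f:
                    self._mem = f.read()
            except FileNotFoundError:
                return None
        return self._mem

    def put(self, data):
        self._mem = data               # visible only in this process
        atomic_write(self.path, data)


class FileCache:
    """Model of the proposed replacement: every read goes to the file,
    every write is an atomic rename, so there is nothing to go stale."""

    def __init__(self, path):
        self.path = path

    def get(self):
        try:
            with open(self.path, "rb") as f:
                return f.read()
        except FileNotFoundError:
            return None

    def put(self, data):
        atomic_write(self.path, data)


def demo(cache_cls):
    """Parent initializes the cache before listening; child 1 is forked,
    sees a rotated cert and refreshes; child 2 is forked later from the
    same parent. Returns the cert child 2 ends up using."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "kra-transport.pem")   # hypothetical name
        atomic_write(path, b"OLD-CERT")                    # constructed sample
        parent = cache_cls(path)
        parent.get()                    # cache populated before listen()
        child1 = copy.deepcopy(parent)  # "fork" for request 1
        child1.put(b"NEW-CERT")         # KRA cert rotated; child 1 refreshes
        child2 = copy.deepcopy(parent)  # "fork" for request 2, from the same parent
        return child2.get()


if __name__ == "__main__":
    print("layered:", demo(LayeredCache))   # still OLD-CERT: stale
    print("file   :", demo(FileCache))      # NEW-CERT: refresh is shared
```

With the layered design every new child inherits the parent's stale entry, so the refresh (and the failed KRA round trip that triggered it) repeats on every request, which is the loop the report describes. With the file-only cache the child's atomic_write() is the single source of truth for all later children, and the temp-file-plus-rename pattern keeps concurrent child writers from ever exposing a half-written certificate to each other.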
Metadata Update from @cheimes: - Issue tagged with: integration, regression
Metadata Update from @cheimes: - Issue assigned to jcholast - Issue priority set to: 2
I closed https://github.com/freeipa/freeipa/pull/616 . Honza requested several changes but I don't have time to work them. Please take over and come up with a PR as you see fit.
For the record, I was having the following "xmlrpc" tests fail due to this (reporting "NotFound: No archived data."):
ipa.test_xmlrpc.test_vault_plugin.test_vault_plugin.test_command[0022: vault_retrieve: Retrieve secret from standard vault]
ipa.test_xmlrpc.test_vault_plugin.test_vault_plugin.test_command[0023: vault_mod: Change standard vault to symmetric vault]
ipa.test_xmlrpc.test_vault_plugin.test_vault_plugin.test_command[0024: vault_retrieve: Retrieve secret from standard vault converted to symmetric vault]
ipa.test_xmlrpc.test_vault_plugin.test_vault_plugin.test_command[0027: vault_retrieve: Retrieve secret from symmetric vault]
ipa.test_xmlrpc.test_vault_plugin.test_vault_plugin.test_command[0028: vault_mod: Change symmetric vault password]
ipa.test_xmlrpc.test_vault_plugin.test_vault_plugin.test_command[0029: vault_retrieve: Retrieve secret from symmetric vault with new password]
ipa.test_xmlrpc.test_vault_plugin.test_vault_plugin.test_command[0030: vault_mod: Change symmetric vault to asymmetric vault]
ipa.test_xmlrpc.test_vault_plugin.test_vault_plugin.test_command[0031: vault_retrieve: Retrieve secret from symmetric vault converted to asymmetric vault]
ipa.test_xmlrpc.test_vault_plugin.test_vault_plugin.test_command[0034: vault_retrieve: Retrieve secret from asymmetric vault]
ipa.test_xmlrpc.test_vault_plugin.test_vault_plugin.test_command[0035: vault_mod: Change asymmetric vault keys]
ipa.test_xmlrpc.test_vault_plugin.test_vault_plugin.test_command[0036: vault_retrieve: Retrieve secret from asymmetric vault with new keys]
ipa.test_xmlrpc.test_vault_plugin.test_vault_plugin.test_command[0037: vault_mod: Change asymmetric vault to standard vault]
ipa.test_xmlrpc.test_vault_plugin.test_vault_plugin.test_command[0038: vault_retrieve: Retrieve secret from asymmetric vault converted to standard vault]
Issuing "ipa vaultconfig_show" helped.
master:
ipa-4-5:
Metadata Update from @jcholast: - Issue close_status updated to: fixed - Issue set to the milestone: FreeIPA 4.5.1 - Issue status updated to: Closed (was: Open)
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1436715
Issue linked to bug 1436715
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1436714 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1436715)
Issue linked to bug 1436714