The script /usr/libexec/ipa/certmonger/restart_httpd does not work on an IPA client system:
Jul 06 15:01:22 demo.ipa.example restart_httpd[5228]: Traceback (most recent call last):
  File "/usr/libexec/ipa/certmonger/restart_httpd", line 44, in <module>
    main()
  File "/usr/libexec/ipa/certmonger/restart_httpd", line 39, in main
    with certs.renewal_lock:
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 680, in __enter__
    self.acquire()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 686, in acquire
    self._do(self._acquire, owner)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 721, in _do
    with open(self._filename, 'a+') as f:
IOError: [Errno 2] No such file or directory: '/var/run/ipa/renewal.lock'
The directory /var/run/ipa does not exist on an IPA client system. On a server, the directory is created by a tmpfiles.d rule file. The rule file /etc/tmpfiles.d/ipa.conf is only installed by ipa-server-install.
Proposed solution:
/usr/lib/tmpfiles.d/ipa.conf
ipa-server.conf
/var/run/ipa/ccache
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.5.3
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.4 (was: FreeIPA 4.5.3)
In what use case is it necessary to run /usr/libexec/ipa/certmonger/restart_httpd on a client?
AFAIK restart_httpd is configured as a Certmonger post_command only for certain IPA certificates, and only on an IPA server.
Metadata Update from @pvoborni: - Issue set to the milestone: None (was: FreeIPA 4.5.4)
This command is provided by freeipa-server for use by IPA. There was no intention to make it usable otherwise.
That said, there is also no need for a renewal lock on clients so perhaps a test for existence of /var/run/ipa is sufficient. No locking in that case.
Yep, I'd agree on improving the script to test on the /var/run/ipa existence.
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.7
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
@cheimes this seems to call for using nullcontext() from python 3.7. What would you suggest?
I considered changing the renewal_lock import to import separately, rather than importing all of certs.
Then if we do a try/except with an ImportError on the except we can do renewal_lock = nullcontext() and change nothing else in the file.
The question is: where do we get nullcontext? Backport from 3.7 into this file? Do something even more complex, where we add an additional try/except to use the one from 3.7 when that version is available and fall back to our local version?
Or I guess we could put it into some ipaclient file and do the import/fallback there.
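One way to put together the two ideas from this thread (skip the lock when /var/run/ipa is absent, and use nullcontext with a local fallback on Python older than 3.7), as an added example that is not FreeIPA's own code: RenewalLock and demo are hypothetical stand-ins for the lock in certs.py, and the temporary directories are constructed.

```python
# Added example (not FreeIPA's code): lock skipped when the lock dir is absent.
import fcntl
import os
import tempfile

try:
    from contextlib import nullcontext  # Python 3.7+
except ImportError:  # older Python: minimal local backport
    class nullcontext(object):
        def __init__(self, enter_result=None):
            self.enter_result = enter_result
        def __enter__(self):
            return self.enter_result
        def __exit__(self, *exc_info):
            return False

class RenewalLock(object):
    """Exclusive advisory lock on <lock_dir>/renewal.lock (hypothetical helper)."""
    def __init__(self, lock_dir):
        self.filename = os.path.join(lock_dir, "renewal.lock")
        self._fd = None

    def __enter__(self):
        # 'a+' creates the file without truncating it; this is the open() that raised ENOENT above
        self._fd = open(self.filename, "a+")
        fcntl.flock(self._fd, fcntl.LOCK_EX)
        return self

    def __exit__(self, *exc_info):
        fcntl.flock(self._fd, fcntl.LOCK_UN)
        self._fd.close()
        return False

def renewal_lock(lock_dir="/var/run/ipa"):
    """Real lock where the server's tmpfiles.d rule created lock_dir, no-op otherwise."""
    if os.path.isdir(lock_dir):
        return RenewalLock(lock_dir)
    return nullcontext()

def demo():
    """Exercise both branches: returns (client_no_op, server_lock_file_created)."""
    client_dir = os.path.join(tempfile.mkdtemp(), "missing")  # constructed, never created
    with renewal_lock(client_dir) as ctx:
        client_no_op = ctx is None  # nullcontext yields None; nothing is raised
    server_dir = tempfile.mkdtemp()  # constructed stand-in for /var/run/ipa
    with renewal_lock(server_dir) as lock:
        created = os.path.isfile(lock.filename)
    return client_no_op, created
```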