If an exception is thrown in localhsm.py `__init__` by the super-class, `.p11` will not be defined and if `__del__` is called, it throws a further exception.
This bug appears in freeipa-4.9.1-1.fc33 because, somehow, after a replica is installed, the softhsm2 slot defining ipaDNSSEC is deleted on the master (bug detailed elsewhere). Debugging that led to this further failure and fix. e.g.:
```
...
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.topology
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.trust
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.user
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.vault
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.virtual
ipalib.plugable: DEBUG ipaserver.plugins.virtual is not a valid plugin module
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.whoami
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.xmlserver
ipa-dnskeysync-replica: DEBUG Kerberos principal: ipa-dnskeysyncd/registry1.1.quietfountain.com
ipalib.install.kinit: DEBUG Initializing principal ipa-dnskeysyncd/registry1.1.quietfountain.com using keytab /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
ipalib.install.kinit: DEBUG using ccache /tmp/ipa-dnskeysync-replica.ccache
ipalib.install.kinit: DEBUG Attempt 1/5: success
ipa-dnskeysync-replica: DEBUG Got TGT
Traceback (most recent call last):
  File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 174, in <module>
    localhsm = LocalHSM(
  File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/localhsm.py", line 104, in __init__
    self.p11 = _ipap11helper.P11_Helper(label, pin, library)
  File "/usr/lib/python3.9/site-packages/ipaserver/p11helper.py", line 868, in __init__
    raise Error("No slot for label {} found".format(self.token_label))
ipaserver.p11helper.Error: No slot for label ipaDNSSEC found
Exception ignored in: <function LocalHSM.__del__ at 0x7ff7913de670>
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/localhsm.py", line 107, in __del__
    self.p11.finalize()
AttributeError: 'LocalHSM' object has no attribute 'p11'
...
```
The 'fast way out' would be to test whether the property exists before calling finalize. The (sort of) 'pythonic' way to manage that properly is with a context, as follows:
--- localhsm_old.py 2021-02-06 21:44:06.402087302 -0600 +++ /usr/lib/python3.9/site-packages/ipaserver/dnssec/localhsm.py 2021-02-06 21:44:52.150585932 -0600 @@ -101,10 +101,14 @@ class LocalHSM(AbstractHSM): def __init__(self, library, label, pin): self.cache_replica_pubkeys = None self.p11 = _ipap11helper.P11_Helper(label, pin, library) + + def __enter__(self): + return self - def __del__(self): + def __exit__(self, *exc): self.p11.finalize() + return False def find_keys(self, **kwargs): """Return dict with Key objects matching given criteria. 
@@ -198,39 +202,39 @@ if __name__ == '__main__': if 'SOFTHSM2_CONF' not in os.environ: os.environ['SOFTHSM2_CONF'] = paths.DNSSEC_SOFTHSM2_CONF - localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL, - open(paths.DNSSEC_SOFTHSM_PIN).read()) + with LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL, + open(paths.DNSSEC_SOFTHSM_PIN).read()) as localhsm: - print('replica public keys: CKA_WRAP = TRUE') - print('====================================') - for pubkey_id, pubkey in localhsm.replica_pubkeys_wrap.items(): - print(str_hexlify(pubkey_id)) - pprint(pubkey) - - print('') - print('replica public keys: all') - print('========================') - for pubkey_id, pubkey in localhsm.replica_pubkeys.items(): - print(str_hexlify(pubkey_id)) - pprint(pubkey) - - print('') - print('master keys') - print('===========') - for mkey_id, mkey in localhsm.master_keys.items(): - print(str_hexlify(mkey_id)) - pprint(mkey) - - print('') - print('zone public keys') - print('================') - for key_id, zkey in localhsm.zone_pubkeys.items(): - print(str_hexlify(key_id)) - pprint(zkey) - - print('') - print('zone private keys') - print('=================') - for key_id, zkey in localhsm.zone_privkeys.items(): - print(str_hexlify(key_id)) - pprint(zkey) + print('replica public keys: CKA_WRAP = TRUE') + print('====================================') + for pubkey_id, pubkey in localhsm.replica_pubkeys_wrap.items(): + print(str_hexlify(pubkey_id)) + pprint(pubkey) + + print('') + print('replica public keys: all') + print('========================') + for pubkey_id, pubkey in localhsm.replica_pubkeys.items(): + print(str_hexlify(pubkey_id)) + pprint(pubkey) + + print('') + print('master keys') + print('===========') + for mkey_id, mkey in localhsm.master_keys.items(): + print(str_hexlify(mkey_id)) + pprint(mkey) + + print('') + print('zone public keys') + print('================') + for key_id, zkey in localhsm.zone_pubkeys.items(): + print(str_hexlify(key_id)) + 
pprint(zkey) + + print('') + print('zone private keys') + print('=================') + for key_id, zkey in localhsm.zone_privkeys.items(): + print(str_hexlify(key_id)) + pprint(zkey)
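Review bot: in the `@@ -101,10 +101,14 @@` hunk, replacing `__del__` with `__exit__` means LocalHSM no longer finalizes the PKCS#11 session for any caller that constructs it directly, and the traceback in this ticket shows `/usr/libexec/ipa/ipa-dnskeysync-replica` line 174 doing exactly that (`localhsm = LocalHSM(`) while the patch only converts the `__main__` block of localhsm.py itself. Either convert every caller to `with LocalHSM(...) as localhsm:` in the same change, or keep a guarded destructor next to `__exit__`, e.g. `def __del__(self): p11 = getattr(self, 'p11', None)` followed by `if p11 is not None: p11.finalize()`, so objects created the old way still release the token and a failed `__init__` no longer trips the AttributeError.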
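Review bot: in the `@@ -198,39 +202,39 @@` hunk, `open(paths.DNSSEC_SOFTHSM_PIN).read()` is carried into the new `with LocalHSM(...)` header unchanged, so the PIN file handle is still left open for the lifetime of the block; since the line is being rewritten anyway, read the PIN first (`with open(paths.DNSSEC_SOFTHSM_PIN) as f: pin = f.read()`) and pass `pin`, which also keeps the `with` header on a single line. The remainder of the hunk is pure re-indentation of the print loops; saying so in the patch description would let reviewers confirm that only the construction line changed.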
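As an added illustration of the two approaches mentioned above (example code, not FreeIPA's LocalHSM: `FakeP11Helper`, `HSMBase`, the three LocalHSM variants, the library path and the PIN value are constructed stand-ins), the block below rebuilds the failure from the traceback with a helper that raises when the ipaDNSSEC slot is missing, and contrasts the original `__del__`, the guarded `__del__` ("fast way out"), and the context-manager form of the patch. `del_failure_for` captures the "Exception ignored in" event through `sys.unraisablehook` (CPython 3.8+), so the AttributeError from the half-built object becomes observable instead of only being printed to stderr.

```python
import gc
import sys

class P11Error(Exception):
    """Stand-in for ipaserver.p11helper.Error."""

class FakeP11Helper:
    """Constructed stand-in for _ipap11helper.P11_Helper (not the real one)."""
    def __init__(self, label, pin, library, slots):
        if label not in slots:  # the report's failure: no slot for the label
            raise P11Error("No slot for label {} found".format(label))
        self.finalized = False

    def finalize(self):
        self.finalized = True

class HSMBase:
    def __init__(self, library, label, pin, slots):
        self.p11 = FakeP11Helper(label, pin, library, slots)  # may raise

class BuggyLocalHSM(HSMBase):  # shape of the original class
    def __del__(self):
        self.p11.finalize()  # AttributeError when __init__ raised first

class GuardedLocalHSM(HSMBase):  # the 'fast way out': test before finalize
    def __del__(self):
        p11 = getattr(self, "p11", None)
        if p11 is not None:
            p11.finalize()

class ContextLocalHSM(HSMBase):  # the patch's form: cleanup is explicit
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        self.p11.finalize()  # only reached after __init__ and __enter__ succeeded
        return False  # propagate any exception raised inside the with block

def del_failure_for(cls, slots=()):
    """Build cls with the ipaDNSSEC slot absent; return the name of the exception __del__ raised, or None."""
    ignored, previous_hook = [], sys.unraisablehook
    sys.unraisablehook = lambda u: ignored.append(u.exc_type.__name__)
    try:
        try:
            cls("libsofthsm2.so", "ipaDNSSEC", "pin", set(slots))
        except P11Error:
            pass  # expected; leaving the handler frees the half-built object
        gc.collect()  # belt and braces for non-refcounting interpreters
    finally:
        sys.unraisablehook = previous_hook
    return ignored[0] if ignored else None
```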
Hi @hcoin I am having a hard time reproducing the issue. Would you have reproducer steps in order to delete the softhsm2 slot on the master (outside of manually deleting the tokens directory)? In the source code, I only found the uninstall method that could remove the ipaDNSSEC slot by deleting the /var/lib/ipa/dnssec/tokens directory. But this would also mean that the ipa-dnskeysyncd service is stopped and won't call ipa-dnskeysync-replica.
Metadata Update from @pcech: - Issue set to the milestone: DNSSEC