Workaround https://fedorahosted.org/freeipa/ticket/5269.

sgnl05 · Nov 27, 2015 · 3be7b40 · 3be7b40
1 parent 5de01bc
commit 3be7b40
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -4,7 +4,9 @@ FROM fedora:23
 MAINTAINER Jan Pazdziora
 
 # Install FreeIPA server
-RUN mkdir -p /run/lock ; dnf install -y freeipa-server freeipa-server-dns bind bind-dyndb-ldap perl 'perl(bigint)' && dnf clean all
+RUN mkdir -p /run/lock ; dnf install -y freeipa-server freeipa-server-dns bind bind-dyndb-ldap perl 'perl(bigint)' patch && dnf clean all
+ADD ticket-5269.patch /root/ticket-5269.patch
+RUN patch /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py < /root/ticket-5269.patch
 
 ADD dbus.service /etc/systemd/system/dbus.service
 RUN ln -sf dbus.service /etc/systemd/system/messagebus.service

diff --git a/ticket-5269.patch b/ticket-5269.patch
@@ -0,0 +1,33 @@
+commit a8a666416201a7a7d6739f60854c5e5223b9ceb5
+Author: Fraser Tweedale <ftweedal@redhat.com>
+Date:   Fri Nov 20 15:59:11 2015 +1100
+
+    Avoid race condition caused by profile delete and recreate
+
+    When importing IPA-managed certificate profiles into Dogtag,
+    profiles with the same name (usually caIPAserviceCert) are removed,
+    then immediately recreated with the new profile data.  This causes a
+    race condition - Dogtag's LDAPProfileSystem profileChangeMonitor
+    thread could observe and process the deletion after the profile was
+    recreated, disappearing it again.
+
+    Update the profile instead of deleting and recreating it to avoid
+    this race condition.
+
+    Fixes: https://fedorahosted.org/freeipa/ticket/5269
+    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index d230c9b..3e3dce9 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1812,8 +1812,7 @@ def _create_dogtag_profile(profile_id, profile_data):
+                     root_logger.debug(
+                         "Failed to disable profile '%s' "
+                         "(it is probably already disabled)")
+-                profile_api.delete_profile(profile_id)
+-                profile_api.create_profile(profile_data)
++                profile_api.update_profile(profile_id, profile_data)
+
+         # enable the profile
+         try: