From 3be7b40e17e4f899e8f2d3087137d0b8949cce93 Mon Sep 17 00:00:00 2001
From: Jan Pazdziora
Date: Fri, 27 Nov 2015 09:06:38 +0100
Subject: [PATCH] Workaround https://fedorahosted.org/freeipa/ticket/5269.
---
 Dockerfile | 4 +++-
 ticket-5269.patch | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 ticket-5269.patch
diff --git a/Dockerfile b/Dockerfile
index 56e6bdfd..0ccb7308 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,9 @@ FROM fedora:23
 MAINTAINER Jan Pazdziora
 # Install FreeIPA server
-RUN mkdir -p /run/lock ; dnf install -y freeipa-server freeipa-server-dns bind bind-dyndb-ldap perl 'perl(bigint)' && dnf clean all
+RUN mkdir -p /run/lock ; dnf install -y freeipa-server freeipa-server-dns bind bind-dyndb-ldap perl 'perl(bigint)' patch && dnf clean all
+ADD ticket-5269.patch /root/ticket-5269.patch
+RUN patch /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py < /root/ticket-5269.patch
 ADD dbus.service /etc/systemd/system/dbus.service
 RUN ln -sf dbus.service /etc/systemd/system/messagebus.service
diff --git a/ticket-5269.patch b/ticket-5269.patch
new file mode 100644
index 00000000..e78d082e
--- /dev/null
+++ b/ticket-5269.patch
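Review bot: The added `RUN patch /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py < /root/ticket-5269.patch` line in the Dockerfile applies a hunk written against one version of the file to whatever `freeipa-server` build `dnf install` resolves at image build time, because the install line above it pins no package version. GNU patch accepts fuzz by default, so against a newer package the hunk could land on code that has changed around it; `RUN patch --forward --fuzz=0 /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py < /root/ticket-5269.patch` requires the context to match exactly and refuses a file that already carries the fix. The step also modifies a package-owned file, so `rpm -V` will report it as changed and a later package update inside the container would drop the workaround without notice. A comment above the line, for example `# Workaround for freeipa ticket 5269; remove once the packaged freeipa-server contains the fix`, would record why the deviation exists and when to delete it.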
@@ -0,0 +1,33 @@
+commit a8a666416201a7a7d6739f60854c5e5223b9ceb5
+Author: Fraser Tweedale
+Date: Fri Nov 20 15:59:11 2015 +1100
+
+ Avoid race condition caused by profile delete and recreate
+
+ When importing IPA-managed certificate profiles into Dogtag,
+ profiles with the same name (usually caIPAserviceCert) are removed,
+ then immediately recreated with the new profile data. This causes a
+ race condition - Dogtag's LDAPProfileSystem profileChangeMonitor
+ thread could observe and process the deletion after the profile was
+ recreated, disappearing it again.
+
+ Update the profile instead of deleting and recreating it to avoid
+ this race condition.
+
+ Fixes: https://fedorahosted.org/freeipa/ticket/5269
+ Reviewed-By: Jan Cholasta
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index d230c9b..3e3dce9 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1812,8 +1812,7 @@ def _create_dogtag_profile(profile_id, profile_data):
+ root_logger.debug(
+ "Failed to disable profile '%s' "
+ "(it is probably already disabled)")
+- profile_api.delete_profile(profile_id)
+- profile_api.create_profile(profile_data)
++ profile_api.update_profile(profile_id, profile_data)
+
+ # enable the profile
+ try: