Re: [Freeipa-devel] error handling in httpd.service and ipa-httpd-kdcproxy

2015-07-07 Thread Christian Heimes
On 2015-07-07 15:41, Simo Sorce wrote:
> On Tue, 2015-07-07 at 08:48 -0400, Nathaniel McCallum wrote:
>>> On Jul 6, 2015, at 11:35 AM, Christian Heimes  wrote:
>>>
>>> Hello,
>>>
>>> I'd like to ask for your opinion regarding the pre-exec hook
>>> 'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error
>>> cases like LDAP connection timeout more gracefully. At the moment any
>>> error causes the script to return a non-zero exit code. This breaks the
>>> service and apparently also offline RPM upgrades.
>>>
>>> How should I handle error cases? I can change httpd.service to simply
>>> ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an
>>> invalid state. I could modify the script to catch connection errors and
>>> to disable kdcproxy in case of an error.
>>>
>>> The options are:
>>>
>>> 1) httpd.service ignores exit code of ipa-httpd-kdcproxy
>>> 2) ipa-httpd-kdcproxy removes kdcproxy config file in case of a
>>> connection error
>>> 3) 1 + 2
>>>
>>> What do you think?
>>
>> If ipa-httpd-kdcproxy cannot contact LDAP, kdcproxy MUST NOT be
>> enabled. So #2.
>>
>> However, ipa-httpd-kdcproxy should leave error codes to real
>> catastrophic failures and http.service should be aware of these. So
>> not #1.
>>
>> Nathaniel
>>
> 
> IMO it is ok for httpd to fail to start if the kdc-proxy cannot contact
> LDAP, because other stuff will fail too if that's the case anyway.
> 
> In fact I had to change my replica promotion patches to account for this
> as it was failing here, for various reasons, on one restart during the
> install. :-)

Without LDAP none of the IPA services in Apache are usable. From that
perspective it doesn't make much of a difference.

However Alexander is worried about a different thing. When LDAP isn't
running or GSSAPI fails, then the service can't be restarted and offline
RPM update fails. We can either fix the offline update problem in the
spec file (ignore systemctl failures) or in the ipa-httpd-kdcproxy script.

Since my script is new and changes behavior, I'm reluctant to say that
I'm to blame. :)

Christian




-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
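
Option 2 from this thread (disable kdcproxy when LDAP cannot be reached, and keep non-zero exit codes for real failures), sketched as an added example; it is not the ipa-httpd-kdcproxy script or FreeIPA code. The lookup callable, the DirectoryUnavailable exception and the file names are hypothetical stand-ins.

```python
import os
import tempfile

class DirectoryUnavailable(Exception):
    """Hypothetical stand-in for an LDAP connection error or timeout."""

def _disable(conf_link):
    try:
        os.unlink(conf_link)
    except FileNotFoundError:
        pass  # already disabled

def _enable(conf_link, conf_target):
    if os.path.islink(conf_link) and os.readlink(conf_link) == conf_target:
        return
    _disable(conf_link)
    os.symlink(conf_target, conf_link)

def apply_kdcproxy_state(lookup_enabled, conf_link, conf_target):
    """Pre-exec hook body; the return value is the exit code for the service."""
    try:
        enabled = lookup_enabled()
    except DirectoryUnavailable:
        enabled = False  # state unknown: fail closed, proxy stays off
    try:
        if enabled:
            _enable(conf_link, conf_target)
        else:
            _disable(conf_link)
    except OSError:
        return 1  # config cannot be put into a known state: real failure
    return 0

def demo():
    """Run the hook over constructed scenarios in a scratch directory."""
    def unreachable():
        raise DirectoryUnavailable("constructed: connection timed out")
    scenarios = [("enabled", lambda: True), ("ldap down", unreachable),
                 ("disabled", lambda: False)]
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "kdcproxy.conf.available")  # hypothetical name
        link = os.path.join(tmp, "kdcproxy.conf")               # hypothetical name
        open(target, "w").close()
        for name, lookup in scenarios:
            rc = apply_kdcproxy_state(lookup, link, target)
            results.append((name, rc, os.path.lexists(link)))
    return results

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The "ldap down" scenario runs right after "enabled", so it shows a previously enabled proxy being switched off while the hook still exits 0 and the web server can start.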

Re: [Freeipa-devel] error handling in httpd.service and ipa-httpd-kdcproxy

2015-07-07 Thread Simo Sorce
On Tue, 2015-07-07 at 08:48 -0400, Nathaniel McCallum wrote:
> > On Jul 6, 2015, at 11:35 AM, Christian Heimes  wrote:
> > 
> > Hello,
> > 
> > I'd like to ask for your opinion regarding the pre-exec hook
> > 'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error
> > cases like LDAP connection timeout more gracefully. At the moment any
> > error causes the script to return a non-zero exit code. This breaks the
> > service and apparently also offline RPM upgrades.
> > 
> > How should I handle error cases? I can change httpd.service to simply
> > ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an
> > invalid state. I could modify the script to catch connection errors and
> > to disable kdcproxy in case of an error.
> > 
> > The options are:
> > 
> > 1) httpd.service ignores exit code of ipa-httpd-kdcproxy
> > 2) ipa-httpd-kdcproxy removes kdcproxy config file in case of a
> > connection error
> > 3) 1 + 2
> > 
> > What do you think?
> 
> If ipa-httpd-kdcproxy cannot contact LDAP, kdcproxy MUST NOT be
> enabled. So #2.
> 
> However, ipa-httpd-kdcproxy should leave error codes to real
> catastrophic failures and http.service should be aware of these. So
> not #1.
> 
> Nathaniel
> 

IMO it is ok for httpd to fail to start if the kdc-proxy cannot contact
LDAP, because other stuff will fail too if that's the case anyway.

In fact I had to change my replica promotion patches to account for this
as it was failing here, for various reasons, on one restart during the
install. :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] error handling in httpd.service and ipa-httpd-kdcproxy

2015-07-07 Thread Nathaniel McCallum

> On Jul 6, 2015, at 11:35 AM, Christian Heimes  wrote:
> 
> Hello,
> 
> I'd like to ask for your opinion regarding the pre-exec hook
> 'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error
> cases like LDAP connection timeout more gracefully. At the moment any
> error causes the script to return a non-zero exit code. This breaks the
> service and apparently also offline RPM upgrades.
> 
> How should I handle error cases? I can change httpd.service to simply
> ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an
> invalid state. I could modify the script to catch connection errors and
> to disable kdcproxy in case of an error.
> 
> The options are:
> 
> 1) httpd.service ignores exit code of ipa-httpd-kdcproxy
> 2) ipa-httpd-kdcproxy removes kdcproxy config file in case of a
> connection error
> 3) 1 + 2
> 
> What do you think?

If ipa-httpd-kdcproxy cannot contact LDAP, kdcproxy MUST NOT be enabled. So #2.

However, ipa-httpd-kdcproxy should leave error codes to real catastrophic 
failures and http.service should be aware of these. So not #1.

Nathaniel



[Freeipa-devel] error handling in httpd.service and ipa-httpd-kdcproxy

2015-07-06 Thread Christian Heimes
Hello,

I'd like to ask for your opinion regarding the pre-exec hook
'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error
cases like LDAP connection timeout more gracefully. At the moment any
error causes the script to return a non-zero exit code. This breaks the
service and apparently also offline RPM upgrades.

How should I handle error cases? I can change httpd.service to simply
ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an
invalid state. I could modify the script to catch connection errors and
to disable kdcproxy in case of an error.

The options are:

1) httpd.service ignores exit code of ipa-httpd-kdcproxy
2) ipa-httpd-kdcproxy removes kdcproxy config file in case of a
connection error
3) 1 + 2

What do you think?

Christian


