[freeipa/f22] Timeout when performing time sync during client installation
Petr Vobornik
pvoborni at fedoraproject.org
Tue Mar 17 09:56:49 UTC 2015
commit e15ea7bdcd5b627ddc41e64fab33507b620f6564
Author: Petr Vobornik <pvoborni at redhat.com>
Date: Tue Mar 17 10:26:56 2015 +0100
Timeout when performing time sync during client installation
https://fedorahosted.org/freeipa/ticket/4842
...ync-during-client-install-when-using-no-n.patch | 33 +++++++
...n-performing-time-sync-during-client-inst.patch | 105 +++++++++++++++++++++
freeipa.spec | 9 +-
3 files changed, 146 insertions(+), 1 deletion(-)
---
diff --git a/0001-Skip-time-sync-during-client-install-when-using-no-n.patch b/0001-Skip-time-sync-during-client-install-when-using-no-n.patch
new file mode 100644
index 0000000..9004be8
--- /dev/null
+++ b/0001-Skip-time-sync-during-client-install-when-using-no-n.patch
@@ -0,0 +1,33 @@
+From 80514f225f628f7c7993b85e562a851e7ee40644 Mon Sep 17 00:00:00 2001
+From: Nathan Kinder <nkinder at redhat.com>
+Date: Wed, 25 Feb 2015 14:22:02 -0800
+Subject: [PATCH 1/2] Skip time sync during client install when using --no-ntp
+
+When --no-ntp is specified during ipa-client-install, we still
+attempt to perform a time sync before obtaining a TGT from the
+KDC. We should not be attempting to sync time with the KDC if
+we are explicitly told to not configure ntp.
+
+Ticket: https://fedorahosted.org/freeipa/ticket/4842
+---
+ ipa-client/ipa-install/ipa-client-install | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
+index ccaab55..a625fbd 100755
+--- a/ipa-client/ipa-install/ipa-client-install
++++ b/ipa-client/ipa-install/ipa-client-install
+@@ -2324,8 +2324,9 @@ def install(options, env, fstore, statestore):
+ # hostname if different from system hostname
+ tasks.backup_and_replace_hostname(fstore, statestore, options.hostname)
+
+- if not options.on_master:
++ if not options.on_master and options.conf_ntp:
+ # Attempt to sync time with IPA server.
++ # If we're skipping NTP configuration, we also skip the time sync here.
+ # We assume that NTP servers are discoverable through SRV records in the DNS
+ # If that fails, we try to sync directly with IPA server, assuming it runs NTP
+ root_logger.info('Synchronizing time with KDC...')
+--
+1.9.3
+
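Review bot: With the added `and options.conf_ntp` condition in install(), a --no-ntp run skips the time sync without writing anything to the install log, so nothing records that the clock was never checked before the TGT request. Kerberos rejects requests from a client whose clock is too far from the KDC's, so a later ticket failure on such a host becomes harder to diagnose. Consider logging the skip in the --no-ntp case, for example `root_logger.info('Skipping time synchronization with KDC (--no-ntp)')`, and extending the new comment to say that the administrator is then expected to keep the clock in sync by other means. The body of this `if` continues outside the hunk, so the placement of that log call has to be checked against the full function.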
diff --git a/0002-Timeout-when-performing-time-sync-during-client-inst.patch b/0002-Timeout-when-performing-time-sync-during-client-inst.patch
new file mode 100644
index 0000000..82fa470
--- /dev/null
+++ b/0002-Timeout-when-performing-time-sync-during-client-inst.patch
@@ -0,0 +1,105 @@
+>From 8c6aaa8a9b2829f9cfff402dc65f2b5a9a93813b Mon Sep 17 00:00:00 2001
+From: Nathan Kinder <nkinder at redhat.com>
+Date: Wed, 25 Feb 2015 15:19:47 -0800
+Subject: [PATCH 2/2] Timeout when performing time sync during client install
+
+We use ntpd now to sync time before fetching a TGT during client
+install. Unfortuantely, ntpd will hang forever if it is unable to
+reach the NTP server.
+
+This patch adds the ability for commands run via ipautil.run() to
+have an optional timeout. This capability is used by the NTP sync
+code that is run during ipa-client-install.
+
+Ticket: https://fedorahosted.org/freeipa/ticket/4842
+---
+ ipa-client/ipaclient/ntpconf.py | 8 +++++++-
+ ipaplatform/base/paths.py | 1 +
+ ipapython/ipautil.py | 12 +++++++++++-
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
+index e1ac55a..99e43a6 100644
+--- a/ipa-client/ipaclient/ntpconf.py
++++ b/ipa-client/ipaclient/ntpconf.py
+@@ -18,6 +18,7 @@
+ #
+
+ from ipapython import ipautil
++from ipapython.ipa_log_manager import root_logger
+ import shutil
+ import os
+ from ipaplatform.tasks import tasks
+@@ -149,7 +150,12 @@ def synconce_ntp(server_fqdn):
+
+ tmp_ntp_conf = ipautil.write_tmp_file('server %s' % server_fqdn)
+ try:
+- ipautil.run([ntpd, '-qgc', tmp_ntp_conf.name])
++ # The ntpd command will never exit if it is unable to reach the
++ # server, so timeout after 15 seconds.
++ timeout = 15
++ root_logger.info('Attempting to sync time using ntpd. '
++ 'Will timeout after %s seconds' % timeout)
++ ipautil.run([ntpd, '-qgc', tmp_ntp_conf.name], timeout=timeout)
+ return True
+ except ipautil.CalledProcessError:
+ return False
+diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
+index 7922e3b..11c7e92 100644
+--- a/ipaplatform/base/paths.py
++++ b/ipaplatform/base/paths.py
+@@ -186,6 +186,7 @@ class BasePathNamespace(object):
+ SSLGET = "/usr/bin/sslget"
+ SSS_SSH_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"
+ SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
++ BIN_TIMEOUT = "/usr/bin/timeout"
+ UPDATE_CA_TRUST = "/usr/bin/update-ca-trust"
+ BIN_WGET = "/usr/bin/wget"
+ ZIP = "/usr/bin/zip"
+diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
+index 4116d97..6a06a8e 100644
+--- a/ipapython/ipautil.py
++++ b/ipapython/ipautil.py
+@@ -249,7 +249,7 @@ def shell_quote(string):
+
+ def run(args, stdin=None, raiseonerr=True,
+ nolog=(), env=None, capture_output=True, skip_output=False, cwd=None,
+- runas=None):
++ runas=None, timeout=None):
+ """
+ Execute a command and return stdin, stdout and the process return code.
+
+@@ -277,6 +277,8 @@ def run(args, stdin=None, raiseonerr=True,
+ :param cwd: Current working directory
+ :param runas: Name of a user that the command shold be run as. The spawned
+ process will have both real and effective UID and GID set.
++ :param timeout: Timeout if the command hasn't returned within the specified
++ number of seconds.
+ """
+ p_in = None
+ p_out = None
+@@ -302,6 +304,11 @@ def run(args, stdin=None, raiseonerr=True,
+ p_out = subprocess.PIPE
+ p_err = subprocess.PIPE
+
++ if timeout:
++ # If a timeout was provided, use the timeout command
++ # to execute the requested command.
++ args[0:0] = [paths.BIN_TIMEOUT, str(timeout)]
++
+ arg_string = nolog_replace(' '.join(shell_quote(a) for a in args), nolog)
+ root_logger.debug('Starting external process')
+ root_logger.debug('args=%s' % arg_string)
+@@ -332,6 +339,9 @@ def run(args, stdin=None, raiseonerr=True,
+ if skip_output:
+ p_out.close() # pylint: disable=E1103
+
++ if timeout and p.returncode == 124:
++ root_logger.debug('Process did not complete before timeout')
++
+ root_logger.debug('Process finished, return code=%s', p.returncode)
+
+ # The command and its output may include passwords that we don't want
+--
+1.9.3
+
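Review bot: In ipautil.run(), `args[0:0] = [paths.BIN_TIMEOUT, str(timeout)]` modifies the caller's list in place, so a caller that reuses its argument list gets another timeout prefix on every call, and a tuple argument raises TypeError. Building a new list avoids both: `args = [paths.BIN_TIMEOUT, str(timeout)] + list(args)`. The `:param timeout:` text should also say that an exit status of 124 is logged as a timeout even when the wrapped command itself returned 124. It should note too that timeout(1) sends only SIGTERM by default, so a child that ignores it would still block run() unless `--kill-after` is passed. The bodies of run() and synconce_ntp extend outside these hunks, and whether `paths` is already imported in ipautil.py is not visible here.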
diff --git a/freeipa.spec b/freeipa.spec
index adb65d6..5d92fbc 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -25,7 +25,7 @@
Name: freeipa
Version: %{VERSION}
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -34,6 +34,9 @@ URL: http://www.freeipa.org/
Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Patch0001: 0001-Skip-time-sync-during-client-install-when-using-no-n.patch
+Patch0002: 0002-Timeout-when-performing-time-sync-during-client-inst.patch
+
%if ! %{ONLY_CLIENT}
BuildRequires: 389-ds-base-devel >= 1.3.3.8
BuildRequires: svrcore-devel
@@ -939,6 +942,10 @@ fi
%endif # ONLY_CLIENT
%changelog
+* Tue Mar 17 2015 Petr Vobornik <pvoborni at redhat.com> - 4.1.3-3
+- Timeout ipa-client install if ntp server is unreachable #4842
+- Skip time sync during client install when using --no-ntp #4842
+
* Wed Mar 04 2015 Petr Vobornik <pvoborni at redhat.com> - 4.1.3-2
- Add missing sssd python dependencies
- https://bugzilla.redhat.com/show_bug.cgi?id=1197218