Increase dbus client timeouts during CA install #1078
Conversation
ipalib/install/certmonger.py
Outdated
| @@ -595,7 +595,7 @@ def modify_ca_helper(ca_name, helper): | |||
| old_helper = ca_iface.Get('org.fedorahosted.certmonger.ca', | |||
| 'external-helper') | |||
| ca_iface.Set('org.fedorahosted.certmonger.ca', | |||
| 'external-helper', helper) | |||
| 'external-helper', helper, timeout=120) | |||
There was a problem hiding this comment.
It would be nice to have a code comment here, explaining briefly why we are setting the timeout to this value.
ipaserver/install/dogtaginstance.py
Outdated
| @@ -261,7 +261,7 @@ def configure_certmonger_renewal(self): | |||
| iface.add_known_ca( | |||
| name, | |||
| command, | |||
| dbus.Array([], dbus.Signature('s'))) | |||
| dbus.Array([], dbus.Signature('s')), timeout=120) | |||
There was a problem hiding this comment.
It would be nice to have a code comment here, explaining briefly why we are setting the timeout to this value.
There was a problem hiding this comment.
Done. Thanks for the review.
zultron
force-pushed
the
ipa-4-5-dbus-timeouts
branch
from
a83b2bf
to
67fe032
Compare
stlaz
added
re-run
|
I actually don't think this change will change much. The crash we're seeing is pretty deterministic, really. Do go ahead and try: domain=IPA.TEST; docker run -t --name freeipa-popelnice -h $HOSTNAME \
--tmpfs /run --tmpfs /tmp --security-opt seccomp:unconfined \
-v /dev/urandom:/dev/random:ro -v /opt/ipa-data/master:/data \
-v /sys/fs/cgroup:/sys/fs/cgroup:ro --cap-add=SYS_TIME \
-e DEBUG_TRACE=1 -e DEBUG_NO_EXIT=1 freeipa/freeipa-server:fedora-26 \
--hostname $HOSTNAME --domain $domain --realm ${domain^^} \
-p milan_je_buh123 -a milan_je_buh123 --setup-dns --auto-forwarders --no-reverse -UIt should fail on I am currently trying to get some more info from the Dogtag guys on how not to use the keyring. |
|
@stlaz, you're right, this PR doesn't address the problem you're pointing out. (I work around that problem for now with This PR addresses dbus timeouts breaking the install. This can happen on memory-constrained systems, where any swapping after dogtag startup can exceed the default 25 second dbus default timeout. |
|
I don't see a downside in increasing the timeout whether it's for memory constrained systems, slow disks or whatever. Fast systems will never hit it so it's a moot point in that case. The 120 seconds seems arbitrary though, how did you come up with it? Should there be a define somewhere, DBUS_TIMEOUT, and use that instead? I think I'd want a comment about the default 25 seconds (or whatever it is) as well to leave a bread crumb for future devs. |
|
@rcritten, the 120 seconds is arbitrary, you're correct. On a system that swaps pretty heavily during dogtag startup, the certmonger request was observed to take 61 seconds to complete, so I chose a value around 2x. Do you have another suggestion for determining the timeout? I'm fine with adding the additional comments and plumbing in a Thanks for the review and suggestions. |
|
I agree with @rcritten that this should be a constant. Personally, I would probably have it configurable as well. |
|
It can get tricky to make this sort of thing configurable because normally you'd put this sort of value into /etc/ipa/default.conf but since there is no config yet... I'd be ok with hardcoding it. There is precedence for that elsewhere. Normally I'd like to see some sort of "Waiting" message somewhere in the case of log timeouts so users don't think something is hung up but in this case I don't see an obvious place to put it. I think for the average user this is fine given AFAIK this timeout hasn't come up before. On underpowered h/w I'd hope that the user would expect things to take forever. |
zultron
force-pushed
the
ipa-4-5-dbus-timeouts
branch
from
67fe032
to
8176433
Compare
When running on memory-constrained systems, the `ipa-server-install` program often fails during the "Configuring certificate server (pki-tomcatd)" stage in FreeIPA 4.5 and 4.6. The memory-intensive dogtag service causes swapping on low-memory systems right after start-up, and especially new certificate operations requested via certmonger can exceed the dbus client default 25 second timeout. This patch changes dbus client timeouts for some such operations to 120 seconds (from the default 25 seconds, IIRC). See more discussion in FreeIPA PR freeipa#1078 [1] and FreeIPA container issue freeipa#157 [2]. [1]: freeipa#1078 [2]: freeipa/freeipa-container#157
|
Please see the updated PR. I admit to being a bit out of my depth here, and wasn't sure if |
|
The |
zultron
force-pushed
the
ipa-4-5-dbus-timeouts
branch
from
8176433
to
465b5c5
Compare
When running on memory-constrained systems, the `ipa-server-install` program often fails during the "Configuring certificate server (pki-tomcatd)" stage in FreeIPA 4.5 and 4.6. The memory-intensive dogtag service causes swapping on low-memory systems right after start-up, and especially new certificate operations requested via certmonger can exceed the dbus client default 25 second timeout. This patch changes dbus client timeouts for some such operations to 120 seconds (from the default 25 seconds, IIRC). See more discussion in FreeIPA PR freeipa#1078 [1] and FreeIPA container issue freeipa#157 [2]. [1]: freeipa#1078 [2]: freeipa/freeipa-container#157
|
Thanks, @stlaz, PR updated. |
|
LGTM, tested ok in master (after minor rebase). Will wait for add'l reviews before giving final ack. |
|
If @rcritten tested this, it's ok with me. ACK. |
|
@stlaz Please make sure all the tests executed and green before acking :) PR CI wasn't triggered before. The commit message is also missing an upstream ticket -- do we want to create one or do we just push this to master only? |
When running on memory-constrained systems, the `ipa-server-install` program often fails during the "Configuring certificate server (pki-tomcatd)" stage in FreeIPA 4.5 and 4.6. The memory-intensive dogtag service causes swapping on low-memory systems right after start-up, and especially new certificate operations requested via certmonger can exceed the dbus client default 25 second timeout. This patch changes dbus client timeouts for some such operations to 120 seconds (from the default 25 seconds, IIRC). See more discussion in FreeIPA PR freeipa#1078 [1] and FreeIPA container issue freeipa#157 [2]. Upstream ticket at [3]. [1]: freeipa#1078 [2]: freeipa/freeipa-container#157 [3]: https://pagure.io/freeipa/issue/7213
zultron
force-pushed
the
ipa-4-5-dbus-timeouts
branch
from
465b5c5
to
340fec4
Compare
When running on memory-constrained systems, the `ipa-server-install` program often fails during the "Configuring certificate server (pki-tomcatd)" stage in FreeIPA 4.5 and 4.6. The memory-intensive dogtag service causes swapping on low-memory systems right after start-up, and especially new certificate operations requested via certmonger can exceed the dbus client default 25 second timeout. This patch changes dbus client timeouts for some such operations to 120 seconds (from the default 25 seconds, IIRC). See more discussion in FreeIPA PR freeipa#1078 [1] and FreeIPA container issue freeipa#157 [2]. Upstream ticket at [3]. [1]: freeipa#1078 [2]: freeipa/freeipa-container#157 [3]: https://pagure.io/freeipa/issue/7213
zultron
force-pushed
the
ipa-4-5-dbus-timeouts
branch
from
340fec4
to
1d3c2dc
Compare
When running on memory-constrained systems, the `ipa-server-install` program often fails during the "Configuring certificate server (pki-tomcatd)" stage in FreeIPA 4.5 and 4.6. The memory-intensive dogtag service causes swapping on low-memory systems right after start-up, and especially new certificate operations requested via certmonger can exceed the dbus client default 25 second timeout. This patch changes dbus client timeouts for some such operations to 120 seconds (from the default 25 seconds, IIRC). See more discussion in FreeIPA PR freeipa#1078 [1] and FreeIPA container issue freeipa#157 [2]. Upstream ticket at [3]. [1]: freeipa#1078 [2]: freeipa/freeipa-container#157 [3]: https://pagure.io/freeipa/issue/7213
zultron
force-pushed
the
ipa-4-5-dbus-timeouts
branch
from
1d3c2dc
to
3d265ac
Compare
|
We'll add this to the master and backport to the |
|
@zultron Thanks for creating the issue and linking it! |
When running on memory-constrained systems, the `ipa-server-install` program often fails during the "Configuring certificate server (pki-tomcatd)" stage in FreeIPA 4.5 and 4.6. The memory-intensive dogtag service causes swapping on low-memory systems right after start-up, and especially new certificate operations requested via certmonger can exceed the dbus client default 25 second timeout. This patch changes dbus client timeouts for some such operations to 120 seconds (from the default 25 seconds, IIRC). See more discussion in FreeIPA PR freeipa#1078 [1] and FreeIPA container issue freeipa#157 [2]. Upstream ticket at [3]. [1]: freeipa#1078 [2]: freeipa/freeipa-container#157 [3]: https://pagure.io/freeipa/issue/7213
|
I've re-based the commit against Thanks for your contribution, I apologize for the bureaucracy :) |
When running on memory-constrained systems, the `ipa-server-install` program often fails during the "Configuring certificate server (pki-tomcatd)" stage in FreeIPA 4.5 and 4.6. The memory-intensive dogtag service causes swapping on low-memory systems right after start-up, and especially new certificate operations requested via certmonger can exceed the dbus client default 25 second timeout. This patch changes dbus client timeouts for some such operations to 120 seconds (from the default 25 seconds, IIRC). See more discussion in FreeIPA PR freeipa#1078 [1] and FreeIPA container issue freeipa#157 [2]. Upstream ticket at [3]. [1]: freeipa#1078 [2]: freeipa/freeipa-container#157 [3]: https://pagure.io/freeipa/issue/7213
When running on memory-constrained systems, the `ipa-server-install` program often fails during the "Configuring certificate server (pki-tomcatd)" stage in FreeIPA 4.5 and 4.6. The memory-intensive dogtag service causes swapping on low-memory systems right after start-up, and especially new certificate operations requested via certmonger can exceed the dbus client default 25 second timeout. This patch changes dbus client timeouts for some such operations to 120 seconds (from the default 25 seconds, IIRC). See more discussion in FreeIPA PR freeipa#1078 [1] and FreeIPA container issue freeipa#157 [2]. Upstream ticket at [3]. [1]: freeipa#1078 [2]: freeipa/freeipa-container#157 [3]: https://pagure.io/freeipa/issue/7213
When running on memory-constrained systems, the `ipa-server-install` program often fails during the "Configuring certificate server (pki-tomcatd)" stage in FreeIPA 4.5 and 4.6. The memory-intensive dogtag service causes swapping on low-memory systems right after start-up, and especially new certificate operations requested via certmonger can exceed the dbus client default 25 second timeout. This patch changes dbus client timeouts for some such operations to 120 seconds (from the default 25 seconds, IIRC). See more discussion in FreeIPA PR freeipa#1078 [1] and FreeIPA container issue #157 [2]. Upstream ticket at [3]. [1]: freeipa#1078 [2]: freeipa/freeipa-container#157 [3]: https://pagure.io/freeipa/issue/7213 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When running on memory-constrained systems, the `ipa-server-install` program often fails during the "Configuring certificate server (pki-tomcatd)" stage in FreeIPA 4.5 and 4.6. The memory-intensive dogtag service causes swapping on low-memory systems right after start-up, and especially new certificate operations requested via certmonger can exceed the dbus client default 25 second timeout. This patch changes dbus client timeouts for some such operations to 120 seconds (from the default 25 seconds, IIRC). See more discussion in FreeIPA PR freeipa#1078 [1] and FreeIPA container issue freeipa#157 [2]. Upstream ticket at [3]. [1]: freeipa#1078 [2]: freeipa/freeipa-container#157 [3]: https://pagure.io/freeipa/issue/7213 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When running on memory-constrained systems, the `ipa-server-install` program often fails during the "Configuring certificate server (pki-tomcatd)" stage in FreeIPA 4.5 and 4.6. The memory-intensive dogtag service causes swapping on low-memory systems right after start-up, and especially new certificate operations requested via certmonger can exceed the dbus client default 25 second timeout. This patch changes dbus client timeouts for some such operations to 120 seconds (from the default 25 seconds, IIRC). See more discussion in FreeIPA PR freeipa#1078 [1] and FreeIPA container issue freeipa#157 [2]. Upstream ticket at [3]. [1]: freeipa#1078 [2]: freeipa/freeipa-container#157 [3]: https://pagure.io/freeipa/issue/7213
When running on memory-constrained systems, the `ipa-server-install` program often fails during the "Configuring certificate server (pki-tomcatd)" stage in FreeIPA 4.5 and 4.6. The memory-intensive dogtag service causes swapping on low-memory systems right after start-up, and especially new certificate operations requested via certmonger can exceed the dbus client default 25 second timeout. This patch changes dbus client timeouts for some such operations to 120 seconds (from the default 25 seconds, IIRC). See more discussion in FreeIPA PR freeipa#1078 [1] and FreeIPA container issue freeipa#157 [2]. Upstream ticket at [3]. [1]: freeipa#1078 [2]: freeipa/freeipa-container#157 [3]: https://pagure.io/freeipa/issue/7213 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In FreeIPA 4.5 and 4.6, the
ipa-server-installprogram can fail during the "Configuring certificate server (pki-tomcatd)" stage on a heavily-loaded host.The dogtag service is memory intensive, and on a memory-constrained system, can be unresponsive right after start-up, especially for expensive operations that generate new certificates.
These delays can cause failures when dbus clients time out while attempting to run
new certificate operations through certmonger. This patch changes dbus client timeouts for some such operations to 120 seconds (from the default 25 seconds).