Timeout when performing time sync during client installation

https://fedorahosted.org/freeipa/ticket/4842
2015-03-17 10:26:56 +01:00 · 2015-03-17 10:26:56 +01:00 · 37a047a11a
commit 37a047a11a
parent b0ad0e0344
3 changed files with 146 additions and 1 deletions
--- a/0001-Skip-time-sync-during-client-install-when-using-no-n.patch
+++ b/0001-Skip-time-sync-during-client-install-when-using-no-n.patch
@ -0,0 +1,33 @@
+From 80514f225f628f7c7993b85e562a851e7ee40644 Mon Sep 17 00:00:00 2001
+From: Nathan Kinder <nkinder@redhat.com>
+Date: Wed, 25 Feb 2015 14:22:02 -0800
+Subject: [PATCH 1/2] Skip time sync during client install when using --no-ntp
+
+When --no-ntp is specified during ipa-client-install, we still
+attempt to perform a time sync before obtaining a TGT from the
+KDC.  We should not be attempting to sync time with the KDC if
+we are explicitly told to not configure ntp.
+
+Ticket: https://fedorahosted.org/freeipa/ticket/4842
+---
+ ipa-client/ipa-install/ipa-client-install | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
+index ccaab55..a625fbd 100755
+--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
+@@ -2324,8 +2324,9 @@ def install(options, env, fstore, statestore):
+         # hostname if different from system hostname
+         tasks.backup_and_replace_hostname(fstore, statestore, options.hostname)
+ 
+-    if not options.on_master:
+    if not options.on_master and options.conf_ntp:
+         # Attempt to sync time with IPA server.
+        # If we're skipping NTP configuration, we also skip the time sync here.
+         # We assume that NTP servers are discoverable through SRV records in the DNS
+         # If that fails, we try to sync directly with IPA server, assuming it runs NTP
+         root_logger.info('Synchronizing time with KDC...')
+-- 
+1.9.3
+
--- a/0002-Timeout-when-performing-time-sync-during-client-inst.patch
+++ b/0002-Timeout-when-performing-time-sync-during-client-inst.patch
@ -0,0 +1,105 @@
+>From 8c6aaa8a9b2829f9cfff402dc65f2b5a9a93813b Mon Sep 17 00:00:00 2001
+From: Nathan Kinder <nkinder@redhat.com>
+Date: Wed, 25 Feb 2015 15:19:47 -0800
+Subject: [PATCH 2/2] Timeout when performing time sync during client install
+
+We use ntpd now to sync time before fetching a TGT during client
+install.  Unfortuantely, ntpd will hang forever if it is unable to
+reach the NTP server.
+
+This patch adds the ability for commands run via ipautil.run() to
+have an optional timeout.  This capability is used by the NTP sync
+code that is run during ipa-client-install.
+
+Ticket: https://fedorahosted.org/freeipa/ticket/4842
+---
+ ipa-client/ipaclient/ntpconf.py |  8 +++++++-
+ ipaplatform/base/paths.py       |  1 +
+ ipapython/ipautil.py            | 12 +++++++++++-
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
+index e1ac55a..99e43a6 100644
+--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
+@@ -18,6 +18,7 @@
+ #
+ 
+ from ipapython import ipautil
+from ipapython.ipa_log_manager import root_logger
+ import shutil
+ import os
+ from ipaplatform.tasks import tasks
+@@ -149,7 +150,12 @@ def synconce_ntp(server_fqdn):
+ 
+     tmp_ntp_conf = ipautil.write_tmp_file('server %s' % server_fqdn)
+     try:
+-        ipautil.run([ntpd, '-qgc', tmp_ntp_conf.name])
+        # The ntpd command will never exit if it is unable to reach the
+        # server, so timeout after 15 seconds.
+        timeout = 15
+        root_logger.info('Attempting to sync time using ntpd.  '
+                         'Will timeout after %s seconds' % timeout)
+        ipautil.run([ntpd, '-qgc', tmp_ntp_conf.name], timeout=timeout)
+         return True
+     except ipautil.CalledProcessError:
+         return False
+diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
+index 7922e3b..11c7e92 100644
+--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
+@@ -186,6 +186,7 @@ class BasePathNamespace(object):
+     SSLGET = "/usr/bin/sslget"
+     SSS_SSH_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"
+     SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
+    BIN_TIMEOUT = "/usr/bin/timeout"
+     UPDATE_CA_TRUST = "/usr/bin/update-ca-trust"
+     BIN_WGET = "/usr/bin/wget"
+     ZIP = "/usr/bin/zip"
+diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
+index 4116d97..6a06a8e 100644
+--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
+@@ -249,7 +249,7 @@ def shell_quote(string):
+ 
+ def run(args, stdin=None, raiseonerr=True,
+         nolog=(), env=None, capture_output=True, skip_output=False, cwd=None,
+-        runas=None):
+        runas=None, timeout=None):
+     """
+     Execute a command and return stdin, stdout and the process return code.
+ 
+@@ -277,6 +277,8 @@ def run(args, stdin=None, raiseonerr=True,
+     :param cwd: Current working directory
+     :param runas: Name of a user that the command shold be run as. The spawned
+         process will have both real and effective UID and GID set.
+    :param timeout: Timeout if the command hasn't returned within the specified
+        number of seconds.
+     """
+     p_in = None
+     p_out = None
+@@ -302,6 +304,11 @@ def run(args, stdin=None, raiseonerr=True,
+         p_out = subprocess.PIPE
+         p_err = subprocess.PIPE
+ 
+    if timeout:
+        # If a timeout was provided, use the timeout command
+        # to execute the requested command.
+        args[0:0] = [paths.BIN_TIMEOUT, str(timeout)]
+
+     arg_string = nolog_replace(' '.join(shell_quote(a) for a in args), nolog)
+     root_logger.debug('Starting external process')
+     root_logger.debug('args=%s' % arg_string)
+@@ -332,6 +339,9 @@ def run(args, stdin=None, raiseonerr=True,
+         if skip_output:
+             p_out.close()   # pylint: disable=E1103
+ 
+    if timeout and p.returncode == 124:
+        root_logger.debug('Process did not complete before timeout')
+
+     root_logger.debug('Process finished, return code=%s', p.returncode)
+ 
+     # The command and its output may include passwords that we don't want
+-- 
+1.9.3
+
--- a/freeipa.spec
+++ b/freeipa.spec
@ -25,7 +25,7 @@

 Name:           freeipa
 Version:        %{VERSION}
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        The Identity, Policy and Audit system

 Group:          System Environment/Base
@ -34,6 +34,9 @@ URL:            http://www.freeipa.org/
 Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

+Patch0001:      0001-Skip-time-sync-during-client-install-when-using-no-n.patch
+Patch0002:      0002-Timeout-when-performing-time-sync-during-client-inst.patch
+
 %if ! %{ONLY_CLIENT}
 BuildRequires:  389-ds-base-devel >= 1.3.3.8
 BuildRequires:  svrcore-devel
@ -939,6 +942,10 @@ fi
 %endif # ONLY_CLIENT

 %changelog
+* Tue Mar 17 2015 Petr Vobornik <pvoborni@redhat.com> - 4.1.3-3
+- Timeout ipa-client install if ntp server is unreachable #4842
+- Skip time sync during client install when using --no-ntp #4842
+
 * Wed Mar 04 2015 Petr Vobornik <pvoborni@redhat.com> - 4.1.3-2
 - Add missing sssd python dependencies
 - https://bugzilla.redhat.com/show_bug.cgi?id=1197218