Re: Starting funcd when certmaster is down?

Michael DeHaan wrote:
> It's always kind of bugged me that if I have a valid certificate, and I start funcd when certmaster can NOT be contacted, that funcd fails.
>
> I think there are a couple of ways to fix this. If the machine already has a cert from the configured certmaster, how about we have it not try to contact certmaster?

We have a bit of a catch-22 with funcd starting with no certmaster. We try to figure out the fqdn name in some cases by talking to the certmaster, since we need the fqdn to know what the cert names are so we can check if they exist.

We could just fall back to the less effective get_hostname, but I think that behaves incorrectly in many cases.

We could store some way of knowing which cert the minion uses as its own.
   - we could symlink "self" or something to the right certs in the dir
   - we could store the hostname we create the certs with somewhere (config file presumably). Not entirely sure what to do in cases where the hostname changes though.

> The scenario I want to deal with is if you have a lab full of machines and for some reason have to cycle the power on the lab. We don't really want to require that the machines have to start up in a sufficient order that certmaster on machine X is running before funcd on machine Y.

For machines that have a cert, assuming we do one of the above, we can skip the code that checks in with certmaster.

The cert requesting code, certmaster/certmaster/utils:creation_minion_keys (an odd place for that core code, but alas...) will keep trying to request a key from a running certmaster. At the moment, I don't think it handles certmaster not responding very well.

> Later, we may have some need to talk to certmaster if there is going to be bi-directional communication from that central point, but right now, it's unidirectional and func is daemonless -- so I don't think it should have to talk to certmaster if funcd doesn't think it needs to talk to certmaster.

Should be doable.


Adrian
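An added example, not func or certmaster project code, of the startup decision sketched in the thread: identify the minion's own cert from a local "self" symlink or a hostname stored at cert-creation time, fall back to the fqdn lookup only as a last resort, and contact certmaster only when no usable local cert is found. The cert directory layout, the `self.cert` symlink, the `cert_hostname` config key and the hostnames are all assumptions.

```python
"""Offline identity check so funcd can start while certmaster is down.
Added illustration; file layout and config key are assumptions."""
import os
import socket
import tempfile


def minion_identity(cert_dir, config_path):
    """Return (hostname, source) without any network round trip to certmaster.
    Order: 'self.cert' symlink -> stored cert_hostname -> socket.getfqdn()."""
    self_link = os.path.join(cert_dir, "self.cert")          # assumed layout
    if os.path.islink(self_link):
        target = os.path.basename(os.readlink(self_link))
        if target.endswith(".cert"):
            return target[:-len(".cert")], "symlink"
    if os.path.exists(config_path):
        with open(config_path) as fh:
            for line in fh:
                key, _, value = line.partition("=")
                if key.strip() == "cert_hostname" and value.strip():
                    return value.strip(), "config"
    # Least reliable, and the only step that may touch DNS.
    return socket.getfqdn(), "getfqdn"


def has_local_cert(cert_dir, hostname):
    """True when both the cert and the private key for hostname exist locally."""
    cert = os.path.join(cert_dir, hostname + ".cert")       # assumed names
    key = os.path.join(cert_dir, hostname + ".pem")
    return os.path.isfile(cert) and os.path.isfile(key)


def needs_certmaster(cert_dir, config_path):
    """Startup decision: talk to certmaster only when no local cert is found."""
    hostname, _ = minion_identity(cert_dir, config_path)
    return not has_local_cert(cert_dir, hostname)


def demo():
    """Constructed scenario: one box certified earlier, one fresh box."""
    base = tempfile.mkdtemp()
    certs = os.path.join(base, "certs")
    os.mkdir(certs)
    host = "node01.lab.example"                               # constructed
    for ext in (".cert", ".pem"):
        open(os.path.join(certs, host + ext), "w").close()
    os.symlink(host + ".cert", os.path.join(certs, "self.cert"))
    cfg = os.path.join(base, "minion.conf")
    with open(cfg, "w") as fh:
        fh.write("cert_hostname = " + host + "\n")
    fresh_cfg = os.path.join(base, "fresh.conf")              # hostname stored, no cert
    with open(fresh_cfg, "w") as fh:
        fh.write("cert_hostname = node02.lab.example\n")
    return {"identity": minion_identity(certs, cfg),
            "needs_certmaster": needs_certmaster(certs, cfg),
            "fresh_identity": minion_identity(os.path.join(base, "none"), fresh_cfg),
            "fresh_needs_certmaster": needs_certmaster(os.path.join(base, "none"), fresh_cfg)}
```

A hostname change after the cert was issued still needs a policy (Adrian's open question); this check only avoids the network dependency for the unchanged case.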

_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list
