Bug #19734

race condition when creating the candlepin keystore

Added by Evgeni Golov about 5 years ago. Updated almost 4 years ago.

Status: Closed
Priority: High
Assignee:
Category: Installer
Target version:
Difficulty: easy
Triaged:
Bugzilla link:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

When running the installer, I sometimes see "Exec[import client certificate into Candlepin keystore]" being executed before "File[/etc/pki/katello/keystore_password-file]", which obviously does not work, as the exec wants to read that file.

Example log:

[DEBUG 2017-06-01 10:17:27 main]  Exec[import client certificate into Candlepin keystore](provider=posix): Executing 'openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass HrDYjb4wHnhxm97GtPv9dHGkvppQHCjb -srcstorepass HrDYjb4wHnhxm97GtPv9dHGkvppQHCjb -noprompt && rm /tmp/keystore.p12'
[DEBUG 2017-06-01 10:17:27 main]  Executing 'openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass HrDYjb4wHnhxm97GtPv9dHGkvppQHCjb -srcstorepass HrDYjb4wHnhxm97GtPv9dHGkvppQHCjb -noprompt && rm /tmp/keystore.p12'
[ WARN 2017-06-01 10:17:27 main]  /Stage[main]/Certs::Candlepin/Exec[import client certificate into Candlepin keystore]/returns: Can't open file /etc/pki/katello/keystore_password-file
[ WARN 2017-06-01 10:17:27 main]  /Stage[main]/Certs::Candlepin/Exec[import client certificate into Candlepin keystore]/returns: Error getting passwords
[ERROR 2017-06-01 10:17:27 main]  openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass HrDYjb4wHnhxm97GtPv9dHGkvppQHCjb -srcstorepass HrDYjb4wHnhxm97GtPv9dHGkvppQHCjb -noprompt && rm /tmp/keystore.p12 returned 1 instead of one of [0]
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/util/errors.rb:106:in `fail'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/type/exec.rb:160:in `sync'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/transaction/resource_harness.rb:204:in `sync'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/transaction/resource_harness.rb:128:in `sync_if_needed'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/transaction/resource_harness.rb:89:in `block in perform_changes'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/transaction/resource_harness.rb:88:in `each'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/transaction/resource_harness.rb:88:in `perform_changes'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/transaction/resource_harness.rb:20:in `evaluate'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/transaction.rb:204:in `apply'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/transaction.rb:217:in `eval_resource'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/transaction.rb:147:in `call'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/transaction.rb:147:in `block (2 levels) in evaluate'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/util.rb:335:in `block in thinmark'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/benchmark.rb:296:in `realtime'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/util.rb:334:in `thinmark'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/transaction.rb:147:in `block in evaluate'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/graph/relationship_graph.rb:118:in `traverse'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/transaction.rb:138:in `evaluate'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/resource/catalog.rb:169:in `block in apply'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/util/log.rb:149:in `with_destination'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/transaction/report.rb:112:in `as_logging_destination'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/resource/catalog.rb:168:in `apply'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/configurer.rb:120:in `block in apply_catalog'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/util.rb:161:in `block in benchmark'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/benchmark.rb:296:in `realtime'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/util.rb:160:in `benchmark'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/configurer.rb:119:in `apply_catalog'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/configurer.rb:227:in `run_internal'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/configurer.rb:134:in `block in run'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/context.rb:64:in `override'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet.rb:246:in `override'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/configurer.rb:133:in `run'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/application/apply.rb:302:in `apply_catalog'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/application/apply.rb:236:in `block in main'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/context.rb:64:in `override'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet.rb:246:in `override'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/application/apply.rb:198:in `main'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/application/apply.rb:159:in `run_command'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/application.rb:381:in `block (2 levels) in run'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/application.rb:507:in `plugin_hook'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/application.rb:381:in `block in run'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/util.rb:496:in `exit_on_fail'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/application.rb:381:in `run'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/util/command_line.rb:146:in `run'
[ERROR 2017-06-01 10:17:27 main] /usr/share/ruby/vendor_ruby/puppet/util/command_line.rb:92:in `execute'
[ERROR 2017-06-01 10:17:27 main] /usr/bin/puppet:8:in `<main>'
[ERROR 2017-06-01 10:17:27 main]  /Stage[main]/Certs::Candlepin/Exec[import client certificate into Candlepin keystore]/returns: change from notrun to 0 failed: openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass HrDYjb4wHnhxm97GtPv9dHGkvppQHCjb -srcstorepass HrDYjb4wHnhxm97GtPv9dHGkvppQHCjb -noprompt && rm /tmp/keystore.p12 returned 1 instead of one of [0]
[DEBUG 2017-06-01 10:17:27 main]  Exec[import client certificate into Candlepin keystore](provider=posix): Executing check 'keytool -list -keystore /etc/candlepin/certs/amqp/candlepin.jks -storepass HrDYjb4wHnhxm97GtPv9dHGkvppQHCjb -alias amqp-client'
[DEBUG 2017-06-01 10:17:27 main]  Executing 'keytool -list -keystore /etc/candlepin/certs/amqp/candlepin.jks -storepass HrDYjb4wHnhxm97GtPv9dHGkvppQHCjb -alias amqp-client'
[DEBUG 2017-06-01 10:17:27 main]  /Stage[main]/Certs::Candlepin/Exec[import client certificate into Candlepin keystore]/unless: keytool error: java.lang.Exception: Keystore file does not exist: /etc/candlepin/certs/amqp/candlepin.jks
[DEBUG 2017-06-01 10:17:27 main]  Exec[import client certificate into Candlepin keystore](provider=posix): Executing 'openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass HrDYjb4wHnhxm97GtPv9dHGkvppQHCjb -srcstorepass HrDYjb4wHnhxm97GtPv9dHGkvppQHCjb -noprompt && rm /tmp/keystore.p12'
[DEBUG 2017-06-01 10:17:27 main]  Executing 'openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass HrDYjb4wHnhxm97GtPv9dHGkvppQHCjb -srcstorepass HrDYjb4wHnhxm97GtPv9dHGkvppQHCjb -noprompt && rm /tmp/keystore.p12'
[ WARN 2017-06-01 10:17:27 main]  /Stage[main]/Certs::Candlepin/Exec[import client certificate into Candlepin keystore]/returns: Can't open file /etc/pki/katello/keystore_password-file
[ WARN 2017-06-01 10:17:27 main]  /Stage[main]/Certs::Candlepin/Exec[import client certificate into Candlepin keystore]/returns: Error getting passwords
[ERROR 2017-06-01 10:17:27 main]  /Stage[main]/Certs::Candlepin/Exec[import client certificate into Candlepin keystore]: Failed to call refresh: openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass HrDYjb4wHnhxm97GtPv9dHGkvppQHCjb -srcstorepass HrDYjb4wHnhxm97GtPv9dHGkvppQHCjb -noprompt && rm /tmp/keystore.p12 returned 1 instead of one of [0]
[ERROR 2017-06-01 10:17:27 main]  /Stage[main]/Certs::Candlepin/Exec[import client certificate into Candlepin keystore]: openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass HrDYjb4wHnhxm97GtPv9dHGkvppQHCjb -srcstorepass HrDYjb4wHnhxm97GtPv9dHGkvppQHCjb -noprompt && rm /tmp/keystore.p12 returned 1 instead of one of [0]

[... later ...]

[ WARN 2017-06-01 10:17:29 main]  /Stage[main]/Certs::Candlepin/File[/etc/pki/katello/keystore_password-file]/ensure: defined content as '{md5}ec492ca83a74aab244d72168e4a8dd1b'

Associated revisions

Revision cf927332 (diff)
Added by Evgeni Golov about 5 years ago

Fixes #19734 - enforce proper execution order for Candlepin (#158)

otherwise `Exec[import client certificate into Candlepin keystore]` has
no relationship with `File[/etc/pki/katello/keystore_password-file]` and
Puppet might execute them in any order, but the Exec needs the File.
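
The ordering relationship the commit message describes, written out as an added example; it is not the change from pull request #158 and not code from puppet-certs. The class name and the `$keystore_password` parameter are hypothetical, and it assumes the password file holds the same value passed to `-storepass`; resource titles, paths and commands are copied from the log in this issue.

```puppet
# Added example: class name and $keystore_password are hypothetical.
class example_candlepin_keystore (
  String $keystore_password,
) {
  $password_file = '/etc/pki/katello/keystore_password-file'
  $client_cert   = '/etc/pki/katello/certs/java-client.crt'
  $client_key    = '/etc/pki/katello/private/java-client.key'
  $keystore      = '/etc/candlepin/certs/amqp/candlepin.jks'
  $tmp_p12       = '/tmp/keystore.p12'

  # The file that openssl reads through "-passout file:...".
  file { $password_file:
    ensure  => file,
    content => $keystore_password,
    owner   => 'root',  # assumption: ownership and mode are not on the page
    group   => 'root',
    mode    => '0440',
  }

  # Same three steps as the command in the log, split up for readability.
  $export = "openssl pkcs12 -export -name amqp-client -in ${client_cert} -inkey ${client_key} -out ${tmp_p12} -passout file:${password_file}"
  $import = "keytool -importkeystore -destkeystore ${keystore} -srckeystore ${tmp_p12} -srcstoretype pkcs12 -alias amqp-client -storepass ${keystore_password} -srcstorepass ${keystore_password} -noprompt"

  exec { 'import client certificate into Candlepin keystore':
    command => "${export} && ${import} && rm ${tmp_p12}",
    path    => ['/usr/bin', '/bin'],
    unless  => "keytool -list -keystore ${keystore} -storepass ${keystore_password} -alias amqp-client",
    # Puppet does not infer a dependency from a path that only appears inside
    # a command argument. Without this line there is no edge between the two
    # resources in the catalog graph and the Exec may be applied first, which
    # is the "Can't open file" failure in the log.
    require => File[$password_file],
  }

  # Equivalent form using a chaining arrow instead of the require metaparameter:
  #   File[$password_file] -> Exec['import client certificate into Candlepin keystore']
}
```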

History

#1 Updated by Evgeni Golov about 5 years ago

  • Pull request https://github.com/Katello/puppet-certs/pull/158 added

#2 Updated by Evgeni Golov about 5 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

#3 Updated by Eric Helms about 5 years ago

  • Legacy Backlogs Release (now unused) set to 228
