On 4/3/2013 9:52 AM, Ade Lee wrote:
> On Wed, 2013-04-03 at 10:36 -0400, Abhishek Koneru wrote:
> > 1. This mechanism locks the entire system, so only one
> > pkispawn/pkidestroy can run at any time. Is this the intended behavior?
> > Or should we lock a particular instance only?
> >
> > I think it was decided to allow only one pkispawn/pkidestroy for an
> > entire system.
>
> pkispawn and pkidestroy do selinux operations. Only one set of selinux
> operations should be done at a time. Not doing this could cause an
> operation to fail or worse. If you like, you could try to lock this
> section only, but then you still need to ensure that concurrent
> operations do not affect the same data -- for instance, are they touching
> the same ports?
>
> The simplest and easiest solution will be to lock to having one
> operation per system at a time.

Is it because the selinux operations in general are not safe to run
concurrently? If that's the case what about selinux operations executed
by other applications, do we need to be concerned about that?

Or is this only a concern when the operations affect the same data (e.g.
same instance/ports)? This means running concurrent pkispawn to create
two unrelated instances with completely different settings should not be
blocked at all.

If that's the case, there are two things that can be done:

1. Lock the instance to make sure it's not modified at the same time.
2. Check to make sure different instances don't use conflicting settings
   (e.g. ports).

In general we should be able to assume that people won't use conflicting
settings in different instances. But if that happens the above steps
should catch that. Does setup-ds.pl lock the entire system?

Locking pkispawn/pkidestroy to prevent concurrent execution doesn't
really prevent someone from using conflicting settings in a later execution.

--
Endi S. Dewata
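
The two steps proposed in the message above (per-instance lock plus a cross-instance port check), sketched as an added example that is not part of the original thread and is not pkispawn's code. The registry directory, file names and the `spawn`, `file_lock` and `port_conflicts` helpers are hypothetical; the port check and registration share one short system-wide lock so that two unrelated spawns cannot both pass the check and then claim the same port.

```python
import fcntl, json, os, tempfile
from contextlib import contextmanager

@contextmanager
def file_lock(path, blocking=True):
    """Hold an exclusive advisory flock on path; released when the fd closes."""
    fd = os.open(path, os.O_CREAT | os.O_RDWR, 0o600)
    try:
        flags = fcntl.LOCK_EX | (0 if blocking else fcntl.LOCK_NB)
        fcntl.flock(fd, flags)  # BlockingIOError if non-blocking and already held
        yield
    finally:
        os.close(fd)

def port_conflicts(registry, instance, ports):
    """Return {port: owning_instance} for ports claimed by other instances."""
    clashes = {}
    for name in sorted(os.listdir(registry)):
        if not name.endswith(".json") or name == instance + ".json":
            continue
        with open(os.path.join(registry, name)) as f:
            for port in set(json.load(f)) & set(ports):
                clashes[port] = name[:-len(".json")]
    return clashes

def spawn(registry, instance, ports):
    """Hypothetical spawn: fail fast if this instance is busy, then do the
    port check and registration atomically under a short system-wide lock."""
    with file_lock(os.path.join(registry, instance + ".lock"), blocking=False):
        # Long, instance-local work (file layout, config) would run here unserialized.
        with file_lock(os.path.join(registry, "system.lock")):
            # Shared-state section: assumed place for the selinux operations too.
            clashes = port_conflicts(registry, instance, ports)
            if clashes:
                raise ValueError(f"port conflict: {clashes}")
            with open(os.path.join(registry, instance + ".json"), "w") as f:
                json.dump(sorted(ports), f)

if __name__ == "__main__":
    reg = tempfile.mkdtemp()  # constructed sample registry
    spawn(reg, "pki-a", [8080, 8443])
    spawn(reg, "pki-b", [9080, 9443])       # unrelated instance: allowed
    try:
        spawn(reg, "pki-c", [8443, 10443])  # reuses pki-a's port
    except ValueError as e:
        print(e)
```

Because the registry persists between runs, the check also catches a conflicting setting supplied in a later, non-concurrent execution, which a run-time lock alone does not.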