hook concurrency: more hook granularity

mf commented

2021-08-31 13:06:39 +02:00

Collaborator

Currently there is one hook which is run for each certificate which is updated. These hooks may run in parallel which is generally desirable but may cause service restart failure at the end of the hook. This is very likely to happen when another instance of the hook is writing to a certificate file which is also used by the service which is to be restarted in the hook.

This can be worked around by using a lock file in the hook, but this will serialize hook execution of course which is counterproductive if hook parallelization was done on purpose.

Ideally there would be one (post) or two (pre and post) or even more hooks per certificate and one global hook which is run before any per certificate hook is run and another one which is run after all per certificate hooks finished. The hook script runner could identify this global phases to the hook script by setting the DOMAIN environment variable to the value global or by setting the environment variable GLOBAL.

Currently there is one hook which is run for each certificate which is updated. These hooks may run in parallel which is generally desirable but may cause service restart failure at the end of the hook. This is very likely to happen when another instance of the hook is writing to a certificate file which is also used by the service which is to be restarted in the hook. This can be worked around by using a lock file in the hook, but this will serialize hook execution of course which is counterproductive if hook parallelization was done on purpose. Ideally there would be one (post) or two (pre and post) or even more hooks per certificate and one global hook which is run before any per certificate hook is run and another one which is run after all per certificate hooks finished. The hook script runner could identify this global phases to the hook script by setting the `DOMAIN` environment variable to the value `global` or by setting the environment variable `GLOBAL`.

heiko added the

enhancement

label

2021-08-31 13:09:32 +02:00

heiko self-assigned this

2021-08-31 13:09:39 +02:00

heiko changed title from ~~more hook granularity~~ to hook concurrency: more hook granularity

2021-08-31 13:16:01 +02:00

heiko referenced this issue from a commit

2021-09-08 17:54:58 +02:00

CA: Copy the requested "CN" into the SAN (closes #2)

heiko referenced this issue from a commit

2021-10-31 18:31:34 +01:00

Provide new option -shared-hook (fixes #2)

heiko commented

2021-10-31 18:36:40 +01:00

Owner

What about (as in the recent commit)

New option -shared-hook <hook>, which then calls <hook> after all other hooks are done, as:

<file> shared CN...

This is compatible with the hooks we have already.

BTW, the hooks run serialized (at least it is supposed to do so), but while a hook is running, another thread of the cert-proxy-client may update one of the other certificates.

What about (as in the recent commit) New option `-shared-hook <hook>`, which then calls `<hook>` after all other hooks are done, as: ``` <file> shared CN... ``` This is compatible with the hooks we have already. BTW, the hooks run serialized (at least it is supposed to do so), but while a hook is running, another thread of the cert-proxy-client may update one of the other certificates.

heiko added this to the release 1.17 milestone

2021-11-01 10:53:31 +01:00

heiko referenced this issue from a pull request that will close it,

2021-11-01 11:19:39 +01:00

Allow shared hook (fixes #2) #11

heiko referenced this issue from a commit

2021-11-21 23:22:46 +01:00

Allow shared hook (fixes #2) (#11)

heiko closed this issue

2021-11-21 23:22:46 +01:00

heiko referenced this issue from a pull request that will close it,

2021-11-21 23:23:32 +01:00