Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Cloned from upstream: https://pagure.io/freeipa/issue/6787
In issue #6652 a new cache for KRA transport certs was introduced. The new cache uses a combination of file system cache and in-memory cache. The in-memory cache has a higher precedence than the fs cache. Once loaded, the in-memory cache is never synced from the file system again.
For a forking service like Custodia, this results in a performance regression and concurrency issues. Custodia initializes the KRA transport cert cache in the main process right before the server socket listens on incoming requests. Since all requests are handled in forked child processes, the in-memory cache of the server process is created once and never updated. This can lead to performance regressions in case the KRA cert is updated:
1. master process stores KRA cert in-memory and on-fs
2. External process modifies KRA cert of the KRA subsystem
3. Custodia requests comes in, server forks child process
3. child process uses old KRA cert for first write attempt, fails
4. child processes fetches new cert and stores it in memory and on fs
5. child process uses new cert to attempt second write
Steps 3 to 5 are repeated over and over again because the child can't modify the in-memory cache of the parent process.
Proposed solution: Use a simpler implementation that uses an atomic on-filesystem cache.
Further more there is a bug in the new KRA cache code. On one occasion a ```logger.info()``` has a format string with two ```%s``` but just one positional argument. This causes the cache to break with a ```TypeError: not enough arguments for format string``` exception.