Change behavior of services (use ods-control instead of opendnssec-signer and opendnssec-enforcer init scripts)
mave007 opened this issue · 4 comments
Affected opendnssec startup
Puppet: all
Ruby: all
Distribution: all
Module version: current
How to reproduce (e.g Puppet code you use)
Start the opendnssec service, or let Puppet restart the service once it has stopped.
What are you seeing
OpenDNSSEC fails to start and to do the initial handshake with the HSM:
Dec 5 22:49:11 iad01 ods-signerd: [engine] signer started (version 1.4.13), pid 24913
Dec 5 22:49:11 iad01 ods-signerd: [hsm] hsm_get_slot_id(): could not find token with the name OpenDNSSEC
Dec 5 22:49:11 iad01 ods-signerd: [engine] opening hsm failed (for engine recover)
Dec 5 22:49:11 iad01 ods-signerd: [engine] signer shutdown
What behaviour did you expect instead
The opendnssec service (signer and enforcer) should start.
Output log
Any additional information you'd like to impart
puppet-opendnssec/manifests/init.pp
Line 156 in eac83bd
The process to start opendnssec needs to run in a certain order alongside the HSM services in order to run.
It seems Puppet cannot manage this aspect via its usual init.d services, so it might be better to use ods-control instead for this.
Do you think the above pull is enough to fix this?
Xenial is still failing; will take a look later.
I tried to use ods-control; however, it caused problems with Puppet's management of services. However, I looked at ods-control and all it does is ensure that the enforcer starts before the signer. Chaining the services as I have in #3 should ensure this behaviour. I have also added chaining to ensure that all configs are written before services are started. @mave007, can you check the change and comment on its viability?
Just as a note: I noticed after several tries and errors that when doing a manual restart, a double start call using ods control (i.e. ods-hsmutil login; ods-control start; ods-control start) makes things work again with correct PID marks and services as expected.
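The startup failure logged in the issue report can be checked for after each service start or Puppet run. The following is an added example, not code from the puppet-opendnssec module or from any participant in this thread: it groups `ods-signerd` syslog lines by start attempt and reports whether the signer stayed up or stopped because the HSM could not be opened. The function name, the outcome labels, and the fifth sample log line are assumptions made for illustration.

```python
import re

# Sample input: the first four lines are the ones quoted in the issue; the
# fifth line (pid 25002) is constructed to represent a later, healthy start.
SAMPLE_LOG = """\
Dec 5 22:49:11 iad01 ods-signerd: [engine] signer started (version 1.4.13), pid 24913
Dec 5 22:49:11 iad01 ods-signerd: [hsm] hsm_get_slot_id(): could not find token with the name OpenDNSSEC
Dec 5 22:49:11 iad01 ods-signerd: [engine] opening hsm failed (for engine recover)
Dec 5 22:49:11 iad01 ods-signerd: [engine] signer shutdown
Dec 5 22:51:40 iad01 ods-signerd: [engine] signer started (version 1.4.13), pid 25002
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+"
                  r"ods-signerd:\s+\[(?P<mod>\w+)\]\s+(?P<msg>.*)$")
START = re.compile(r"signer started \(version (?P<ver>[^)]+)\), pid (?P<pid>\d+)")
TOKEN = re.compile(r"could not find token with the name (?P<name>\S+)")


def signer_attempts(log_text):
    """Return one dict per 'signer started' event, with how that attempt ended."""
    attempts, current = [], {}  # current: host -> most recent attempt on that host
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an ods-signerd line
        host, msg = m["host"], m["msg"]
        start = START.search(msg)
        if start:
            current[host] = {"host": host, "started": m["ts"],
                             "pid": int(start["pid"]),
                             "outcome": "running", "missing_token": None}
            attempts.append(current[host])
            continue
        att = current.get(host)
        if att is None:
            continue  # message seen before any start event for this host
        token = TOKEN.search(msg)
        if token:
            att["missing_token"] = token["name"]
        elif "opening hsm failed" in msg:
            att["outcome"] = "hsm_open_failed"
        elif "signer shutdown" in msg and att["outcome"] == "running":
            att["outcome"] = "stopped"  # shutdown without a logged HSM error
    return attempts


if __name__ == "__main__":
    for attempt in signer_attempts(SAMPLE_LOG):
        print(attempt)
```

An attempt with outcome `hsm_open_failed` means the signer exited immediately after starting, so zones are not being re-signed until a later attempt shows `running`.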