[Opendnssec-user] kasp locking

Mon Jul 9 15:20:07 UTC 2012

[root at signer-02 log]# ods-ksmutil key list
/var/opendnssec/kasp.db.our_lock already locked, sleep
/var/opendnssec/kasp.db.our_lock already locked, sleep
/var/opendnssec/kasp.db.our_lock already locked, sleep
couldn't get lock on /var/opendnssec/kasp.db.our_lock; Resource 
temporarily unavailable

[root at signer-02 log]# ps auxww |grep -i ods
zonefile  3264  0.0  0.0  22468   680 ?        S    11:01   0:00 
/usr/sbin/ods-signer update ZONENAME
zonefile  3497  0.0  0.0 108184  1256 ?        S    11:11   0:00 sh -c { 
ods-ksmutil key list --all --verbose; } 2>&1
zonefile  3498  0.0  0.0  25416  1652 ?        S    11:11   0:00 
ods-ksmutil key list --all --verbose
root      3505  0.0  0.0 103232   868 pts/0    S+   11:12   0:00 grep -i 
ods
zonefile 37394  0.0  0.0  44816  5156 ?        Ss   Jul06   0:02 
/usr/sbin/ods-enforcerd
zonefile 37418  1.9  3.1 2546748 1665532 ?     Ssl  Jul06  85:04 
/usr/sbin/ods-signerd

Questions:

signerd is locking the kasp database during signing?

Why would an "ods-ksmutil key list", a read function, be locked out?

Can a signerd lock also lock out enforcerd?

Is this why keys between multiple separate instances of kasp/enforcer can 
work beautifully for days and then magically get out of sync?  Where all 
instances are picking the same keys in the same order, but occasionally at 
different times for reasons unknown?

-jake