[Opendnssec-user] kaspConnect() causes ods-enforcer brittleness

Havard Eidnes he at uninett.no
Tue Dec 8 08:22:21 UTC 2015


the ods-enforcer daemon loops, periodically looking for things
which need to be done / scheduled.  Inside its service loop it
has this piece of code:

        log_msg(config, LOG_INFO, "Connecting to Database...");
        kaspConnect(config, &dbhandle);

followed by misleadingly-indented code (that's a minor issue).

However...  What happens if an administrator just happens to run
"ods-ksmutil key list ..." at exactly that time when the enforcer
wants to connect to the database?  This is what the log can tell:

Dec  8 08:32:43 hugin ods-enforcerd: Connecting to Database...
Dec  8 08:32:43 hugin ods-enforcerd: ERROR: error executing SQL - database is locked

and this time it looks like ods-enforcerd really means that this
is an error, because kaspConnect() doesn't return an error but
does an exit() if connecting to the database fails:

 * Connect to the DB
kaspConnect(DAEMONCONFIG* config, DB_HANDLE     *handle)
    /* Note that all these XML derived strings are unsigned chars */
        if (DbConnect(handle, (char *)config->schema, (char *)config->host, (char *)config->password, (char *)config->user, (char *)config->port) != 0) {


That's not a good way to design a library function interface!

This makes ods-enforcer brittle, provides no automatic error
recovery, and requires operator intervention to restart the
now-dead enforcer.

Again, this is with OpenDNSSEC 1.4.7, using sqlite3.


- Håvard

More information about the Opendnssec-user mailing list