diff options
| author | Rob Austein <sra@hactrn.net> | 2017-01-27 18:49:37 -0500 |
|---|---|---|
| committer | Rob Austein <sra@hactrn.net> | 2017-01-27 18:49:37 -0500 |
| commit | 9bcd874fc3f83e2517f89db122ed49cad4e9e599 (patch) | |
| tree | c6b8c53cf6de3f636bb0fe74223a26dd91687a1c | |
| parent | 824cdf673f5f26679d7fe7955060963e720066d6 (diff) | |
Accumulate primary keys instead of objects to work around Django caching.
This is nasty, and I still don't entirely understand it why this was
happening. We collect ca_detail objects during bulk ROA processing,
so that we can defer manifest and CRL updates until the end of the
batch. Somehow, Django's caching code was causing the parent CA's
issued serial number to roll back as part of this caching, which
caused us to reuse serial numbers. Which is (very) bad.
Replacing the collection of ca_detail objects with a collection of
primary key values for those same ca_detail objects seems to have
worked, presumably because it lets us force creation of a new queryset
when it's time for us to process the relevant ca_detail objects.
The question is how many other booby traps like this might be lurking.
| -rw-r--r-- | rpki/rpkid_tasks.py | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/rpki/rpkid_tasks.py b/rpki/rpkid_tasks.py index 7137c973..a39b0a82 100644 --- a/rpki/rpkid_tasks.py +++ b/rpki/rpkid_tasks.py @@ -431,7 +431,7 @@ class UpdateROAsTask(AbstractTask): roa = roas.pop(0) try: roa.update(publisher = publisher) - ca_details.add(roa.ca_detail) + ca_details.add(roa.ca_detail.pk) except rpki.exceptions.NoCoveringCertForROA: logger.warning("%r: No covering certificate for %r, skipping", self, roa) except: @@ -440,13 +440,13 @@ class UpdateROAsTask(AbstractTask): if not postponing: for roa in orphans: try: - ca_details.add(roa.ca_detail) + ca_details.add(roa.ca_detail.pk) roa.revoke(publisher = publisher) except: logger.exception("%r: Could not revoke %r", self, roa) if not publisher.empty(): - for ca_detail in ca_details: + for ca_detail in rpki.rpkidb.models.CADetail.objects.filter(pk__in = ca_details): logger.debug("%r: Generating new CRL and manifest for %r", self, ca_detail) ca_detail.generate_crl_and_manifest(publisher = publisher) yield publisher.call_pubd() |