- Type: Improvement
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 1.3.16
- Fix Version/s: 2.1.0
- Component/s: Signer
- Labels:
- Environment:
RHEL 6.5 (Santiago), OpenDNSSEC 1.3.16.
Our replicated HSM has trouble handling the thread model of the signer; we suspect the cause to be the vendor-provided replication library.
We need a quickfix to stop it from gradually locking down all of its threads; replication is mainly useful as a live/instant backup for Enforcer-generated keys, but signing could be done on just a single HSM.
Our Signer process deadlocks every few days. GDB and stack tracing led us to believe that the HSM is at fault (confirmed by Matthijs).
We therefore want the Enforcer to store keys on the replicated HSM, and the Signer to use only one (nearby) replicum. This is possible; the vendor's replication library offers variations through distinct token labels.
The ods-signerd has an option -c to set its conffile, but it is customarily started through ods-signer which does not have that behaviour. This patch adds that behaviour. Next to "ods-signer start" there is now an option to use "ods-signer start /path/to/conf.xml". We have altered ods-control to use this facility, defaulting to "@OPENDNSSEC_CONFIG_DIR@/conf.xml".
Please let me know where you would like me to cover this in documentation; I don't really know, but am willing to patch that too of course.