Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a random sleep for noninteractive renewals #6393

Merged
merged 15 commits into from
Nov 21, 2018
Merged

Add a random sleep for noninteractive renewals #6393

merged 15 commits into from
Nov 21, 2018

Conversation

schoen
Copy link
Contributor

@schoen schoen commented Sep 24, 2018

Fixes #6391.

@schoen
Copy link
Contributor Author

schoen commented Sep 25, 2018

The testing for this is a little tricky because the tox tests cause isatty() to be False all the time, meaning that every renewal test ends up sleeping and we end up getting over the maximum allowed test time. It looks like we need to mock it in the other direction, to persuade most of the tests that the input is interactive.

@ohemorange
Copy link
Contributor

Is this ready for a review?

@schoen
Copy link
Contributor Author

schoen commented Oct 16, 2018

Hi @ohemorange, I'm working on this today—I think the functionality is right but the tests are a little tricky because currently all renewal tests are doing the random sleep which makes Travis take way too long to complete them. Hopefully the tests will be fixed up later today and then you could review it!

@schoen schoen changed the title WIP on adding a random sleep for noninteractive renewal Add a random sleep for noninteractive renewals Oct 17, 2018
@ohemorange
Copy link
Contributor

I'm guessing the title change means it's ready for a review now?

@schoen
Copy link
Contributor Author

schoen commented Oct 17, 2018 via email

ohemorange
ohemorange requested changes Oct 18, 2018
View reviewed changes
Copy link
Contributor

@ohemorange ohemorange left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The meat of it looks good!

certbot/main.py
@@ -1242,6 +1244,16 @@ def renew(config, unused_plugins):
:rtype: None

"""
if not sys.stdin.isatty():
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's probably safer to put this down in main the function, so we catch any subcommand that people might have put in their crontab.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per our chat discussion, maybe we can find out in Sumologic whether there are any load spikes that can be attributed to uses of certonly (I suspect that they're all due to uses renew). In our chat I pointed out that there might be other unattended uses for initial issuance (if people wrap Certbot with their own scripts) and so we might not want to introduce this delay across-the-board in order to avoid slowing down random scripted uses of Certbot that aren't related to renewals.

I mean, an extreme example could be if someone had set up some kind of unattended script that calls certbot certificates in order to feed some sort of status monitor—it might be annoying to have this command take several minutes to execute! And since it doesn't interact with the CA at all, there's no resource-related reason to make it delay before running.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean, an extreme example could be if someone had set up some kind of unattended script that calls certbot certificates in order to feed some sort of status monitor—it might be annoying to have this command take several minutes to execute! And since it doesn't interact with the CA at all, there's no resource-related reason to make it delay before running.

It does hit OCSP. (And, for certbot-auto, PyPI.)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After checking the logs, looks like most of the spikiness comes from renews (not all! but a lot of it) so I'm cool keeping it here.

@ohemorange ohemorange merged commit e8e3534 into master Nov 21, 2018
@filipkis
Copy link

This is causing a problem in my renew script which doesn't use hooks, but instead turns of webserver runs certbot and then turns webserver back on. Meaning, sometimes the server is down for several minutes due to this change.

Could you provide CLI argument to disable this. Or even better, might be good that it's not enabled by default.

@ohemorange
Copy link
Contributor

@filipkis, can your renew script be refactored to use hooks?

If it currently looks like:

some code before; maybe another line of code
certbot renew
some code after; maybe a second line of after code

Then, you should be able to refactor that to:

certbot renew --pre-hook some code before; maybe another line of code --post-hook some code after; maybe a second line of after code

@filipkis
Copy link

Yes, it can and that's what I've done (after digging into the docs).

Thank you for suggesting though. Might be useful to document this change somewhere else in case others stumble on the same issues.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mnordhoff mnordhoff mnordhoff left review comments

@ohemorange ohemorange ohemorange approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@schoen @ohemorange @filipkis @mnordhoff