I think this is an extension of a problem I've seen before ... even when you're
not using secure sockets, our clients try to load the certificates database
"just in case", and an apparent side-effect of this is to create an empty
certificate database in $HOME/.pki/nssdb directory, even if one did not exist
before.
706 is failing with new messages of the form
[Fri Apr 19 19:23:48] multifetch(625) Warning: __pmConnectPMCD: certificate
database exists, but failed initialization
The failure is non deterministic. If $HOME/.pki/nssdb has been populated it
does not fail. Otherwise there are 0, 1 or 2 failures as the test runs 4
instances of the qa multifetch application in a parallel, and I guess some of
them see the effects of another creating the directory structure and populating
the files (I believe the database is considered "empty" in between these
events).
I think the behaviour in libpcp is wrong here ... if $HOME/.pki/nssdb does not
exist, we should not create it as a by-product of trying to load certificates
that cannot possibly exist. This would also avoid polluting $HOME with .pki
for those users not interested in using secure sockets for PCP.
But I've had a quick look at the code in nss_connect.c and can't see how this
might be easily done as the path for the certificates database seems to be set
in NSS_InitReadWrite() and cached someplace outside libpcp's control until it
is apparently used under the covers in saveUserCertificate().
Is this fixable in libpcp?
Otherwise I'll have to dance around it in QA land.
|