dind: ensure node certs are generated serially

The cert gen commands are not intended to be run concurrently.
openshift · Oct 11, 2016 · 5efe73a · 5efe73a
1 parent 606716e
commit 5efe73a
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/images/dind/node/openshift-generate-node-config.sh b/images/dind/node/openshift-generate-node-config.sh
@@ -40,6 +40,13 @@ function ensure-node-config() {
     local ip_addr
     ip_addr="$(ip addr | grep inet | grep eth0 | awk '{print $2}' | sed -e 's+/.*++')"
 
+    # Hold a lock on the shared volume to ensure cert generation is
+    # performed serially.  Cert generation is not compatible with
+    # concurrent execution since the file passed to --signer-serial
+    # needs to be incremented by each invocation.
+    exec 200>"${config_path}"/.openshift-generate-node-config.exclusivelock
+    flock 200
+
     /usr/local/bin/openshift admin create-node-config \
       --node-dir="${config_path}" \
       --node="${host}" \
@@ -51,6 +58,9 @@ function ensure-node-config() {
       --signer-cert="${master_config_path}/ca.crt" \
       --signer-key="${master_config_path}/ca.key" \
       --signer-serial="${master_config_path}/ca.serial.txt"
+
+    # Release the lock
+    flock -o
   fi
 
   # Deploy the node config