On Fri, Apr 30, 2021 at 10:58:25PM -0600, Theo de Raadt wrote: > Sebastian Benoit <be...@openbsd.org> wrote: > > > Claudio Jeker(cje...@diehard.n-r-g.com) on 2021.04.29 15:34:15 +0200: > > > Like for rsync repos files in the RRDP repos should be delayed until after > > > the validation finished. As with anything RPKI related there is little > > > trust in the repositories and their abilities to not botch an update. > > This is also working nicely for me. > > > You could get a file listing at the start and then remove files from the > > list that are referenced, at the end you delete the ones left. > > That isn't an unreasonable idea. > > If we go that way, we might need to be careful of >1 rpki-client running > against the same repo, because they can confuse their filesystem. Most > of these cases will lead to rpki-client aborting since it is pretty paranoid > about inconsistancy in the filesystem, but I'm not sure if all potential > weirdness > can be anticipated and handled. > > So, that would suggest some sort of lockout against running multiple > rpki-client with the correct termination strategy. I don't believe we > have such a thing right now. We have the timeout, to ensure rpki-client > doesn't run too long which may prevent simultaneous runs, but I'm not > sure it covers all cases (imagine a weird case where two rpki-client are > "unintentionally" started at the same time) >
We currently depend on cron to do the right thing and not start two rpki-client at the same time. I would prefer to leave it up to cron (or whatever other method people use to run rpki-client) and not add complicated locking into rpki-client itself. -- :wq Claudio