On 01/22/2014 03:39 PM, Simo Sorce wrote:
> On Wed, 2014-01-22 at 12:42 +0100, Petr Viktorin wrote:
>> On 01/21/2014 05:12 PM, Martin Kosek wrote:
>>> On 01/21/2014 03:07 PM, Petr Viktorin wrote:
>>>> On 01/16/2014 02:16 PM, Martin Kosek wrote:
>>>>> [freeipa-mkosek-448-add-runas-option-to-run-function.patch]:
>>>>> Run function can now run the specified command as different user by
>>>>> setting the EUID and EGID for executed process.
>>>> Please add the new argument to the docstring, otherwise ACK
>>>>> [freeipa-mkosek-449-switch-httpd-to-use-default-ccache.patch]:
>>>>> Stock httpd no longer uses systemd EnvironmentFile option which is
>>>>> making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard
>>>>> to debug problems during subsequent ipa-server-install's where HTTP
>>>>> may use a stale CCACHE in the default kernel keyring CCACHE.
>>>>> Avoid forcing custom CCACHE and switch to system one, just make sure
>>>>> that it is properly cleaned by kdestroy run as "apache" user during
>>>>> FreeIPA server installation process.
>>>>> https://fedorahosted.org/freeipa/ticket/4084
>>>> This does not fix the issue for me.
>>>> On a fresh f20 machine, I installed the server, uninstalled it, and
>>>> installed again. The second installation failed with the ipa-client-install
>>>> error described in the ticket.
>>> On your VM, I saw the method I use for running a command as a different
>>> process was indeed not effective. I had to change both effective and real
>>> UID/GID to make the kdestroy function working.
>>> I also added the missing docstrings in 448, both for runas as well as other
>>> missing options.
>> Great, thank you! ACK, fixed a typo in the docstring and pushed to 
>> master: f49c26db2c38e5b60a6be990b95c2926ecfa6247
>> For the record, this problem appeared in an install-uninstall-install 
>> cycle with no reboot. It's unlikely to appear in the wild, but happens 
>> all the time in CI and on some developers' workflows.
> Arghh sorry to come in late, but the second patch is not sufficient :-(
> You should run kdestroy -A to remove all ccaches, even non primary ones,
> so that non primary ones are not mistakenly picked up later.
> kdestroy w/o -A will only destroy the primary one if any is selected.
> Simo.

Ok, thanks for the warning. The current patch worked in my environment, but it
is better to do it correctly. Attaching a patch to fix that.

BTW, given you read this patch now - are you OK with the approach? Is it fine
with you that we do not insist on FILE CCACHE for httpd but just use the 
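The two practical points in this thread are that the cleanup command must run with the real UID/GID switched to the web server user, not just the effective ones, and that it must not inherit KRB5CCNAME from the installer's environment. The following is an added illustration of that pattern written for this page; it is not FreeIPA's ipautil.run, and the helper names (run_as_user, destroy_all_ccaches), the use of subprocess with a preexec_fn, and the default user name "apache" are my own choices, not anything from the project's code.

```python
import os
import pwd
import subprocess
import sys


def _demote(uid, gid):
    """Build a preexec_fn that switches the child to uid/gid before exec.

    Called as root, os.setgid()/os.setuid() replace the real, effective
    and saved IDs, so per-UID state such as a KEYRING:persistent:%{uid}
    ccache resolves to the target user.  os.seteuid() alone would leave
    the real UID untouched, which is the pitfall found in the thread.
    """
    def fn():
        if os.geteuid() == 0:
            os.setgroups([])   # drop root's supplementary groups
        os.setgid(gid)         # group first: after setuid() we could not
        os.setuid(uid)         # change groups any more
    return fn


def run_as_user(argv, user, env=None):
    """Run argv as `user` with a clean environment; returns (rc, out, err).

    env defaults to {} so that KRB5CCNAME (or anything else) set in the
    caller's environment cannot leak into the child.  Without PATH in env,
    subprocess falls back to os.defpath, so pass absolute paths or rely on
    /bin and /usr/bin.
    """
    pw = pwd.getpwnam(user)
    if env is None:
        env = {}
    if os.geteuid() != 0 and pw.pw_uid != os.getuid():
        raise PermissionError("need root to switch to user %r" % user)
    proc = subprocess.run(argv, env=env, capture_output=True, text=True,
                          preexec_fn=_demote(pw.pw_uid, pw.pw_gid))
    return proc.returncode, proc.stdout, proc.stderr


def destroy_all_ccaches(user="apache"):
    """Run `kdestroy -A` as `user` (all caches in the collection).

    Returns (ok, detail) instead of silently discarding failures, so a
    cache that survived cleanup shows up in the caller's log.
    """
    try:
        rc, out, err = run_as_user(["kdestroy", "-A"], user)
    except (FileNotFoundError, KeyError, PermissionError) as exc:
        return False, str(exc)
    return rc == 0, (err or out).strip()


def current_user():
    return pwd.getpwuid(os.getuid()).pw_name


def current_ids():
    return (os.getuid(), os.geteuid(), os.getgid(), os.getegid())


def child_ids(user):
    """IDs as observed inside a child started through run_as_user."""
    rc, out, _ = run_as_user(
        [sys.executable, "-c",
         "import os; print(os.getuid(), os.geteuid(), "
         "os.getgid(), os.getegid())"],
        user)
    return tuple(int(x) for x in out.split())


def child_sees_krb5ccname(user):
    """True if KRB5CCNAME leaked into the child despite env={}."""
    _, out, _ = run_as_user(["sh", "-c", 'echo "${KRB5CCNAME-unset}"'], user)
    return out.strip() != "unset"


if __name__ == "__main__":
    os.environ["KRB5CCNAME"] = "FILE:/tmp/should-not-leak"  # constructed
    print("child ids:", child_ids(current_user()))
    print("KRB5CCNAME leaked:", child_sees_krb5ccname(current_user()))
    print("kdestroy -A:", destroy_all_ccaches(current_user()))
```

Run as root with a real target user to see all four IDs change; as an unprivileged user it can only be exercised against your own account, which is still enough to confirm that nothing from the parent environment reaches the child.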

From e87536f31d05ef36b7b7e28b88bb3fb8fca98938 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Wed, 22 Jan 2014 16:08:51 +0100
Subject: [PATCH] httpd should destroy all CCACHEs

Use "kdestroy -A" command to destroy all CCACHEs, both the primary
and the non-primary ones to make sure that the non-primary ones are
not used later.

 ipaserver/install/httpinstance.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 12cb2e013ee4f6104f6c366882945c25b4ffc696..34e58fbb845c91c42a37d94a172e167cfb6f1790 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -218,7 +218,7 @@ def remove_httpd_ccache(self):
         # Clean up existing ccache
         # Make sure that empty env is passed to avoid passing KRB5CCNAME from
         # current env
-        ipautil.run(['kdestroy'], runas='apache', raiseonerr=False, env={})
+        ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={})
     def __configure_http(self):
         target_fname = '/etc/httpd/conf.d/ipa.conf'
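Review bot: raiseonerr=False on the `kdestroy -A` line swallows exactly the failure this ticket calls hard to debug; consider logging the result of the ipautil.run call (at least the exit status and stderr) so a cache that survived cleanup is visible in the install log. Two further caveats on the same line: `-A` only changes behaviour for a collection-type cache (KEYRING:, DIR:), and with the per-UID persistent keyring the cache that gets destroyed is selected by the real UID the command runs under, so this relies on runas='apache' switching the real UID/GID as well as the effective ones, as found earlier in the thread, not only the effective ones. The env={} comment above the call is still correct and worth keeping: without it the installer's KRB5CCNAME would point kdestroy at the wrong cache.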

Freeipa-devel mailing list
