On 01/22/2014 04:42 PM, Simo Sorce wrote:
> On Wed, 2014-01-22 at 16:14 +0100, Martin Kosek wrote:
>> On 01/22/2014 03:39 PM, Simo Sorce wrote:
>>> On Wed, 2014-01-22 at 12:42 +0100, Petr Viktorin wrote:
>>>> On 01/21/2014 05:12 PM, Martin Kosek wrote:
>>>>> On 01/21/2014 03:07 PM, Petr Viktorin wrote:
>>>>>> On 01/16/2014 02:16 PM, Martin Kosek wrote:
>>>>>>> [freeipa-mkosek-448-add-runas-option-to-run-function.patch]:
>>>>>>>
>>>>>>> Run function can now run the specified command as different user by
>>>>>>> setting the EUID and EGID for executed process.
>>>>>>
>>>>>> Please add the new argument to the docstring, otherwise ACK
>>>>>>
>>>>>>> [freeipa-mkosek-449-switch-httpd-to-use-default-ccache.patch]:
>>>>>>>
>>>>>>> Stock httpd no longer uses systemd EnvironmentFile option which is
>>>>>>> making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard
>>>>>>> to debug problems during subsequent ipa-server-install's where HTTP
>>>>>>> may use a stale CCACHE in the default kernel keyring CCACHE.
>>>>>>>
>>>>>>> Avoid forcing custom CCACHE and switch to system one, just make sure
>>>>>>> that it is properly cleaned by kdestroy run as "apache" user during
>>>>>>> FreeIPA server installation process.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/4084
>>>>>>
>>>>>> This does not fix the issue for me.
>>>>>> On a fresh f20 machine, I installed the server, uninstalled it, and
>>>>>> installed again. The second installation failed with the
>>>>>> ipa-client-install error described in the ticket.
>>>>>>
>>>>>
>>>>> On your VM, I saw the method I use for running a command as different
>>>>> process was indeed not effective. I had to change both effective and
>>>>> real UID/GID to make the kdestroy function working.
>>>>>
>>>>> I also added the missing docstrings in 448, both for runas as well as
>>>>> other missing options.
>>>>
>>>> Great, thank you!
>>>> ACK, fixed a typo in the docstring and pushed to
>>>> master: f49c26db2c38e5b60a6be990b95c2926ecfa6247
>>>>
>>>> For the record, this problem appeared in an install-uninstall-install
>>>> cycle with no reboot. It's unlikely to appear in the wild, but happens
>>>> all the time in CI and on some developers' workflows.
>>>>
>>>
>>> Arghh sorry to come in late, but the second patch is not sufficient :-(
>>>
>>> You should run kdestroy -A to remove all ccaches, even non primary ones,
>>> so that non primary ones are not mistakenly picked up later.
>>> kdestroy w/o -A will only destroy the primary one if any is selected.
>>>
>>> Simo.
>>
>> Ok, thanks for the warning. Current patch worked in my environment, but is
>> better to do it correctly. Attaching a patch to fix that.
>
> Ack to the patch

Pushed to master.

>
>> BTW, given you read this patch now - are you OK with the approach? Is it fine
>> with you that we do not insist on FILE CCACHE for httpd but just use the
>> default?
>
> Yeah, I see no problem, people can always change the system wide default
> or add their own unit file if they really have an issue with this, so it
> is not like a change that pins us down in any specifically bad way.
>
> Simo.
>

Ok.

Thanks,
Martin
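The point the thread converges on, as an added example that is not the code from patches 448/449 or from FreeIPA: run a command as another user with the real, effective and saved IDs all switched, then run `kdestroy -A` that way. The function names, the use of `preexec_fn` and the `setgroups([gid])` step are assumptions of this sketch.

```python
import os
import pwd
import subprocess
import sys


def make_demoter(uid, gid):
    """Build a preexec_fn that makes the child fully become uid/gid."""
    def demote():
        # Supplementary groups first, while the process may still do so.
        # Unprivileged callers can only target themselves, so skip it there.
        if os.geteuid() == 0:
            os.setgroups([gid])
        # Group before user, and real + effective + saved IDs together:
        # with only EUID/EGID changed, getuid() in the child still
        # returns the caller's UID.
        os.setresgid(gid, gid, gid)
        os.setresuid(uid, uid, uid)
    return demote


def run_as(argv, uid, gid):
    """Run argv with all UIDs/GIDs switched; return (returncode, stdout)."""
    proc = subprocess.run(argv, preexec_fn=make_demoter(uid, gid),
                          stdout=subprocess.PIPE, universal_newlines=True)
    return proc.returncode, proc.stdout


def child_uids(uid, gid):
    """Return (returncode, (real, effective, saved)) as seen by the child."""
    probe = [sys.executable, "-c", "import os; print(*os.getresuid())"]
    rc, out = run_as(probe, uid, gid)
    return rc, tuple(int(x) for x in out.split())


def destroy_all_ccaches(username="apache"):
    """Run `kdestroy -A` as the service user so no ccache is left over."""
    pw = pwd.getpwnam(username)
    return run_as(["kdestroy", "-A"], pw.pw_uid, pw.pw_gid)[0]


if __name__ == "__main__":
    # Safe self-check: "switch" to the current user and show the child's IDs.
    print(child_uids(os.getuid(), os.getgid()))
```

`destroy_all_ccaches()` needs to be called as root on a host that has the `apache` account and `kdestroy` installed; `child_uids()` can be run by any user against their own IDs to confirm what the child process sees.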