The attached patches address
https://fedorahosted.org/freeipa/ticket/4973 and implement the solution
proposed in Comment 2.
Please review the hell out of them.
--
Martin^3 Babinsky
From 6a6a4561f0faf817a027280bb93e74823416ed01 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 28 Apr 2015 16:24:02 +0200
Subject: [PATCH 1/2] HTTPInstance should set up dedicated CCache file for
httpd
The httpd service stores Kerberos credentials in a kernel keyring, which gets
destroyed and recreated during service install/upgrade. If the process is run
under SELinux context other than 'unconfined_t', the recreated keyring is
inaccessible to Apache. This patch enables HTTPInstance to set up a dedicated
CCache file for Apache to store credentials.
https://fedorahosted.org/freeipa/ticket/4973
---
install/share/Makefile.am | 1 +
install/share/httpd.service.template | 4 ++++
ipaserver/install/httpinstance.py | 18 ++++++++++++++++++
3 files changed, 23 insertions(+)
create mode 100644 install/share/httpd.service.template
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index ca6128e2911ab5c0a773dd553f8e67eab944f120..15f4a323d5a2df1af9522611b4453d1d9dae7c94 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -76,6 +76,7 @@ app_DATA = \
copy-schema-to-ca.py \
sasl-mapping-fallback.ldif \
schema-update.ldif \
+ httpd.service.template \
$(NULL)
EXTRA_DIST = \
diff --git a/install/share/httpd.service.template b/install/share/httpd.service.template
new file mode 100644
index 0000000000000000000000000000000000000000..f990c92fb1f23f43dfa6df8795d471e0ea937c1d
--- /dev/null
+++ b/install/share/httpd.service.template
@@ -0,0 +1,4 @@
+.include $LIB_SYSTEMD_HTTPD_SERVICE
+
+[Service]
+Environment=KRB5CCNAME=/tmp/ipa-httpd.ccache
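Review bot: `Environment=KRB5CCNAME=/tmp/ipa-httpd.ccache` on the last line of the template puts the service's credential cache at a fixed, predictable name inside a directory every local user can write to, so whatever another user has already placed at that name (a file or a symlink) is what httpd opens on first use. A directory created by the installer, owned by the apache user and not writable by others, removes that exposure and also keeps the cache out of tmp-cleaning. If the stock httpd.service pulled in through `.include` runs with a private /tmp the risk is smaller, but that is not visible in this patch and the reason for the chosen location deserves a comment in the template, e.g. `# ccache must be a file: the kernel keyring is recreated on install/upgrade and becomes unreadable under a confined SELinux context`.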
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 18cf6bb1a55512f475bde62b2db7a775945a97ec..7568f4df239e0da3f09438021fa399cc4f841ed9 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -87,6 +87,8 @@ class HTTPInstance(service.Service):
self.cert_nickname = cert_nickname
self.ca_is_configured = True
+ self.service_file = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR,
+ 'httpd.service')
subject_base = ipautil.dn_attribute_property('_subject_base')
@@ -109,6 +111,8 @@ class HTTPInstance(service.Service):
DOMAIN=self.domain,
AUTOREDIR='' if auto_redirect else '#',
CRL_PUBLISH_PATH=dogtag.install_constants.CRL_PUBLISH_PATH,
+ LIB_SYSTEMD_HTTPD_SERVICE=os.path.join(
+ paths.LIB_SYSTEMD_SYSTEMD_DIR, 'httpd.service')
)
self.ca_file = ca_file
if ca_is_configured is not None:
@@ -135,6 +139,8 @@ class HTTPInstance(service.Service):
self.step("publish CA cert", self.__publish_ca_cert)
self.step("creating a keytab for httpd", self.__create_http_keytab)
self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
+ self.step("creating custom systemd service file",
+ self.create_custom_service_file)
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
self.step("restarting httpd", self.__start)
self.step("configuring httpd to start on boot", self.__enable)
@@ -191,6 +197,15 @@ class HTTPInstance(service.Service):
http_fd.close()
os.chmod(target_fname, 0644)
+ def create_custom_service_file(self):
+ service_file_template = os.path.join(ipautil.SHARE_DIR,
+ 'httpd.service.template')
+
+ ipautil.copy_template_file(service_file_template,
+ self.service_file,
+ self.sub_dict)
+ os.chmod(self.service_file, 0644)
+
def change_mod_nss_port_from_http(self):
# mod_ssl enforces SSLEngine on for vhost on 443 even though
# the listener is mod_nss. This then crashes the httpd as mod_nss
@@ -432,6 +447,9 @@ class HTTPInstance(service.Service):
if enabled:
self.enable()
+ # remove the custom service file
+ installutils.remove_file(self.service_file)
+
def stop_tracking_certificates(self):
db = certs.CertDB(api.env.realm)
db.untrack_server_cert(self.cert_nickname)
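Review bot: The uninstall path added at `installutils.remove_file(self.service_file)` removes the custom unit but leaves behind the credential cache the unit pointed httpd at (`/tmp/ipa-httpd.ccache` in the template), so the service's Kerberos credentials survive uninstall on disk. Keeping the ccache path in one place that both the template substitution and the uninstall code read, and removing the file here, would close that gap; the same daemon-reload consideration as after writing the unit applies after removing it. The enclosing uninstall method starts outside this hunk, so whether an earlier step already deletes the file cannot be confirmed from here.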
--
2.1.0
From 99949e6db6e44fe0c1245bd293a09dda899c9fce Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 28 Apr 2015 16:34:33 +0200
Subject: [PATCH 2/2] rename httpd.service to ipa-httpd.service
The Apache server service controlled by HTTPInstance is renamed to
ipa-httpd.service.
https://fedorahosted.org/freeipa/ticket/4973
---
install/share/Makefile.am | 2 +-
.../share/{httpd.service.template => ipa-httpd.service.template} | 0
ipaplatform/redhat/services.py | 1 +
ipaserver/install/httpinstance.py | 6 +++---
ipaserver/install/service.py | 2 +-
5 files changed, 6 insertions(+), 5 deletions(-)
rename install/share/{httpd.service.template => ipa-httpd.service.template} (100%)
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 15f4a323d5a2df1af9522611b4453d1d9dae7c94..9f6eaab7b3d9ab6931f1797e8672c6eaf09e700b 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -76,7 +76,7 @@ app_DATA = \
copy-schema-to-ca.py \
sasl-mapping-fallback.ldif \
schema-update.ldif \
- httpd.service.template \
+ ipa-httpd.service.template \
$(NULL)
EXTRA_DIST = \
diff --git a/install/share/httpd.service.template b/install/share/ipa-httpd.service.template
similarity index 100%
rename from install/share/httpd.service.template
rename to install/share/ipa-httpd.service.template
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index c9994e409a8a005012c0467c016608b8f689eef1..30d8b0d648c6fe9a1b10850f1204380218a55f6e 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -74,6 +74,7 @@ redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
redhat_system_units['ods-signerd'] = 'ods-signerd.service'
redhat_system_units['ods_signerd'] = redhat_system_units['ods-signerd']
+redhat_system_units['ipa-httpd'] = 'ipa-httpd.service'
# Service classes that implement Red Hat OS family-specific behaviour
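Review bot: Registering `redhat_system_units['ipa-httpd'] = 'ipa-httpd.service'` turns the rendered template from an override of httpd.service (patch 1) into a second, independent unit that `.include`s the stock one, so both units can be started and will both try to bind the same ports; nothing in this series stops or disables the stock httpd.service, which on an upgraded server is presumably still enabled from the earlier install. A `Conflicts=httpd.service` line in the `[Service]`-bearing template (or an explicit disable of httpd.service during install) would make the relationship between the two units unambiguous, and the mapping here deserves a comment such as `# ipa-httpd.service is the IPA-rendered unit that wraps the distribution's httpd.service`. The httpinstance.py hunks in this patch only rename the string and share this concern.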
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7568f4df239e0da3f09438021fa399cc4f841ed9..72e9d2b2deb5ec7b87a6d710fb114fc5f8748e67 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -79,7 +79,7 @@ class WebGuiInstance(service.SimpleServiceInstance):
class HTTPInstance(service.Service):
def __init__(self, fstore=None, cert_nickname='Server-Cert'):
- service.Service.__init__(self, "httpd", service_desc="the web interface")
+ service.Service.__init__(self, "ipa-httpd", service_desc="the web interface")
if fstore:
self.fstore = fstore
else:
@@ -88,7 +88,7 @@ class HTTPInstance(service.Service):
self.cert_nickname = cert_nickname
self.ca_is_configured = True
self.service_file = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR,
- 'httpd.service')
+ 'ipa-httpd.service')
subject_base = ipautil.dn_attribute_property('_subject_base')
@@ -199,7 +199,7 @@ class HTTPInstance(service.Service):
def create_custom_service_file(self):
service_file_template = os.path.join(ipautil.SHARE_DIR,
- 'httpd.service.template')
+ 'ipa-httpd.service.template')
ipautil.copy_template_file(service_file_template,
self.service_file,
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 5a04ef323c1e89588a746603b52cbb4b9cdb8496..33202387fdc0407665864ed062addac7581ef9aa 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -39,7 +39,7 @@ SERVICE_LIST = {
'KPASSWD': ('kadmin', 20),
'DNS': ('named', 30),
'MEMCACHE': ('ipa_memcached', 39),
- 'HTTP': ('httpd', 40),
+ 'HTTP': ('ipa-httpd', 40),
'CA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50),
'ADTRUST': ('smb', 60),
'EXTID': ('winbind', 70),
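Review bot: Changing the `SERVICE_LIST` entry to `'HTTP': ('ipa-httpd', 40)` renames the service identifier that existing installations were set up with, and no migration of the old `httpd` name appears in this series; if these names are persisted anywhere on already-installed servers, an upgrade would stop recognising their HTTP service until that record is updated. A comment on this line noting the rename and the upgrade expectation, e.g. `# renamed from 'httpd' in ticket 4973; upgrades must map the old name`, would at least record the dependency for whoever writes the upgrade step.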
--
2.1.0