On 04/30/2015 08:23 AM, Alexander Bokovoy wrote:
On Thu, 30 Apr 2015, Jan Cholasta wrote:

Dne 29.4.2015 v 19:42 Martin Babinsky napsal(a):
The attached patch is a merge of PATCHES 0031-0032 incorporating Simo's
and Martin's suggestions (see e.g.
for reference).


IMHO we should set the environment variable in
/etc/systemd/system/httpd.service, instead of providing a new service
file, because we are just changing configuration, not creating a new
concurrent httpd instance, as is the case with ipa-memcached, and also
not using alternative httpd implementation which masks the current
one, as is the case with bind-pkcs11. It would simplify the whole
thing significantly and it's even recommended in httpd.service to do
I agree.


   # For example, to pass additional options (for instance, -D
definitions) to the
   # httpd binary at startup, you need to create a file named
   # "/etc/systemd/system/httpd.service" containing:
   #    .include /lib/systemd/system/httpd.service
   #    [Service]
   #    Environment=OPTIONS=-DMY_DEFINE

(BTW I wonder why /etc/sysconfig/httpd support was removed from httpd
in Fedora
it seems like a better place to customize environment variables,
rather than having to create a modified service file...)
We had discussion with Joe Orton (httpd maintainer) a while ago and his
arguments were following:
Hi guys, we made that change to adopt what is considered "best practice"
for systemd.  The change is not in RHEL7, only Fedora >= 20.

I would not say we are strongly wedded to that change, but the use case
you provide seems very weak.  /etc/sysconfig/httpd is intended to be
user-configurable and if users do "rm -f /etc/sysconfig/httpd" then
Fedora packages should keep working correctly.  Can we find a more
robust way to achieve the same results?  Why is it required that the
environment variable is set globally within /usr/sbin/httpd?

... [and later in dicussion]

I'd argue that in this case you should not be using httpd.service as-is;
instead it would be correct to create an "httpd-ipa.service" unit file
or similar, which can ".include" the system httpd.service, and sets up
the appropriate Environment= (or EnvironmentFile=) directly.

Also, if the intent is to purely to change mod_auth_kerb's interaction
with libkrb5 is there no way to do this via the libkrb API - or
mod_auth_kerb's existing use thereof?

The use of /etc/sysconfig/httpd has historically been a mild PITA and
I'm not seeing a compelling reason to revert the decision to kill it

Anyway, I would prefer if we set it in a way that works on non-systemd
distros as well. Can't we just set "GssapiCredStore
ccache:FILE:/var/run/httpd/krbcache/krb5ccache" in
It is not just mod_auth_gssapi, it is needed for users of the
credentials obtained by mod_auth_gssapi. mod_auth_gssapi only sets
KRB5CCNAME value when there is delegation of credentials in use and
there is something to delegate.

Ok, attaching updated patches. After the discussion with Martin^1 we decided to play it safe and put KRB5CCNAME into /etc/systemd/system/httpd.service.

Martin^3 Babinsky
From 6042f4ce093890394da4f6e625d5cc745b285c35 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 28 Apr 2015 16:24:02 +0200
Subject: [PATCH] provide dedicated ccache file for httpd

httpd service stores Kerberos credentials in kernel keyring which gets
destroyed and recreated during service install/upgrade, causing problems when
the process is run under SELinux context other than 'unconfined_t'. This patch
enables HTTPInstance to set up a dedicated CCache file for Apache to store

 freeipa.spec.in            | 4 ++++
 init/systemd/httpd.service | 4 ++++
 2 files changed, 8 insertions(+)
 create mode 100644 init/systemd/httpd.service

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 608242b5adbc43efbbf0ae30a6d7a933bebc1084..664162fe918f03049c27f70c9e7f852a11c50a8c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -12,6 +12,7 @@
 %global plugin_dir %{_libdir}/dirsrv/plugins
+%global etc_systemd_dir %{_sysconfdir}/systemd/system
 %global gettext_domain ipa
 %if 0%{?rhel}
 %global platform_module rhel
@@ -470,8 +471,10 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
 # NOTE: systemd specific section
 mkdir -p %{buildroot}%{_unitdir}
+mkdir -p %{buildroot}%{etc_systemd_dir}
 install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
 install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
+install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service
 # END
 mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
 %endif # ONLY_CLIENT
@@ -691,6 +694,7 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{etc_systemd_dir}/httpd.service
 # END
 %dir %{python_sitelib}/ipaserver
 %dir %{python_sitelib}/ipaserver/install
diff --git a/init/systemd/httpd.service b/init/systemd/httpd.service
new file mode 100644
index 0000000000000000000000000000000000000000..ef1e6bfda06f1a1d703a174040f1f6e6ea0757c7
--- /dev/null
+++ b/init/systemd/httpd.service
@@ -0,0 +1,4 @@
+.include /usr/lib/systemd/system/httpd.service

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to