On Mon, 04 May 2015, Martin Babinsky wrote:
On 04/30/2015 08:23 AM, Alexander Bokovoy wrote:
On Thu, 30 Apr 2015, Jan Cholasta wrote:

On 29.4.2015 at 19:42 Martin Babinsky wrote:
The attached patch is a merge of PATCHES 0031-0032 incorporating Simo's
and Martin's suggestions (see e.g.
for reference).


IMHO we should set the environment variable in
/etc/systemd/system/httpd.service, instead of providing a new service
file, because we are just changing configuration, not creating a new
concurrent httpd instance, as is the case with ipa-memcached, and also
not using alternative httpd implementation which masks the current
one, as is the case with bind-pkcs11. It would simplify the whole
thing significantly and it's even recommended in httpd.service to do
I agree.


  # For example, to pass additional options (for instance, -D definitions) to the
  # httpd binary at startup, you need to create a file named
  # "/etc/systemd/system/httpd.service" containing:
  #    .include /lib/systemd/system/httpd.service
  #    [Service]
  #    Environment=OPTIONS=-DMY_DEFINE

(BTW I wonder why /etc/sysconfig/httpd support was removed from httpd
in Fedora; it seems like a better place to customize environment variables,
rather than having to create a modified service file...)
We had a discussion with Joe Orton (httpd maintainer) a while ago and his
arguments were the following:
Hi guys, we made that change to adopt what is considered "best practice"
for systemd.  The change is not in RHEL7, only Fedora >= 20.

I would not say we are strongly wedded to that change, but the use case
you provide seems very weak.  /etc/sysconfig/httpd is intended to be
user-configurable and if users do "rm -f /etc/sysconfig/httpd" then
Fedora packages should keep working correctly.  Can we find a more
robust way to achieve the same results?  Why is it required that the
environment variable is set globally within /usr/sbin/httpd?

... [and later in the discussion]

I'd argue that in this case you should not be using httpd.service as-is;
instead it would be correct to create an "httpd-ipa.service" unit file
or similar, which can ".include" the system httpd.service, and sets up
the appropriate Environment= (or EnvironmentFile=) directly.

Also, if the intent is purely to change mod_auth_kerb's interaction
with libkrb5, is there no way to do this via the libkrb API - or
mod_auth_kerb's existing use thereof?

The use of /etc/sysconfig/httpd has historically been a mild PITA and
I'm not seeing a compelling reason to revert the decision to kill it

Anyway, I would prefer if we set it in a way that works on non-systemd
distros as well. Can't we just set "GssapiCredStore
ccache:FILE:/var/run/httpd/krbcache/krb5ccache" in
It is not just mod_auth_gssapi, it is needed for users of the
credentials obtained by mod_auth_gssapi. mod_auth_gssapi only sets
KRB5CCNAME value when there is delegation of credentials in use and
there is something to delegate.

Ok, attaching updated patches. After the discussion with Martin^1 we decided to play it safe and put KRB5CCNAME into /etc/systemd/system/httpd.service.

Martin^3 Babinsky

From 6042f4ce093890394da4f6e625d5cc745b285c35 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 28 Apr 2015 16:24:02 +0200
Subject: [PATCH] provide dedicated ccache file for httpd

httpd service stores Kerberos credentials in kernel keyring which gets
destroyed and recreated during service install/upgrade, causing problems when
the process is run under SELinux context other than 'unconfined_t'. This patch
enables HTTPInstance to set up a dedicated CCache file for Apache to store

freeipa.spec.in            | 4 ++++
init/systemd/httpd.service | 4 ++++
2 files changed, 8 insertions(+)
create mode 100644 init/systemd/httpd.service

diff --git a/freeipa.spec.in b/freeipa.spec.in
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -12,6 +12,7 @@

%global plugin_dir %{_libdir}/dirsrv/plugins
+%global etc_systemd_dir %{_sysconfdir}/systemd/system
%global gettext_domain ipa
%if 0%{?rhel}
%global platform_module rhel
@@ -470,8 +471,10 @@ touch 

# NOTE: systemd specific section
mkdir -p %{buildroot}%{_unitdir}
+mkdir -p %{buildroot}%{etc_systemd_dir}
install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
install -m 644 init/systemd/ipa_memcached.service 
+install -m 644 init/systemd/httpd.service 
mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
%endif # ONLY_CLIENT
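Review bot: the mkdir of %{buildroot}%{etc_systemd_dir} in this hunk, together with the %files entry, puts a package-shipped unit into /etc/systemd/system, which systemd reserves for the administrator's local overrides rather than for packages; a full httpd.service there shadows the vendor unit host-wide and clobbers any override an admin already keeps at that path. A drop-in under %{etc_systemd_dir}/httpd.service.d/ (for example ipa.conf containing only `[Service]` and `Environment=KRB5CCNAME=...`) sets the variable without replacing the unit and coexists with other packages' and admins' changes. Also, the diffstat lists init/systemd/httpd.service as a new file, but no hunk for it appears in the patch shown, so the actual Environment= value and whether it relies on .include cannot be reviewed here.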
@@ -691,6 +694,7 @@ fi
%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{etc_systemd_dir}/httpd.service
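Review bot: %{etc_systemd_dir}/httpd.service is listed as a plain %attr file although it lives under /etc; without %config(noreplace) rpm will silently overwrite a locally edited copy on every upgrade, which defeats the purpose of the /etc/systemd/system location. Mark it %config(noreplace), or move the setting into a drop-in directory so no whole-unit file has to be owned there at all. Separately, the package does not own %{etc_systemd_dir} itself, so an explicit Requires on that directory is needed rather than relying on the transitive systemd-units dependency.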
There is a minor issue: a lack of

Requires: /etc/systemd/system

which is needed because the /etc/systemd/system directory is owned by a
different package. We require systemd-units, which is provided by the systemd
package as well, so it is sort of mitigated by that, but it would be
good to be explicit in the require. And yes, you can require the
directory because systemd provides it:

$ rpm -q --whatprovides /etc/systemd/system

Otherwise, ACK.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

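The thread moves httpd's Kerberos credentials from a kernel keyring to a FILE ccache (the GssapiCredStore value `ccache:FILE:/var/run/httpd/krbcache/krb5ccache` and a matching KRB5CCNAME in the httpd unit). What the thread does not spell out is the check that goes with that choice: a file ccache holds httpd's own TGT and, when delegation is in use, delegated user credentials, so the cache file and the directory holding it must belong to the httpd user and be closed to everyone else. The script below is an added example written for this page, not FreeIPA or httpd code; it assumes a Linux host and the layout discussed above (a FILE ccache under a dedicated directory owned by the httpd service user), and all function names are this example's own. It parses a KRB5CCNAME value, audits ownership, mode and symlink status of the cache path, shows how to read KRB5CCNAME out of a running process via /proc to confirm the unit override reached the workers, and runs a constructed before/after scenario in a temporary directory.

```python
"""Audit the FILE ccache that httpd is pointed at through KRB5CCNAME.

Added example, not FreeIPA or httpd code.  Assumes a Linux host and the
layout discussed in the thread: a FILE ccache such as
/var/run/httpd/krbcache/krb5ccache owned by the httpd service user.
Function names are this example's own.
"""
import os
import stat
import tempfile
from pathlib import Path


def parse_ccname(ccname):
    """Split a KRB5CCNAME value into (type, residual).

    libkrb5 treats a value with no 'TYPE:' prefix as a FILE ccache, so
    'FILE:/var/run/httpd/krbcache/krb5ccache' and the bare path name the
    same location.  Other types (KEYRING:, DIR:, MEMORY:) are returned as-is.
    """
    ctype, sep, residual = ccname.partition(":")
    if not sep or "/" in ctype:
        return "FILE", ccname
    return ctype.upper(), residual


def _check_owner_and_mode(path, st, owner_uid, findings):
    """Shared checks: must belong to owner_uid and be closed to group/other."""
    if st.st_uid != owner_uid:
        findings.append(f"{path} is owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path} mode {oct(stat.S_IMODE(st.st_mode))} is group/world accessible")


def audit_file_ccache(ccname, owner_uid):
    """Return a list of findings for a FILE ccache; an empty list means OK.

    Both the cache file and its parent directory are checked, because a
    directory that others can write lets them replace or redirect the cache
    even when the file itself is 0600.  Symlinks are rejected for the same
    reason: a link controlled by another user decides where the cache goes.
    """
    ctype, path = parse_ccname(ccname)
    if ctype != "FILE":
        return [f"{ccname} is not a FILE ccache (type {ctype}); nothing to audit"]
    cache = Path(path)
    ccdir = cache.parent
    findings = []
    if not ccdir.is_dir():
        return [f"ccache directory {ccdir} does not exist"]
    if ccdir.is_symlink():
        findings.append(f"{ccdir} is a symlink")
    _check_owner_and_mode(ccdir, ccdir.stat(), owner_uid, findings)
    if cache.is_symlink():
        findings.append(f"{cache} is a symlink")
    elif cache.exists():
        _check_owner_and_mode(cache, cache.stat(), owner_uid, findings)
    return findings


def krb5ccname_of(pid):
    """Read KRB5CCNAME from a running process's environment (Linux /proc).

    Needs the same uid as the process or root.  Run it against an httpd
    worker pid to confirm the systemd Environment= override really took.
    """
    environ = Path(f"/proc/{pid}/environ").read_bytes()
    for entry in environ.split(b"\0"):
        if entry.startswith(b"KRB5CCNAME="):
            return entry.partition(b"=")[2].decode()
    return None


def demo():
    """Constructed scenario: a 0755 cache directory, then the hardened layout.

    Returns (findings_before, findings_after) so the effect of the fix is
    visible without touching a real httpd installation.
    """
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        ccdir = Path(tmp, "krbcache")
        ccdir.mkdir()
        ccdir.chmod(0o755)                      # the weak setting: world-traversable
        ccname = f"FILE:{ccdir / 'krb5ccache'}"
        before = audit_file_ccache(ccname, uid)
        ccdir.chmod(0o700)                      # only the httpd user may enter
        (ccdir / "krb5ccache").touch()
        (ccdir / "krb5ccache").chmod(0o600)     # only the httpd user may read
        after = audit_file_ccache(ccname, uid)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "clean")
    print("after: ", after or "clean")
```

On a real server, run `audit_file_ccache(krb5ccname_of(pid), pwd.getpwnam("apache").pw_uid)` against an httpd worker pid; a non-empty result means either the unit override did not apply or the cache directory was created with permissions that expose the service's and delegated users' credentials.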