On Mon, 04 May 2015, Martin Babinsky wrote:
On 04/30/2015 08:23 AM, Alexander Bokovoy wrote:
On Thu, 30 Apr 2015, Jan Cholasta wrote:
Hi,

Dne 29.4.2015 v 19:42 Martin Babinsky napsal(a):
The attached patch is a merge of PATCHES 0031-0032 incorporating Simo's
and Martin's suggestions (see e.g.
https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html
for reference).

https://fedorahosted.org/freeipa/ticket/4973

IMHO we should set the environment variable in
/etc/systemd/system/httpd.service, instead of providing a new service
file, because we are just changing configuration, not creating a new
concurrent httpd instance, as is the case with ipa-memcached, and also
not using alternative httpd implementation which masks the current
one, as is the case with bind-pkcs11. It would simplify the whole
thing significantly and it's even recommended in httpd.service to do
so:

I agree.

  # For example, to pass additional options (for instance, -D
definitions) to the
  # httpd binary at startup, you need to create a file named
  # "/etc/systemd/system/httpd.service" containing:
  #    .include /lib/systemd/system/httpd.service
  #    [Service]
  #    Environment=OPTIONS=-DMY_DEFINE

(BTW I wonder why /etc/sysconfig/httpd support was removed from httpd
in Fedora
(<http://pkgs.fedoraproject.org/cgit/httpd.git/commit/?id=0b19f7b6e1a47c6167a8ab43b4a9d1e759b54721>),
it seems like a better place to customize environment variables,
rather than having to create a modified service file...)
We had a discussion with Joe Orton (httpd maintainer) a while ago and his
arguments were the following:
----
Hi guys, we made that change to adopt what is considered "best practice"
for systemd.  The change is not in RHEL7, only Fedora >= 20.

I would not say we are strongly wedded to that change, but the use case
you provide seems very weak.  /etc/sysconfig/httpd is intended to be
user-configurable and if users do "rm -f /etc/sysconfig/httpd" then
Fedora packages should keep working correctly.  Can we find a more
robust way to achieve the same results?  Why is it required that the
environment variable is set globally within /usr/sbin/httpd?

... [and later in discussion]

I'd argue that in this case you should not be using httpd.service as-is;
instead it would be correct to create an "httpd-ipa.service" unit file
or similar, which can ".include" the system httpd.service, and sets up
the appropriate Environment= (or EnvironmentFile=) directly.

Also, if the intent is purely to change mod_auth_kerb's interaction
with libkrb5 is there no way to do this via the libkrb API - or
mod_auth_kerb's existing use thereof?

The use of /etc/sysconfig/httpd has historically been a mild PITA and
I'm not seeing a compelling reason to revert the decision to kill it
here.
----

Anyway, I would prefer if we set it in a way that works on non-systemd
distros as well. Can't we just set "GssapiCredStore
ccache:FILE:/var/run/httpd/krbcache/krb5ccache" in
/etc/httpd/conf.d/ipa.conf?
It is not just mod_auth_gssapi, it is needed for users of the
credentials obtained by mod_auth_gssapi. mod_auth_gssapi only sets
KRB5CCNAME value when there is delegation of credentials in use and
there is something to delegate.



Ok, attaching updated patches. After the discussion with Martin^1 we decided to play it safe and put KRB5CCNAME into /etc/systemd/system/httpd.service.

--
Martin^3 Babinsky

From 6042f4ce093890394da4f6e625d5cc745b285c35 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 28 Apr 2015 16:24:02 +0200
Subject: [PATCH] provide dedicated ccache file for httpd

httpd service stores Kerberos credentials in kernel keyring which gets
destroyed and recreated during service install/upgrade, causing problems when
the process is run under SELinux context other than 'unconfined_t'. This patch
enables HTTPInstance to set up a dedicated CCache file for Apache to store
credentials.

https://fedorahosted.org/freeipa/ticket/4973
---
freeipa.spec.in            | 4 ++++
init/systemd/httpd.service | 4 ++++
2 files changed, 8 insertions(+)
create mode 100644 init/systemd/httpd.service

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 
608242b5adbc43efbbf0ae30a6d7a933bebc1084..664162fe918f03049c27f70c9e7f852a11c50a8c
 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -12,6 +12,7 @@
%endif

%global plugin_dir %{_libdir}/dirsrv/plugins
+%global etc_systemd_dir %{_sysconfdir}/systemd/system
%global gettext_domain ipa
%if 0%{?rhel}
%global platform_module rhel
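Review bot: `etc_systemd_dir` resolves to `%{_sysconfdir}/systemd/system`, which is the administrator-owned override location; the httpd.service comment quoted earlier in this thread tells the admin to create `/etc/systemd/system/httpd.service` there by hand, so a package installing the same path will replace any local copy the admin has already written. Consider pointing the macro at a drop-in directory instead (`%{_sysconfdir}/systemd/system/httpd.service.d`) and shipping only the `[Service]` / `Environment=KRB5CCNAME=...` lines, which leaves an admin-authored `httpd.service` untouched.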
@@ -470,8 +471,10 @@ touch 
%{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so

# NOTE: systemd specific section
mkdir -p %{buildroot}%{_unitdir}
+mkdir -p %{buildroot}%{etc_systemd_dir}
install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
install -m 644 init/systemd/ipa_memcached.service 
%{buildroot}%{_unitdir}/ipa_memcached.service
+install -m 644 init/systemd/httpd.service 
%{buildroot}%{etc_systemd_dir}/httpd.service
# END
mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
%endif # ONLY_CLIENT
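Review bot: the file being installed here, `init/systemd/httpd.service`, is listed in the diffstat as a new 4-line file but its contents do not appear anywhere in the posted patch, so the `.include` and `Environment=KRB5CCNAME=` lines cannot be reviewed; please include that diff. The commit message also says the patch "enables HTTPInstance to set up a dedicated CCache file", yet the diffstat touches only `freeipa.spec.in` and the unit file, so either the HTTPInstance change (creating `/var/run/httpd/krbcache` with the right owner, mode and SELinux label) is missing from this patch or the commit message should be reworded to match what is actually changed.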
@@ -691,6 +694,7 @@ fi
%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{etc_systemd_dir}/httpd.service
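Review bot: a unit file installed under `/etc` should be listed as `%config(noreplace) %attr(644,root,root) %{etc_systemd_dir}/httpd.service` rather than a plain `%attr`, otherwise an upgrade silently overwrites any local edits an administrator made to the override. The package also needs an explicit `Requires: /etc/systemd/system` (or an equivalent directory ownership) since `%{etc_systemd_dir}` itself is not owned by this package and is not listed in `%files`.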
There is a minor issue: a lack of

Requires: /etc/systemd/system

which is needed because of /etc/systemd/system directory owned by a
different package. We require systemd-units which is provided by systemd
package as well so it is sort of mitigated by that but it would be
good to be explicit in the require. And yes, you can require the
directory because systemd provides it:

$ rpm -q --whatprovides /etc/systemd/system
systemd-219-13.fc22.x86_64

Otherwise, ACK.

--
/ Alexander Bokovoy
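The thread settles on pinning httpd's Kerberos credential cache to a file through a systemd override. The script below is an added example, not code from the patch above or from the FreeIPA project. It assumes the drop-in directory form of an override (`/etc/systemd/system/httpd.service.d/*.conf`, which needs no `.include` line) rather than the full `httpd.service` copy quoted in the thread, and it takes the ccache path `FILE:/var/run/httpd/krbcache/krb5ccache` from the discussion. It also adds the check a reviewer would want once the cache moves out of the kernel keyring and onto disk: the directory holding it must be owned by the service user and closed to everyone else, because a FILE ccache contains the HTTP service's own tickets and any credentials delegated to it.

```shell
#!/bin/sh
# Added example for the thread above; not code from the FreeIPA patch or project.
# Assumptions: the drop-in directory form of a systemd override
# (/etc/systemd/system/httpd.service.d/*.conf) instead of the full
# ".include" unit file quoted in the thread, and the ccache path from
# the thread, FILE:/var/run/httpd/krbcache/krb5ccache.

# Print a systemd drop-in that pins httpd's Kerberos ccache to a file
# instead of the default kernel keyring.  $1 = ccache file path.
gen_httpd_override() {
    printf '%s\n' \
        '[Service]' \
        "Environment=KRB5CCNAME=FILE:$1"
}

# Write the drop-in as <dir>/krb5ccache.conf, creating <dir> if needed.
# $1 = drop-in directory, $2 = ccache file path.  Returns non-zero on error.
install_httpd_override() {
    mkdir -p "$1" || return 1
    gen_httpd_override "$2" > "$1/krb5ccache.conf" || return 1
    chmod 644 "$1/krb5ccache.conf"
}

# A FILE ccache holds the service's own credentials, plus any delegated
# to it, as a plain file, so the directory must be private to the service
# user.  $1 = directory, $2 = expected owner (user name).
# Returns 0 only if the directory exists, is owned by $2 and grants no
# permission bits to group or other (e.g. mode 700).
check_ccache_dir() {
    [ -d "$1" ] || { echo "ccache dir missing: $1" >&2; return 1; }
    owner=$(stat -c '%U' "$1") || return 1
    mode=$(stat -c '%a' "$1") || return 1
    if [ "$owner" != "$2" ]; then
        echo "ccache dir $1 owned by $owner, expected $2" >&2
        return 1
    fi
    case "$mode" in
        *00) return 0 ;;   # 700, 1700, ...: nothing for group/other
        *)   echo "ccache dir $1 has mode $mode, expected 0700" >&2
             return 1 ;;
    esac
}

# Usage on a FreeIPA server (as root), with the paths assumed above:
#   install_httpd_override /etc/systemd/system/httpd.service.d \
#       /var/run/httpd/krbcache/krb5ccache
#   install -d -o apache -g apache -m 0700 /var/run/httpd/krbcache
#   check_ccache_dir /var/run/httpd/krbcache apache
#   systemctl daemon-reload && systemctl restart httpd
#   systemctl show -p Environment httpd.service
```

After the restart, `systemctl show -p Environment httpd.service` should list `KRB5CCNAME=FILE:/var/run/httpd/krbcache/krb5ccache`, and `klist -c FILE:/var/run/httpd/krbcache/krb5ccache` (run as root) shows what httpd has actually cached. Because `/var/run` is volatile on these systems, the `krbcache` directory has to be recreated at boot, either by the service's own setup code or by a `tmpfiles.d` entry, and on an SELinux-enforcing host it must carry a label that the confined httpd domain may write to, which this script does not check.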
