Hi Jason,

I tried out your systemd config as below. I have a CentOS 7 box.

k5start and Apache start.

pstree:
====

k5start───httpd───10*[httpd───2*[{httpd}]]


less /proc/fs/openafs/unixusers:
===================

UID/PAG Refs States  Cell                          ViceID     Tok Set Tok Begin Tok Expire vno  NFS Client         UID/PAG Client UID Sysname(s)
         0    0 0005    cellname              0  1499920292 1499920290 1499963490 256
      1000    0 0005    cellname              1  1499930214 1499930215 1499966212 256
1091860458    0 0005    cellname          29787  1499931869 1499931870 1499967869 256



The ViceID 29787 is the AFS ID of the correct AFS username
(afsweb.fqdn_of_the_host) in pts. The keytab which k5start reads
contains the Kerberos principal (afsweb/fqdn_of_the_host@REALM).

I set read (rl) permission for the AFS username afsweb.fqdn_of_the_host
(29787) on the folder which contains the web files and "lookup" permission
on all parent folders of the web folder. Apache tells me it can't access
the web folder (DocumentRoot).

Another problem I found is that Apache can't open log files in the AFS path
and can't start:
(13)Permission denied: AH00091: httpd: could not open error log file
/afs/.............

sestatus:
=====

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          error (Success)
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28


regards,
Andreas

> Hi Andreas,
>
> Getting systemd, apache, and kstart to play nice took a little bit of
> work. I have included a sanitized copy of my Apache systemd unit file.
> Be sure to modify the ExecStart line to have the correct keytab
> location and principal name.
>
> I have NOT tested this in selinux enforcing mode, so beware.
>
> I think that kstart does create a new PAG, but I'm not certain. Be
> sure to verify that by running bash via kstart, then running "id" to
> see if an extra high-numbered numeric group appears. If no new PAG is
> created, then you might play with the pagsh command.
>
> Sincerely,
> Jason
>
> ----------------------------cut----------------------------
> [Unit]
> # customized unit file to start apache with a kerberos keytab
> Description=The Apache HTTP Server
> After=network.target remote-fs.target nss-lookup.target
> Documentation=man:httpd(8)
> Documentation=man:apachectl(8)
>
> [Service]
> Type=notify
> EnvironmentFile=/etc/sysconfig/httpd
> ExecStart=/usr/bin/k5start -o apache -K30 -f /etc/httpd.keytab httpd-principal-name -- /usr/sbin/httpd $OPTIONS -DFOREGROUND
> ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
> ExecStop=/bin/kill -WINCH ${MAINPID}
> # We want systemd to give httpd some time to finish gracefully, but still want
> # it to kill httpd after TimeoutStopSec if something went wrong during the
> # graceful stop. Normally, Systemd sends SIGTERM signal right after the
> # ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
> # httpd time to finish.
> KillSignal=SIGCONT
>
> # allow k5start child processes (i.e. apache) to notify systemd that it's up
> NotifyAccess=all
> PrivateTmp=false
>
> [Install]
> WantedBy=multi-user.target
> ----------------------------cut----------------------------
>
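
Added example, not part of either message in this thread: a small bash script for the two checks discussed above. The first is Jason's suggestion to confirm that k5start created a new PAG by looking for an extra high-numbered group in the output of "id"; the second reads a /proc/fs/openafs/unixusers listing like the one Andreas posted and reports whether the token for a given ViceID lives in a PAG entry or in a plain UID entry, and whether it is still valid at a given time. It assumes that Linux OpenAFS represents a PAG as a single supplementary group in the range 0x41000000 to 0x41FFFFFF and that the unixusers columns are in the order printed in the header; the sample table is constructed from the rows in the thread, and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Two checks for an AFS-backed
# Apache: does a process sit in a PAG, and which unixusers entry holds
# the token for a given ViceID. Assumption: a Linux OpenAFS PAG shows up
# as one supplementary group in the range 0x41000000..0x41FFFFFF.

# Print the PAG gid found in "$1" (gids separated by spaces, as printed
# by `id -G`) and return 0; return 1 if no gid is in the PAG range.
# Typical use:  pag_from_gids "$(id -G)"  inside the k5start'd shell.
pag_from_gids() {
    local gid
    for gid in $1; do
        if [ "$gid" -ge 1090519040 ] && [ "$gid" -le 1107296255 ]; then
            echo "$gid"
            return 0
        fi
    done
    return 1
}

# Constructed sample, copied from the unixusers listing in the thread.
# Columns: UID/PAG Refs States Cell ViceID TokSet TokBegin TokExpire vno
SAMPLE_UNIXUSERS='UID/PAG Refs States  Cell ViceID Tok Set Tok Begin Tok Expire vno
         0    0 0005    cellname              0  1499920292 1499920290 1499963490 256
      1000    0 0005    cellname              1  1499930214 1499930215 1499966212 256
1091860458    0 0005    cellname          29787  1499931869 1499931870 1499967869 256'

# Read a unixusers table on stdin and print one line per entry:
# "<PAG|UID> <uid-or-pag> <viceid> <token-expire>". The header is skipped.
classify_unixusers() {
    awk 'NR > 1 && NF >= 8 {
        id = $1 + 0
        kind = (id >= 1090519040 && id <= 1107296255) ? "PAG" : "UID"
        printf "%s %s %s %s\n", kind, $1, $5, $8
    }'
}

# Read a unixusers table on stdin; for ViceID "$1" print the entry that
# holds its token and whether it is valid at Unix time "$2". Return 1 if
# no unexpired token for that ViceID exists (missing or expired).
token_status_for_viceid() {
    local viceid="$1" now="$2"
    classify_unixusers | awk -v v="$viceid" -v now="$now" '
        $3 == v {
            found = 1
            if ($4 > now) { printf "%s %s valid\n", $1, $2; ok = 1 }
            else          { printf "%s %s expired\n", $1, $2 }
        }
        END { exit ((found && ok) ? 0 : 1) }'
}

# Demo on the constructed sample: prints three classified entries.
printf '%s\n' "$SAMPLE_UNIXUSERS" | classify_unixusers
```

On a live box, run "cat /proc/fs/openafs/unixusers | token_status_for_viceid 29787 $(date +%s)" to see whether the web principal's token is in a PAG entry (the third row above) or attached to the bare UID, and "pag_from_gids "$(id -G)"" from a shell started under k5start to confirm the PAG Jason describes.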
