Re: [Freeipa-devel] [PATCHES 0031-0032] set up a dedicated CCache file for Apache during install/upgrade
On 04/28/2015 05:42 PM, Martin Babinsky wrote:
> The attached patches address https://fedorahosted.org/freeipa/ticket/4973
> and implement the solution proposed in Comment 2.
>
> Please review the hell out of them.

Why did you split the work in 2 patches? It looks like you first did the first approach of modifying httpd.service and then changed your mind and did the ipa-httpd.service approach (which is what we agreed to).

Also, shouldn't ipa-httpd.service be contained in the package itself, like ipa-dnskeysyncd and httpd.service masked during installation? Also, I do not see any daemon-reload, so I am not sure if systemd would pick up the right configuration in the first install.

Next, I was thinking what should be the ideal KRB5CCNAME for the HTTPD service. You chose /tmp/ipa-httpd.ccache, is it the best approach CCACHE type/path we should use? This is mostly a question to Simo, his mod_auth_gssapi will consume the ccache.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCHES 0031-0032] set up a dedicated CCache file for Apache during install/upgrade
On 04/29/2015 09:09 AM, Martin Kosek wrote:
> On 04/28/2015 05:42 PM, Martin Babinsky wrote:
>> The attached patches address https://fedorahosted.org/freeipa/ticket/4973
>> and implement the solution proposed in Comment 2.
>>
>> Please review the hell out of them.
>
> Why did you split the work in 2 patches? It looks like you first did the
> first approach of modifying httpd.service and then changed your mind and
> did the ipa-httpd.service approach (which is what we agreed to).

I was thinking about it as two distinct operations (modify existing httpd.service to use KRB5CCNAME and rename httpd.service to ipa-httpd.service). But I can merge them if needed.

> Also, shouldn't ipa-httpd.service be contained in the package itself, like
> ipa-dnskeysyncd and httpd.service masked during installation? Also, I do
> not see any daemon-reload, so I am not sure if systemd would pick up the
> right configuration in the first install.

Martin^2 told me that generating service file from template is evil, so I will put the full service file into init/systemd directory so that it is already present in /etc/systemd/system after rpm install.

> Next, I was thinking what should be the ideal KRB5CCNAME for the HTTPD
> service. You chose /tmp/ipa-httpd.ccache, is it the best approach CCACHE
> type/path we should use? This is mostly a question to Simo, his
> mod_auth_gssapi will consume the ccache.

I will ask Simo if there is some preferred way to name CCache files.

--
Martin^3 Babinsky

Re: [Freeipa-devel] [PATCHES 0031-0032] set up a dedicated CCache file for Apache during install/upgrade
On Wed, 2015-04-29 at 09:29 +0200, Martin Babinsky wrote:
> On 04/29/2015 09:09 AM, Martin Kosek wrote:
>> On 04/28/2015 05:42 PM, Martin Babinsky wrote:
>>> The attached patches address https://fedorahosted.org/freeipa/ticket/4973
>>> and implement the solution proposed in Comment 2.
>>>
>>> Please review the hell out of them.
>>
>> Why did you split the work in 2 patches? It looks like you first did the
>> first approach of modifying httpd.service and then changed your mind and
>> did the ipa-httpd.service approach (which is what we agreed to).
>
> I was thinking about it as two distinct operations (modify existing
> httpd.service to use KRB5CCNAME and rename httpd.service to
> ipa-httpd.service). But I can merge them if needed.
>
>> Also, shouldn't ipa-httpd.service be contained in the package itself, like
>> ipa-dnskeysyncd and httpd.service masked during installation? Also, I do
>> not see any daemon-reload, so I am not sure if systemd would pick up the
>> right configuration in the first install.
>
> Martin^2 told me that generating service file from template is evil, so I
> will put the full service file into init/systemd directory so that it is
> already present in /etc/systemd/system after rpm install.
>
>> Next, I was thinking what should be the ideal KRB5CCNAME for the HTTPD
>> service. You chose /tmp/ipa-httpd.ccache, is it the best approach CCACHE
>> type/path we should use? This is mostly a question to Simo, his
>> mod_auth_gssapi will consume the ccache.
>
> I will ask Simo if there is some preferred way to name CCache files.

After discussing with Martin I think we should have only one patch, which should simply change the service unit name used on systemd systems, then provide the new unit file ready made (and installed by RPMs directly).

The new unit file should basically just include the original httpd unit file and set KRB5CCNAME to a default of /var/run/httpd/krb5ccache or similar.

We should avoid using /tmp if not necessary, even though in most systemd based systems it is easy to have private /tmp and the default on Fedora, I prefer to avoid counting on it, as I am not sure what is the default in systems like debian/ubuntu/suse etc.

For older sysv/rpm based systems we just need to change /etc/sysconfig/httpd I guess.

Let's try to be consistent and use the same cache controlled by us on newer and older systems alike.

Simo.
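
The concern raised in the last message, as an added example that is not part of the thread or of FreeIPA's code: a shell check that reads a unit file and flags a KRB5CCNAME under /tmp or /var/tmp unless the unit enables PrivateTmp. The function name `ccache_verdict`, the verdict strings and the sample unit files are assumptions constructed here; only the two ccache paths come from the thread.

```shell
#!/bin/sh
# Added example (not FreeIPA code): classify the KRB5CCNAME set in a unit file.
# Prints unset | non-file:<name> | ok:<path> | private-tmp:<path> | shared-tmp:<path>
# and returns 1 only for a ccache in a shared temporary directory.
ccache_verdict() {
    unit_file=$1
    # Take the last Environment= line that assigns KRB5CCNAME, quoted or not.
    ccname=$(sed -n 's/^Environment=.*KRB5CCNAME=\([^[:space:]"]*\).*/\1/p' "$unit_file" | tail -n 1)
    [ -n "$ccname" ] || { echo "unset"; return 0; }
    case $ccname in
        FILE:*|DIR:*) path=${ccname#*:} ;;   # strip the ccache type prefix
        /*)           path=$ccname ;;        # a bare path is a FILE ccache
        *)            echo "non-file:$ccname"; return 0 ;;
    esac
    case $path in
        /tmp/*|/var/tmp/*)
            # systemd accepts 1, yes, true and on as boolean true
            if grep -Eq '^PrivateTmp=(1|yes|true|on)[[:space:]]*$' "$unit_file"; then
                echo "private-tmp:$path"
            else
                echo "shared-tmp:$path"; return 1
            fi ;;
        *) echo "ok:$path" ;;
    esac
}

# Constructed sample units using the two ccache paths named in the thread.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '[Service]\nEnvironment=KRB5CCNAME=/tmp/ipa-httpd.ccache\n' > "$demo_dir/shared.service"
printf '[Service]\nPrivateTmp=true\nEnvironment=KRB5CCNAME=/tmp/ipa-httpd.ccache\n' > "$demo_dir/private.service"
printf '[Service]\nEnvironment="KRB5CCNAME=FILE:/var/run/httpd/krb5ccache"\n' > "$demo_dir/run.service"

for unit in shared private run; do
    printf '%s: ' "$unit"
    ccache_verdict "$demo_dir/$unit.service" || true
done
```

The check reads only the file it is given, so drop-in overrides of the same unit need to be passed to it separately.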