Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd

2015-05-13 Thread Anthony Messina
On Wednesday, May 13, 2015 01:28:44 PM Martin Babinsky wrote:
 On 05/12/2015 06:47 PM, Alexander Bokovoy wrote:
  On Tue, 12 May 2015, Petr Vobornik wrote:
  On 05/12/2015 11:22 AM, Alexander Bokovoy wrote:
  On Tue, 12 May 2015, Martin Babinsky wrote:
  %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
  +%attr(644,root,root) %{etc_systemd_dir}/httpd.service
  
  There is a minor issue: a lack of
  
  Requires: /etc/systemd/system
  
  which is needed because the /etc/systemd/system directory is owned by a
  different package. We require systemd-units, which is provided by the
  systemd package as well, so it is sort of mitigated by that, but it would
  be good to be explicit in the require. And yes, you can require the
  directory because systemd provides it:
  
  $ rpm -q --whatprovides /etc/systemd/system
  systemd-219-13.fc22.x86_64
  
  Otherwise, ACK.
  
  Thanks for the review, Alexander; attaching updated patch.
  
  ACK
  
  Pushed to master: 9a1a409d63e30dcb939b672d352fc4aa7ba690fe
  
  We also need a tmpfiles config change because otherwise
  /var/run/httpd/krbcache does not exist.
  
  Patch attached.
 
 ACK

I'm not sure it matters, but mod_auth_kerb already sets up 
/var/run/httpd/krbcache via /lib/tmpfiles.d/httpd-krbcache.conf:
d /var/run/httpd/krbcache 0700 apache apache

-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E


-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd

2015-05-13 Thread Martin Babinsky

On 05/12/2015 06:47 PM, Alexander Bokovoy wrote:

On Tue, 12 May 2015, Petr Vobornik wrote:

On 05/12/2015 11:22 AM, Alexander Bokovoy wrote:

On Tue, 12 May 2015, Martin Babinsky wrote:

%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{etc_systemd_dir}/httpd.service

There is a minor issue: a lack of

Requires: /etc/systemd/system

which is needed because the /etc/systemd/system directory is owned by a
different package. We require systemd-units, which is provided by the
systemd package as well, so it is sort of mitigated by that, but it would
be good to be explicit in the require. And yes, you can require the
directory because systemd provides it:

$ rpm -q --whatprovides /etc/systemd/system
systemd-219-13.fc22.x86_64

Otherwise, ACK.


Thanks for the review, Alexander; attaching updated patch.

ACK


Pushed to master: 9a1a409d63e30dcb939b672d352fc4aa7ba690fe

We also need a tmpfiles config change because otherwise
/var/run/httpd/krbcache does not exist.

Patch attached.




ACK

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd

2015-05-13 Thread Anthony Messina
On Wednesday, May 13, 2015 02:58:40 PM Alexander Bokovoy wrote:
 On Wed, 13 May 2015, Anthony Messina wrote:
 On Wednesday, May 13, 2015 01:28:44 PM Martin Babinsky wrote:
  On 05/12/2015 06:47 PM, Alexander Bokovoy wrote:
   On Tue, 12 May 2015, Petr Vobornik wrote:
   On 05/12/2015 11:22 AM, Alexander Bokovoy wrote:
   On Tue, 12 May 2015, Martin Babinsky wrote:
   %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
   +%attr(644,root,root) %{etc_systemd_dir}/httpd.service
   
   There is a minor issue: a lack of
   
   Requires: /etc/systemd/system
   
   which is needed because the /etc/systemd/system directory is owned by a
   different package. We require systemd-units, which is provided by the
   systemd package as well, so it is sort of mitigated by that, but it would
   be good to be explicit in the require. And yes, you can require the
   directory because systemd provides it:
   
   $ rpm -q --whatprovides /etc/systemd/system
   systemd-219-13.fc22.x86_64
   
   Otherwise, ACK.
   
   Thanks for the review, Alexander; attaching updated patch.
   
   ACK
   
   Pushed to master: 9a1a409d63e30dcb939b672d352fc4aa7ba690fe
   
   We also need a tmpfiles config change because otherwise
   /var/run/httpd/krbcache does not exist.
   
   Patch attached.
  
  ACK
 
 I'm not sure it matters, but mod_auth_kerb already sets up
 /var/run/httpd/krbcache via /lib/tmpfiles.d/httpd-krbcache.conf:
 d /var/run/httpd/krbcache 0700 apache apache
 
 We don't use mod_auth_kerb in Fedora 22 anymore, and mod_auth_gssapi
 doesn't bring the same configuration in, so installing git master will
 fail to operate due to the missing directory.

True, though mod_auth_gssapi has (at least for this user) uses beyond FreeIPA.  
Perhaps Simo would be willing to include the tmpfiles.d snippet in the 
upstream mod_auth_gssapi RPMs.  -A

-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E



Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd

2015-05-13 Thread Alexander Bokovoy

On Wed, 13 May 2015, Anthony Messina wrote:

On Wednesday, May 13, 2015 02:58:40 PM Alexander Bokovoy wrote:

On Wed, 13 May 2015, Anthony Messina wrote:
On Wednesday, May 13, 2015 01:28:44 PM Martin Babinsky wrote:
 On 05/12/2015 06:47 PM, Alexander Bokovoy wrote:
  On Tue, 12 May 2015, Petr Vobornik wrote:
  On 05/12/2015 11:22 AM, Alexander Bokovoy wrote:
  On Tue, 12 May 2015, Martin Babinsky wrote:
  %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
  +%attr(644,root,root) %{etc_systemd_dir}/httpd.service
 
  There is a minor issue: a lack of
 
  Requires: /etc/systemd/system
 
  which is needed because the /etc/systemd/system directory is owned by a
  different package. We require systemd-units, which is provided by the
  systemd package as well, so it is sort of mitigated by that, but it would
  be good to be explicit in the require. And yes, you can require the
  directory because systemd provides it:
 
  $ rpm -q --whatprovides /etc/systemd/system
  systemd-219-13.fc22.x86_64
 
  Otherwise, ACK.
 
  Thanks for the review, Alexander; attaching updated patch.
 
  ACK
 
  Pushed to master: 9a1a409d63e30dcb939b672d352fc4aa7ba690fe
 
  We also need a tmpfiles config change because otherwise
  /var/run/httpd/krbcache does not exist.
 
  Patch attached.

 ACK

I'm not sure it matters, but mod_auth_kerb already sets up
/var/run/httpd/krbcache via /lib/tmpfiles.d/httpd-krbcache.conf:
d /var/run/httpd/krbcache 0700 apache apache

We don't use mod_auth_kerb in Fedora 22 anymore, and mod_auth_gssapi
doesn't bring the same configuration in, so installing git master will
fail to operate due to the missing directory.


True, though mod_auth_gssapi has (at least for this user) uses beyond FreeIPA.
Perhaps Simo would be willing to include the tmpfiles.d snippet in the
upstream mod_auth_gssapi RPMs.  -A

This is configuration specific to the FreeIPA httpd service unit -- the
default httpd service unit in Fedora doesn't change the Kerberos ccache
path and therefore uses the kernel keyring for it, where no file system
path is required.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd

2015-05-12 Thread Martin Babinsky

On 05/12/2015 07:50 AM, Alexander Bokovoy wrote:

On Mon, 04 May 2015, Martin Babinsky wrote:

On 04/30/2015 08:23 AM, Alexander Bokovoy wrote:

On Thu, 30 Apr 2015, Jan Cholasta wrote:

Hi,

Dne 29.4.2015 v 19:42 Martin Babinsky napsal(a):

The attached patch is a merge of PATCHES 0031-0032 incorporating
Simo's
and Martin's suggestions (see e.g.
https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html
for reference).

https://fedorahosted.org/freeipa/ticket/4973


IMHO we should set the environment variable in
/etc/systemd/system/httpd.service, instead of providing a new service
file, because we are just changing configuration, not creating a new
concurrent httpd instance, as is the case with ipa-memcached, and also
not using alternative httpd implementation which masks the current
one, as is the case with bind-pkcs11. It would simplify the whole
thing significantly and it's even recommended in httpd.service to do

I agree.


so:

  # For example, to pass additional options (for instance, -D
definitions) to the
  # httpd binary at startup, you need to create a file named
  # /etc/systemd/system/httpd.service containing:
  #.include /lib/systemd/system/httpd.service
  #[Service]
  #Environment=OPTIONS=-DMY_DEFINE

(BTW I wonder why /etc/sysconfig/httpd support was removed from httpd
in Fedora
(http://pkgs.fedoraproject.org/cgit/httpd.git/commit/?id=0b19f7b6e1a47c6167a8ab43b4a9d1e759b54721),

it seems like a better place to customize environment variables,
rather than having to create a modified service file...)

We had a discussion with Joe Orton (httpd maintainer) a while ago and his
arguments were the following:

Hi guys, we made that change to adopt what is considered best practice
for systemd.  The change is not in RHEL7, only Fedora >= 20.

I would not say we are strongly wedded to that change, but the use case
you provide seems very weak.  /etc/sysconfig/httpd is intended to be
user-configurable and if users do rm -f /etc/sysconfig/httpd then
Fedora packages should keep working correctly.  Can we find a more
robust way to achieve the same results?  Why is it required that the
environment variable is set globally within /usr/sbin/httpd?

... [and later in discussion]

I'd argue that in this case you should not be using httpd.service as-is;
instead it would be correct to create an httpd-ipa.service unit file
or similar, which can .include the system httpd.service, and sets up
the appropriate Environment= (or EnvironmentFile=) directly.

Also, if the intent is to purely to change mod_auth_kerb's interaction
with libkrb5 is there no way to do this via the libkrb API - or
mod_auth_kerb's existing use thereof?

The use of /etc/sysconfig/httpd has historically been a mild PITA and
I'm not seeing a compelling reason to revert the decision to kill it
here.



Anyway, I would prefer if we set it in a way that works on non-systemd
distros as well. Can't we just set GssapiCredStore
ccache:FILE:/var/run/httpd/krbcache/krb5ccache in
/etc/httpd/conf.d/ipa.conf?

It is not just mod_auth_gssapi, it is needed for users of the
credentials obtained by mod_auth_gssapi. mod_auth_gssapi only sets
KRB5CCNAME value when there is delegation of credentials in use and
there is something to delegate.




Ok, attaching updated patches. After the discussion with Martin^1 we
decided to play it safe and put KRB5CCNAME into
/etc/systemd/system/httpd.service.

--
Martin^3 Babinsky



From 6042f4ce093890394da4f6e625d5cc745b285c35 Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Tue, 28 Apr 2015 16:24:02 +0200
Subject: [PATCH] provide dedicated ccache file for httpd

httpd service stores Kerberos credentials in kernel keyring which gets
destroyed and recreated during service install/upgrade, causing problems when
the process is run under SELinux context other than 'unconfined_t'. This patch
enables HTTPInstance to set up a dedicated CCache file for Apache to store
credentials.

https://fedorahosted.org/freeipa/ticket/4973
---
freeipa.spec.in| 4 
init/systemd/httpd.service | 4 
2 files changed, 8 insertions(+)
create mode 100644 init/systemd/httpd.service

diff --git a/freeipa.spec.in b/freeipa.spec.in
index
608242b5adbc43efbbf0ae30a6d7a933bebc1084..664162fe918f03049c27f70c9e7f852a11c50a8c
100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -12,6 +12,7 @@
%endif

%global plugin_dir %{_libdir}/dirsrv/plugins
+%global etc_systemd_dir %{_sysconfdir}/systemd/system
%global gettext_domain ipa
%if 0%{?rhel}
%global platform_module rhel
@@ -470,8 +471,10 @@ touch
%{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so

# NOTE: systemd specific section
mkdir -p %{buildroot}%{_unitdir}
+mkdir -p %{buildroot}%{etc_systemd_dir}
install -m 644 init/systemd/ipa.service
%{buildroot}%{_unitdir}/ipa.service
install -m 644 init/systemd/ipa_memcached.service
%{buildroot}%{_unitdir}/ipa_memcached.service
+install -m 644 init/systemd/httpd.service

Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd

2015-05-12 Thread Alexander Bokovoy

On Tue, 12 May 2015, Petr Vobornik wrote:

On 05/12/2015 11:22 AM, Alexander Bokovoy wrote:

On Tue, 12 May 2015, Martin Babinsky wrote:

%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{etc_systemd_dir}/httpd.service

There is a minor issue: a lack of

Requires: /etc/systemd/system

which is needed because the /etc/systemd/system directory is owned by a
different package. We require systemd-units, which is provided by the
systemd package as well, so it is sort of mitigated by that, but it would
be good to be explicit in the require. And yes, you can require the
directory because systemd provides it:

$ rpm -q --whatprovides /etc/systemd/system
systemd-219-13.fc22.x86_64

Otherwise, ACK.


Thanks for the review, Alexander; attaching updated patch.

ACK


Pushed to master: 9a1a409d63e30dcb939b672d352fc4aa7ba690fe

We also need a tmpfiles config change because otherwise
/var/run/httpd/krbcache does not exist.

Patch attached.
--
/ Alexander Bokovoy
From b13986cf0815c6e90d313fb8a4ab5f739901222a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Tue, 12 May 2015 16:45:01 +
Subject: [PATCH] Make sure new httpd kerberos cache directory is created

---
 init/systemd/ipa.conf.tmpfiles | 1 +
 1 file changed, 1 insertion(+)

diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles
index b4503cc..276a1dc 100644
--- a/init/systemd/ipa.conf.tmpfiles
+++ b/init/systemd/ipa.conf.tmpfiles
@@ -1,3 +1,4 @@
 d /var/run/ipa_memcached 0700 apache apache
 d /var/run/ipa 0700 root root
 d /var/run/httpd/clientcaches 0700 apache apache
+d /var/run/httpd/krbcache 0700 apache apache
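Review bot: the directory only appears at the next boot or the next systemd-tmpfiles run, so an upgrade of a running server that restarts httpd with the new KRB5CCNAME still finds /var/run/httpd/krbcache missing; the patch adds no %post step, so consider running systemd-tmpfiles --create on this config from the spec's upgrade scriptlet. The entry itself (d /var/run/httpd/krbcache 0700 apache apache) matches the mode and owner of the neighbouring httpd caches, which keeps the ccache readable only by the apache user.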
-- 
2.4.0


Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd

2015-05-12 Thread Alexander Bokovoy

On Tue, 12 May 2015, Martin Babinsky wrote:

%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{etc_systemd_dir}/httpd.service

There is a minor issue: a lack of

Requires: /etc/systemd/system

which is needed because the /etc/systemd/system directory is owned by a
different package. We require systemd-units, which is provided by the
systemd package as well, so it is sort of mitigated by that, but it would
be good to be explicit in the require. And yes, you can require the
directory because systemd provides it:

$ rpm -q --whatprovides /etc/systemd/system
systemd-219-13.fc22.x86_64

Otherwise, ACK.


Thanks for the review, Alexander; attaching updated patch.

ACK
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd

2015-05-12 Thread Petr Vobornik

On 05/12/2015 11:22 AM, Alexander Bokovoy wrote:

On Tue, 12 May 2015, Martin Babinsky wrote:

%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{etc_systemd_dir}/httpd.service

There is a minor issue: a lack of

Requires: /etc/systemd/system

which is needed because the /etc/systemd/system directory is owned by a
different package. We require systemd-units, which is provided by the
systemd package as well, so it is sort of mitigated by that, but it would
be good to be explicit in the require. And yes, you can require the
directory because systemd provides it:

$ rpm -q --whatprovides /etc/systemd/system
systemd-219-13.fc22.x86_64

Otherwise, ACK.


Thanks for the review, Alexander; attaching updated patch.

ACK


Pushed to master: 9a1a409d63e30dcb939b672d352fc4aa7ba690fe
--
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd

2015-05-11 Thread Alexander Bokovoy

On Mon, 04 May 2015, Martin Babinsky wrote:

On 04/30/2015 08:23 AM, Alexander Bokovoy wrote:

On Thu, 30 Apr 2015, Jan Cholasta wrote:

Hi,

Dne 29.4.2015 v 19:42 Martin Babinsky napsal(a):

The attached patch is a merge of PATCHES 0031-0032 incorporating Simo's
and Martin's suggestions (see e.g.
https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html
for reference).

https://fedorahosted.org/freeipa/ticket/4973


IMHO we should set the environment variable in
/etc/systemd/system/httpd.service, instead of providing a new service
file, because we are just changing configuration, not creating a new
concurrent httpd instance, as is the case with ipa-memcached, and also
not using alternative httpd implementation which masks the current
one, as is the case with bind-pkcs11. It would simplify the whole
thing significantly and it's even recommended in httpd.service to do

I agree.


so:

  # For example, to pass additional options (for instance, -D
definitions) to the
  # httpd binary at startup, you need to create a file named
  # /etc/systemd/system/httpd.service containing:
  #.include /lib/systemd/system/httpd.service
  #[Service]
  #Environment=OPTIONS=-DMY_DEFINE

(BTW I wonder why /etc/sysconfig/httpd support was removed from httpd
in Fedora
(http://pkgs.fedoraproject.org/cgit/httpd.git/commit/?id=0b19f7b6e1a47c6167a8ab43b4a9d1e759b54721),
it seems like a better place to customize environment variables,
rather than having to create a modified service file...)

We had a discussion with Joe Orton (httpd maintainer) a while ago and his
arguments were the following:

Hi guys, we made that change to adopt what is considered best practice
for systemd.  The change is not in RHEL7, only Fedora >= 20.

I would not say we are strongly wedded to that change, but the use case
you provide seems very weak.  /etc/sysconfig/httpd is intended to be
user-configurable and if users do rm -f /etc/sysconfig/httpd then
Fedora packages should keep working correctly.  Can we find a more
robust way to achieve the same results?  Why is it required that the
environment variable is set globally within /usr/sbin/httpd?

... [and later in discussion]

I'd argue that in this case you should not be using httpd.service as-is;
instead it would be correct to create an httpd-ipa.service unit file
or similar, which can .include the system httpd.service, and sets up
the appropriate Environment= (or EnvironmentFile=) directly.

Also, if the intent is to purely to change mod_auth_kerb's interaction
with libkrb5 is there no way to do this via the libkrb API - or
mod_auth_kerb's existing use thereof?

The use of /etc/sysconfig/httpd has historically been a mild PITA and
I'm not seeing a compelling reason to revert the decision to kill it
here.



Anyway, I would prefer if we set it in a way that works on non-systemd
distros as well. Can't we just set GssapiCredStore
ccache:FILE:/var/run/httpd/krbcache/krb5ccache in
/etc/httpd/conf.d/ipa.conf?

It is not just mod_auth_gssapi, it is needed for users of the
credentials obtained by mod_auth_gssapi. mod_auth_gssapi only sets
KRB5CCNAME value when there is delegation of credentials in use and
there is something to delegate.




Ok, attaching updated patches. After the discussion with Martin^1 we 
decided to play it safe and put KRB5CCNAME into 
/etc/systemd/system/httpd.service.


--
Martin^3 Babinsky



From 6042f4ce093890394da4f6e625d5cc745b285c35 Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Tue, 28 Apr 2015 16:24:02 +0200
Subject: [PATCH] provide dedicated ccache file for httpd

httpd service stores Kerberos credentials in kernel keyring which gets
destroyed and recreated during service install/upgrade, causing problems when
the process is run under SELinux context other than 'unconfined_t'. This patch
enables HTTPInstance to set up a dedicated CCache file for Apache to store
credentials.

https://fedorahosted.org/freeipa/ticket/4973
---
freeipa.spec.in| 4 
init/systemd/httpd.service | 4 
2 files changed, 8 insertions(+)
create mode 100644 init/systemd/httpd.service

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 
608242b5adbc43efbbf0ae30a6d7a933bebc1084..664162fe918f03049c27f70c9e7f852a11c50a8c
 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -12,6 +12,7 @@
%endif

%global plugin_dir %{_libdir}/dirsrv/plugins
+%global etc_systemd_dir %{_sysconfdir}/systemd/system
%global gettext_domain ipa
%if 0%{?rhel}
%global platform_module rhel
@@ -470,8 +471,10 @@ touch 
%{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so

# NOTE: systemd specific section
mkdir -p %{buildroot}%{_unitdir}
+mkdir -p %{buildroot}%{etc_systemd_dir}
install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
install -m 644 init/systemd/ipa_memcached.service 
%{buildroot}%{_unitdir}/ipa_memcached.service
+install -m 644 init/systemd/httpd.service 
%{buildroot}%{etc_systemd_dir}/httpd.service
# END
mkdir -p 

Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd

2015-05-04 Thread Martin Babinsky

On 04/30/2015 08:23 AM, Alexander Bokovoy wrote:

On Thu, 30 Apr 2015, Jan Cholasta wrote:

Hi,

Dne 29.4.2015 v 19:42 Martin Babinsky napsal(a):

The attached patch is a merge of PATCHES 0031-0032 incorporating Simo's
and Martin's suggestions (see e.g.
https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html
for reference).

https://fedorahosted.org/freeipa/ticket/4973


IMHO we should set the environment variable in
/etc/systemd/system/httpd.service, instead of providing a new service
file, because we are just changing configuration, not creating a new
concurrent httpd instance, as is the case with ipa-memcached, and also
not using alternative httpd implementation which masks the current
one, as is the case with bind-pkcs11. It would simplify the whole
thing significantly and it's even recommended in httpd.service to do

I agree.


so:

   # For example, to pass additional options (for instance, -D
definitions) to the
   # httpd binary at startup, you need to create a file named
   # /etc/systemd/system/httpd.service containing:
   #.include /lib/systemd/system/httpd.service
   #[Service]
   #Environment=OPTIONS=-DMY_DEFINE

(BTW I wonder why /etc/sysconfig/httpd support was removed from httpd
in Fedora
(http://pkgs.fedoraproject.org/cgit/httpd.git/commit/?id=0b19f7b6e1a47c6167a8ab43b4a9d1e759b54721),
it seems like a better place to customize environment variables,
rather than having to create a modified service file...)

We had a discussion with Joe Orton (httpd maintainer) a while ago and his
arguments were the following:

Hi guys, we made that change to adopt what is considered best practice
for systemd.  The change is not in RHEL7, only Fedora >= 20.

I would not say we are strongly wedded to that change, but the use case
you provide seems very weak.  /etc/sysconfig/httpd is intended to be
user-configurable and if users do rm -f /etc/sysconfig/httpd then
Fedora packages should keep working correctly.  Can we find a more
robust way to achieve the same results?  Why is it required that the
environment variable is set globally within /usr/sbin/httpd?

... [and later in discussion]

I'd argue that in this case you should not be using httpd.service as-is;
instead it would be correct to create an httpd-ipa.service unit file
or similar, which can .include the system httpd.service, and sets up
the appropriate Environment= (or EnvironmentFile=) directly.

Also, if the intent is to purely to change mod_auth_kerb's interaction
with libkrb5 is there no way to do this via the libkrb API - or
mod_auth_kerb's existing use thereof?

The use of /etc/sysconfig/httpd has historically been a mild PITA and
I'm not seeing a compelling reason to revert the decision to kill it
here.



Anyway, I would prefer if we set it in a way that works on non-systemd
distros as well. Can't we just set GssapiCredStore
ccache:FILE:/var/run/httpd/krbcache/krb5ccache in
/etc/httpd/conf.d/ipa.conf?

It is not just mod_auth_gssapi, it is needed for users of the
credentials obtained by mod_auth_gssapi. mod_auth_gssapi only sets
KRB5CCNAME value when there is delegation of credentials in use and
there is something to delegate.




Ok, attaching updated patches. After the discussion with Martin^1 we 
decided to play it safe and put KRB5CCNAME into 
/etc/systemd/system/httpd.service.


--
Martin^3 Babinsky
From 6042f4ce093890394da4f6e625d5cc745b285c35 Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Tue, 28 Apr 2015 16:24:02 +0200
Subject: [PATCH] provide dedicated ccache file for httpd

httpd service stores Kerberos credentials in kernel keyring which gets
destroyed and recreated during service install/upgrade, causing problems when
the process is run under SELinux context other than 'unconfined_t'. This patch
enables HTTPInstance to set up a dedicated CCache file for Apache to store
credentials.

https://fedorahosted.org/freeipa/ticket/4973
---
 freeipa.spec.in| 4 
 init/systemd/httpd.service | 4 
 2 files changed, 8 insertions(+)
 create mode 100644 init/systemd/httpd.service

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 608242b5adbc43efbbf0ae30a6d7a933bebc1084..664162fe918f03049c27f70c9e7f852a11c50a8c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -12,6 +12,7 @@
 %endif
 
 %global plugin_dir %{_libdir}/dirsrv/plugins
+%global etc_systemd_dir %{_sysconfdir}/systemd/system
 %global gettext_domain ipa
 %if 0%{?rhel}
 %global platform_module rhel
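Review bot: %{etc_systemd_dir} resolves to /etc/systemd/system, a directory this package does not own; add `Requires: /etc/systemd/system` next to the existing systemd-units dependency so rpm guarantees the directory exists when the override unit is installed (rpm -q --whatprovides /etc/systemd/system shows that systemd provides it, as noted later in the thread).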
@@ -470,8 +471,10 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
 
 # NOTE: systemd specific section
 mkdir -p %{buildroot}%{_unitdir}
+mkdir -p %{buildroot}%{etc_systemd_dir}
 install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
 install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
+install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service
 # END
 mkdir -p 
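Review bot: installing the override as %{etc_systemd_dir}/httpd.service places a package-owned file at exactly the path the httpd.service comment tells administrators to create for their own Environment= overrides, so any local /etc/systemd/system/httpd.service an admin already wrote is replaced on install; consider marking the file %config in %files so rpm keeps the local copy (.rpmorig/.rpmsave) instead of overwriting it silently, and document that FreeIPA now owns this override point.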

Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd

2015-04-30 Thread Alexander Bokovoy

On Thu, 30 Apr 2015, Jan Cholasta wrote:

Hi,

Dne 29.4.2015 v 19:42 Martin Babinsky napsal(a):

The attached patch is a merge of PATCHES 0031-0032 incorporating Simo's
and Martin's suggestions (see e.g.
https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html
for reference).

https://fedorahosted.org/freeipa/ticket/4973


IMHO we should set the environment variable in 
/etc/systemd/system/httpd.service, instead of providing a new service 
file, because we are just changing configuration, not creating a new 
concurrent httpd instance, as is the case with ipa-memcached, and also 
not using alternative httpd implementation which masks the current 
one, as is the case with bind-pkcs11. It would simplify the whole 
thing significantly and it's even recommended in httpd.service to do 

I agree.


so:

   # For example, to pass additional options (for instance, -D 
definitions) to the

   # httpd binary at startup, you need to create a file named
   # /etc/systemd/system/httpd.service containing:
   #.include /lib/systemd/system/httpd.service
   #[Service]
   #Environment=OPTIONS=-DMY_DEFINE

(BTW I wonder why /etc/sysconfig/httpd support was removed from httpd 
in Fedora (http://pkgs.fedoraproject.org/cgit/httpd.git/commit/?id=0b19f7b6e1a47c6167a8ab43b4a9d1e759b54721), 
it seems like a better place to customize environment variables, 
rather than having to create a modified service file...)

We had a discussion with Joe Orton (httpd maintainer) a while ago and his
arguments were the following:

Hi guys, we made that change to adopt what is considered best practice
for systemd.  The change is not in RHEL7, only Fedora >= 20.

I would not say we are strongly wedded to that change, but the use case
you provide seems very weak.  /etc/sysconfig/httpd is intended to be
user-configurable and if users do rm -f /etc/sysconfig/httpd then
Fedora packages should keep working correctly.  Can we find a more
robust way to achieve the same results?  Why is it required that the
environment variable is set globally within /usr/sbin/httpd?

... [and later in discussion]

I'd argue that in this case you should not be using httpd.service as-is;
instead it would be correct to create an httpd-ipa.service unit file
or similar, which can .include the system httpd.service, and sets up
the appropriate Environment= (or EnvironmentFile=) directly.

Also, if the intent is to purely to change mod_auth_kerb's interaction
with libkrb5 is there no way to do this via the libkrb API - or
mod_auth_kerb's existing use thereof?

The use of /etc/sysconfig/httpd has historically been a mild PITA and
I'm not seeing a compelling reason to revert the decision to kill it
here.


Anyway, I would prefer if we set it in a way that works on non-systemd 
distros as well. Can't we just set GssapiCredStore 
ccache:FILE:/var/run/httpd/krbcache/krb5ccache in 
/etc/httpd/conf.d/ipa.conf?

It is not just mod_auth_gssapi, it is needed for users of the
credentials obtained by mod_auth_gssapi. mod_auth_gssapi only sets
KRB5CCNAME value when there is delegation of credentials in use and
there is something to delegate.


--
/ Alexander Bokovoy
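As an added example, not FreeIPA's code and not part of any mail in this thread, the check below ties together the two configuration pieces the discussion converges on: the unit override that sets KRB5CCNAME for httpd (Jan's recommendation, and what the patch ends up doing) and the tmpfiles.d entry that has to create the ccache directory, plus Alexander's later point that a keyring ccache needs no file system path at all. It parses a unit file and a tmpfiles config (both sample texts are constructed inline from the values quoted in this thread), classifies the ccache type the way libkrb5 does (a bare path means FILE; KEYRING, MEMORY and the rest need no directory), and reports when the directory is missing, owned by the wrong user, or reachable by other users. The function names and the `apache` service user are my assumptions.

```python
"""Consistency check between an httpd unit override that sets KRB5CCNAME
and the tmpfiles.d config that must create the ccache directory.
Added example, not FreeIPA code; the sample texts below are constructed."""
import posixpath
import re
import shlex
from dataclasses import dataclass

# Constructed sample: the override shape the httpd.service comment recommends,
# with the ccache path discussed in the thread (FILE: prefix written out).
UNIT_TEXT = """.include /usr/lib/systemd/system/httpd.service

[Service]
Environment=KRB5CCNAME=FILE:/var/run/httpd/krbcache/krb5ccache
"""

# Constructed sample: ipa.conf.tmpfiles after the krbcache entry is added.
TMPFILES_TEXT = """d /var/run/ipa_memcached 0700 apache apache
d /var/run/ipa 0700 root root
d /var/run/httpd/clientcaches 0700 apache apache
d /var/run/httpd/krbcache 0700 apache apache
"""

# Credential cache types libkrb5 understands; only FILE needs a directory.
CCACHE_TYPES = {"FILE", "DIR", "KEYRING", "MEMORY", "KCM", "API", "MSLSA"}


def parse_unit_environment(text):
    """Collect Environment= assignments from the [Service] section.

    A line may carry several space-separated NAME=value pairs (quoted values
    allowed); an empty Environment= resets the list, as systemd does.
    """
    env = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", ".include")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() != "Environment":
            continue
        if not value.strip():
            env.clear()
            continue
        for assignment in shlex.split(value):
            name, _, val = assignment.partition("=")
            env[name] = val
    return env


def ccache_type_and_residual(krb5ccname):
    """Split KRB5CCNAME into (type, residual); a bare path means FILE."""
    m = re.match(r"^([A-Za-z]+):(.*)$", krb5ccname)
    if m and m.group(1).upper() in CCACHE_TYPES:
        return m.group(1).upper(), m.group(2)
    return "FILE", krb5ccname


@dataclass
class TmpfilesEntry:
    kind: str
    path: str
    mode: str
    user: str
    group: str


def parse_tmpfiles(text):
    """Parse tmpfiles.d lines into {path: entry}; '-' fields take defaults."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split() + ["-"] * 4  # pad missing optional fields
        kind, path, mode, user, group = fields[:5]
        mode = mode.lstrip("~:")  # drop tmpfiles mode modifiers
        entries[path] = TmpfilesEntry(
            kind, path,
            "0755" if mode == "-" else mode,
            "root" if user == "-" else user,
            "root" if group == "-" else group,
        )
    return entries


def check_httpd_ccache(unit_text, tmpfiles_text, service_user="apache"):
    """Return findings; an empty list means unit and tmpfiles agree."""
    ccname = parse_unit_environment(unit_text).get("KRB5CCNAME")
    if ccname is None:
        return ["KRB5CCNAME not set: httpd uses the libkrb5 default ccache"]
    cctype, residual = ccache_type_and_residual(ccname)
    if cctype != "FILE":
        return []  # keyring/memory caches need no file system path
    directory = posixpath.dirname(residual)
    entry = parse_tmpfiles(tmpfiles_text).get(directory)
    if entry is None:
        return [f"{directory} is not created by tmpfiles.d; "
                "the ccache cannot be written after a reboot"]
    findings = []
    if entry.kind not in ("d", "D"):
        findings.append(f"{directory}: tmpfiles type {entry.kind!r} is not a directory")
    if entry.user != service_user:
        findings.append(f"{directory} is owned by {entry.user}, httpd runs as {service_user}")
    if int(entry.mode, 8) & 0o077:
        findings.append(f"{directory} mode {entry.mode} is reachable by group/others; use 0700")
    return findings


if __name__ == "__main__":
    for finding in check_httpd_ccache(UNIT_TEXT, TMPFILES_TEXT) or ["OK"]:
        print(finding)
```

Run it against the real files (`/etc/systemd/system/httpd.service` and the ipa tmpfiles config) by reading them into the two text arguments; the 0700 check is what keeps the service ticket cache from being readable by other local users, which is the property the thread's tmpfiles line is meant to provide.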



Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd

2015-04-29 Thread Simo Sorce
On Wed, 2015-04-29 at 19:42 +0200, Martin Babinsky wrote:
  # NOTE: systemd specific section
 -/bin/systemctl try-restart httpd.service /dev/null 21 || :
 +/bin/systemctl try-restart ipa-httpd.service /dev/null 21 || :
  # END
  fi

Isn't this going to fail on upgrades where you want to move from
httpd.service to ipa-httpd.service ?

Simo.



[Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd

2015-04-29 Thread Martin Babinsky
The attached patch is a merge of PATCHES 0031-0032 incorporating Simo's 
and Martin's suggestions (see e.g. 
https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html 
for reference).


https://fedorahosted.org/freeipa/ticket/4973

--
Martin^3 Babinsky
From 93bbf9f3004279fae53d81d95b60b340bd77f433 Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Tue, 28 Apr 2015 16:24:02 +0200
Subject: [PATCH] provide dedicated ccache file for httpd

httpd service stores Kerberos credentials in kernel keyring which gets
destroyed and recreated during service install/upgrade, causing problems when
the process is run under SELinux context other than 'unconfined_t'. This patch
enables HTTPInstance to set up a dedicated CCache file for Apache to store
credentials.

https://fedorahosted.org/freeipa/ticket/4973
---
 freeipa.spec.in| 4 +++-
 init/systemd/ipa-httpd.service | 4 
 ipaplatform/redhat/services.py | 1 +
 3 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 init/systemd/ipa-httpd.service

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 608242b5adbc43efbbf0ae30a6d7a933bebc1084..3ccd66411808ce204b6d2b084eb44c805a59621a 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -472,6 +472,7 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
 mkdir -p %{buildroot}%{_unitdir}
 install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
 install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
+install -m 644 init/systemd/ipa-httpd.service %{buildroot}%{_unitdir}/ipa-httpd.service
 # END
 mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
 %endif # ONLY_CLIENT
@@ -560,7 +561,7 @@ fi
 python2 -c import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);  /dev/null 21
 if [  $? -eq 0 ]; then
 # NOTE: systemd specific section
-/bin/systemctl try-restart httpd.service /dev/null 21 || :
+/bin/systemctl try-restart ipa-httpd.service /dev/null 21 || :
 # END
 fi
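Review bot: `try-restart ipa-httpd.service` only restarts that unit when it is already active, so on an upgrade from a release where httpd.service was the running unit this line is a no-op and the running httpd keeps its old environment without KRB5CCNAME. The %post scriptlet should handle the transition explicitly (restart whichever of httpd.service and ipa-httpd.service is active, or stop/disable the old unit and start the new one) rather than only swapping the unit name here; otherwise both units stay enabled for the same daemon after the upgrade.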
 
@@ -691,6 +692,7 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{_unitdir}/ipa-httpd.service
 # END
 %dir %{python_sitelib}/ipaserver
 %dir %{python_sitelib}/ipaserver/install
diff --git a/init/systemd/ipa-httpd.service b/init/systemd/ipa-httpd.service
new file mode 100644
index ..ef1e6bfda06f1a1d703a174040f1f6e6ea0757c7
--- /dev/null
+++ b/init/systemd/ipa-httpd.service
@@ -0,0 +1,4 @@
+.include /usr/lib/systemd/system/httpd.service
+
+[Service]
+Environment=KRB5CCNAME=/var/run/httpd/krbcache/krb5ccache
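Review bot: nothing in the patch creates /var/run/httpd/krbcache; `Environment=KRB5CCNAME=...` only tells libkrb5 where to write the ccache, so if the directory is missing or not writable by the user httpd runs as, credential acquisition fails, and if it is writable by other accounts the cached (and delegated) credentials are readable by them. Either add a tmpfiles.d entry that creates the directory with mode 0700 owned by the httpd service user, or document which package is relied on to provide it. Separately, systemd's unit documentation recommends drop-in directories over `.include`; a drop-in such as /etc/systemd/system/httpd.service.d/ipa.conf containing just the `[Service]` / `Environment=` lines would apply the same setting to the existing httpd.service without introducing a second unit that also starts httpd.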
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index c9994e409a8a005012c0467c016608b8f689eef1..0537680bb6b3e0cb58df732e0cb390edb73795cb 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -74,6 +74,7 @@ redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
 redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
 redhat_system_units['ods-signerd'] = 'ods-signerd.service'
 redhat_system_units['ods_signerd'] = redhat_system_units['ods-signerd']
+redhat_system_units['httpd'] = 'ipa-httpd.service'
 
 
 # Service classes that implement Red Hat OS family-specific behaviour
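Review bot: after this mapping every knownservices.httpd operation on the Red Hat platform (enable, restart, is_running) acts on ipa-httpd.service, while httpd.service may still be enabled from before the upgrade; the installer or upgrader should disable httpd.service when it enables ipa-httpd.service so the two units are not both enabled for the same daemon. The change is also specific to ipaplatform/redhat: other platform backends keep plain httpd and never receive the KRB5CCNAME setting, so a platform-neutral place for the ccache location (the httpd configuration) would cover them as well.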
-- 
2.1.0


Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd

2015-04-29 Thread Jan Cholasta

Hi,

On 29.4.2015 at 19:42 Martin Babinsky wrote:

The attached patch is a merge of PATCHES 0031-0032 incorporating Simo's
and Martin's suggestions (see e.g.
https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html
for reference).

https://fedorahosted.org/freeipa/ticket/4973


IMHO we should set the environment variable in 
/etc/systemd/system/httpd.service, instead of providing a new service 
file, because we are just changing configuration, not creating a new 
concurrent httpd instance, as is the case with ipa-memcached, and also 
not using alternative httpd implementation which masks the current one, 
as is the case with bind-pkcs11. It would simplify the whole thing 
significantly and it's even recommended in httpd.service to do so:


# For example, to pass additional options (for instance, -D definitions) to the
# httpd binary at startup, you need to create a file named
# /etc/systemd/system/httpd.service containing:
#   .include /lib/systemd/system/httpd.service
#   [Service]
#   Environment=OPTIONS=-DMY_DEFINE

(BTW I wonder why /etc/sysconfig/httpd support was removed from httpd in 
Fedora 
(http://pkgs.fedoraproject.org/cgit/httpd.git/commit/?id=0b19f7b6e1a47c6167a8ab43b4a9d1e759b54721), 
it seems like a better place to customize environment variables, rather 
than having to create a modified service file...)


Anyway, I would prefer if we set it in a way that works on non-systemd 
distros as well. Can't we just set GssapiCredStore 
ccache:FILE:/var/run/httpd/krbcache/krb5ccache in 
/etc/httpd/conf.d/ipa.conf?


Honza

--
Jan Cholasta
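
The thread leaves two ways of pointing httpd at its dedicated ccache (KRB5CCNAME in a unit or override file, or a GssapiCredStore ccache:FILE:... directive in the httpd configuration, as suggested above) and the open question of who creates the krbcache directory. The following check script is an added example written for this thread; it is not FreeIPA code and not part of the patch. It extracts the ccache path from both kinds of file, confirms they agree, and verifies that the directory holding the ccache is a real directory owned by the service user with mode 0700, so that no other local account can read the cached or delegated credentials. It assumes a GNU- or busybox-style `stat -c`, an unquoted `Environment=` line, and the sample file contents in `demo` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this thread; not FreeIPA code and not part of the patch.
# Checks that the ccache configured for httpd is the same file in the unit
# override and in the httpd config, and that its directory is private to the
# user httpd runs as. Assumes GNU/busybox `stat -c` and an unquoted
# Environment= line; the files written in demo() are constructed samples.

# Print the ccache path from an "Environment=KRB5CCNAME=..." line,
# dropping an optional FILE: prefix. Empty output means it is not set.
ccache_from_unit() {
    sed -n 's/^Environment=KRB5CCNAME=\(FILE:\)\{0,1\}//p' "$1" | head -n 1
}

# Print the ccache path from a "GssapiCredStore ccache:FILE:..." directive.
ccache_from_httpd_conf() {
    sed -n 's/^[[:space:]]*GssapiCredStore[[:space:]]\{1,\}ccache:FILE:\(.*\)$/\1/p' "$1" | head -n 1
}

# check_ccache_dir DIR OWNER
# DIR must be a real directory (not a symlink), owned by OWNER, mode 0700.
# Returns 0 when every condition holds, 1 otherwise, printing each finding.
check_ccache_dir() {
    dir=$1
    owner=$2
    bad=0
    if [ -L "$dir" ]; then
        echo "FAIL: $dir is a symlink"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist (no tmpfiles.d entry creating it?)"
        return 1
    fi
    mode=$(stat -c %a "$dir")
    user=$(stat -c %U "$dir")
    if [ "$user" != "$owner" ]; then
        echo "FAIL: $dir is owned by $user, expected $owner"
        bad=1
    fi
    if [ "$mode" != "700" ]; then
        echo "FAIL: $dir has mode $mode, expected 700"
        bad=1
    fi
    if [ "$bad" -eq 0 ]; then
        echo "OK: $dir is mode 0700 and owned by $owner"
    fi
    return "$bad"
}

# check_ccache_config UNIT_FILE HTTPD_CONF OWNER
# Both files must name the same ccache, and the directory holding it must
# pass check_ccache_dir.
check_ccache_config() {
    from_unit=$(ccache_from_unit "$1")
    from_conf=$(ccache_from_httpd_conf "$2")
    if [ -z "$from_unit" ] || [ -z "$from_conf" ]; then
        echo "FAIL: ccache path is not set in both $1 and $2"
        return 1
    fi
    if [ "$from_unit" != "$from_conf" ]; then
        echo "FAIL: unit file says $from_unit but httpd config says $from_conf"
        return 1
    fi
    check_ccache_dir "$(dirname "$from_unit")" "$3"
}

# Demonstration on constructed files under a temporary directory. The
# current user stands in for the httpd service user, since this is meant
# to be run from an ordinary account.
demo() {
    t=$(mktemp -d) || return 1
    printf 'Environment=KRB5CCNAME=%s/krbcache/krb5ccache\n' "$t" > "$t/override.conf"
    printf 'GssapiCredStore ccache:FILE:%s/krbcache/krb5ccache\n' "$t" > "$t/ipa.conf"
    mkdir -m 700 "$t/krbcache"
    check_ccache_config "$t/override.conf" "$t/ipa.conf" "$(id -un)"
    r=$?
    rm -rf "$t"
    return "$r"
}

demo
```

On a real server the arguments would be the unit override (or ipa-httpd.service), /etc/httpd/conf.d/ipa.conf, and the account httpd runs as; a non-zero exit with a FAIL line tells you which of the three conditions (matching paths, existing directory, 0700 ownership) is not met.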
