Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd
On Wednesday, May 13, 2015 01:28:44 PM Martin Babinsky wrote:
> On 05/12/2015 06:47 PM, Alexander Bokovoy wrote:
>> On Tue, 12 May 2015, Petr Vobornik wrote:
>>> On 05/12/2015 11:22 AM, Alexander Bokovoy wrote:
>>>> On Tue, 12 May 2015, Martin Babinsky wrote:
>>>>>>> %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service +%attr(644,root,root) %{etc_systemd_dir}/httpd.service
>>>>>>
>>>>>> There is a minor issue: a lack of Requires: /etc/systemd/system, which
>>>>>> is needed because the /etc/systemd/system directory is owned by a
>>>>>> different package. We require systemd-units, which is provided by the
>>>>>> systemd package as well, so it is sort of mitigated by that, but it
>>>>>> would be good to be explicit in the require. And yes, you can require
>>>>>> the directory because systemd provides it:
>>>>>>
>>>>>> $ rpm -q --whatprovides /etc/systemd/system
>>>>>> systemd-219-13.fc22.x86_64
>>>>>>
>>>>>> Otherwise, ACK.
>>>>>
>>>>> Thanks for the review, Alexander, attaching updated patch.
>>>>
>>>> ACK
>>>
>>> Pushed to master: 9a1a409d63e30dcb939b672d352fc4aa7ba690fe
>>
>> We also need a tmpfiles config change because otherwise
>> /var/run/httpd/krbcache does not exist. Patch attached.
>
> ACK

I'm not sure it matters, but mod_auth_kerb already sets up
/var/run/httpd/krbcache via /lib/tmpfiles.d/httpd-krbcache.conf:

d /var/run/httpd/krbcache 0700 apache apache

-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd
On 05/12/2015 06:47 PM, Alexander Bokovoy wrote:
> On Tue, 12 May 2015, Petr Vobornik wrote:
>> On 05/12/2015 11:22 AM, Alexander Bokovoy wrote:
>>> On Tue, 12 May 2015, Martin Babinsky wrote:
>>>>>> %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service +%attr(644,root,root) %{etc_systemd_dir}/httpd.service
>>>>>
>>>>> There is a minor issue: a lack of Requires: /etc/systemd/system, which
>>>>> is needed because the /etc/systemd/system directory is owned by a
>>>>> different package. We require systemd-units, which is provided by the
>>>>> systemd package as well, so it is sort of mitigated by that, but it
>>>>> would be good to be explicit in the require. And yes, you can require
>>>>> the directory because systemd provides it:
>>>>>
>>>>> $ rpm -q --whatprovides /etc/systemd/system
>>>>> systemd-219-13.fc22.x86_64
>>>>>
>>>>> Otherwise, ACK.
>>>>
>>>> Thanks for the review, Alexander, attaching updated patch.
>>>
>>> ACK
>>
>> Pushed to master: 9a1a409d63e30dcb939b672d352fc4aa7ba690fe
>
> We also need a tmpfiles config change because otherwise
> /var/run/httpd/krbcache does not exist. Patch attached.

ACK

-- 
Martin^3 Babinsky
Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd
On Wednesday, May 13, 2015 02:58:40 PM Alexander Bokovoy wrote:
> On Wed, 13 May 2015, Anthony Messina wrote:
>> On Wednesday, May 13, 2015 01:28:44 PM Martin Babinsky wrote:
>>> On 05/12/2015 06:47 PM, Alexander Bokovoy wrote:
>>>> On Tue, 12 May 2015, Petr Vobornik wrote:
>>>>> On 05/12/2015 11:22 AM, Alexander Bokovoy wrote:
>>>>>> On Tue, 12 May 2015, Martin Babinsky wrote:
>>>>>>>>> %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service +%attr(644,root,root) %{etc_systemd_dir}/httpd.service
>>>>>>>>
>>>>>>>> There is a minor issue: a lack of Requires: /etc/systemd/system,
>>>>>>>> which is needed because the /etc/systemd/system directory is owned
>>>>>>>> by a different package. We require systemd-units, which is provided
>>>>>>>> by the systemd package as well, so it is sort of mitigated by that,
>>>>>>>> but it would be good to be explicit in the require. And yes, you can
>>>>>>>> require the directory because systemd provides it:
>>>>>>>>
>>>>>>>> $ rpm -q --whatprovides /etc/systemd/system
>>>>>>>> systemd-219-13.fc22.x86_64
>>>>>>>>
>>>>>>>> Otherwise, ACK.
>>>>>>>
>>>>>>> Thanks for the review, Alexander, attaching updated patch.
>>>>>>
>>>>>> ACK
>>>>>
>>>>> Pushed to master: 9a1a409d63e30dcb939b672d352fc4aa7ba690fe
>>>>
>>>> We also need a tmpfiles config change because otherwise
>>>> /var/run/httpd/krbcache does not exist. Patch attached.
>>>
>>> ACK
>>
>> I'm not sure it matters, but mod_auth_kerb already sets up
>> /var/run/httpd/krbcache via /lib/tmpfiles.d/httpd-krbcache.conf:
>>
>> d /var/run/httpd/krbcache 0700 apache apache
>
> We don't use mod_auth_kerb in Fedora 22 anymore, and mod_auth_gssapi
> doesn't bring the same configuration in, so installing git master will
> fail to operate due to the missing directory.

True, though mod_auth_gssapi has (at least for this user) uses beyond
FreeIPA. Perhaps Simo would be willing to include the tmpfiles.d snippet
in the upstream mod_auth_gssapi RPMs.

-A

-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd
On Wed, 13 May 2015, Anthony Messina wrote:
> On Wednesday, May 13, 2015 02:58:40 PM Alexander Bokovoy wrote:
>> On Wed, 13 May 2015, Anthony Messina wrote:
>>> On Wednesday, May 13, 2015 01:28:44 PM Martin Babinsky wrote:
>>>> On 05/12/2015 06:47 PM, Alexander Bokovoy wrote:
>>>>> On Tue, 12 May 2015, Petr Vobornik wrote:
>>>>>> On 05/12/2015 11:22 AM, Alexander Bokovoy wrote:
>>>>>>> On Tue, 12 May 2015, Martin Babinsky wrote:
>>>>>>>>>> %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service +%attr(644,root,root) %{etc_systemd_dir}/httpd.service
>>>>>>>>>
>>>>>>>>> There is a minor issue: a lack of Requires: /etc/systemd/system,
>>>>>>>>> which is needed because the /etc/systemd/system directory is owned
>>>>>>>>> by a different package. We require systemd-units, which is
>>>>>>>>> provided by the systemd package as well, so it is sort of
>>>>>>>>> mitigated by that, but it would be good to be explicit in the
>>>>>>>>> require. And yes, you can require the directory because systemd
>>>>>>>>> provides it:
>>>>>>>>>
>>>>>>>>> $ rpm -q --whatprovides /etc/systemd/system
>>>>>>>>> systemd-219-13.fc22.x86_64
>>>>>>>>>
>>>>>>>>> Otherwise, ACK.
>>>>>>>>
>>>>>>>> Thanks for the review, Alexander, attaching updated patch.
>>>>>>>
>>>>>>> ACK
>>>>>>
>>>>>> Pushed to master: 9a1a409d63e30dcb939b672d352fc4aa7ba690fe
>>>>>
>>>>> We also need a tmpfiles config change because otherwise
>>>>> /var/run/httpd/krbcache does not exist. Patch attached.
>>>>
>>>> ACK
>>>
>>> I'm not sure it matters, but mod_auth_kerb already sets up
>>> /var/run/httpd/krbcache via /lib/tmpfiles.d/httpd-krbcache.conf:
>>>
>>> d /var/run/httpd/krbcache 0700 apache apache
>>
>> We don't use mod_auth_kerb in Fedora 22 anymore, and mod_auth_gssapi
>> doesn't bring the same configuration in, so installing git master will
>> fail to operate due to the missing directory.
>
> True, though mod_auth_gssapi has (at least for this user) uses beyond
> FreeIPA. Perhaps Simo would be willing to include the tmpfiles.d snippet
> in the upstream mod_auth_gssapi RPMs.

This is configuration specific to the FreeIPA httpd service unit -- a
default httpd service unit in Fedora doesn't change the Kerberos ccache
path and therefore uses the kernel keyring for it, where any file system
path is not required.

-- 
/ Alexander Bokovoy
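An added consistency check (my own code, not FreeIPA's and not posted in this thread): it parses a unit override like the one discussed here together with a tmpfiles.d fragment, both constructed inline from the lines quoted in the thread, and reports when the directory behind KRB5CCNAME is not created or is not private to the httpd user. The function names, the default `service_user="apache"` and the handling of non-FILE ccache types are my assumptions.

```python
"""Check that an httpd unit's KRB5CCNAME has a matching tmpfiles.d entry.

Added example, not FreeIPA code. A file ccache only works if its parent
directory exists at service start (tmpfiles.d) and is readable by the
service user alone; this script checks both from the config text.
"""
import os
import shlex

# Constructed sample: the /etc/systemd/system/httpd.service override.
UNIT_OVERRIDE = """\
.include /usr/lib/systemd/system/httpd.service

[Service]
Environment=KRB5CCNAME=/var/run/httpd/krbcache/krb5ccache
"""

# Constructed sample: init/systemd/ipa.conf.tmpfiles after the tmpfiles patch.
TMPFILES_OK = """\
d /var/run/ipa_memcached 0700 apache apache
d /var/run/ipa 0700 root root
d /var/run/httpd/clientcaches 0700 apache apache
d /var/run/httpd/krbcache 0700 apache apache
"""


def parse_environment(unit_text):
    """Collect KEY=VALUE pairs from every Environment= line of a unit file.

    systemd allows several space-separated, optionally quoted assignments
    per line, so the value part is split with shell-like rules.
    """
    env = {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line.startswith("Environment="):
            continue
        for assignment in shlex.split(line[len("Environment="):]):
            key, sep, value = assignment.partition("=")
            if sep:
                env[key] = value
    return env


def ccache_file_path(ccname):
    """Return the on-disk path of a FILE ccache, or None for other types.

    KRB5CCNAME is [TYPE:]residual; a bare path means FILE. KEYRING:,
    MEMORY: and friends have no parent directory to pre-create.
    """
    ctype, sep, residual = ccname.partition(":")
    if not sep:
        return ccname
    return residual if ctype.upper() == "FILE" else None


def parse_tmpfiles(text):
    """Map directory path -> (mode, user, group) for 'd'/'D' entries."""
    dirs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] not in ("d", "D") or len(fields) < 2:
            continue
        # tmpfiles.d defaults: mode 0755, root:root; '-' selects the default.
        mode = fields[2] if len(fields) > 2 and fields[2] != "-" else "0755"
        user = fields[3] if len(fields) > 3 and fields[3] != "-" else "root"
        group = fields[4] if len(fields) > 4 and fields[4] != "-" else "root"
        dirs[fields[1]] = (mode, user, group)
    return dirs


def check_ccache_setup(unit_text, tmpfiles_text, service_user="apache"):
    """Return a list of problems; empty when unit and tmpfiles agree."""
    env = parse_environment(unit_text)
    ccname = env.get("KRB5CCNAME")
    if ccname is None:
        return ["unit sets no KRB5CCNAME; libkrb5 default (kernel keyring) applies"]
    path = ccache_file_path(ccname)
    if path is None:
        return []  # not a file ccache, nothing on disk to pre-create
    parent = os.path.dirname(path)
    entry = parse_tmpfiles(tmpfiles_text).get(parent)
    if entry is None:
        return ["no tmpfiles.d entry creates %s" % parent]
    mode, user, _group = entry
    problems = []
    if int(mode.lstrip("~"), 8) & 0o077:  # any group/other bit leaks the ccache
        problems.append("%s mode %s is not private to the service user" % (parent, mode))
    if user != service_user:
        problems.append("%s is owned by %s, httpd runs as %s" % (parent, user, service_user))
    return problems


if __name__ == "__main__":
    for line in check_ccache_setup(UNIT_OVERRIDE, TMPFILES_OK) or ["ok"]:
        print(line)
```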
Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd
On 05/12/2015 07:50 AM, Alexander Bokovoy wrote:
> On Mon, 04 May 2015, Martin Babinsky wrote:
>> On 04/30/2015 08:23 AM, Alexander Bokovoy wrote:
>>> On Thu, 30 Apr 2015, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 29.4.2015 at 19:42 Martin Babinsky wrote:
>>>>> The attached patch is a merge of PATCHES 0031-0032 incorporating
>>>>> Simo's and Martin's suggestions (see e.g.
>>>>> https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html
>>>>> for reference).
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/4973
>>>>
>>>> IMHO we should set the environment variable in
>>>> /etc/systemd/system/httpd.service, instead of providing a new service
>>>> file, because we are just changing configuration, not creating a new
>>>> concurrent httpd instance, as is the case with ipa-memcached, and
>>>> also not using an alternative httpd implementation which masks the
>>>> current one, as is the case with bind-pkcs11.
>>>>
>>>> It would simplify the whole thing significantly and it's even
>>>> recommended in httpd.service to do
>>> I agree.
>>>> so:
>>>>
>>>> # For example, to pass additional options (for instance, -D definitions) to the
>>>> # httpd binary at startup, you need to create a file named
>>>> # /etc/systemd/system/httpd.service containing:
>>>> # .include /lib/systemd/system/httpd.service
>>>> # [Service]
>>>> # Environment=OPTIONS=-DMY_DEFINE
>>>>
>>>> (BTW I wonder why /etc/sysconfig/httpd support was removed from httpd
>>>> in Fedora
>>>> (http://pkgs.fedoraproject.org/cgit/httpd.git/commit/?id=0b19f7b6e1a47c6167a8ab43b4a9d1e759b54721),
>>>> it seems like a better place to customize environment variables,
>>>> rather than having to create a modified service file...)
>>> We had a discussion with Joe Orton (httpd maintainer) a while ago and
>>> his arguments were the following:
>>>
>>>   Hi guys, we made that change to adopt what is considered best
>>>   practice for systemd. The change is not in RHEL7, only Fedora >= 20.
>>>   I would not say we are strongly wedded to that change, but the use
>>>   case you provide seems very weak.
>>>
>>>   /etc/sysconfig/httpd is intended to be user-configurable and if
>>>   users do rm -f /etc/sysconfig/httpd then Fedora packages should keep
>>>   working correctly. Can we find a more robust way to achieve the same
>>>   results? Why is it required that the environment variable is set
>>>   globally within /usr/sbin/httpd?
>>>
>>>   ...
>>>
>>>   [and later in discussion]
>>>
>>>   I'd argue that in this case you should not be using httpd.service
>>>   as-is; instead it would be correct to create an httpd-ipa.service
>>>   unit file or similar, which can .include the system httpd.service,
>>>   and sets up the appropriate Environment= (or EnvironmentFile=)
>>>   directly.
>>>
>>>   Also, if the intent is purely to change mod_auth_kerb's interaction
>>>   with libkrb5 is there no way to do this via the libkrb API - or
>>>   mod_auth_kerb's existing use thereof? The use of /etc/sysconfig/httpd
>>>   has historically been a mild PITA and I'm not seeing a compelling
>>>   reason to revert the decision to kill it here.
>>>
>>>> Anyway, I would prefer if we set it in a way that works on
>>>> non-systemd distros as well. Can't we just set
>>>>
>>>>     GssapiCredStore ccache:FILE:/var/run/httpd/krbcache/krb5ccache
>>>>
>>>> in /etc/httpd/conf.d/ipa.conf?
>>> It is not just mod_auth_gssapi, it is needed for users of the
>>> credentials obtained by mod_auth_gssapi. mod_auth_gssapi only sets the
>>> KRB5CCNAME value when there is delegation of credentials in use and
>>> there is something to delegate.
>>
>> Ok, attaching updated patches. After the discussion with Martin^1 we
>> decided to play it safe and put KRB5CCNAME into
>> /etc/systemd/system/httpd.service.
>>
>> -- 
>> Martin^3 Babinsky

From 6042f4ce093890394da4f6e625d5cc745b285c35 Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com Date: Tue, 28 Apr 2015 16:24:02 +0200 Subject: [PATCH] provide dedicated ccache file for httpd httpd service stores Kerberos credentials in kernel keyring which gets destroyed and recreated during service install/upgrade, causing problems when the process is run under SELinux context other than 'unconfined_t'. This patch enables HTTPInstance to set up a dedicated CCache file for Apache to store credentials. https://fedorahosted.org/freeipa/ticket/4973 --- freeipa.spec.in| 4 init/systemd/httpd.service | 4 2 files changed, 8 insertions(+) create mode 100644 init/systemd/httpd.service diff --git a/freeipa.spec.in b/freeipa.spec.in index 608242b5adbc43efbbf0ae30a6d7a933bebc1084..664162fe918f03049c27f70c9e7f852a11c50a8c 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -12,6 +12,7 @@ %endif %global plugin_dir %{_libdir}/dirsrv/plugins +%global etc_systemd_dir %{_sysconfdir}/systemd/system %global gettext_domain ipa %if 0%{?rhel} %global platform_module rhel @@ -470,8 +471,10 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so # NOTE: systemd specific section mkdir -p %{buildroot}%{_unitdir} +mkdir -p %{buildroot}%{etc_systemd_dir} install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service +install -m 644 init/systemd/httpd.service
Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd
On Tue, 12 May 2015, Petr Vobornik wrote:
> On 05/12/2015 11:22 AM, Alexander Bokovoy wrote:
>> On Tue, 12 May 2015, Martin Babinsky wrote:
>>>>> %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service +%attr(644,root,root) %{etc_systemd_dir}/httpd.service
>>>>
>>>> There is a minor issue: a lack of Requires: /etc/systemd/system, which
>>>> is needed because the /etc/systemd/system directory is owned by a
>>>> different package. We require systemd-units, which is provided by the
>>>> systemd package as well, so it is sort of mitigated by that, but it
>>>> would be good to be explicit in the require. And yes, you can require
>>>> the directory because systemd provides it:
>>>>
>>>> $ rpm -q --whatprovides /etc/systemd/system
>>>> systemd-219-13.fc22.x86_64
>>>>
>>>> Otherwise, ACK.
>>>
>>> Thanks for the review, Alexander, attaching updated patch.
>>
>> ACK
>
> Pushed to master: 9a1a409d63e30dcb939b672d352fc4aa7ba690fe

We also need a tmpfiles config change because otherwise
/var/run/httpd/krbcache does not exist. Patch attached.

-- 
/ Alexander Bokovoy

From b13986cf0815c6e90d313fb8a4ab5f739901222a Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 12 May 2015 16:45:01 + Subject: [PATCH] Make sure new httpd kerberos cache directory is created --- init/systemd/ipa.conf.tmpfiles | 1 + 1 file changed, 1 insertion(+) diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles index b4503cc..276a1dc 100644 --- a/init/systemd/ipa.conf.tmpfiles +++ b/init/systemd/ipa.conf.tmpfiles @@ -1,3 +1,4 @@ d /var/run/ipa_memcached 0700 apache apache d /var/run/ipa 0700 root root d /var/run/httpd/clientcaches 0700 apache apache +d /var/run/httpd/krbcache 0700 apache apache -- 2.4.0
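Review bot: the added `d /var/run/httpd/krbcache 0700 apache apache` entry has the right shape (same private mode and apache ownership as the existing clientcaches line, so the file ccache with delegated credentials is not readable by other local users), but a tmpfiles.d entry is only applied when systemd-tmpfiles runs, normally at boot; on a server that is upgraded and has httpd restarted before its next reboot the directory is still absent, which is exactly the "does not exist" failure this patch is meant to fix. The upgrade path (%post or the installer) should run `systemd-tmpfiles --create` on this config, or create the directory itself, and the commit message should say why the directory is needed (the unit now points KRB5CCNAME at a file under it).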
Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd
On Tue, 12 May 2015, Martin Babinsky wrote:
>>> %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service +%attr(644,root,root) %{etc_systemd_dir}/httpd.service
>>
>> There is a minor issue: a lack of Requires: /etc/systemd/system, which
>> is needed because the /etc/systemd/system directory is owned by a
>> different package. We require systemd-units, which is provided by the
>> systemd package as well, so it is sort of mitigated by that, but it
>> would be good to be explicit in the require. And yes, you can require
>> the directory because systemd provides it:
>>
>> $ rpm -q --whatprovides /etc/systemd/system
>> systemd-219-13.fc22.x86_64
>>
>> Otherwise, ACK.
>
> Thanks for the review, Alexander, attaching updated patch.

ACK

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd
On 05/12/2015 11:22 AM, Alexander Bokovoy wrote:
> On Tue, 12 May 2015, Martin Babinsky wrote:
>>>> %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service +%attr(644,root,root) %{etc_systemd_dir}/httpd.service
>>>
>>> There is a minor issue: a lack of Requires: /etc/systemd/system, which
>>> is needed because the /etc/systemd/system directory is owned by a
>>> different package. We require systemd-units, which is provided by the
>>> systemd package as well, so it is sort of mitigated by that, but it
>>> would be good to be explicit in the require. And yes, you can require
>>> the directory because systemd provides it:
>>>
>>> $ rpm -q --whatprovides /etc/systemd/system
>>> systemd-219-13.fc22.x86_64
>>>
>>> Otherwise, ACK.
>>
>> Thanks for the review, Alexander, attaching updated patch.
>
> ACK

Pushed to master: 9a1a409d63e30dcb939b672d352fc4aa7ba690fe

-- 
Petr Vobornik
Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd
On Mon, 04 May 2015, Martin Babinsky wrote:
> On 04/30/2015 08:23 AM, Alexander Bokovoy wrote:
>> On Thu, 30 Apr 2015, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 29.4.2015 at 19:42 Martin Babinsky wrote:
>>>> The attached patch is a merge of PATCHES 0031-0032 incorporating
>>>> Simo's and Martin's suggestions (see e.g.
>>>> https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html
>>>> for reference).
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4973
>>>
>>> IMHO we should set the environment variable in
>>> /etc/systemd/system/httpd.service, instead of providing a new service
>>> file, because we are just changing configuration, not creating a new
>>> concurrent httpd instance, as is the case with ipa-memcached, and also
>>> not using an alternative httpd implementation which masks the current
>>> one, as is the case with bind-pkcs11.
>>>
>>> It would simplify the whole thing significantly and it's even
>>> recommended in httpd.service to do
>> I agree.
>>> so:
>>>
>>> # For example, to pass additional options (for instance, -D definitions) to the
>>> # httpd binary at startup, you need to create a file named
>>> # /etc/systemd/system/httpd.service containing:
>>> # .include /lib/systemd/system/httpd.service
>>> # [Service]
>>> # Environment=OPTIONS=-DMY_DEFINE
>>>
>>> (BTW I wonder why /etc/sysconfig/httpd support was removed from httpd
>>> in Fedora
>>> (http://pkgs.fedoraproject.org/cgit/httpd.git/commit/?id=0b19f7b6e1a47c6167a8ab43b4a9d1e759b54721),
>>> it seems like a better place to customize environment variables,
>>> rather than having to create a modified service file...)
>> We had a discussion with Joe Orton (httpd maintainer) a while ago and
>> his arguments were the following:
>>
>>   Hi guys, we made that change to adopt what is considered best
>>   practice for systemd. The change is not in RHEL7, only Fedora >= 20.
>>   I would not say we are strongly wedded to that change, but the use
>>   case you provide seems very weak.
>>
>>   /etc/sysconfig/httpd is intended to be user-configurable and if
>>   users do rm -f /etc/sysconfig/httpd then Fedora packages should keep
>>   working correctly. Can we find a more robust way to achieve the same
>>   results? Why is it required that the environment variable is set
>>   globally within /usr/sbin/httpd?
>>
>>   ...
>>
>>   [and later in discussion]
>>
>>   I'd argue that in this case you should not be using httpd.service
>>   as-is; instead it would be correct to create an httpd-ipa.service
>>   unit file or similar, which can .include the system httpd.service,
>>   and sets up the appropriate Environment= (or EnvironmentFile=)
>>   directly.
>>
>>   Also, if the intent is purely to change mod_auth_kerb's interaction
>>   with libkrb5 is there no way to do this via the libkrb API - or
>>   mod_auth_kerb's existing use thereof? The use of /etc/sysconfig/httpd
>>   has historically been a mild PITA and I'm not seeing a compelling
>>   reason to revert the decision to kill it here.
>>
>>> Anyway, I would prefer if we set it in a way that works on non-systemd
>>> distros as well. Can't we just set
>>>
>>>     GssapiCredStore ccache:FILE:/var/run/httpd/krbcache/krb5ccache
>>>
>>> in /etc/httpd/conf.d/ipa.conf?
>> It is not just mod_auth_gssapi, it is needed for users of the
>> credentials obtained by mod_auth_gssapi. mod_auth_gssapi only sets the
>> KRB5CCNAME value when there is delegation of credentials in use and
>> there is something to delegate.
>
> Ok, attaching updated patches. After the discussion with Martin^1 we
> decided to play it safe and put KRB5CCNAME into
> /etc/systemd/system/httpd.service.
>
> -- 
> Martin^3 Babinsky

From 6042f4ce093890394da4f6e625d5cc745b285c35 Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com Date: Tue, 28 Apr 2015 16:24:02 +0200 Subject: [PATCH] provide dedicated ccache file for httpd httpd service stores Kerberos credentials in kernel keyring which gets destroyed and recreated during service install/upgrade, causing problems when the process is run under SELinux context other than 'unconfined_t'. This patch enables HTTPInstance to set up a dedicated CCache file for Apache to store credentials. https://fedorahosted.org/freeipa/ticket/4973 --- freeipa.spec.in| 4 init/systemd/httpd.service | 4 2 files changed, 8 insertions(+) create mode 100644 init/systemd/httpd.service diff --git a/freeipa.spec.in b/freeipa.spec.in index 608242b5adbc43efbbf0ae30a6d7a933bebc1084..664162fe918f03049c27f70c9e7f852a11c50a8c 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -12,6 +12,7 @@ %endif %global plugin_dir %{_libdir}/dirsrv/plugins +%global etc_systemd_dir %{_sysconfdir}/systemd/system %global gettext_domain ipa %if 0%{?rhel} %global platform_module rhel @@ -470,8 +471,10 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so # NOTE: systemd specific section mkdir -p %{buildroot}%{_unitdir} +mkdir -p %{buildroot}%{etc_systemd_dir} install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service +install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service # END mkdir -p
Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd
On 04/30/2015 08:23 AM, Alexander Bokovoy wrote:
> On Thu, 30 Apr 2015, Jan Cholasta wrote:
>> Hi,
>>
>> On 29.4.2015 at 19:42 Martin Babinsky wrote:
>>> The attached patch is a merge of PATCHES 0031-0032 incorporating
>>> Simo's and Martin's suggestions (see e.g.
>>> https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html
>>> for reference).
>>>
>>> https://fedorahosted.org/freeipa/ticket/4973
>>
>> IMHO we should set the environment variable in
>> /etc/systemd/system/httpd.service, instead of providing a new service
>> file, because we are just changing configuration, not creating a new
>> concurrent httpd instance, as is the case with ipa-memcached, and also
>> not using an alternative httpd implementation which masks the current
>> one, as is the case with bind-pkcs11.
>>
>> It would simplify the whole thing significantly and it's even
>> recommended in httpd.service to do
> I agree.
>> so:
>>
>> # For example, to pass additional options (for instance, -D definitions) to the
>> # httpd binary at startup, you need to create a file named
>> # /etc/systemd/system/httpd.service containing:
>> # .include /lib/systemd/system/httpd.service
>> # [Service]
>> # Environment=OPTIONS=-DMY_DEFINE
>>
>> (BTW I wonder why /etc/sysconfig/httpd support was removed from httpd
>> in Fedora
>> (http://pkgs.fedoraproject.org/cgit/httpd.git/commit/?id=0b19f7b6e1a47c6167a8ab43b4a9d1e759b54721),
>> it seems like a better place to customize environment variables,
>> rather than having to create a modified service file...)
> We had a discussion with Joe Orton (httpd maintainer) a while ago and
> his arguments were the following:
>
>   Hi guys, we made that change to adopt what is considered best
>   practice for systemd. The change is not in RHEL7, only Fedora >= 20.
>   I would not say we are strongly wedded to that change, but the use
>   case you provide seems very weak.
>
>   /etc/sysconfig/httpd is intended to be user-configurable and if
>   users do rm -f /etc/sysconfig/httpd then Fedora packages should keep
>   working correctly. Can we find a more robust way to achieve the same
>   results? Why is it required that the environment variable is set
>   globally within /usr/sbin/httpd?
>
>   ...
>
>   [and later in discussion]
>
>   I'd argue that in this case you should not be using httpd.service
>   as-is; instead it would be correct to create an httpd-ipa.service
>   unit file or similar, which can .include the system httpd.service,
>   and sets up the appropriate Environment= (or EnvironmentFile=)
>   directly.
>
>   Also, if the intent is purely to change mod_auth_kerb's interaction
>   with libkrb5 is there no way to do this via the libkrb API - or
>   mod_auth_kerb's existing use thereof? The use of /etc/sysconfig/httpd
>   has historically been a mild PITA and I'm not seeing a compelling
>   reason to revert the decision to kill it here.
>
>> Anyway, I would prefer if we set it in a way that works on non-systemd
>> distros as well. Can't we just set
>>
>>     GssapiCredStore ccache:FILE:/var/run/httpd/krbcache/krb5ccache
>>
>> in /etc/httpd/conf.d/ipa.conf?
> It is not just mod_auth_gssapi, it is needed for users of the
> credentials obtained by mod_auth_gssapi. mod_auth_gssapi only sets the
> KRB5CCNAME value when there is delegation of credentials in use and
> there is something to delegate.

Ok, attaching updated patches. After the discussion with Martin^1 we
decided to play it safe and put KRB5CCNAME into
/etc/systemd/system/httpd.service.

-- 
Martin^3 Babinsky

From 6042f4ce093890394da4f6e625d5cc745b285c35 Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com Date: Tue, 28 Apr 2015 16:24:02 +0200 Subject: [PATCH] provide dedicated ccache file for httpd httpd service stores Kerberos credentials in kernel keyring which gets destroyed and recreated during service install/upgrade, causing problems when the process is run under SELinux context other than 'unconfined_t'. This patch enables HTTPInstance to set up a dedicated CCache file for Apache to store credentials. https://fedorahosted.org/freeipa/ticket/4973 --- freeipa.spec.in| 4 init/systemd/httpd.service | 4 2 files changed, 8 insertions(+) create mode 100644 init/systemd/httpd.service diff --git a/freeipa.spec.in b/freeipa.spec.in index 608242b5adbc43efbbf0ae30a6d7a933bebc1084..664162fe918f03049c27f70c9e7f852a11c50a8c 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -12,6 +12,7 @@ %endif %global plugin_dir %{_libdir}/dirsrv/plugins +%global etc_systemd_dir %{_sysconfdir}/systemd/system %global gettext_domain ipa %if 0%{?rhel} %global platform_module rhel @@ -470,8 +471,10 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so # NOTE: systemd specific section mkdir -p %{buildroot}%{_unitdir} +mkdir -p %{buildroot}%{etc_systemd_dir} install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service +install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service # END mkdir -p
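Review bot: the %install hunk's `mkdir -p %{buildroot}%{etc_systemd_dir}` followed by `install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service` ships a packaged unit into /etc/systemd/system, a directory owned by the systemd package, so the spec needs an explicit `Requires: /etc/systemd/system` (or systemd) instead of relying on the indirect systemd-units dependency, and the %files list must name only the unit file, never the directory, so that freeipa does not take ownership of /etc/systemd/system. Since that path is also where an administrator would keep a local httpd.service override, the commit message should state that the packaged file replaces any such override and that the %global etc_systemd_dir macro resolves to %{_sysconfdir}/systemd/system on purpose.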
Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd
On Thu, 30 Apr 2015, Jan Cholasta wrote:
> Hi,
>
> On 29.4.2015 at 19:42 Martin Babinsky wrote:
>> The attached patch is a merge of PATCHES 0031-0032 incorporating Simo's
>> and Martin's suggestions (see e.g.
>> https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html
>> for reference).
>>
>> https://fedorahosted.org/freeipa/ticket/4973
>
> IMHO we should set the environment variable in
> /etc/systemd/system/httpd.service, instead of providing a new service
> file, because we are just changing configuration, not creating a new
> concurrent httpd instance, as is the case with ipa-memcached, and also
> not using an alternative httpd implementation which masks the current
> one, as is the case with bind-pkcs11.
>
> It would simplify the whole thing significantly and it's even
> recommended in httpd.service to do
I agree.
> so:
>
> # For example, to pass additional options (for instance, -D definitions) to the
> # httpd binary at startup, you need to create a file named
> # /etc/systemd/system/httpd.service containing:
> # .include /lib/systemd/system/httpd.service
> # [Service]
> # Environment=OPTIONS=-DMY_DEFINE
>
> (BTW I wonder why /etc/sysconfig/httpd support was removed from httpd in
> Fedora
> (http://pkgs.fedoraproject.org/cgit/httpd.git/commit/?id=0b19f7b6e1a47c6167a8ab43b4a9d1e759b54721),
> it seems like a better place to customize environment variables, rather
> than having to create a modified service file...)
We had a discussion with Joe Orton (httpd maintainer) a while ago and
his arguments were the following:

  Hi guys, we made that change to adopt what is considered best practice
  for systemd. The change is not in RHEL7, only Fedora >= 20. I would
  not say we are strongly wedded to that change, but the use case you
  provide seems very weak.

  /etc/sysconfig/httpd is intended to be user-configurable and if users
  do rm -f /etc/sysconfig/httpd then Fedora packages should keep working
  correctly. Can we find a more robust way to achieve the same results?
  Why is it required that the environment variable is set globally
  within /usr/sbin/httpd?

  ...

  [and later in discussion]

  I'd argue that in this case you should not be using httpd.service
  as-is; instead it would be correct to create an httpd-ipa.service
  unit file or similar, which can .include the system httpd.service,
  and sets up the appropriate Environment= (or EnvironmentFile=)
  directly.

  Also, if the intent is purely to change mod_auth_kerb's interaction
  with libkrb5 is there no way to do this via the libkrb API - or
  mod_auth_kerb's existing use thereof? The use of /etc/sysconfig/httpd
  has historically been a mild PITA and I'm not seeing a compelling
  reason to revert the decision to kill it here.

> Anyway, I would prefer if we set it in a way that works on non-systemd
> distros as well. Can't we just set
>
>     GssapiCredStore ccache:FILE:/var/run/httpd/krbcache/krb5ccache
>
> in /etc/httpd/conf.d/ipa.conf?
It is not just mod_auth_gssapi, it is needed for users of the
credentials obtained by mod_auth_gssapi. mod_auth_gssapi only sets the
KRB5CCNAME value when there is delegation of credentials in use and
there is something to delegate.

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd
On Wed, 2015-04-29 at 19:42 +0200, Martin Babinsky wrote:
> # NOTE: systemd specific section -/bin/systemctl try-restart httpd.service /dev/null 21 || : +/bin/systemctl try-restart ipa-httpd.service /dev/null 21 || : # END fi

Isn't this going to fail on upgrades where you want to move from
httpd.service to ipa-httpd.service?

Simo.
[Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd
The attached patch is a merge of PATCHES 0031-0032 incorporating Simo's
and Martin's suggestions (see e.g.
https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html
for reference).

https://fedorahosted.org/freeipa/ticket/4973

-- 
Martin^3 Babinsky

From 93bbf9f3004279fae53d81d95b60b340bd77f433 Mon Sep 17 00:00:00 2001 From: Martin Babinsky mbabi...@redhat.com Date: Tue, 28 Apr 2015 16:24:02 +0200 Subject: [PATCH] provide dedicated ccache file for httpd httpd service stores Kerberos credentials in kernel keyring which gets destroyed and recreated during service install/upgrade, causing problems when the process is run under SELinux context other than 'unconfined_t'. This patch enables HTTPInstance to set up a dedicated CCache file for Apache to store credentials. https://fedorahosted.org/freeipa/ticket/4973 --- freeipa.spec.in| 4 +++- init/systemd/ipa-httpd.service | 4 ipaplatform/redhat/services.py | 1 + 3 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 init/systemd/ipa-httpd.service diff --git a/freeipa.spec.in b/freeipa.spec.in index 608242b5adbc43efbbf0ae30a6d7a933bebc1084..3ccd66411808ce204b6d2b084eb44c805a59621a 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -472,6 +472,7 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so mkdir -p %{buildroot}%{_unitdir} install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service +install -m 644 init/systemd/ipa-httpd.service %{buildroot}%{_unitdir}/ipa-httpd.service # END mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup %endif # ONLY_CLIENT 
@@ -560,7 +561,7 @@ fi python2 -c import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1); /dev/null 21 if [ $? -eq 0 ]; then # NOTE: systemd specific section -/bin/systemctl try-restart httpd.service /dev/null 21 || : +/bin/systemctl try-restart ipa-httpd.service /dev/null 21 || : # END fi @@ -691,6 +692,7 @@ fi %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service +%attr(644,root,root) %{_unitdir}/ipa-httpd.service # END %dir %{python_sitelib}/ipaserver %dir %{python_sitelib}/ipaserver/install diff --git a/init/systemd/ipa-httpd.service b/init/systemd/ipa-httpd.service new file mode 100644 index ..ef1e6bfda06f1a1d703a174040f1f6e6ea0757c7 --- /dev/null +++ b/init/systemd/ipa-httpd.service @@ -0,0 +1,4 @@ +.include /usr/lib/systemd/system/httpd.service + +[Service] +Environment=KRB5CCNAME=/var/run/httpd/krbcache/krb5ccache diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py index c9994e409a8a005012c0467c016608b8f689eef1..0537680bb6b3e0cb58df732e0cb390edb73795cb 100644 --- a/ipaplatform/redhat/services.py +++ b/ipaplatform/redhat/services.py @@ -74,6 +74,7 @@ redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service' redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd'] redhat_system_units['ods-signerd'] = 'ods-signerd.service' redhat_system_units['ods_signerd'] = redhat_system_units['ods-signerd'] +redhat_system_units['httpd'] = 'ipa-httpd.service' # Service classes that implement Red Hat OS family-specific behaviour -- 2.1.0
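Review bot: the %post hunk that turns `-/bin/systemctl try-restart httpd.service` into `+/bin/systemctl try-restart ipa-httpd.service` breaks the upgrade path: on a server upgraded from a release that ran httpd.service, ipa-httpd.service is not active yet, so try-restart is a no-op and the running httpd keeps the old keyring ccache until someone switches units by hand. The %post should handle the transition explicitly (stop httpd.service and start ipa-httpd.service when IPA is configured, or keep restarting httpd.service as well), and the commit message should say that the unit name changes for existing installs.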
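Review bot: the new init/systemd/ipa-httpd.service sets `+Environment=KRB5CCNAME=/var/run/httpd/krbcache/krb5ccache`, but nothing in this patch creates /var/run/httpd/krbcache, and /var/run is cleared on every boot, so httpd will fail to write its ccache after a reboot; a tmpfiles.d entry for that directory, mode 0700 and owned by apache so the delegated credentials stay private to the service user, belongs in the same change (the rest of the thread adds it separately). The `.include /usr/lib/systemd/system/httpd.service` line should also get a comment explaining why a second unit rather than an override of httpd.service is used, since the stock unit's own comment recommends the override form.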
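Review bot: `+redhat_system_units['httpd'] = 'ipa-httpd.service'` makes every start/stop/restart the installer issues for 'httpd' target the new unit while the stock httpd.service stays installed and startable, so an administrator's `systemctl start httpd.service` launches the same daemon without KRB5CCNAME and, if ipa-httpd.service is already running, contends for the same listening ports. If the second unit is kept, the installer should disable httpd.service and the unit file should document the relationship; otherwise overriding httpd.service itself, as proposed later in the thread, avoids the duplicate unit entirely.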
Re: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd
Hi,

On 29.4.2015 at 19:42 Martin Babinsky wrote:
> The attached patch is a merge of PATCHES 0031-0032 incorporating Simo's
> and Martin's suggestions (see e.g.
> https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html
> for reference).
>
> https://fedorahosted.org/freeipa/ticket/4973

IMHO we should set the environment variable in
/etc/systemd/system/httpd.service, instead of providing a new service
file, because we are just changing configuration, not creating a new
concurrent httpd instance, as is the case with ipa-memcached, and also
not using an alternative httpd implementation which masks the current
one, as is the case with bind-pkcs11.

It would simplify the whole thing significantly and it's even
recommended in httpd.service to do so:

# For example, to pass additional options (for instance, -D definitions) to the
# httpd binary at startup, you need to create a file named
# /etc/systemd/system/httpd.service containing:
# .include /lib/systemd/system/httpd.service
# [Service]
# Environment=OPTIONS=-DMY_DEFINE

(BTW I wonder why /etc/sysconfig/httpd support was removed from httpd in
Fedora
(http://pkgs.fedoraproject.org/cgit/httpd.git/commit/?id=0b19f7b6e1a47c6167a8ab43b4a9d1e759b54721),
it seems like a better place to customize environment variables, rather
than having to create a modified service file...)

Anyway, I would prefer if we set it in a way that works on non-systemd
distros as well. Can't we just set

    GssapiCredStore ccache:FILE:/var/run/httpd/krbcache/krb5ccache

in /etc/httpd/conf.d/ipa.conf?

Honza

-- 
Jan Cholasta