URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop
martbab commented:
"""
@pvoborni should the fix go also into 4-4 branch? see
https://fedorahosted.org/freeipa/ticket/6673#comment:3
"""
martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/b8f304c66994ae82ea484a4e8bd057d4ccf1e6bd
"""
martbab commented:
"""
I have also noticed that the ccache is not created there, strange. However I
think it is better to explicitly specify file-based ccache anyway just to be
one the
simo5 commented:
"""
Uhm I just tried setting KRB5CCNAME=/tmp/krb5_httpd in my install and ... I
found out we do not actually generate an httpd ccache, so why are we trying to
destroy the
simo5 commented:
"""
I guess we can simply set KRB5CCNAME=/tmp/krb5_httpd in the unit file and we
should be ok then.
@martbab or @mbasti, can you try that?
If it solves your scenario we
tiran commented:
"""
That's my point. Why is the ccache file not stored in `PrivateTmp`? The
ccache can be removed at any time. It doesn't have to be retained.
`PrivateTmp` solves
abbra commented:
"""
@tiran we do use PrivateTmp already. This is not about PrivateTmp, though,
because we don't store credentials caches in a private tmp.
"""
tiran commented:
"""
How about we use systemd PrivateTmp for temporary files? It is not only more
secure but it also automatically removes all temporary files when the service
is stopped:
abbra commented:
"""
Yes, when namespaced /tmp is used, the unit file does not have any view into that.
"""
martbab commented:
"""
Could we just keep the post command as "kdestroy -c {apache_ccache_path}"?
Or is everything chrooted into name-spaced /tmp and we can not access the
ccache file
simo5 commented:
"""
If you request a new keytab you should clean up the ccache?
If we have a way to run the post exec command as the right user and with the
right /tmp (httpd unit file
MartinBasti commented:
"""
how about @martbab comment?
https://github.com/freeipa/freeipa/pull/468#issuecomment-280056786
> However the restore use-case is not the only one which can
simo5 commented:
"""
If this is about backup/restore, add a kdestroy ccache in the restore scripts,
making sure it su - apache first
"""
MartinBasti commented:
"""
@simo5 any ideas how this should be fixed? We cannot push this patch without
additional fix of removing outdated ccache because it will cause permanent fail
of
simo5 commented:
"""
@MartinBasti the unit files are the wrong place to destroy ccaches, especially
given they run as a different user (root) and may not have access to destroy
stuff when
MartinBasti commented:
"""
@pvoborni this is the way it is tested by QA, so that's why I added this
kind of test to upstream. I disagree that `b)` is not supported. It is just
martbab commented:
"""
@rcritten I apologize for sounding rude. I misread your comment and interpreted
it differently than intended.
That said, if the restore to a running IPA server is
pvoborni commented:
"""
And AFAIK b) is not supported. @martbab , does something indicate otherwise?
"""
tiran commented:
"""
I'm with @rcritten .
If we need to clean up / remove some files during a restore, then these
clean-ups should be handled by `ipa-restore`. The service files are
rcritten commented:
"""
Rudeness is not necessary.
You said:
"As to why a) we backup Kerberos keys, and b) support restoring into running
IPA server that is beyond me."
The reason for a)
martbab commented:
"""
And indeed I can reproduce the original failure reported in
https://fedorahosted.org/freeipa/ticket/5296 with this PR.
If I manually remove apache ccache (kdestroy
martbab commented:
"""
@rcritten can you please re-read my comment very slowly? I wrote that we *do*
backup keytabs.
"""
rcritten commented:
"""
If you don't backup the keytab then how do you expect to bring the server back
up? Fetch new keys for all services?
Full restore is very clearly documented as a
tiran commented:
"""
Why do we back up ccache in the first place?
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/468#issuecomment-280040752
martbab commented:
"""
We do not backup ccache, we back up apache keytab.
During restore into installer server we back up old Kerberos keys, but without
any mechanism to purge the new
martbab commented:
"""
I would rather keep `kdestroy` there, but only really purge the apache ccache
explicitly:
```diff
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
```