Re: [Freeipa-devel] [PATCH] 448-449 Switch httpd to use default CCACHE

2014-01-22 Thread Petr Viktorin

On 01/21/2014 05:12 PM, Martin Kosek wrote:

On 01/21/2014 03:07 PM, Petr Viktorin wrote:

On 01/16/2014 02:16 PM, Martin Kosek wrote:

[freeipa-mkosek-448-add-runas-option-to-run-function.patch]:

Run function can now run the specified command as a different user by
setting the EUID and EGID for the executed process.


Please add the new argument to the docstring, otherwise ACK


[freeipa-mkosek-449-switch-httpd-to-use-default-ccache.patch]:

Stock httpd no longer uses the systemd EnvironmentFile option, which makes
FreeIPA's KRB5CCNAME setting ineffective. This can lead to hard-to-debug
problems during subsequent ipa-server-install runs, where HTTP may use a
stale CCACHE in the default kernel keyring CCACHE.

Avoid forcing a custom CCACHE and switch to the system one; just make sure
that it is properly cleaned by kdestroy run as the apache user during the
FreeIPA server installation process.

https://fedorahosted.org/freeipa/ticket/4084


This does not fix the issue for me.
On a fresh f20 machine, I installed the server, uninstalled it, and installed
again. The second installation failed with the ipa-client-install error
described in the ticket.



On your VM, I saw the method I use for running a command as a different process
was indeed not effective. I had to change both the effective and real UID/GID to
make the kdestroy function work.

I also added the missing docstrings in 448, both for runas as well as other
missing options.


Great, thank you! ACK, fixed a typo in the docstring and pushed to 
master: f49c26db2c38e5b60a6be990b95c2926ecfa6247


For the record, this problem appeared in an install-uninstall-install 
cycle with no reboot. It's unlikely to appear in the wild, but happens 
all the time in CI and on some developers' workflows.


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
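
A worked illustration of the approach the thread settles on (run a command, in FreeIPA's case `kdestroy`, as the apache user with both real and effective UID and GID changed, not just the effective ones), added here as an example and not code from the patch or from FreeIPA. It also scrubs an inherited KRB5CCNAME from the child's environment, since a value pointing at the installer's own cache would make kdestroy act on root's credentials instead of the target user's default cache. The helper names (identity_for, make_preexec, child_env, run_as, call_order), the use of `nobody` in the demo and the injectable `syscalls` object used to check the call order without root are my assumptions.

```python
import os
import pwd
import subprocess


def identity_for(user):
    """Resolve a user name to (uid, primary gid, all gids).

    pwd.getpwnam raises KeyError for an unknown user; turn that into an
    error that names the user so installer logs are readable.
    """
    try:
        pent = pwd.getpwnam(user)
    except KeyError:
        raise ValueError("cannot run command: unknown user %r" % (user,))
    groups = os.getgrouplist(user, pent.pw_gid)
    return pent.pw_uid, pent.pw_gid, groups


def make_preexec(uid, gid, groups, syscalls=os):
    """Build the function Popen runs in the child between fork() and exec().

    Order matters: the group list and GID are set while the child is still
    root, because after setuid() to an unprivileged UID it can no longer
    change its group identity.  setgid()/setuid() (not setegid()/seteuid())
    change real, effective and saved IDs together, so the child cannot
    regain root, and anything keyed on the real UID (such as a per-UID
    kernel keyring credential cache) sees the target user.  `syscalls` is
    injectable only so the sequence can be checked without root (assumption
    for this example, not something the patch does).
    """
    def preexec():
        syscalls.setgroups(groups)
        syscalls.setgid(gid)
        syscalls.setuid(uid)
    return preexec


def child_env(base=None, drop=("KRB5CCNAME",)):
    """Copy the environment for the child minus variables that would make it
    act on the parent's credentials.  A KRB5CCNAME inherited from the
    installer would point kdestroy at root's cache, not the target user's."""
    env = dict(os.environ if base is None else base)
    for name in drop:
        env.pop(name, None)
    return env


def run_as(args, user, env=None):
    """Run args as `user`; returns (stdout, stderr, returncode).  Needs root."""
    uid, gid, groups = identity_for(user)
    proc = subprocess.Popen(
        args,
        preexec_fn=make_preexec(uid, gid, groups),
        env=child_env(env),
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )
    out, err = proc.communicate()
    return out.decode(), err.decode(), proc.returncode


class _CallRecorder:
    """Stand-in for `os` that records which ID-changing calls were made."""

    def __init__(self):
        self.calls = []

    def setgroups(self, groups):
        self.calls.append(("setgroups", tuple(groups)))

    def setgid(self, gid):
        self.calls.append(("setgid", gid))

    def setuid(self, uid):
        self.calls.append(("setuid", uid))


def call_order(uid, gid, groups):
    """Return the ID-changing calls preexec would make, without making them."""
    rec = _CallRecorder()
    make_preexec(uid, gid, groups, syscalls=rec)()
    return rec.calls


if __name__ == "__main__":
    # Constructed demo: the child reports its real UID, effective UID and
    # groups.  Only meaningful as root; an unprivileged process cannot
    # switch identity, so we just show the call sequence instead.
    if os.geteuid() == 0:
        out, err, rc = run_as(["sh", "-c", "id -ru; id -u; id -G"], "nobody")
        print(out, err, rc)
    else:
        print("not root; call order would be:", call_order(99, 99, [99]))
```

In the thread's setting the call would be `run_as(["kdestroy", "-A"], "apache")` from the installer running as root. Setting only the effective IDs (as the first version of patch 448 did) leaves the real UID at 0, which is why the kdestroy did not touch apache's default cache.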


Re: [Freeipa-devel] [PATCH] 448-449 Switch httpd to use default CCACHE

2014-01-21 Thread Petr Viktorin

On 01/16/2014 02:16 PM, Martin Kosek wrote:

[freeipa-mkosek-448-add-runas-option-to-run-function.patch]:

Run function can now run the specified command as a different user by
setting the EUID and EGID for the executed process.


Please add the new argument to the docstring, otherwise ACK


[freeipa-mkosek-449-switch-httpd-to-use-default-ccache.patch]:

Stock httpd no longer uses the systemd EnvironmentFile option, which makes
FreeIPA's KRB5CCNAME setting ineffective. This can lead to hard-to-debug
problems during subsequent ipa-server-install runs, where HTTP may use a
stale CCACHE in the default kernel keyring CCACHE.

Avoid forcing a custom CCACHE and switch to the system one; just make sure
that it is properly cleaned by kdestroy run as the apache user during the
FreeIPA server installation process.

https://fedorahosted.org/freeipa/ticket/4084


This does not fix the issue for me.
On a fresh f20 machine, I installed the server, uninstalled it, and 
installed again. The second installation failed with the 
ipa-client-install error described in the ticket.


--
Petr³



Re: [Freeipa-devel] [PATCH] 448-449 Switch httpd to use default CCACHE

2014-01-21 Thread Martin Kosek
On 01/21/2014 03:07 PM, Petr Viktorin wrote:
 On 01/16/2014 02:16 PM, Martin Kosek wrote:
 [freeipa-mkosek-448-add-runas-option-to-run-function.patch]:

 Run function can now run the specified command as a different user by
 setting the EUID and EGID for the executed process.
 
 Please add the new argument to the docstring, otherwise ACK
 
 [freeipa-mkosek-449-switch-httpd-to-use-default-ccache.patch]:

 Stock httpd no longer uses the systemd EnvironmentFile option, which makes
 FreeIPA's KRB5CCNAME setting ineffective. This can lead to hard-to-debug
 problems during subsequent ipa-server-install runs, where HTTP may use a
 stale CCACHE in the default kernel keyring CCACHE.

 Avoid forcing a custom CCACHE and switch to the system one; just make sure
 that it is properly cleaned by kdestroy run as the apache user during the
 FreeIPA server installation process.

 https://fedorahosted.org/freeipa/ticket/4084
 
 This does not fix the issue for me.
 On a fresh f20 machine, I installed the server, uninstalled it, and installed
 again. The second installation failed with the ipa-client-install error
 described in the ticket.
 

On your VM, I saw the method I use for running a command as a different process
was indeed not effective. I had to change both the effective and real UID/GID to
make the kdestroy function work.

I also added the missing docstrings in 448, both for runas as well as other
missing options.

Martin
From 3b6683c7a3da885350542157aae2afa0b3cdd37e Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 16 Jan 2014 14:10:42 +0100
Subject: [PATCH 1/2] Add runas option to run function

Run function can now run the specified command as a different user by
setting both the real and effective UID and GID for the executed process.

Add both the missing run function attribute doc strings as well as
a doc string for the runas attribute.
---
 ipapython/ipautil.py | 59 +---
 1 file changed, 38 insertions(+), 21 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index a25dc358b9ddf9681925491ec1c4cd2de03d6b00..4ed32a6ad25daab2a606556cc0f532918abbfec1 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -42,6 +42,7 @@
 import netaddr
 import time
 import krbV
+import pwd
 from dns import resolver, rdatatype
 from dns.exception import DNSException
 
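Review bot: `import pwd` is a standard-library module but is placed among the third-party imports (netaddr, krbV); move it up with the other stdlib imports. Also, the commit message says the child's real and effective UID and GID are changed, which needs `os`; this hunk only adds `pwd`, so confirm `os` is already imported in this module.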
@@ -246,29 +247,35 @@ def shell_quote(string):
 return ' + string.replace(', '\\'') + '
 
 def run(args, stdin=None, raiseonerr=True,
-nolog=(), env=None, capture_output=True, skip_output=False, cwd=None):
+nolog=(), env=None, capture_output=True, skip_output=False, cwd=None,
+runas=None):
 
 Execute a command and return stdin, stdout and the process return code.
 
-args is a list of arguments for the command
-
-stdin is used if you want to pass input to the command
-
-raiseonerr raises an exception if the return code is not zero
-
-nolog is a tuple of strings that shouldn't be logged, like passwords.
-Each tuple consists of a string to be replaced by .
-
-For example, the command ['/usr/bin/setpasswd', '--password', 'Secret123', 'someuser']
-
-We don't want to log the password so nolog would be set to:
-('Secret123',)
-
-The resulting log output would be:
-
-/usr/bin/setpasswd --password  someuser
-
-If an value isn't found in the list it is silently ignored.
+:param args: List of arguments for the command
+:param stdin: Optional input to the command
+:param: raiseonerr: If True, raises an exception if the return code is
+not zero
+:param nolog: Tuple of strings that shouldn't be logged, like passwords.
+Each tuple consists of a string to be replaced by .
+
+Example:
+We have a command
+['/usr/bin/setpasswd', '--password', 'Secret123', 'someuser']
+and we don't want to log the password so nolog would be set to:
+('Secret123',)
+The resulting log output would be:
+
+/usr/bin/setpasswd --password  someuser
+
+If an value isn't found in the list it is silently ignored.
+:param env: Dictionary of environment variables passed to the command.
+When None, current environment is copied
+:param capture_output: Capture stderr and stdout
+:param skip_output: Redirect the output to /dev/null and do not capture it
+:param cwd: Current working directory
+:param runas: Name of a user that the command shold be run as. The spawned
+process will have both real and effective UID and GID set.
 
 p_in = None
 p_out = None
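Review bot: several wording problems in the new docstring: ":param: raiseonerr:" has a stray colon (should be ":param raiseonerr:"), "shold" should be "should", and "If an value" should be "If a value". The summary line above still says the function returns "stdin, stdout and the process return code"; a function cannot return its stdin, so fix that while the docstring is being rewritten. For `runas`, say that the GID used is the user's primary group from the passwd entry, whether supplementary groups are initialised, and that the option only works when the caller is root, since a non-root installer cannot switch identity.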
@@ -298,9 +305,19 @@ def run(args, stdin=None, raiseonerr=True,
 root_logger.debug('Starting external process')
 root_logger.debug('args=%s' % arg_string)
 
+preexec_fn = None
+if runas is not None:
+pent = pwd.getpwnam(runas)
+root_logger.debug('runas=%s (UID %d, GID %s)', runas,
+pent.pw_uid, pent.pw_gid)
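Review bot: pwd.getpwnam raises KeyError for an unknown user, which surfaces from run() as an unrelated-looking traceback; catch it and raise an error that names the user. The debug line formats the UID with %d but the GID with %s; use %d for both. When the ID-changing calls are added to preexec_fn, call setgid (and os.initgroups if supplementary groups matter) before setuid: once the real UID is the unprivileged user the process can no longer change its group. Keep preexec_fn limited to those calls; it runs in the child between fork and exec, and Python documents it as unsafe in multithreaded programs.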