Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer

2016-04-22 Thread Martin Basti



On 22.04.2016 10:17, Stanislav Laznicka wrote:

On 04/22/2016 10:08 AM, Martin Basti wrote:



On 21.04.2016 22:55, Timo Aaltonen wrote:

21.04.2016, 20:50, Martin Basti wrote:


On 21.04.2016 19:28, Stanislav Laznicka wrote:

On 04/21/2016 11:19 AM, Martin Basti wrote:


On 20.04.2016 17:27, Martin Basti wrote:


On 24.03.2016 14:27, Martin Basti wrote:


On 24.03.2016 13:55, Jan Cholasta wrote:

On 18.3.2016 23:27, Timo Aaltonen wrote:

On 17.03.2016 18:36, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5681

would be nicer if ipa-httpd.conf was a template with the current
hardcoded values replaced with platform paths..

+1, I would also prefer if the file was renamed to
init/systemd/httpd.conf rather than install/share/ipa-httpd.conf.

ipa-httpd.conf.template should be in /user/share/ipa, directory
init/systemd copied only to rpm and then copied to
/etc/systemd/system AFAIK



not relevant to this patch, but there are others candidates for
templates like:

daemons/dnssec/ipa-dnskeysyncd.service
daemons/dnssec/ipa-ods-exporter.service
install/conf/ipa.conf

Updated patch attached, sorry for delay.



Updated patch attached (fixed unused import).



Seems to work as expected. However, wouldn't it be better to use
installutils.remove_file instead of remove_httpd_service_ipa_conf (or
at least log the possible error during os.unlink) to get the same
behavior as with the other config files?

It could be, but because I created platform specific method for adding
httpd service config, it seems natural to me to create inverse operation
platform specific too.
I have no strong opinion about this, Timo what might be better, you use
platform specific code more than we? :)

Well, with this patch in I'd just reuse the methods from
RedHatTaskNamespace() just like some others are being used right now.
Systemd is all I support anyway.




Updated patch attached, missing log added


Thanks, jolly good. ACK.


Pushed to master:
* 586fee293f42388510fa5436af19460bbe1fdec5 Configure httpd service from 
installer instead of directly from RPM


--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
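
The install and uninstall steps this thread settles on (render the drop-in from a template, remove it again and log a failing os.unlink), as an added Python example; it is not the FreeIPA code from the patch. The function names are hypothetical, and the substituted values are assumed to be the ones hardcoded in the removed httpd.service.

```python
"""Added illustration: render, install and remove a systemd drop-in."""
import errno
import logging
import os
import string
import tempfile

logger = logging.getLogger("httpd_dropin_example")

# Text of install/share/ipa-httpd.conf.template as it appears in the patch.
TEMPLATE = """\
# Do not edit. Created by IPA installer.

[Service]
Environment=KRB5CCNAME=$KRB5CC_HTTPD
Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG
ExecStartPre=$IPA_HTTPD_KDCPROXY
ExecStopPost=$POST
"""

# Assumption: the values hardcoded in the removed init/systemd/httpd.service.
VALUES = {
    "KRB5CC_HTTPD": "/var/run/httpd/ipa/krbcache/krb5ccache",
    "KDCPROXY_CONFIG": "/etc/ipa/kdcproxy/kdcproxy.conf",
    "IPA_HTTPD_KDCPROXY": "/usr/libexec/ipa/ipa-httpd-kdcproxy",
    "POST": "-/usr/bin/kdestroy -A",
}


def render_dropin(values):
    """Fill the template; refuse missing keys and multi-line values."""
    for key, value in values.items():
        # A line break inside a value would add an extra directive to the unit.
        if "\n" in value or "\r" in value:
            raise ValueError("line break in value for %s" % key)
    # substitute() raises KeyError on a missing key; safe_substitute() would
    # instead leave a literal "$NAME" in ExecStartPre or ExecStopPost.
    return string.Template(TEMPLATE).substitute(values)


def install_dropin(path, values):
    """Write the rendered config to `path` with mode 0644, atomically."""
    content = render_dropin(values)
    directory = os.path.dirname(path)
    os.makedirs(directory, mode=0o755, exist_ok=True)
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".ipa.conf.")
    try:
        with os.fdopen(fd, "w") as tmp_file:
            tmp_file.write(content)
        os.chmod(tmp_path, 0o644)   # mkstemp creates the file as 0600
        os.replace(tmp_path, path)  # rename inside one directory
    except Exception:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return content


def remove_dropin(path):
    """Remove the config; return "removed", "absent" or "error"."""
    try:
        os.unlink(path)
    except OSError as e:
        if e.errno == errno.ENOENT:
            return "absent"  # nothing to clean up, not worth an error
        # Any other failure is logged so uninstall leaves a trace of it.
        logger.error("Failed to remove %s: %s", path, e)
        return "error"
    return "removed"


if __name__ == "__main__":
    # Constructed demo in a temporary directory, not under /etc.
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "httpd.d", "ipa.conf")
        print(install_dropin(conf, VALUES))
        print(remove_dropin(conf))
```

On a real host, systemd only notices a written or removed fragment after `systemctl daemon-reload`.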


Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer

2016-04-22 Thread Stanislav Laznicka

On 04/22/2016 10:08 AM, Martin Basti wrote:



On 21.04.2016 22:55, Timo Aaltonen wrote:

21.04.2016, 20:50, Martin Basti wrote:


On 21.04.2016 19:28, Stanislav Laznicka wrote:

On 04/21/2016 11:19 AM, Martin Basti wrote:


On 20.04.2016 17:27, Martin Basti wrote:


On 24.03.2016 14:27, Martin Basti wrote:


On 24.03.2016 13:55, Jan Cholasta wrote:

On 18.3.2016 23:27, Timo Aaltonen wrote:

On 17.03.2016 18:36, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5681

would be nicer if ipa-httpd.conf was a template with the current
hardcoded values replaced with platform paths..

+1, I would also prefer if the file was renamed to
init/systemd/httpd.conf rather than install/share/ipa-httpd.conf.

ipa-httpd.conf.template should be in /user/share/ipa, directory
init/systemd copied only to rpm and then copied to
/etc/systemd/system AFAIK



not relevant to this patch, but there are others candidates for
templates like:

daemons/dnssec/ipa-dnskeysyncd.service
daemons/dnssec/ipa-ods-exporter.service
install/conf/ipa.conf

Updated patch attached, sorry for delay.



Updated patch attached (fixed unused import).



Seems to work as expected. However, wouldn't it be better to use
installutils.remove_file instead of remove_httpd_service_ipa_conf (or
at least log the possible error during os.unlink) to get the same
behavior as with the other config files?

It could be, but because I created platform specific method for adding
httpd service config, it seems natural to me to create inverse operation
platform specific too.
I have no strong opinion about this, Timo what might be better, you use
platform specific code more than we? :)

Well, with this patch in I'd just reuse the methods from
RedHatTaskNamespace() just like some others are being used right now.
Systemd is all I support anyway.




Updated patch attached, missing log added


Thanks, jolly good. ACK.



Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer

2016-04-22 Thread Martin Basti



On 21.04.2016 22:55, Timo Aaltonen wrote:

21.04.2016, 20:50, Martin Basti wrote:


On 21.04.2016 19:28, Stanislav Laznicka wrote:

On 04/21/2016 11:19 AM, Martin Basti wrote:


On 20.04.2016 17:27, Martin Basti wrote:


On 24.03.2016 14:27, Martin Basti wrote:


On 24.03.2016 13:55, Jan Cholasta wrote:

On 18.3.2016 23:27, Timo Aaltonen wrote:

On 17.03.2016 18:36, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5681

would be nicer if ipa-httpd.conf was a template with the current
hardcoded values replaced with platform paths..

+1, I would also prefer if the file was renamed to
init/systemd/httpd.conf rather than install/share/ipa-httpd.conf.

ipa-httpd.conf.template should be in /user/share/ipa, directory
init/systemd copied only to rpm and then copied to
/etc/systemd/system AFAIK



not relevant to this patch, but there are others candidates for
templates like:

daemons/dnssec/ipa-dnskeysyncd.service
daemons/dnssec/ipa-ods-exporter.service
install/conf/ipa.conf

Updated patch attached, sorry for delay.



Updated patch attached (fixed unused import).



Seems to work as expected. However, wouldn't it be better to use
installutils.remove_file instead of remove_httpd_service_ipa_conf (or
at least log the possible error during os.unlink) to get the same
behavior as with the other config files?

It could be, but because I created platform specific method for adding
httpd service config, it seems natural to me to create inverse operation
platform specific too.
I have no strong opinion about this, Timo what might be better, you use
platform specific code more than we? :)

Well, with this patch in I'd just reuse the methods from
RedHatTaskNamespace() just like some others are being used right now.
Systemd is all I support anyway.




Updated patch attached, missing log added


From 263ff915870ab307b7191500b71db933e92fb505 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 16 Mar 2016 09:04:42 +0100
Subject: [PATCH] Configure httpd service from installer instead of directly
 from RPM

File httpd.service was created by RPM, what causes that httpd service may
fail due IPA specific configuration even if IPA wasn't installed or was
uninstalled (without erasing RPMs).

With this patch httpd service is configured by httpd.d/ipa.conf during
IPA installation and this config is removed by uninstaller, so no
residual http configuration related to IPA should stay there.

https://fedorahosted.org/freeipa/ticket/5681
---
 freeipa.spec.in   |  3 +--
 init/systemd/httpd.service|  7 ---
 install/share/Makefile.am |  1 +
 install/share/ipa-httpd.conf.template |  7 +++
 ipaplatform/base/paths.py |  3 +++
 ipaplatform/base/tasks.py |  8 
 ipaplatform/redhat/tasks.py   | 29 +
 ipaserver/install/httpinstance.py |  6 ++
 ipaserver/install/server/upgrade.py   |  5 +
 9 files changed, 60 insertions(+), 9 deletions(-)
 delete mode 100644 init/systemd/httpd.service
 create mode 100644 install/share/ipa-httpd.conf.template

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1ded3048873fb9d4cb97b7aca52132345c209a96..aaa40cc9a2246ed1d244e160edf935da216c75c5 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -832,7 +832,6 @@ mkdir -p %{buildroot}%{_unitdir}
 mkdir -p %{buildroot}%{etc_systemd_dir}
 install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
 install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
-install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service
 install -m 644 init/systemd/ipa-custodia.service %{buildroot}%{_unitdir}/ipa-custodia.service
 # END
 mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
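Review bot: with the `install` line for httpd.service gone, the `mkdir -p %{buildroot}%{etc_systemd_dir}` kept as context at the top of this hunk no longer has anything installed into it, while the `%ghost` entry added further down in this file points at `%{etc_systemd_dir}/httpd.d/ipa.conf`. Either drop the mkdir or change it to create the `httpd.d` subdirectory, so that what the build section creates matches what the file list names.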
@@ -1143,7 +1142,7 @@ fi
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa_memcached.service
 %attr(644,root,root) %{_unitdir}/ipa-custodia.service
-%attr(644,root,root) %{etc_systemd_dir}/httpd.service
+%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
 # END
 %dir %{_usr}/share/ipa
 %{_usr}/share/ipa/wsgi.py*
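Review bot: the `%ghost` path ends in `httpd.d/ipa.conf`, but the line it replaces shows that `%{etc_systemd_dir}` is where the `httpd.service` unit override lived, and systemd only reads drop-ins for that unit from a directory named `httpd.service.d/`. Unless something else pulls in `httpd.d/`, the KRB5CCNAME and KDCPROXY_CONFIG settings would never reach httpd; please check with `systemctl cat httpd.service` on an installed server and rename the directory if the fragment is not listed.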
diff --git a/init/systemd/httpd.service b/init/systemd/httpd.service
deleted file mode 100644
index 7ce8f04d8b9bb3663e59d4fdc610af0eb4478178..
--- a/init/systemd/httpd.service
+++ /dev/null
@@ -1,7 +0,0 @@
-.include /usr/lib/systemd/system/httpd.service
-
-[Service]
-Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
-Environment=KDCPROXY_CONFIG=/etc/ipa/kdcproxy/kdcproxy.conf
-ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
-ExecStopPost=-/usr/bin/kdestroy -A
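Review bot: deleting this unit from the package means an already-installed server loses `KRB5CCNAME`, `KDCPROXY_CONFIG` and the `ipa-httpd-kdcproxy` pre-start step as soon as the RPM is updated, until something writes the replacement. The diffstat lists 5 added lines in ipaserver/install/server/upgrade.py, so please confirm that path writes the new config and reloads systemd before httpd is restarted, and mention it in the commit message, which currently describes only the installer and the uninstaller.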
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index b4cb8312471a68d8cd855f542478afe10d200c39..3a3bd2699efaf45ab79dd0257c2d26e7952891eb 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -88,6 +88,7 @@ app_DATA =\
 	kdcproxy.conf			\
 	kdcproxy-enable.uldif		\
 	kdcproxy-disable.uldi

Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer

2016-04-21 Thread Timo Aaltonen
21.04.2016, 20:50, Martin Basti wrote:
> 
> 
> On 21.04.2016 19:28, Stanislav Laznicka wrote:
>> On 04/21/2016 11:19 AM, Martin Basti wrote:
>>>
>>>
>>> On 20.04.2016 17:27, Martin Basti wrote:
>>>>
>>>>
>>>> On 24.03.2016 14:27, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 24.03.2016 13:55, Jan Cholasta wrote:
>>>>>> On 18.3.2016 23:27, Timo Aaltonen wrote:
>>>>>>> On 17.03.2016 18:36, Martin Basti wrote:
>>>>>>>> https://fedorahosted.org/freeipa/ticket/5681
>>>>>>>
>>>>>>> would be nicer if ipa-httpd.conf was a template with the current
>>>>>>> hardcoded values replaced with platform paths..
>>>>>>
>>>>>> +1, I would also prefer if the file was renamed to
>>>>>> init/systemd/httpd.conf rather than install/share/ipa-httpd.conf.
>>>>> ipa-httpd.conf.template should be in /user/share/ipa, directory
>>>>> init/systemd copied only to rpm and then copied to
>>>>> /etc/systemd/system AFAIK
>>>>>
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> not relevant to this patch, but there are others candidates for
>>>>>>> templates like:
>>>>>>>
>>>>>>> daemons/dnssec/ipa-dnskeysyncd.service
>>>>>>> daemons/dnssec/ipa-ods-exporter.service
>>>>>>> install/conf/ipa.conf
>>>>>>
>>>>>
>>>>
>>>> Updated patch attached, sorry for delay.
>>>>
>>>>
>>> Updated patch attached (fixed unused import).
>>>
>>>
>>
>> Seems to work as expected. However, wouldn't it be better to use
>> installutils.remove_file instead of remove_httpd_service_ipa_conf (or
>> at least log the possible error during os.unlink) to get the same
>> behavior as with the other config files? 
> 
> It could be, but because I created platform specific method for adding
> httpd service config, it seems natural to me to create inverse operation
> platform specific too.
> I have no strong opinion about this, Timo what might be better, you use
> platform specific code more than we? :)

Well, with this patch in I'd just reuse the methods from
RedHatTaskNamespace() just like some others are being used right now.
Systemd is all I support anyway.



-- 
t



Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer

2016-04-21 Thread Martin Basti



On 21.04.2016 19:28, Stanislav Laznicka wrote:

On 04/21/2016 11:19 AM, Martin Basti wrote:



On 20.04.2016 17:27, Martin Basti wrote:



On 24.03.2016 14:27, Martin Basti wrote:



On 24.03.2016 13:55, Jan Cholasta wrote:

On 18.3.2016 23:27, Timo Aaltonen wrote:

On 17.03.2016 18:36, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5681


would be nicer if ipa-httpd.conf was a template with the current
hardcoded values replaced with platform paths..


+1, I would also prefer if the file was renamed to 
init/systemd/httpd.conf rather than install/share/ipa-httpd.conf.
ipa-httpd.conf.template should be in /user/share/ipa, directory 
init/systemd copied only to rpm and then copied to 
/etc/systemd/system AFAIK







not relevant to this patch, but there are others candidates for
templates like:

daemons/dnssec/ipa-dnskeysyncd.service
daemons/dnssec/ipa-ods-exporter.service
install/conf/ipa.conf






Updated patch attached, sorry for delay.



Updated patch attached (fixed unused import).




Seems to work as expected. However, wouldn't it be better to use 
installutils.remove_file instead of remove_httpd_service_ipa_conf (or 
at least log the possible error during os.unlink) to get the same 
behavior as with the other config files? 


It could be, but because I created platform specific method for adding 
httpd service config, it seems natural to me to create inverse operation 
platform specific too.
I have no strong opinion about this, Timo what might be better, you use 
platform specific code more than we? :)


Martin

Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer

2016-04-21 Thread Stanislav Laznicka

On 04/21/2016 11:19 AM, Martin Basti wrote:



On 20.04.2016 17:27, Martin Basti wrote:



On 24.03.2016 14:27, Martin Basti wrote:



On 24.03.2016 13:55, Jan Cholasta wrote:

On 18.3.2016 23:27, Timo Aaltonen wrote:

On 17.03.2016 18:36, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5681


would be nicer if ipa-httpd.conf was a template with the current
hardcoded values replaced with platform paths..


+1, I would also prefer if the file was renamed to 
init/systemd/httpd.conf rather than install/share/ipa-httpd.conf.
ipa-httpd.conf.template should be in /user/share/ipa, directory 
init/systemd copied only to rpm and then copied to 
/etc/systemd/system AFAIK







not relevant to this patch, but there are others candidates for
templates like:

daemons/dnssec/ipa-dnskeysyncd.service
daemons/dnssec/ipa-ods-exporter.service
install/conf/ipa.conf






Updated patch attached, sorry for delay.



Updated patch attached (fixed unused import).




Seems to work as expected. However, wouldn't it be better to use 
installutils.remove_file instead of remove_httpd_service_ipa_conf (or at 
least log the possible error during os.unlink) to get the same behavior 
as with the other config files?

Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer

2016-04-21 Thread Martin Basti



On 20.04.2016 17:27, Martin Basti wrote:



On 24.03.2016 14:27, Martin Basti wrote:



On 24.03.2016 13:55, Jan Cholasta wrote:

On 18.3.2016 23:27, Timo Aaltonen wrote:

On 17.03.2016 18:36, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5681


would be nicer if ipa-httpd.conf was a template with the current
hardcoded values replaced with platform paths..


+1, I would also prefer if the file was renamed to 
init/systemd/httpd.conf rather than install/share/ipa-httpd.conf.
ipa-httpd.conf.template should be in /user/share/ipa, directory 
init/systemd copied only to rpm and then copied to 
/etc/systemd/system AFAIK







not relevant to this patch, but there are others candidates for
templates like:

daemons/dnssec/ipa-dnskeysyncd.service
daemons/dnssec/ipa-ods-exporter.service
install/conf/ipa.conf






Updated patch attached, sorry for delay.



Updated patch attached (fixed unused import).
From c828c7d4bd45b783862c8bba63adacfb035b25db Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 16 Mar 2016 09:04:42 +0100
Subject: [PATCH] Configure httpd service from installer instead of directly
 from RPM

File httpd.service was created by RPM, what causes that httpd service may
fail due IPA specific configuration even if IPA wasn't installed or was
uninstalled (without erasing RPMs).

With this patch httpd service is configured by httpd.d/ipa.conf during
IPA installation and this config is removed by uninstaller, so no
residual http configuration related to IPA should stay there.

https://fedorahosted.org/freeipa/ticket/5681
---
 freeipa.spec.in   |  3 +--
 init/systemd/httpd.service|  7 ---
 install/share/Makefile.am |  1 +
 install/share/ipa-httpd.conf.template |  7 +++
 ipaplatform/base/paths.py |  3 +++
 ipaplatform/base/tasks.py |  8 
 ipaplatform/redhat/tasks.py   | 26 ++
 ipaserver/install/httpinstance.py |  6 ++
 ipaserver/install/server/upgrade.py   |  5 +
 9 files changed, 57 insertions(+), 9 deletions(-)
 delete mode 100644 init/systemd/httpd.service
 create mode 100644 install/share/ipa-httpd.conf.template

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1ded3048873fb9d4cb97b7aca52132345c209a96..aaa40cc9a2246ed1d244e160edf935da216c75c5 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -832,7 +832,6 @@ mkdir -p %{buildroot}%{_unitdir}
 mkdir -p %{buildroot}%{etc_systemd_dir}
 install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
 install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
-install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service
 install -m 644 init/systemd/ipa-custodia.service %{buildroot}%{_unitdir}/ipa-custodia.service
 # END
 mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
@@ -1143,7 +1142,7 @@ fi
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa_memcached.service
 %attr(644,root,root) %{_unitdir}/ipa-custodia.service
-%attr(644,root,root) %{etc_systemd_dir}/httpd.service
+%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
 # END
 %dir %{_usr}/share/ipa
 %{_usr}/share/ipa/wsgi.py*
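Review bot: the `%ghost` line claims only `ipa.conf`; the `httpd.d` directory that holds it is not listed, so the package neither defines its mode and owner nor removes it when the RPM is erased. Adding a `%dir %attr(755,root,root) %{etc_systemd_dir}/httpd.d` entry next to it would make ownership of the directory explicit, the same way `%dir %{_usr}/share/ipa` is listed two lines below.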
diff --git a/init/systemd/httpd.service b/init/systemd/httpd.service
deleted file mode 100644
index 7ce8f04d8b9bb3663e59d4fdc610af0eb4478178..
--- a/init/systemd/httpd.service
+++ /dev/null
@@ -1,7 +0,0 @@
-.include /usr/lib/systemd/system/httpd.service
-
-[Service]
-Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
-Environment=KDCPROXY_CONFIG=/etc/ipa/kdcproxy/kdcproxy.conf
-ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
-ExecStopPost=-/usr/bin/kdestroy -A
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index b4cb8312471a68d8cd855f542478afe10d200c39..3a3bd2699efaf45ab79dd0257c2d26e7952891eb 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -88,6 +88,7 @@ app_DATA =\
 	kdcproxy.conf			\
 	kdcproxy-enable.uldif		\
 	kdcproxy-disable.uldif		\
+	ipa-httpd.conf.template		\
 	$(NULL)
 
 EXTRA_DIST =\
diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template
new file mode 100644
index ..a907d73cccac13cbb9d99423a1b739a48ad4f769
--- /dev/null
+++ b/install/share/ipa-httpd.conf.template
@@ -0,0 +1,7 @@
+# Do not edit. Created by IPA installer.
+
+[Service]
+Environment=KRB5CCNAME=$KRB5CC_HTTPD
+Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG
+ExecStartPre=$IPA_HTTPD_KDCPROXY
+ExecStopPost=$POST
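Review bot: `ExecStopPost=$POST` is the one placeholder whose name says nothing about what goes there, and the unit removed by this patch had `ExecStopPost=-/usr/bin/kdestroy -A`, where the leading `-` tells systemd to ignore a failing kdestroy. Please rename the variable after what it holds and keep the `-` in the template itself rather than relying on every platform's substituted value to carry it.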
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 4aa55d870bc9fbea1f67d28fef9bbb3c0a2d836f..585a5d26ed32a5f60cdb5d28de05b6468d03baa6 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -127,6 +127,8 @@ class BasePathNamespace(object):
 SYSCONFIG_PKI_TOMCAT = "/etc/sysconfig/pki-tomcat"
 SYSCONFIG_PKI_TOMCAT_PKI_TOMCA

Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer

2016-04-20 Thread Martin Basti



On 24.03.2016 14:27, Martin Basti wrote:



On 24.03.2016 13:55, Jan Cholasta wrote:

On 18.3.2016 23:27, Timo Aaltonen wrote:

On 17.03.2016 18:36, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5681


would be nicer if ipa-httpd.conf was a template with the current
hardcoded values replaced with platform paths..


+1, I would also prefer if the file was renamed to 
init/systemd/httpd.conf rather than install/share/ipa-httpd.conf.
ipa-httpd.conf.template should be in /user/share/ipa, directory 
init/systemd copied only to rpm and then copied to /etc/systemd/system 
AFAIK







not relevant to this patch, but there are others candidates for
templates like:

daemons/dnssec/ipa-dnskeysyncd.service
daemons/dnssec/ipa-ods-exporter.service
install/conf/ipa.conf






Updated patch attached, sorry for delay.
From 63f59d4e81b7e034b60f1d2ccf1c8a6d2885aeac Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 16 Mar 2016 09:04:42 +0100
Subject: [PATCH] Configure httpd service from installer instead of directly
 from RPM

File httpd.service was created by RPM, what causes that httpd service may
fail due IPA specific configuration even if IPA wasn't installed or was
uninstalled (without erasing RPMs).

With this patch httpd service is configured by httpd.d/ipa.conf during
IPA installation and this config is removed by uninstaller, so no
residual http configuration related to IPA should stay there.

https://fedorahosted.org/freeipa/ticket/5681
---
 freeipa.spec.in   |  3 +--
 init/systemd/httpd.service|  7 ---
 install/share/Makefile.am |  1 +
 install/share/ipa-httpd.conf.template |  7 +++
 ipaplatform/base/paths.py |  3 +++
 ipaplatform/base/tasks.py |  8 
 ipaplatform/redhat/tasks.py   | 27 +++
 ipaserver/install/httpinstance.py |  6 ++
 ipaserver/install/server/upgrade.py   |  5 +
 9 files changed, 58 insertions(+), 9 deletions(-)
 delete mode 100644 init/systemd/httpd.service
 create mode 100644 install/share/ipa-httpd.conf.template

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1ded3048873fb9d4cb97b7aca52132345c209a96..aaa40cc9a2246ed1d244e160edf935da216c75c5 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -832,7 +832,6 @@ mkdir -p %{buildroot}%{_unitdir}
 mkdir -p %{buildroot}%{etc_systemd_dir}
 install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
 install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
-install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service
 install -m 644 init/systemd/ipa-custodia.service %{buildroot}%{_unitdir}/ipa-custodia.service
 # END
 mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
@@ -1143,7 +1142,7 @@ fi
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa_memcached.service
 %attr(644,root,root) %{_unitdir}/ipa-custodia.service
-%attr(644,root,root) %{etc_systemd_dir}/httpd.service
+%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
 # END
 %dir %{_usr}/share/ipa
 %{_usr}/share/ipa/wsgi.py*
diff --git a/init/systemd/httpd.service b/init/systemd/httpd.service
deleted file mode 100644
index 7ce8f04d8b9bb3663e59d4fdc610af0eb4478178..
--- a/init/systemd/httpd.service
+++ /dev/null
@@ -1,7 +0,0 @@
-.include /usr/lib/systemd/system/httpd.service
-
-[Service]
-Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
-Environment=KDCPROXY_CONFIG=/etc/ipa/kdcproxy/kdcproxy.conf
-ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
-ExecStopPost=-/usr/bin/kdestroy -A
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index b4cb8312471a68d8cd855f542478afe10d200c39..3a3bd2699efaf45ab79dd0257c2d26e7952891eb 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -88,6 +88,7 @@ app_DATA =\
 	kdcproxy.conf			\
 	kdcproxy-enable.uldif		\
 	kdcproxy-disable.uldif		\
+	ipa-httpd.conf.template		\
 	$(NULL)
 
 EXTRA_DIST =\
diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template
new file mode 100644
index ..a907d73cccac13cbb9d99423a1b739a48ad4f769
--- /dev/null
+++ b/install/share/ipa-httpd.conf.template
@@ -0,0 +1,7 @@
+# Do not edit. Created by IPA installer.
+
+[Service]
+Environment=KRB5CCNAME=$KRB5CC_HTTPD
+Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG
+ExecStartPre=$IPA_HTTPD_KDCPROXY
+ExecStopPost=$POST
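Review bot: the header `# Do not edit. Created by IPA installer.` does not say what happens to local changes or where they should go instead. Since the commit message says the uninstaller removes this file, a second comment line pointing administrators to a separate drop-in file of their own would keep them from losing edits.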
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 4aa55d870bc9fbea1f67d28fef9bbb3c0a2d836f..585a5d26ed32a5f60cdb5d28de05b6468d03baa6 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -127,6 +127,8 @@ class BasePathNamespace(object):
 SYSCONFIG_PKI_TOMCAT = "/etc/sysconfig/pki-tomcat"
 SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/sysconfig/pki/tomcat/pki-tomcat"
 ETC_SYSTEMD_SYSTEM_DIR = "/etc/systemd/s

Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer

2016-03-24 Thread Rob Crittenden

Jan Cholasta wrote:

On 18.3.2016 15:12, Martin Babinsky wrote:

On 03/17/2016 05:36 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5681

Patch attached.



Hi Martin,

Nitpick attack:

Please fix the commit message: "File httpd.service was created by RPM,
what causes that httpd service may", should be "..., which causes"

Otherwise the code looks good and works as expected.

However, you still cannot start httpd.service after ipa-server
uninstallation because some leftovers in /ipa/httpd/alias cause mod_nss
to fail (see http error_log):

"""
[Fri Mar 18 12:43:29.320276 2016] [suexec:notice] [pid 2033] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Mar 18 12:43:29.320288 2016] [:warn] [pid 2033]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Mar 18 12:43:29.444287 2016] [:error] [pid 2033] Password for slot
internal is incorrect.
[Fri Mar 18 12:43:29.446090 2016] [:error] [pid 2033] NSS initialization
failed. Certificate database: /etc/httpd/alias.
[Fri Mar 18 12:43:29.446100 2016] [:error] [pid 2033] SSL Library Error:
-8177 The security password entered is incorrect

"""

I guess that this is beyond this patch, since I think it is related to
https://fedorahosted.org/freeipa/ticket/4639 but I am not sure. CC'ing
Jan who owns the ticket.


It seems so, on uninstall we restore mod_nss config, so httpd uses the
default password (whatever that is), but the database still uses the
password set by us on install.



The default password is blank, so no auth is required.

IIRC the reason we didn't move NSS databases around between installs is 
the case where there is already a private key that needs to be maintained.


rob



Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer

2016-03-24 Thread Martin Basti



On 24.03.2016 13:55, Jan Cholasta wrote:

On 18.3.2016 23:27, Timo Aaltonen wrote:

On 17.03.2016 18:36, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5681


would be nicer if ipa-httpd.conf was a template with the current
hardcoded values replaced with platform paths..


+1, I would also prefer if the file was renamed to 
init/systemd/httpd.conf rather than install/share/ipa-httpd.conf.
ipa-httpd.conf.template should be in /user/share/ipa, directory 
init/systemd copied only to rpm and then copied to /etc/systemd/system AFAIK







not relevant to this patch, but there are others candidates for
templates like:

daemons/dnssec/ipa-dnskeysyncd.service
daemons/dnssec/ipa-ods-exporter.service
install/conf/ipa.conf






Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer

2016-03-24 Thread Jan Cholasta

On 18.3.2016 15:12, Martin Babinsky wrote:

On 03/17/2016 05:36 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5681

Patch attached.



Hi Martin,

Nitpick attack:

Please fix the commit message: "File httpd.service was created by RPM,
what causes that httpd service may", should be "..., which causes"

Otherwise the code looks good and works as expected.

However, you still cannot start httpd.service after ipa-server
uninstallation because some leftovers in /ipa/httpd/alias cause mod_nss
to fail (see http error_log):

"""
[Fri Mar 18 12:43:29.320276 2016] [suexec:notice] [pid 2033] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Mar 18 12:43:29.320288 2016] [:warn] [pid 2033]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Mar 18 12:43:29.444287 2016] [:error] [pid 2033] Password for slot
internal is incorrect.
[Fri Mar 18 12:43:29.446090 2016] [:error] [pid 2033] NSS initialization
failed. Certificate database: /etc/httpd/alias.
[Fri Mar 18 12:43:29.446100 2016] [:error] [pid 2033] SSL Library Error:
-8177 The security password entered is incorrect

"""

I guess that this is beyond this patch, since I think it is related to
https://fedorahosted.org/freeipa/ticket/4639 but I am not sure. CC'ing
Jan who owns the ticket.


It seems so, on uninstall we restore mod_nss config, so httpd uses the 
default password (whatever that is), but the database still uses the 
password set by us on install.


--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer

2016-03-24 Thread Jan Cholasta

On 18.3.2016 23:27, Timo Aaltonen wrote:

On 17.03.2016 18:36, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5681


would be nicer if ipa-httpd.conf was a template with the current
hardcoded values replaced with platform paths..


+1, I would also prefer if the file was renamed to 
init/systemd/httpd.conf rather than install/share/ipa-httpd.conf.





not relevant to this patch, but there are others candidates for
templates like:

daemons/dnssec/ipa-dnskeysyncd.service
daemons/dnssec/ipa-ods-exporter.service
install/conf/ipa.conf


--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer

2016-03-19 Thread Martin Babinsky

On 03/17/2016 05:36 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5681

Patch attached.



Hi Martin,

Nitpick attack:

Please fix the commit message: "File httpd.service was created by RPM, 
what causes that httpd service may", should be "..., which causes"


Otherwise the code looks good and works as expected.

However, you still cannot start httpd.service after ipa-server 
uninstallation because some leftovers in /ipa/httpd/alias cause mod_nss 
to fail (see http error_log):


"""
[Fri Mar 18 12:43:29.320276 2016] [suexec:notice] [pid 2033] AH01232: 
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Mar 18 12:43:29.320288 2016] [:warn] [pid 2033] 
NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Mar 18 12:43:29.444287 2016] [:error] [pid 2033] Password for slot 
internal is incorrect.
[Fri Mar 18 12:43:29.446090 2016] [:error] [pid 2033] NSS initialization 
failed. Certificate database: /etc/httpd/alias.
[Fri Mar 18 12:43:29.446100 2016] [:error] [pid 2033] SSL Library Error: 
-8177 The security password entered is incorrect


"""

I guess that this is beyond this patch, since I think it is related to 
https://fedorahosted.org/freeipa/ticket/4639 but I am not sure. CC'ing 
Jan who owns the ticket.


--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer

2016-03-18 Thread Timo Aaltonen

On 17.03.2016 18:36, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5681


would be nicer if ipa-httpd.conf was a template with the current 
hardcoded values replaced with platform paths..



not relevant to this patch, but there are others candidates for 
templates like:


daemons/dnssec/ipa-dnskeysyncd.service
daemons/dnssec/ipa-ods-exporter.service
install/conf/ipa.conf
