[Freeipa-users] Re: /run/ipa/ccaches filling
Ok. Makes sense. I’ll use that solution too.

> On Aug 14, 2022, at 4:35 PM, Jochen Kellner wrote:
>
> Charles Hedrick via FreeIPA-users writes:
>
>> it's active, but it seems not to do anything:
>>
>> ● ipa-ccache-sweep.timer - Remove Expired Kerberos Credential Caches
>> Loaded: loaded (/usr/lib/systemd/system/ipa-ccache-sweep.timer; enabled;
>> vendor preset: disabled)
>> -
>>
>> I believe the intent is that it should run every 12 hours. It doesn't
>> seem to be doing so. From a web discussion:
>
> That's the same on my system... I did enable and start the timer with my
> local ansible play - but that only worked for the current boot.
>
>> OnUnitActiveSec does indeed refer to the time since the service
>> referred to by the timer has run. But if you only use OnUnitActiveSec
>> and no other trigger then issue the command to start or enable
>> foo.timer, foo.service will never run. Why would it, no trigger would
>> ever be activated in the first place: something needs to trigger the
>> first run of foo.service in order for you to ever have 3 seconds
>> pass since it was last run.
>>
>> So in other words, OnUnitActiveSec can be used to define the interval
>> between repetitions, but another trigger (like OnActiveSec or
>> OnBootSec) would be needed to trigger the first run of foo.service to
>> get the ball rolling.
>
> In other words: you must also enable the
> /usr/lib/systemd/system/ipa-ccache-sweep.service.
> That way it will run once at system reboot and later every 12
> hours. I've just changed my playbook and I'll see with the next reboot
> how that works out.
>
> Jochen
>
> --
> This space is intentionally left blank.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: /run/ipa/ccaches filling
Charles Hedrick via FreeIPA-users writes:

> it's active, but it seems not to do anything:
>
> ● ipa-ccache-sweep.timer - Remove Expired Kerberos Credential Caches
> Loaded: loaded (/usr/lib/systemd/system/ipa-ccache-sweep.timer; enabled;
> vendor preset: disabled)
> -
>
> I believe the intent is that it should run every 12 hours. It doesn't
> seem to be doing so. From a web discussion:

That's the same on my system... I did enable and start the timer with my
local ansible play - but that only worked for the current boot.

> OnUnitActiveSec does indeed refer to the time since the service
> referred to by the timer has run. But if you only use OnUnitActiveSec
> and no other trigger then issue the command to start or enable
> foo.timer, foo.service will never run. Why would it, no trigger would
> ever be activated in the first place: something needs to trigger the
> first run of foo.service in order for you to ever have 3 seconds
> pass since it was last run.
>
> So in other words, OnUnitActiveSec can be used to define the interval
> between repetitions, but another trigger (like OnActiveSec or
> OnBootSec) would be needed to trigger the first run of foo.service to
> get the ball rolling.

In other words: you must also enable the
/usr/lib/systemd/system/ipa-ccache-sweep.service.
That way it will run once at system reboot and later every 12
hours. I've just changed my playbook and I'll see with the next reboot
how that works out.

Jochen

--
This space is intentionally left blank.
[Freeipa-users] Re: /run/ipa/ccaches filling
it's active, but it seems not to do anything:

● ipa-ccache-sweep.timer - Remove Expired Kerberos Credential Caches
     Loaded: loaded (/usr/lib/systemd/system/ipa-ccache-sweep.timer; enabled; vendor preset: disabled)
     Active: active (elapsed) since Thu 2022-08-11 11:22:44 EDT; 3 days ago
      Until: Thu 2022-08-11 11:22:44 EDT; 3 days ago
    Trigger: n/a
   Triggers: ● ipa-ccache-sweep.service

[Unit]
Description=Remove Expired Kerberos Credential Caches

[Timer]
OnUnitActiveSec=12h

[Install]
WantedBy=timers.target

-

I believe the intent is that it should run every 12 hours. It doesn't
seem to be doing so. From a web discussion:

OnUnitActiveSec does indeed refer to the time since the service
referred to by the timer has run. But if you only use OnUnitActiveSec
and no other trigger then issue the command to start or enable
foo.timer, foo.service will never run. Why would it, no trigger would
ever be activated in the first place: something needs to trigger the
first run of foo.service in order for you to ever have 3 seconds
pass since it was last run.

So in other words, OnUnitActiveSec can be used to define the interval
between repetitions, but another trigger (like OnActiveSec or
OnBootSec) would be needed to trigger the first run of foo.service to
get the ball rolling.

From: Jochen Kellner
Sent: Sunday, August 14, 2022 12:39 PM
To: Charles Hedrick via FreeIPA-users
Cc: Charles Hedrick
Subject: Re: [Freeipa-users] /run/ipa/ccaches filling

Charles Hedrick via FreeIPA-users writes:

> RHEL 9.0. /run/ipa/ccaches is filling with credential caches. Many are too
> old to be valid.
>
> I assume it's safe to have a cron job delete any more than a day old?
> (that's our maximum lifetime.) I can't see the lifetime directly,
> because they are encrypted.

On my system I have a (disabled) systemd-timer named
ipa-ccache-sweep.timer. My guess would be that it gets enabled on new
installs, but somehow missed on updates.

See the release notes of 4.9.9:
https://www.freeipa.org/page/Releases/4.9.9

Jochen

--
This space is intentionally left blank.
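Added example, not part of the thread and not FreeIPA's own code: a shell check for the situation discussed above, a timer whose [Timer] section has only OnUnitActiveSec= and therefore nothing to start its first run. The function name timer_can_start, the sample file names and the OnBootSec=15min value are assumptions made for the illustration.

```shell
# timer_can_start [FILE...]: reads timer unit text from FILE or from stdin.
# Returns 0 if a trigger exists that can fire before the service has ever run,
# 1 if only OnUnitActiveSec=/OnUnitInactiveSec= are set, 2 if no trigger is set.
timer_can_start() {
    awk '
        /^[ \t]*[#;]/ { next }                        # skip comment lines
        /^[ \t]*\[/   { in_timer = ($0 ~ /^[ \t]*\[Timer\][ \t]*$/); next }
        !in_timer || index($0, "=") == 0 { next }
        {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            if (key !~ /^On(ActiveSec|BootSec|StartupSec|Calendar|UnitActiveSec|UnitInactiveSec)$/) next
            # an empty assignment resets every trigger set so far
            if (val == "") { first = 0; repeat = 0; next }
            if (key ~ /^OnUnit/) repeat = 1; else first = 1
        }
        END { if (first) exit 0; if (repeat) exit 1; exit 2 }
    ' "$@"
}

# Constructed samples: the first is the unit text quoted in the thread, the
# second adds OnBootSec= (the 15min value is an assumption, not from the thread).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/as-shipped.timer" <<'EOF'
[Unit]
Description=Remove Expired Kerberos Credential Caches

[Timer]
OnUnitActiveSec=12h

[Install]
WantedBy=timers.target
EOF
cat > "$demo_dir/with-boot-trigger.timer" <<'EOF'
[Timer]
OnBootSec=15min
OnUnitActiveSec=12h
EOF

for f in "$demo_dir"/*.timer; do
    rc=0; timer_can_start "$f" || rc=$?
    echo "$(basename "$f"): $rc"
done
```

On a live host the merged unit, drop-ins included, can be fed in with `systemctl cat ipa-ccache-sweep.timer | timer_can_start`.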
[Freeipa-users] Re: /run/ipa/ccaches filling
Charles Hedrick via FreeIPA-users writes:

> RHEL 9.0. /run/ipa/ccaches is filling with credential caches. Many are too
> old to be valid.
>
> I assume it's safe to have a cron job delete any more than a day old?
> (that's our maximum lifetime.) I can't see the lifetime directly,
> because they are encrypted.

On my system I have a (disabled) systemd-timer named
ipa-ccache-sweep.timer. My guess would be that it gets enabled on new
installs, but somehow missed on updates.

See the release notes of 4.9.9:
https://www.freeipa.org/page/Releases/4.9.9

Jochen

--
This space is intentionally left blank.