[Freeipa-devel] [PATCHES 0031-0032] set up a dedicated CCache file for Apache during install/upgrade

Simo Sorce ssorce at redhat.com
Wed Apr 29 13:14:28 UTC 2015


On Wed, 2015-04-29 at 09:29 +0200, Martin Babinsky wrote:
> On 04/29/2015 09:09 AM, Martin Kosek wrote:
> > On 04/28/2015 05:42 PM, Martin Babinsky wrote:
> >> The attached patches address https://fedorahosted.org/freeipa/ticket/4973 and
> >> implement the solution proposed in Comment 2.
> >>
> >> Please review the hell out of them.
> >
> > Why did you split the work in 2 patches? It looks like you first did the first
> > approach of modifying httpd.service and then changed your mind and did the
> > ipa-httpd.service approach (which is what we agreed to).
> >
> I was thinking about it as two distinct operations (modify existing 
> httpd.service to use KRB5CCNAME and rename httpd.service to 
> ipa-httpd.service). But I can merge them if needed.
> > Also, shouldn't ipa-httpd.service be contained in the package itself, like
> > ipa-dnskeysyncd and httpd.service masked during installation? Also, I do not
> > see any daemon-reload, so I am not sure if systemd would pick up the right
> > configuration in the first install.
> Martin^2 told me that generating a service file from a template is evil, so 
> I will put the full service file into init/systemd directory so that it 
> is already present in /etc/systemd/system after rpm install.
> >
> > Next, I was thinking what should be the ideal KRB5CCNAME for the HTTPD service.
> > You chose "/tmp/ipa-httpd.ccache", is it the best approach CCACHE type/path we
> > should use? This is mostly question to Simo, his mod_auth_gssapi will consume
> > the ccache.
> >
> I will ask Simo if there is some preferred way to name CCache files.

After discussing with Martin I think we should have only one patch,
which should simply change the service unit name used on systemd
systems, then provide the new unit file ready made (and installed by
RPMs directly).

The new unit file should basically just include the original httpd unit
file and set KRB5CCNAME to a default of /var/run/httpd/krb5ccache or
similar. We should avoid using /tmp if not necessary. Even though in
most systemd-based systems it is easy to have a private /tmp, and it is
the default on Fedora, I prefer to avoid counting on it, as I am not sure
what the default is on systems like Debian/Ubuntu/SUSE etc.

For older sysv/rpm based systems we just need to
change /etc/sysconfig/httpd I guess. Let's try to be consistent and use
the same cache controlled by us on newer and older systems alike.

Simo.
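
An added example, not part of the thread or FreeIPA's own code: a Python check that audits a proposed KRB5CCNAME value and reports whether a file-based cache sits in a directory controlled only by root or the service account, the property behind preferring /var/run/httpd over /tmp above. The function names and the uid 48 for the apache account are assumptions.

```python
import os
import stat

def parse_ccname(ccname):
    """Split a KRB5CCNAME value into (type, residual); a bare path means FILE."""
    if ":" in ccname and not ccname.startswith("/"):
        cctype, residual = ccname.split(":", 1)
        return cctype.upper(), residual
    return "FILE", ccname

def audit_ccache_location(ccname, service_uid):
    """Return findings for a filesystem-backed ccache used by one service account."""
    cctype, path = parse_ccname(ccname)
    if cctype not in ("FILE", "DIR"):
        return []  # KEYRING, KCM, MEMORY: no filesystem path to audit
    path = os.path.abspath(path)
    # A FILE cache is created inside its parent directory; a DIR cache is the directory.
    directory = os.path.dirname(path) if cctype == "FILE" else path
    findings = []
    try:
        dst = os.stat(directory)
    except FileNotFoundError:
        return ["directory missing: " + directory]
    if dst.st_mode & stat.S_IWOTH:
        findings.append("directory is world-writable: " + directory)
    if dst.st_uid not in (0, service_uid):
        findings.append("directory owned by unexpected uid %d" % dst.st_uid)
    if cctype == "FILE" and os.path.lexists(path):
        fst = os.lstat(path)  # lstat: inspect the entry itself, not a link target
        if stat.S_ISLNK(fst.st_mode):
            findings.append("cache path is a symlink: " + path)
        elif fst.st_uid != service_uid:
            findings.append("cache owned by unexpected uid %d" % fst.st_uid)
        elif fst.st_mode & 0o077:
            findings.append("cache readable or writable by group/other: " + path)
    return findings

if __name__ == "__main__":
    # Paths taken from the thread; 48 is an assumed uid for the apache account.
    for name in ("/tmp/ipa-httpd.ccache", "FILE:/var/run/httpd/krb5ccache"):
        print(name, audit_ccache_location(name, service_uid=48))
```

Only the directory that directly holds the cache is inspected; parent directories further up the path are not walked.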
