[Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd

Martin Babinsky mbabinsk at redhat.com
Mon May 4 08:50:10 UTC 2015


On 04/30/2015 08:23 AM, Alexander Bokovoy wrote:
> On Thu, 30 Apr 2015, Jan Cholasta wrote:
>> Hi,
>>
>> Dne 29.4.2015 v 19:42 Martin Babinsky napsal(a):
>>> The attached patch is a merge of PATCHES 0031-0032 incorporating Simo's
>>> and Martin's suggestions (see e.g.
>>> https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html
>>> for reference).
>>>
>>> https://fedorahosted.org/freeipa/ticket/4973
>>
>> IMHO we should set the environment variable in
>> /etc/systemd/system/httpd.service, instead of providing a new service
>> file, because we are just changing configuration, not creating a new
>> concurrent httpd instance, as is the case with ipa-memcached, and also
>> not using alternative httpd implementation which masks the current
>> one, as is the case with bind-pkcs11. It would simplify the whole
>> thing significantly and it's even recommended in httpd.service to do
> I agree.
>
>> so:
>>
>>    # For example, to pass additional options (for instance, -D
>> definitions) to the
>>    # httpd binary at startup, you need to create a file named
>>    # "/etc/systemd/system/httpd.service" containing:
>>    #    .include /lib/systemd/system/httpd.service
>>    #    [Service]
>>    #    Environment=OPTIONS=-DMY_DEFINE
>>
>> (BTW I wonder why /etc/sysconfig/httpd support was removed from httpd
>> in Fedora
>> (<http://pkgs.fedoraproject.org/cgit/httpd.git/commit/?id=0b19f7b6e1a47c6167a8ab43b4a9d1e759b54721>),
>> it seems like a better place to customize environment variables,
>> rather than having to create a modified service file...)
> We had discussion with Joe Orton (httpd maintainer) a while ago and his
> arguments were following:
> ----
> Hi guys, we made that change to adopt what is considered "best practice"
> for systemd.  The change is not in RHEL7, only Fedora >= 20.
>
> I would not say we are strongly wedded to that change, but the use case
> you provide seems very weak.  /etc/sysconfig/httpd is intended to be
> user-configurable and if users do "rm -f /etc/sysconfig/httpd" then
> Fedora packages should keep working correctly.  Can we find a more
> robust way to achieve the same results?  Why is it required that the
> environment variable is set globally within /usr/sbin/httpd?
>
> ... [and later in discussion]
>
> I'd argue that in this case you should not be using httpd.service as-is;
> instead it would be correct to create an "httpd-ipa.service" unit file
> or similar, which can ".include" the system httpd.service, and sets up
> the appropriate Environment= (or EnvironmentFile=) directly.
>
> Also, if the intent is purely to change mod_auth_kerb's interaction
> with libkrb5 is there no way to do this via the libkrb API - or
> mod_auth_kerb's existing use thereof?
>
> The use of /etc/sysconfig/httpd has historically been a mild PITA and
> I'm not seeing a compelling reason to revert the decision to kill it
> here.
> ----
>
>> Anyway, I would prefer if we set it in a way that works on non-systemd
>> distros as well. Can't we just set "GssapiCredStore
>> ccache:FILE:/var/run/httpd/krbcache/krb5ccache" in
>> /etc/httpd/conf.d/ipa.conf?
> It is not just mod_auth_gssapi, it is needed for users of the
> credentials obtained by mod_auth_gssapi. mod_auth_gssapi only sets
> KRB5CCNAME value when there is delegation of credentials in use and
> there is something to delegate.
>
>

Ok, attaching updated patches. After the discussion with Martin^1 we 
decided to play it safe and put KRB5CCNAME into 
/etc/systemd/system/httpd.service.

-- 
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0031.2-provide-dedicated-ccache-file-for-httpd.patch
Type: text/x-patch
Size: 2384 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150504/0d4857a8/attachment.bin>
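The override the thread settles on, as an added example (not the patch attached above and not FreeIPA's own installer code): it writes an /etc/systemd/system/httpd.service that includes the distro unit and sets KRB5CCNAME to the ccache path Jan quoted, and creates that ccache directory so only the web server can read delegated tickets. The ROOT argument, the function names and the `apache` user are assumptions made here so the script can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example (not the FreeIPA patch from this thread): install an
# httpd.service override that points KRB5CCNAME at a dedicated ccache file,
# and create the ccache directory with restrictive permissions.
# ROOT (first argument, default empty = live system) is an assumption made
# here so the script can run against a scratch directory.
set -eu

# Ccache location quoted in the thread.
IPA_CCACHE="FILE:/var/run/httpd/krbcache/krb5ccache"

# Print the override unit following the recipe in httpd.service's own
# comment: include the distro unit, then extend [Service].
ipa_httpd_override_unit() {
    cat <<EOF
.include /lib/systemd/system/httpd.service
[Service]
Environment=KRB5CCNAME=$IPA_CCACHE
EOF
}

# Install the override under ROOT: unit file plus ccache directory.
# The directory is private to the web server; chown only when run as root
# and the (assumed) apache user exists.
install_ipa_httpd_ccache_override() {
    root=${1:-}
    unit_dir="$root/etc/systemd/system"
    cc_dir="$root/var/run/httpd/krbcache"
    mkdir -p "$unit_dir" "$cc_dir"
    ipa_httpd_override_unit > "$unit_dir/httpd.service"
    chmod 0700 "$cc_dir"
    if [ "$(id -u)" -eq 0 ] && id apache >/dev/null 2>&1; then
        chown apache:apache "$cc_dir"
    fi
    echo "$unit_dir/httpd.service"
}

# Read KRB5CCNAME back out of a unit file (first Environment= match).
read_krb5ccname_from_unit() {
    sed -n 's/^Environment=KRB5CCNAME=//p' "$1" | head -n 1
}

# A ccache directory readable by other local users would expose delegated
# tickets; succeed only if the mode is exactly 0700 (GNU or BSD stat).
check_ccache_dir_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "700" ]
}
```

Run as root with no argument to install on the live system (followed by `systemctl daemon-reload` and a restart of httpd), or pass a scratch directory to inspect the output first. The `.include` directive shown in the httpd.service comment has since been deprecated by systemd; the equivalent today is a drop-in file such as /etc/systemd/system/httpd.service.d/ipa.conf containing only the `[Service]` section, which `systemctl edit httpd` creates for you. Either way the setting only helps consumers of the delegated credentials if the ccache directory exists and is not world-readable, which is what the permission check guards.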
