[Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd

Martin Babinsky mbabinsk at redhat.com
Tue May 12 08:05:22 UTC 2015


On 05/12/2015 07:50 AM, Alexander Bokovoy wrote:
> On Mon, 04 May 2015, Martin Babinsky wrote:
>> On 04/30/2015 08:23 AM, Alexander Bokovoy wrote:
>>> On Thu, 30 Apr 2015, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> Dne 29.4.2015 v 19:42 Martin Babinsky napsal(a):
>>>>> The attached patch is a merge of PATCHES 0031-0032 incorporating
>>>>> Simo's
>>>>> and Martin's suggestions (see e.g.
>>>>> https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html
>>>>> for reference).
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/4973
>>>>
>>>> IMHO we should set the environment variable in
>>>> /etc/systemd/system/httpd.service, instead of providing a new service
>>>> file, because we are just changing configuration, not creating a new
>>>> concurrent httpd instance, as is the case with ipa-memcached, and also
>>>> not using alternative httpd implementation which masks the current
>>>> one, as is the case with bind-pkcs11. It would simplify the whole
>>>> thing significantly and it's even recommended in httpd.service to do
>>> I agree.
>>>
>>>> so:
>>>>
>>>>   # For example, to pass additional options (for instance, -D definitions) to the
>>>>   # httpd binary at startup, you need to create a file named
>>>>   # "/etc/systemd/system/httpd.service" containing:
>>>>   #    .include /lib/systemd/system/httpd.service
>>>>   #    [Service]
>>>>   #    Environment=OPTIONS=-DMY_DEFINE
>>>>
>>>> (BTW I wonder why /etc/sysconfig/httpd support was removed from httpd
>>>> in Fedora
>>>> (<http://pkgs.fedoraproject.org/cgit/httpd.git/commit/?id=0b19f7b6e1a47c6167a8ab43b4a9d1e759b54721>),
>>>> it seems like a better place to customize environment variables,
>>>> rather than having to create a modified service file...)
>>> We had a discussion with Joe Orton (httpd maintainer) a while ago and his
>>> arguments were the following:
>>> ----
>>> Hi guys, we made that change to adopt what is considered "best practice"
>>> for systemd.  The change is not in RHEL7, only Fedora >= 20.
>>>
>>> I would not say we are strongly wedded to that change, but the use case
>>> you provide seems very weak.  /etc/sysconfig/httpd is intended to be
>>> user-configurable and if users do "rm -f /etc/sysconfig/httpd" then
>>> Fedora packages should keep working correctly.  Can we find a more
>>> robust way to achieve the same results?  Why is it required that the
>>> environment variable is set globally within /usr/sbin/httpd?
>>>
>>> ... [and later in discussion]
>>>
>>> I'd argue that in this case you should not be using httpd.service as-is;
>>> instead it would be correct to create an "httpd-ipa.service" unit file
>>> or similar, which can ".include" the system httpd.service, and sets up
>>> the appropriate Environment= (or EnvironmentFile=) directly.
>>>
>>> Also, if the intent is purely to change mod_auth_kerb's interaction
>>> with libkrb5 is there no way to do this via the libkrb API - or
>>> mod_auth_kerb's existing use thereof?
>>>
>>> The use of /etc/sysconfig/httpd has historically been a mild PITA and
>>> I'm not seeing a compelling reason to revert the decision to kill it
>>> here.
>>> ----
>>>
>>>> Anyway, I would prefer if we set it in a way that works on non-systemd
>>>> distros as well. Can't we just set "GssapiCredStore
>>>> ccache:FILE:/var/run/httpd/krbcache/krb5ccache" in
>>>> /etc/httpd/conf.d/ipa.conf?
>>> It is not just mod_auth_gssapi, it is needed for users of the
>>> credentials obtained by mod_auth_gssapi. mod_auth_gssapi only sets
>>> KRB5CCNAME value when there is delegation of credentials in use and
>>> there is something to delegate.
>>>
>>>
>>
>> Ok, attaching updated patches. After the discussion with Martin^1 we
>> decided to play it safe and put KRB5CCNAME into
>> /etc/systemd/system/httpd.service.
>>
>> --
>> Martin^3 Babinsky
>
>> From 6042f4ce093890394da4f6e625d5cc745b285c35 Mon Sep 17 00:00:00 2001
>> From: Martin Babinsky <mbabinsk at redhat.com>
>> Date: Tue, 28 Apr 2015 16:24:02 +0200
>> Subject: [PATCH] provide dedicated ccache file for httpd
>>
>> httpd service stores Kerberos credentials in kernel keyring which gets
>> destroyed and recreated during service install/upgrade, causing problems when
>> the process is run under SELinux context other than 'unconfined_t'. This patch
>> enables HTTPInstance to set up a dedicated CCache file for Apache to store
>> credentials.
>>
>> https://fedorahosted.org/freeipa/ticket/4973
>> ---
>> freeipa.spec.in            | 4 ++++
>> init/systemd/httpd.service | 4 ++++
>> 2 files changed, 8 insertions(+)
>> create mode 100644 init/systemd/httpd.service
>>
>> diff --git a/freeipa.spec.in b/freeipa.spec.in
>> index
>> 608242b5adbc43efbbf0ae30a6d7a933bebc1084..664162fe918f03049c27f70c9e7f852a11c50a8c
>> 100644
>> --- a/freeipa.spec.in
>> +++ b/freeipa.spec.in
>> @@ -12,6 +12,7 @@
>> %endif
>>
>> %global plugin_dir %{_libdir}/dirsrv/plugins
>> +%global etc_systemd_dir %{_sysconfdir}/systemd/system
>> %global gettext_domain ipa
>> %if 0%{?rhel}
>> %global platform_module rhel
>> @@ -470,8 +471,10 @@ touch
>> %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
>>
>> # NOTE: systemd specific section
>> mkdir -p %{buildroot}%{_unitdir}
>> +mkdir -p %{buildroot}%{etc_systemd_dir}
>> install -m 644 init/systemd/ipa.service
>> %{buildroot}%{_unitdir}/ipa.service
>> install -m 644 init/systemd/ipa_memcached.service
>> %{buildroot}%{_unitdir}/ipa_memcached.service
>> +install -m 644 init/systemd/httpd.service
>> %{buildroot}%{etc_systemd_dir}/httpd.service
>> # END
>> mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
>> %endif # ONLY_CLIENT
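Review bot: the file this hunk installs, init/systemd/httpd.service, is listed in the diffstat as a new file but its content is not part of the quoted diff, so the actual `.include` line and the KRB5CCNAME value it sets cannot be reviewed here; please include it in the next revision. Also, because the destination is %{etc_systemd_dir} (that is, /etc/systemd/system) rather than %{_unitdir}, an administrator who already keeps a local httpd.service override at that path will have it replaced by the package copy; the %files entry should at least carry %config so rpm preserves such a pre-existing file instead of silently overwriting it.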
>> @@ -691,6 +694,7 @@ fi
>> %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
>> %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
>> %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
>> +%attr(644,root,root) %{etc_systemd_dir}/httpd.service
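Review bot: the new %attr entry puts a package-owned file into a directory this package does not own, so, as noted below in this thread, a `Requires: /etc/systemd/system` is needed to make the dependency explicit rather than relying on systemd-units pulling in systemd. Since the file lives under %{_sysconfdir}, consider `%config %attr(644,root,root) %{etc_systemd_dir}/httpd.service` (plain %config, not noreplace, so that a changed KRB5CCNAME still propagates on upgrade while a locally modified copy is kept as .rpmsave).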
> There is a minor issue: a lack of
>
> Requires: /etc/systemd/system
>
> which is needed because the /etc/systemd/system directory is owned by a
> different package. We require systemd-units, which is provided by the systemd
> package as well, so it is sort of mitigated by that, but it would be
> good to be explicit in the require. And yes, you can require the
> directory because systemd provides it:
>
> $ rpm -q --whatprovides /etc/systemd/system
> systemd-219-13.fc22.x86_64
>
> Otherwise, ACK.
>
Thanks for the review, Alexander; attaching the updated patch.

-- 
Martin^3 Babinsky
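Added example, not from the patch or the FreeIPA project: a POSIX shell check for the end state this thread converges on, an /etc/systemd/system/httpd.service override carrying KRB5CCNAME, verifying that the value is a FILE: ccache and that the ccache file itself grants no group or world access. The unit text and temp-dir paths are constructed for the demo; the ccache path mirrors the one suggested earlier in the thread.

```shell
# Added example, not part of the patch: check that an httpd systemd
# override sets KRB5CCNAME to a FILE: ccache and that the ccache file
# itself is owner-only. Paths below are constructed for the demo.

# Print the KRB5CCNAME value from the Environment= lines of a unit file
# (quoted or unquoted form). Returns 1 when no such setting is present.
unit_krb5ccname() {
    sed -n 's/"//g; s/^Environment=.*KRB5CCNAME=\([^ ]*\).*/\1/p' "$1" \
        | tail -n 1 | grep .
}

# Return 0 only for a FILE: ccache with an absolute path.
is_file_ccache() {
    case "$1" in
        FILE:/*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 when the ccache behind a FILE: spec exists, is a regular file
# and grants no group/other access (ls mode string -???------).
ccache_perms_ok() {
    path="${1#FILE:}"
    [ -f "$path" ] || return 1
    case "$(ls -ld "$path" | cut -c1-10)" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Write the kind of override the patch installs; $2 is the FILE: spec.
write_override() {
    printf '.include /lib/systemd/system/httpd.service\n[Service]\nEnvironment=KRB5CCNAME=%s\n' "$2" > "$1"
}

# Full check for one unit file: set, FILE: type, safe permissions.
check_httpd_ccache() {
    spec=$(unit_krb5ccname "$1") || { echo "KRB5CCNAME not set in $1"; return 1; }
    is_file_ccache "$spec" || { echo "not a FILE: ccache: $spec"; return 1; }
    ccache_perms_ok "$spec" || { echo "missing or unsafe ccache: ${spec#FILE:}"; return 1; }
    echo "ok: httpd uses $spec"
}

# Demo on a temp dir; on a real host point it at /etc/systemd/system/httpd.service.
demo=$(mktemp -d)
write_override "$demo/httpd.service" "FILE:$demo/krb5ccache"
touch "$demo/krb5ccache" && chmod 600 "$demo/krb5ccache"
check_httpd_ccache "$demo/httpd.service"
rm -rf "$demo"
```

On a live host the same check can be run against the installed override and /var/run/httpd/krbcache/krb5ccache once httpd has obtained a ticket.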
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0031.3-provide-dedicated-ccache-file-for-httpd.patch
Type: text/x-patch
Size: 2607 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150512/52f7ab9d/attachment.bin>

