[Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd

Alexander Bokovoy abokovoy at redhat.com
Thu Apr 30 06:23:25 UTC 2015


On Thu, 30 Apr 2015, Jan Cholasta wrote:
>Hi,
>
>Dne 29.4.2015 v 19:42 Martin Babinsky napsal(a):
>>The attached patch is a merge of PATCHES 0031-0032 incorporating Simo's
>>and Martin's suggestions (see e.g.
>>https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html
>>for reference).
>>
>>https://fedorahosted.org/freeipa/ticket/4973
>
>IMHO we should set the environment variable in 
>/etc/systemd/system/httpd.service, instead of providing a new service 
>file, because we are just changing configuration, not creating a new 
>concurrent httpd instance, as is the case with ipa-memcached, and also 
>not using alternative httpd implementation which masks the current 
>one, as is the case with bind-pkcs11. It would simplify the whole 
>thing significantly and it's even recommended in httpd.service to do 
>so:
>
>    # For example, to pass additional options (for instance, -D definitions) to the
>    # httpd binary at startup, you need to create a file named
>    # "/etc/systemd/system/httpd.service" containing:
>    #	.include /lib/systemd/system/httpd.service
>    #	[Service]
>    #	Environment=OPTIONS=-DMY_DEFINE
I agree.
>
>(BTW I wonder why /etc/sysconfig/httpd support was removed from httpd 
>in Fedora (<http://pkgs.fedoraproject.org/cgit/httpd.git/commit/?id=0b19f7b6e1a47c6167a8ab43b4a9d1e759b54721>), 
>it seems like a better place to customize environment variables, 
>rather than having to create a modified service file...)
We had a discussion with Joe Orton (httpd maintainer) a while ago and his
arguments were the following:
----
Hi guys, we made that change to adopt what is considered "best practice"
for systemd.  The change is not in RHEL7, only Fedora >= 20.

I would not say we are strongly wedded to that change, but the use case
you provide seems very weak.  /etc/sysconfig/httpd is intended to be
user-configurable and if users do "rm -f /etc/sysconfig/httpd" then
Fedora packages should keep working correctly.  Can we find a more
robust way to achieve the same results?  Why is it required that the
environment variable is set globally within /usr/sbin/httpd?

... [and later in the discussion]

I'd argue that in this case you should not be using httpd.service as-is;
instead it would be correct to create an "httpd-ipa.service" unit file
or similar, which can ".include" the system httpd.service, and sets up
the appropriate Environment= (or EnvironmentFile=) directly.

Also, if the intent is purely to change mod_auth_kerb's interaction
with libkrb5 is there no way to do this via the libkrb API - or
mod_auth_kerb's existing use thereof?

The use of /etc/sysconfig/httpd has historically been a mild PITA and
I'm not seeing a compelling reason to revert the decision to kill it
here.
----

>Anyway, I would prefer if we set it in a way that works on non-systemd 
>distros as well. Can't we just set "GssapiCredStore 
>ccache:FILE:/var/run/httpd/krbcache/krb5ccache" in 
>/etc/httpd/conf.d/ipa.conf?
It is not just mod_auth_gssapi, it is needed for users of the
credentials obtained by mod_auth_gssapi. mod_auth_gssapi only sets
KRB5CCNAME value when there is delegation of credentials in use and
there is something to delegate.


-- 
/ Alexander Bokovoy
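The two halves of the setup argued over in this thread (a per-unit environment override that hands httpd a dedicated KRB5CCNAME, and the mod_auth_gssapi `GssapiCredStore` line that names the same ccache) as an added, runnable example; this is not FreeIPA's or httpd's own code. It uses the `httpd.service.d/` drop-in directory that systemd documents for overriding a packaged unit rather than the `.include` style in the comment quoted above, so the packaged httpd.service is neither copied nor masked. The drop-in name `ipa.conf`, the fragment name `ipa-krb5ccache.conf`, the `apache` user, and the `ROOT`/`IPA_CCACHE_APPLY` variables are assumptions for illustration; the ccache path is the one from the thread. The directory holding the ccache is created mode 0700, since it will contain delegated user credentials.

```shell
#!/bin/sh
# Added example, not FreeIPA's or httpd's own code: write the systemd drop-in
# that exports KRB5CCNAME to httpd and the httpd fragment that points
# mod_auth_gssapi at the same ccache. ROOT="" targets the real system; any
# other value stages the files under that directory (dry run / testing).
# File names, the "apache" user and the env variables are assumptions.
set -eu

CCACHE="${CCACHE:-FILE:/var/run/httpd/krbcache/krb5ccache}"
CCACHE_DIR="$(dirname "${CCACHE#FILE:}")"

# The ccache holds delegated user credentials, so its directory must be
# private to the httpd user: a world-readable ccache is a credential leak.
prepare_ccache_dir() {
    root="$1"
    dir="$root$CCACHE_DIR"
    install -d -m 0700 "$dir"
    # Only chown on the real root and only when we actually are root.
    if [ "$root" = "" ] && [ "$(id -u)" -eq 0 ]; then
        chown apache:apache "$dir"
    fi
    printf '%s\n' "$dir"
}

# A drop-in under httpd.service.d/ is merged into the packaged unit, so it
# survives httpd package updates and creates no second httpd instance.
# Run `systemctl daemon-reload` after writing it.
write_dropin() {
    root="$1"
    dir="$root/etc/systemd/system/httpd.service.d"
    mkdir -p "$dir"
    cat > "$dir/ipa.conf" <<EOF
# Give httpd a dedicated ccache so credentials delegated through
# mod_auth_gssapi are visible to code running inside httpd (added example).
[Service]
Environment=KRB5CCNAME=$CCACHE
EOF
    printf '%s\n' "$dir/ipa.conf"
}

# The httpd-side half: mod_auth_gssapi stores delegated credentials in the
# store named here, which must be the ccache KRB5CCNAME points at.
write_httpd_conf() {
    root="$1"
    dir="$root/etc/httpd/conf.d"
    mkdir -p "$dir"
    cat > "$dir/ipa-krb5ccache.conf" <<EOF
# Delegated credentials go to the dedicated httpd ccache (added example).
GssapiCredStore ccache:$CCACHE
EOF
    printf '%s\n' "$dir/ipa-krb5ccache.conf"
}

# Checks: does the drop-in really export the expected ccache, and does the
# httpd fragment name the same store? Fixed-string, whole-line matches.
dropin_sets_ccache() {
    grep -qxF "Environment=KRB5CCNAME=$CCACHE" "$1"
}

httpd_conf_matches() {
    grep -qxF "GssapiCredStore ccache:$CCACHE" "$1"
}

# Apply only when explicitly asked, so sourcing the file has no side effects.
# Usage: IPA_CCACHE_APPLY=1 ROOT="" sh ipa-httpd-ccache.sh            (real system, as root)
#        IPA_CCACHE_APPLY=1 ROOT=/tmp/stage sh ipa-httpd-ccache.sh   (staged dry run)
if [ "${IPA_CCACHE_APPLY:-0}" = "1" ]; then
    root="${ROOT-/tmp/ipa-httpd-stage}"
    prepare_ccache_dir "$root"
    f=$(write_dropin "$root")
    g=$(write_httpd_conf "$root")
    dropin_sets_ccache "$f" && httpd_conf_matches "$g" && echo "ok: $f $g"
fi
```

After applying on a real system, `systemctl daemon-reload`, restart httpd, and confirm with `systemctl show -p Environment httpd.service` that KRB5CCNAME is present; the ccache file itself is created by mod_auth_gssapi when it delegates credentials, which is why the directory (not the file) is prepared here.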