[Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd

Alexander Bokovoy abokovoy at redhat.com
Tue May 12 05:50:20 UTC 2015


On Mon, 04 May 2015, Martin Babinsky wrote:
>On 04/30/2015 08:23 AM, Alexander Bokovoy wrote:
>>On Thu, 30 Apr 2015, Jan Cholasta wrote:
>>>Hi,
>>>
>>>Dne 29.4.2015 v 19:42 Martin Babinsky napsal(a):
>>>>The attached patch is a merge of PATCHES 0031-0032 incorporating Simo's
>>>>and Martin's suggestions (see e.g.
>>>>https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html
>>>>for reference).
>>>>
>>>>https://fedorahosted.org/freeipa/ticket/4973
>>>
>>>IMHO we should set the environment variable in
>>>/etc/systemd/system/httpd.service, instead of providing a new service
>>>file, because we are just changing configuration, not creating a new
>>>concurrent httpd instance, as is the case with ipa-memcached, and also
>>>not using alternative httpd implementation which masks the current
>>>one, as is the case with bind-pkcs11. It would simplify the whole
>>>thing significantly and it's even recommended in httpd.service to do
>>I agree.
>>
>>>so:
>>>
>>>   # For example, to pass additional options (for instance, -D
>>>definitions) to the
>>>   # httpd binary at startup, you need to create a file named
>>>   # "/etc/systemd/system/httpd.service" containing:
>>>   #    .include /lib/systemd/system/httpd.service
>>>   #    [Service]
>>>   #    Environment=OPTIONS=-DMY_DEFINE
>>>
>>>(BTW I wonder why /etc/sysconfig/httpd support was removed from httpd
>>>in Fedora
>>>(<http://pkgs.fedoraproject.org/cgit/httpd.git/commit/?id=0b19f7b6e1a47c6167a8ab43b4a9d1e759b54721>),
>>>it seems like a better place to customize environment variables,
>>>rather than having to create a modified service file...)
>>We had a discussion with Joe Orton (httpd maintainer) a while ago and his
>>arguments were the following:
>>----
>>Hi guys, we made that change to adopt what is considered "best practice"
>>for systemd.  The change is not in RHEL7, only Fedora >= 20.
>>
>>I would not say we are strongly wedded to that change, but the use case
>>you provide seems very weak.  /etc/sysconfig/httpd is intended to be
>>user-configurable and if users do "rm -f /etc/sysconfig/httpd" then
>>Fedora packages should keep working correctly.  Can we find a more
>>robust way to achieve the same results?  Why is it required that the
>>environment variable is set globally within /usr/sbin/httpd?
>>
>>... [and later in discussion]
>>
>>I'd argue that in this case you should not be using httpd.service as-is;
>>instead it would be correct to create an "httpd-ipa.service" unit file
>>or similar, which can ".include" the system httpd.service, and sets up
>>the appropriate Environment= (or EnvironmentFile=) directly.
>>
>>Also, if the intent is purely to change mod_auth_kerb's interaction
>>with libkrb5 is there no way to do this via the libkrb API - or
>>mod_auth_kerb's existing use thereof?
>>
>>The use of /etc/sysconfig/httpd has historically been a mild PITA and
>>I'm not seeing a compelling reason to revert the decision to kill it
>>here.
>>----
>>
>>>Anyway, I would prefer if we set it in a way that works on non-systemd
>>>distros as well. Can't we just set "GssapiCredStore
>>>ccache:FILE:/var/run/httpd/krbcache/krb5ccache" in
>>>/etc/httpd/conf.d/ipa.conf?
>>It is not just mod_auth_gssapi, it is needed for users of the
>>credentials obtained by mod_auth_gssapi. mod_auth_gssapi only sets
>>KRB5CCNAME value when there is delegation of credentials in use and
>>there is something to delegate.
>>
>>
>
>Ok, attaching updated patches. After the discussion with Martin^1 we 
>decided to play it safe and put KRB5CCNAME into 
>/etc/systemd/system/httpd.service.
>
>-- 
>Martin^3 Babinsky

>From 6042f4ce093890394da4f6e625d5cc745b285c35 Mon Sep 17 00:00:00 2001
>From: Martin Babinsky <mbabinsk at redhat.com>
>Date: Tue, 28 Apr 2015 16:24:02 +0200
>Subject: [PATCH] provide dedicated ccache file for httpd
>
>httpd service stores Kerberos credentials in kernel keyring which gets
>destroyed and recreated during service install/upgrade, causing problems when
>the process is run under SELinux context other than 'unconfined_t'. This patch
>enables HTTPInstance to set up a dedicated CCache file for Apache to store
>credentials.
>
>https://fedorahosted.org/freeipa/ticket/4973
>---
> freeipa.spec.in            | 4 ++++
> init/systemd/httpd.service | 4 ++++
> 2 files changed, 8 insertions(+)
> create mode 100644 init/systemd/httpd.service
>
>diff --git a/freeipa.spec.in b/freeipa.spec.in
>index 608242b5adbc43efbbf0ae30a6d7a933bebc1084..664162fe918f03049c27f70c9e7f852a11c50a8c 100644
>--- a/freeipa.spec.in
>+++ b/freeipa.spec.in
>@@ -12,6 +12,7 @@
> %endif
> 
> %global plugin_dir %{_libdir}/dirsrv/plugins
>+%global etc_systemd_dir %{_sysconfdir}/systemd/system
> %global gettext_domain ipa
> %if 0%{?rhel}
> %global platform_module rhel
>@@ -470,8 +471,10 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
> 
> # NOTE: systemd specific section
> mkdir -p %{buildroot}%{_unitdir}
>+mkdir -p %{buildroot}%{etc_systemd_dir}
> install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
> install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
>+install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service
> # END
> mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
> %endif # ONLY_CLIENT
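Review bot: the line `install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service` ships a packaged file at exactly the path that httpd.service's own comment tells administrators to create for local customization (`/etc/systemd/system/httpd.service` with `.include`), so any site that already followed that advice will collide with the package on install or upgrade. A drop-in under `/etc/systemd/system/httpd.service.d/` containing only `[Service]` and the `Environment=KRB5CCNAME=...` line layers on the vendor unit without replacing it and avoids that conflict. Note also that the diffstat lists `init/systemd/httpd.service` as a new file but its contents are not part of the quoted patch, so the actual Environment= value cannot be checked from this message.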
>@@ -691,6 +694,7 @@ fi
> %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
> %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
> %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
>+%attr(644,root,root) %{etc_systemd_dir}/httpd.service
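Review bot: `%attr(644,root,root) %{etc_systemd_dir}/httpd.service` is a plain %files entry for a file under /etc, so a package upgrade silently overwrites any local edits to it; mark it `%config(noreplace)` (or at least `%config`) as is usual for files in that tree. Since the spec only lists the file and not `%{etc_systemd_dir}` itself, the parent directory is left to whichever package owns /etc/systemd/system, which needs to be expressed as a dependency so the directory is guaranteed to exist at install time.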
There is a minor issue: a lack of

Requires: /etc/systemd/system

which is needed because the /etc/systemd/system directory is owned by a
different package. We require systemd-units, which is provided by the systemd
package as well, so it is sort of mitigated by that, but it would be
good to be explicit in the require. And yes, you can require the
directory because systemd provides it:

$ rpm -q --whatprovides /etc/systemd/system
systemd-219-13.fc22.x86_64

Otherwise, ACK.

-- 
/ Alexander Bokovoy
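As an added check, not code from this thread or from FreeIPA, the script below inspects a systemd override's text for the KRB5CCNAME setting discussed above and confirms it points at a FILE: ccache under the /var/run/httpd/krbcache directory suggested in the thread (assumed path) rather than at a kernel keyring, and that a ccache directory is mode 0700; the unit texts are constructed samples.

```shell
#!/bin/sh
# Added example: verify an httpd unit override pins KRB5CCNAME to a FILE:
# ccache instead of the kernel keyring that the patch description says is
# destroyed on install/upgrade. Not part of the FreeIPA patch.

# Print the KRB5CCNAME value found on Environment= lines of unit text ($1).
# Quotes are stripped so Environment="KRB5CCNAME=..." is handled too.
ccache_from_unit() {
    printf '%s\n' "$1" | tr -d '"' \
        | sed -n 's/^Environment=.*KRB5CCNAME=\([^ ]*\).*/\1/p' | tail -n 1
}

# Succeed only when the ccache ($1) is a FILE: ccache under the runtime
# directory assumed from the thread (/var/run/httpd/krbcache).
ccache_ok() {
    case "$1" in
        FILE:/var/run/httpd/krbcache/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only when the ccache directory ($1) exists and is mode 0700, so the
# stored credentials are not readable by other local users.
ccache_dir_ok() {
    [ -d "$1" ] && [ "$(stat -c %a "$1" 2>/dev/null)" = "700" ]
}

# Constructed override in the shape httpd.service's own comment recommends.
SAMPLE_UNIT='.include /lib/systemd/system/httpd.service
[Service]
Environment=KRB5CCNAME=FILE:/var/run/httpd/krbcache/krb5ccache'

# Constructed override that still leaves credentials on the keyring
# (uid 48 is only a placeholder for the apache user).
BAD_UNIT='[Service]
Environment=KRB5CCNAME=KEYRING:persistent:48'

# On a live host the effective value can be read with:
#   systemctl show -p Environment httpd.service
if [ "${1:-}" = "--demo" ]; then
    ccache_ok "$(ccache_from_unit "$SAMPLE_UNIT")" && echo "sample: ok"
    ccache_ok "$(ccache_from_unit "$BAD_UNIT")" || echo "bad: keyring ccache"
fi
```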