[Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd
Alexander Bokovoy
abokovoy at redhat.com
Thu May 14 05:12:28 UTC 2015
On Wed, 13 May 2015, Anthony Messina wrote:
>On Wednesday, May 13, 2015 02:58:40 PM Alexander Bokovoy wrote:
>> On Wed, 13 May 2015, Anthony Messina wrote:
>> >On Wednesday, May 13, 2015 01:28:44 PM Martin Babinsky wrote:
>> >> On 05/12/2015 06:47 PM, Alexander Bokovoy wrote:
>> >> > On Tue, 12 May 2015, Petr Vobornik wrote:
>> >> >> On 05/12/2015 11:22 AM, Alexander Bokovoy wrote:
>> >> >>> On Tue, 12 May 2015, Martin Babinsky wrote:
>> >> >>>>>> %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
>> >> >>>>>> +%attr(644,root,root) %{etc_systemd_dir}/httpd.service
>> >> >>>>>
>> >> >>>>> There is a minor issue: a lack of
>> >> >>>>>
>> >> >>>>> Requires: /etc/systemd/system
>> >> >>>>>
>> >> >>>>> which is needed because of /etc/systemd/system directory owned by a
>> >> >>>>> different package. We require systemd-units which is provided by
>> >> >>>>> systemd
>> >> >>>>> package as well so it is sort of mitigated by that but it would
>> >> >>>>> good to be explicit in the require. And yes, you can require the
>> >> >>>>> directory because systemd provides it:
>> >> >>>>>
>> >> >>>>> $ rpm -q --whatprovides /etc/systemd/system
>> >> >>>>> systemd-219-13.fc22.x86_64
>> >> >>>>>
>> >> >>>>> Otherwise, ACK.
>> >> >>>>
>> >> >>>> thank for review Alexander, attaching updated patch.
>> >> >>>
>> >> >>> ACK
>> >> >>
>> >> >> Pushed to master: 9a1a409d63e30dcb939b672d352fc4aa7ba690fe
>> >> >
>> >> > We also need a tmpfiles config changes because otherwise
>> >> > /var/run/httpd/krbcache does not exist.
>> >> >
>> >> > Patch attached.
>> >>
>> >> ACK
>> >
>> >I'm not sure it matters, but mod_auth_kerb already sets up
>> >/var/run/httpd/krbcache via /lib/tmpfiles.d/httpd-krbcache.conf:
>> >d /var/run/httpd/krbcache 0700 apache apache
>>
>> We don't use mod_auth_kerb in Fedora 22 anymore, and mod_auth_gssapi
>> doesn't bring the same configuration in, so installing git master will
>> fail to operate due to missing directory.
>
>True, though mod_auth_gssapi has (at least for this user) uses beyond FreeIPA.
>Perhaps Simo would be willing to include the tmpfiles.d snippet in the
>"upstream" mod_auth_gssapi RPMs. -A
This is configuration specific to FreeIPA httpd service unit -- a
default httpd service unit in Fedora doesn't change Kerberos ccache
path and therefore uses kernel keyring for it where any file system path
is not required.
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list