From 97d3a2420f5b29d3777c1661c27a7cc6b157a2d5 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Thu, 16 Jan 2014 14:12:29 +0100
Subject: [PATCH 4/9] Switch httpd to use default CCACHE

Stock httpd no longer uses systemd EnvironmentFile option which is making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard to debug problems during subsequent ipa-server-install's where HTTP may use a stale CCACHE in the default kernel keyring CCACHE. Avoid forcing custom CCACHE and switch to system one, just make sure that it is properly cleaned by kdestroy run as "apache" user during FreeIPA server installation process. https://fedorahosted.org/freeipa/ticket/4084
---
 install/tools/ipa-upgradeconfig | 7 ++++++-
 ipaserver/install/httpinstance.py | 22 +++-------------------
 2 files changed, 9 insertions(+), 20 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 41c51263d5fc8b3a0e2f28bab89fc9d2d184fdca..cf9fe0e040e56bb75ca8d53e28586911caeffb2b 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1043,10 +1043,15 @@ def main():
     update_dbmodules(api.env.realm)
     uninstall_ipa_kpasswd()
 
+    removed_sysconfig_file = '/etc/sysconfig/httpd'
+    if fstore.has_file(removed_sysconfig_file):
+        root_logger.info('Restoring %s as it is no longer required',
+                         removed_sysconfig_file)
+        fstore.restore_file(removed_sysconfig_file)
+
     http = httpinstance.HTTPInstance(fstore)
     http.remove_httpd_ccache()
     http.configure_selinux_for_httpd()
-    http.configure_httpd_ccache()
     http.change_mod_nss_port_to_http()
 
     ds = dsinstance.DsInstance()
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 689e657e291b93d90038937a61f67915c0d582ec..9c9205883b38dfb854fb2885d3692a7053866b63 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
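Review bot: `fstore.restore_file(removed_sysconfig_file)` overwrites the live /etc/sysconfig/httpd with the copy presumably taken by backup_config_and_replace_variables at install time, so any variables an administrator added to that file after the original install are silently discarded on upgrade; at minimum the log line should say that, e.g. `root_logger.info('Restoring %s to its pre-installation content as it is no longer required', removed_sysconfig_file)`, or the current file should be compared with the backup before it is replaced. A related edge case: the removed configure_httpd_ccache created an empty root-owned file when none existed before backing it up, so on such hosts the restore appears to leave an empty /etc/sysconfig/httpd behind rather than removing it — probably harmless, but worth confirming. The new block also lacks a why-comment; I'd add `# KRB5CCNAME is no longer forced through /etc/sysconfig/httpd (httpd stopped reading it), so put the pre-install copy back` above the assignment. main() continues outside the hunk.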
@@ -126,7 +126,6 @@ def create_instance(self, realm, fqdn, domain_name, dm_password=None,
         self.step("creating a keytab for httpd", self.__create_http_keytab)
         self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
         self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
-        self.step("configure httpd ccache", self.configure_httpd_ccache)
         self.step("restarting httpd", self.__start)
         self.step("configuring httpd to start on boot", self.__enable)
 
@@ -217,24 +216,9 @@ def __create_http_keytab(self):
 
     def remove_httpd_ccache(self):
         # Clean up existing ccache
-        pent = pwd.getpwnam("apache")
-        installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid)
-
-    def configure_httpd_ccache(self):
-        pent = pwd.getpwnam("apache")
-        ccache = '/tmp/krb5cc_%d' % pent.pw_uid
-        filepath = '/etc/sysconfig/httpd'
-        if not os.path.exists(filepath):
-            # file doesn't exist; create it with correct ownership & mode
-            open(filepath, 'a').close()
-            os.chmod(filepath,
-                     stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
-            os.chown(filepath, 0, 0)
-
-        replacevars = {'KRB5CCNAME': ccache}
-        old_values = ipautil.backup_config_and_replace_variables(
-            self.fstore, filepath, replacevars=replacevars)
-        ipaservices.restore_context(filepath)
+        # Make sure that empty env is passed to avoid passing KRB5CCNAME from
+        # current env
+        ipautil.run(['kdestroy'], runas='apache', raiseonerr=False, env={})
 
     def __configure_http(self):
         target_fname = '/etc/httpd/conf.d/ipa.conf'
-- 
1.8.5.3
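Review bot: The rewritten remove_httpd_ccache no longer deletes the legacy file ccache `/tmp/krb5cc_<uid>` that the removed configure_httpd_ccache used to point KRB5CCNAME at, yet ipa-upgradeconfig still calls this method on upgrade, so on an upgraded server the old file holding the HTTP service's tickets stays in /tmp — kdestroy run with an empty environment only destroys the default ccache. I'd keep the two removed lines `pent = pwd.getpwnam("apache")` and `installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid)` ahead of the kdestroy call (assuming pwd and installutils remain imported in this module). Two smaller points: with `env={}` there is no PATH, so locating `kdestroy` relies on the interpreter's default search path, and an absolute path or an explicit PATH entry in env would be more robust; and if the default ccache is a collection type (the commit message mentions the kernel keyring), plain `kdestroy` removes only the primary cache, so `kdestroy -A` may be the intended behaviour. Finally, `raiseonerr=False` makes a failed cleanup silent; if ipautil.run returns the exit status, log a non-zero one at warning level so a stale cache is at least visible in the install log.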