Fix error detection when starting kpropd/kadmind

- drop a patch we're not applying
- wrap kadmind and kpropd in scripts which check for the presence/absence
  of files which dictate particular exit codes before exec'ing the actual
  binaries, instead of trying to use ConditionPathExists in the unit files
  to accomplish that, so that we exit with failure properly when what we
  expect isn't actually in effect on the system (#800343)
Nalin Dahyabhai 2013-08-15 00:10:24 -04:00
parent 272aaeef17
commit ee18500d9b
5 changed files with 41 additions and 7 deletions

10
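--- a/_kadmind
+++ b/_kadmind
@@ -0,0 +1,10 @@
+#!/bin/sh
+kadmind=/usr/sbin/kadmind
+if test -f /var/kerberos/krb5kdc/kpropd.acl ; then
+echo $"Error. This appears to be a slave server, found kpropd.acl"
+exit 6
+fi
+if ! test -x "$kadmind" ; then
+exit 5
+fi
+exec "$kadmind" "$@"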
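Review bot: The `echo $"Error. ..."` line uses bash's locale-translation quoting under a `#!/bin/sh` shebang; where /bin/sh is not bash this typically prints a stray leading `$`, and the message goes to stdout rather than stderr. Plain quoting on stderr is the portable form: `echo "Error. This appears to be a slave server, found kpropd.acl" >&2`. The `exit 5` branch is silent, so a missing or non-executable /usr/sbin/kadmind leaves only the exit status in the log; a one-line message there would make the failure diagnosable. A short header comment should say what 5 and 6 signal (they look like the LSB init-script codes for "not installed" and "not configured") and that the role check keys on the presence of kpropd.acl. The same points apply to `_kpropd`.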

10
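--- a/_kpropd
+++ b/_kpropd
@@ -0,0 +1,10 @@
+#!/bin/sh
+kpropd=/usr/sbin/kpropd
+if ! test -f /var/kerberos/krb5kdc/kpropd.acl ; then
+echo $"Error. This does not appear to be a slave server, kpropd.acl not found"
+exit 6
+fi
+if ! test -x "$kpropd" ; then
+exit 5
+fi
+exec "$kpropd" "$@"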


@ -1,13 +1,12 @@
[Unit] [Unit]
Description=Kerberos 5 Password-changing and Administration Description=Kerberos 5 Password-changing and Administration
After=syslog.target network.target After=syslog.target network.target
ConditionPathExists=!/var/kerberos/krb5kdc/kpropd.acl
[Service] [Service]
Type=forking Type=forking
PIDFile=/var/run/kadmind.pid PIDFile=/var/run/kadmind.pid
EnvironmentFile=-/etc/sysconfig/kadmin EnvironmentFile=-/etc/sysconfig/kadmin
ExecStart=/usr/sbin/kadmind -P /var/run/kadmind.pid $KADMIND_ARGS ExecStart=/usr/sbin/_kadmind -P /var/run/kadmind.pid $KADMIND_ARGS
ExecReload=/bin/kill -HUP $MAINPID ExecReload=/bin/kill -HUP $MAINPID
[Install] [Install]
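Review bot: `ExecStart=` now launches the `/usr/sbin/_kadmind` shell wrapper instead of the daemon binary, so on an SELinux-enforcing host it is worth confirming that the wrapper's file label still leaves kadmind running in its confined domain rather than the caller's; nothing on this page shows a file-context rule for the new path. The wrapper also becomes part of the service's trusted start path and should stay root-owned and not group- or world-writable (the spec installs it with mode 755; ownership is not visible here). A comment line above `ExecStart=` would help the next maintainer, for example `# wrapper replaces ConditionPathExists= so a wrong role is reported as a failed start, not a skipped one`. The kpropd unit's `ExecStart=/usr/sbin/_kpropd -S` has the same considerations.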


@ -1,11 +1,10 @@
[Unit] [Unit]
Description=Kerberos 5 Propagation Description=Kerberos 5 Propagation
After=syslog.target network.target After=syslog.target network.target
ConditionPathExists=/var/kerberos/krb5kdc/kpropd.acl
[Service] [Service]
Type=forking Type=forking
ExecStart=/usr/sbin/kpropd -S ExecStart=/usr/sbin/_kpropd -S
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target


@ -32,7 +32,7 @@
Summary: The Kerberos network authentication system Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.11.3 Version: 1.11.3
Release: 7%{?dist} Release: 8%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead? # Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
Source0: krb5-%{version}.tar.gz Source0: krb5-%{version}.tar.gz
@ -45,6 +45,8 @@ Source2: kprop.service
Source4: kadmin.service Source4: kadmin.service
Source5: krb5kdc.service Source5: krb5kdc.service
Source6: krb5.conf Source6: krb5.conf
Source7: _kpropd
Source8: _kadmind
Source10: kdc.conf Source10: kdc.conf
Source11: kadm5.acl Source11: kadm5.acl
Source19: krb5kdc.sysconfig Source19: krb5kdc.sysconfig
@ -76,7 +78,6 @@ Patch59: krb5-1.10-kpasswd_tcp.patch
Patch60: krb5-1.11-pam.patch Patch60: krb5-1.11-pam.patch
Patch63: krb5-1.11-selinux-label.patch Patch63: krb5-1.11-selinux-label.patch
Patch71: krb5-1.11-dirsrv-accountlock.patch Patch71: krb5-1.11-dirsrv-accountlock.patch
Patch75: krb5-pkinit-debug.patch
Patch86: krb5-1.9-debuginfo.patch Patch86: krb5-1.9-debuginfo.patch
Patch105: krb5-kvno-230379.patch Patch105: krb5-kvno-230379.patch
Patch113: krb5-1.11-alpha1-init.patch Patch113: krb5-1.11-alpha1-init.patch
@ -306,7 +307,6 @@ ln -s NOTICE LICENSE
%patch56 -p1 -b .doublelog %patch56 -p1 -b .doublelog
%patch59 -p1 -b .kpasswd_tcp %patch59 -p1 -b .kpasswd_tcp
%patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild} %patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild}
#%patch75 -p1 -b .pkinit-debug
%patch86 -p0 -b .debuginfo %patch86 -p0 -b .debuginfo
%patch105 -p1 -b .kvno %patch105 -p1 -b .kvno
%patch113 -p1 -b .init %patch113 -p1 -b .init
@ -507,6 +507,12 @@ for unit in \
# is an upgrade-time problem I'm in no hurry to deal with. # is an upgrade-time problem I'm in no hurry to deal with.
install -pm 644 ${unit} $RPM_BUILD_ROOT%{_unitdir} install -pm 644 ${unit} $RPM_BUILD_ROOT%{_unitdir}
done done
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
for wrapper in \
%{SOURCE7} \
%{SOURCE8} ; do
install -pm 755 ${wrapper} $RPM_BUILD_ROOT%{_sbindir}/
done
%else %else
mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
for init in \ for init in \
@ -771,12 +777,14 @@ exit 0
%{_sbindir}/kadmin.local %{_sbindir}/kadmin.local
%{_mandir}/man8/kadmin.local.8* %{_mandir}/man8/kadmin.local.8*
%{_sbindir}/kadmind %{_sbindir}/kadmind
%{_sbindir}/_kadmind
%{_mandir}/man8/kadmind.8* %{_mandir}/man8/kadmind.8*
%{_sbindir}/kdb5_util %{_sbindir}/kdb5_util
%{_mandir}/man8/kdb5_util.8* %{_mandir}/man8/kdb5_util.8*
%{_sbindir}/kprop %{_sbindir}/kprop
%{_mandir}/man8/kprop.8* %{_mandir}/man8/kprop.8*
%{_sbindir}/kpropd %{_sbindir}/kpropd
%{_sbindir}/_kpropd
%{_mandir}/man8/kpropd.8* %{_mandir}/man8/kpropd.8*
%{_sbindir}/kproplog %{_sbindir}/kproplog
%{_mandir}/man8/kproplog.8* %{_mandir}/man8/kproplog.8*
@ -902,6 +910,14 @@ exit 0
%{_sbindir}/uuserver %{_sbindir}/uuserver
%changelog %changelog
* Thu Aug 15 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.3-8
- drop a patch we weren't not applying (build tooling)
- wrap kadmind and kpropd in scripts which check for the presence/absence
of files which dictate particular exit codes before exec'ing the actual
binaries, instead of trying to use ConditionPathExists in the unit files
to accomplish that, so that we exit with failure properly when what we
expect isn't actually in effect on the system (#800343)
* Mon Jul 29 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.3-7 * Mon Jul 29 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.3-7
- attempt to account for UnversionedDocdirs for the -libs subpackage - attempt to account for UnversionedDocdirs for the -libs subpackage