authorMartin Kosek <mkosek@redhat.com>2014-01-16 14:12:29 +0100
committerMartin Kosek <mkosek@redhat.com>2014-01-16 14:12:29 +0100
commit3900c6dd598971c42481da90b21d200eb2ab1922 (patch)
tree40ded0deb53afbbbda17bf293f858221b1e14ad3
parentf5e69b15a070ea94e8651fa8e0d51eb13031219c (diff)
Switch httpd to use default CCACHE4084
Stock httpd no longer uses the systemd EnvironmentFile option, which makes FreeIPA's KRB5CCNAME setting ineffective. This can lead to hard-to-debug problems during subsequent ipa-server-install runs, where HTTP may use a stale CCACHE in the default kernel keyring CCACHE. Avoid forcing a custom CCACHE and switch to the system one; just make sure that it is properly cleaned by kdestroy run as the "apache" user during the FreeIPA server installation process. https://fedorahosted.org/freeipa/ticket/4084
-rw-r--r--install/tools/ipa-upgradeconfig7
-rw-r--r--ipaserver/install/httpinstance.py22
2 files changed, 9 insertions, 20 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index ed4852c0..b281eb4e 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1043,10 +1043,15 @@ def main():
update_dbmodules(api.env.realm)
uninstall_ipa_kpasswd()
+ removed_sysconfig_file = '/etc/sysconfig/httpd'
+ if fstore.has_file(removed_sysconfig_file):
+ root_logger.info('Restoring %s as it is no longer required',
+ removed_sysconfig_file)
+ fstore.restore_file(removed_sysconfig_file)
+
http = httpinstance.HTTPInstance(fstore)
http.remove_httpd_ccache()
http.configure_selinux_for_httpd()
- http.configure_httpd_ccache()
http.change_mod_nss_port_from_http()
ds = dsinstance.DsInstance()
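Review bot: The added `fstore.restore_file(removed_sysconfig_file)` call in `main()` puts back the whole saved copy of `/etc/sysconfig/httpd`, not just the `KRB5CCNAME` line, so any setting an administrator added to that file after installation would presumably be overwritten by the upgrade. The outcome of the restore is also not checked, so a failed restore would leave the old `KRB5CCNAME` line in place with only the "Restoring" info message in the log. A short comment such as `# KRB5CCNAME is no longer set here (ticket 4084); put back the pre-IPA file` would explain why a file is being restored during an upgrade. Checking the result and logging a warning when the restore does not happen would make this diagnosable; `main()` starts and ends outside the hunk.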
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index e61a0c6d..12cb2e01 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -126,7 +126,6 @@ class HTTPInstance(service.Service):
self.step("creating a keytab for httpd", self.__create_http_keytab)
self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
- self.step("configure httpd ccache", self.configure_httpd_ccache)
self.step("restarting httpd", self.__start)
self.step("configuring httpd to start on boot", self.__enable)
@@ -217,24 +216,9 @@ class HTTPInstance(service.Service):
def remove_httpd_ccache(self):
# Clean up existing ccache
- pent = pwd.getpwnam("apache")
- installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid)
-
- def configure_httpd_ccache(self):
- pent = pwd.getpwnam("apache")
- ccache = '/tmp/krb5cc_%d' % pent.pw_uid
- filepath = '/etc/sysconfig/httpd'
- if not os.path.exists(filepath):
- # file doesn't exist; create it with correct ownership & mode
- open(filepath, 'a').close()
- os.chmod(filepath,
- stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
- os.chown(filepath, 0, 0)
-
- replacevars = {'KRB5CCNAME': ccache}
- old_values = ipautil.backup_config_and_replace_variables(
- self.fstore, filepath, replacevars=replacevars)
- ipaservices.restore_context(filepath)
+ # Make sure that empty env is passed to avoid passing KRB5CCNAME from
+ # current env
+ ipautil.run(['kdestroy'], runas='apache', raiseonerr=False, env={})
def __configure_http(self):
target_fname = '/etc/httpd/conf.d/ipa.conf'
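Review bot: In `remove_httpd_ccache`, `ipautil.run(['kdestroy'], runas='apache', raiseonerr=False, env={})` discards any failure, so a `kdestroy` that could not run or could not clear the cache leaves the stale ccache this commit sets out to remove, with nothing in the install log. Inspect the result and emit a `root_logger.warning(...)` (or the module's own logger) when the return code is non-zero. Separately, the old `/tmp/krb5cc_<uid>` file that earlier releases pointed httpd at is no longer deleted explicitly; on an upgraded host whose default ccache for `apache` is not that file (for example a keyring default in krb5.conf), the old cache with the HTTP service's tickets would stay on disk. Keeping `installutils.remove_file('/tmp/krb5cc_%d' % pwd.getpwnam("apache").pw_uid)` next to the `kdestroy` call would cover that case, assuming `pwd` and `installutils` are still imported in this module.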