diff options
author | Martin Kosek <mkosek@redhat.com> | 2014-01-16 14:12:29 +0100 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-01-16 14:12:29 +0100 |
commit | 3900c6dd598971c42481da90b21d200eb2ab1922 (patch) | |
tree | 40ded0deb53afbbbda17bf293f858221b1e14ad3 | |
parent | f5e69b15a070ea94e8651fa8e0d51eb13031219c (diff) | |
download | freeipa-4084.tar.gz freeipa-4084.tar.xz freeipa-4084.zip |
Switch httpd to use default CCACHE4084
Stock httpd no longer uses systemd EnvironmentFile option which is
making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard
to debug problems during subsequent ipa-server-install's where HTTP
may use a stale CCACHE in the default kernel keyring CCACHE.
Avoid forcing custom CCACHE and switch to system one, just make sure
that it is properly cleaned by kdestroy run as "apache" user during
FreeIPA server installation process.
https://fedorahosted.org/freeipa/ticket/4084
-rw-r--r-- | install/tools/ipa-upgradeconfig | 7 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 22 |
2 files changed, 9 insertions, 20 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index ed4852c0..b281eb4e 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -1043,10 +1043,15 @@ def main(): update_dbmodules(api.env.realm) uninstall_ipa_kpasswd() + removed_sysconfig_file = '/etc/sysconfig/httpd' + if fstore.has_file(removed_sysconfig_file): + root_logger.info('Restoring %s as it is no longer required', + removed_sysconfig_file) + fstore.restore_file(removed_sysconfig_file) + http = httpinstance.HTTPInstance(fstore) http.remove_httpd_ccache() http.configure_selinux_for_httpd() - http.configure_httpd_ccache() http.change_mod_nss_port_from_http() ds = dsinstance.DsInstance() diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index e61a0c6d..12cb2e01 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -126,7 +126,6 @@ class HTTPInstance(service.Service): self.step("creating a keytab for httpd", self.__create_http_keytab) self.step("clean up any existing httpd ccache", self.remove_httpd_ccache) self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd) - self.step("configure httpd ccache", self.configure_httpd_ccache) self.step("restarting httpd", self.__start) self.step("configuring httpd to start on boot", self.__enable) @@ -217,24 +216,9 @@ class HTTPInstance(service.Service): def remove_httpd_ccache(self): # Clean up existing ccache - pent = pwd.getpwnam("apache") - installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid) - - def configure_httpd_ccache(self): - pent = pwd.getpwnam("apache") - ccache = '/tmp/krb5cc_%d' % pent.pw_uid - filepath = '/etc/sysconfig/httpd' - if not os.path.exists(filepath): - # file doesn't exist; create it with correct ownership & mode - open(filepath, 'a').close() - os.chmod(filepath, - stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH) - os.chown(filepath, 0, 0) - - replacevars = {'KRB5CCNAME': ccache} - old_values = ipautil.backup_config_and_replace_variables( - self.fstore, filepath, replacevars=replacevars) - ipaservices.restore_context(filepath) + # Make sure that empty env is passed to avoid passing KRB5CCNAME from + # current env + ipautil.run(['kdestroy'], runas='apache', raiseonerr=False, env={}) def __configure_http(self): target_fname = '/etc/httpd/conf.d/ipa.conf' |