Configure httpd service from installer instead of directly from RPM

File httpd.service was created by RPM, what causes that httpd service may
fail due IPA specific configuration even if IPA wasn't installed or was
uninstalled (without erasing RPMs).

With this patch httpd service is configured by httpd.d/ipa.conf during
IPA installation and this config is removed by uninstaller, so no
residual http configuration related to IPA should stay there.

https://fedorahosted.org/freeipa/ticket/5681

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>

3 files changed, 40 insertions, 0 deletions

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 4aa55d870..585a5d26e 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -127,6 +127,8 @@ class BasePathNamespace(object):
     SYSCONFIG_PKI_TOMCAT = "/etc/sysconfig/pki-tomcat"
     SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/sysconfig/pki/tomcat/pki-tomcat"
     ETC_SYSTEMD_SYSTEM_DIR = "/etc/systemd/system/"
+    SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/httpd.d/"
+    SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/httpd.d/ipa.conf"
     SYSTEMD_CERTMONGER_SERVICE = "/etc/systemd/system/multi-user.target.wants/certmonger.service"
     SYSTEMD_IPA_SERVICE = "/etc/systemd/system/multi-user.target.wants/ipa.service"
     SYSTEMD_SSSD_SERVICE = "/etc/systemd/system/multi-user.target.wants/sssd.service"
@@ -197,6 +199,7 @@ class BasePathNamespace(object):
     GENERATE_RNDC_KEY = "/usr/libexec/generate-rndc-key.sh"
     IPA_DNSKEYSYNCD_REPLICA = "/usr/libexec/ipa/ipa-dnskeysync-replica"
     IPA_DNSKEYSYNCD = "/usr/libexec/ipa/ipa-dnskeysyncd"
+    IPA_HTTPD_KDCPROXY = "/usr/libexec/ipa/ipa-httpd-kdcproxy"
     IPA_ODS_EXPORTER = "/usr/libexec/ipa/ipa-ods-exporter"
     DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
     GETSEBOOL = "/usr/sbin/getsebool"
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 573287c6b..f5fb2b155 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -236,3 +236,11 @@ class BaseTaskNamespace(object):
         :return: object implementing proper __cmp__ method for version compare
         """
         return parse_version(version)
+
+    def configure_httpd_service_ipa_conf(self):
+        """Configure httpd service to work with IPA"""
+        raise NotImplementedError()
+
+    def remove_httpd_service_ipa_conf(self):
+        """Remove configuration of httpd service of IPA"""
+        raise NotImplementedError()
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 7c29b51e1..4be9a146e 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -460,5 +460,34 @@ class RedHatTaskNamespace(BaseTaskNamespace):
         """
         return IPAVersion(version)
 
+    def configure_httpd_service_ipa_conf(self):
+        """Create systemd config for httpd service to work with IPA
+        """
+        if not os.path.exists(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR):
+            os.mkdir(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR, 0o755)
+
+        ipautil.copy_template_file(
+            os.path.join(ipautil.SHARE_DIR, 'ipa-httpd.conf.template'),
+            paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF,
+            dict(
+                KRB5CC_HTTPD=paths.KRB5CC_HTTPD,
+                KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
+                IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY,
+                POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY)
+            )
+        )
+
+        os.chmod(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, 0o644)
+        self.restore_context(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
+
+    def remove_httpd_service_ipa_conf(self):
+        """Remove systemd config for httpd service of IPA"""
+        try:
+            os.unlink(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
+        except OSError as e:
+            root_logger.error(
+                'Error removing %s: %s',
+                paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, e
+            )
 
 tasks = RedHatTaskNamespace()