-rw-r--r-- | freeipa.spec.in | 3 | ||||
-rw-r--r-- | init/systemd/httpd.service | 7 | ||||
-rw-r--r-- | install/share/Makefile.am | 1 | ||||
-rw-r--r-- | install/share/ipa-httpd.conf.template | 7 | ||||
-rw-r--r-- | ipaplatform/base/paths.py | 3 | ||||
-rw-r--r-- | ipaplatform/base/tasks.py | 8 | ||||
-rw-r--r-- | ipaplatform/redhat/tasks.py | 29 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 6 | ||||
-rw-r--r-- | ipaserver/install/server/upgrade.py | 5 |
9 files changed, 60 insertions, 9 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in index 1ded30488..aaa40cc9a 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -832,7 +832,6 @@ mkdir -p %{buildroot}%{_unitdir} mkdir -p %{buildroot}%{etc_systemd_dir} install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service -install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service install -m 644 init/systemd/ipa-custodia.service %{buildroot}%{_unitdir}/ipa-custodia.service # END mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup @@ -1143,7 +1142,7 @@ fi %{_tmpfilesdir}/%{name}.conf %attr(644,root,root) %{_unitdir}/ipa_memcached.service %attr(644,root,root) %{_unitdir}/ipa-custodia.service -%attr(644,root,root) %{etc_systemd_dir}/httpd.service +%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf # END %dir %{_usr}/share/ipa %{_usr}/share/ipa/wsgi.py* diff --git a/init/systemd/httpd.service b/init/systemd/httpd.service deleted file mode 100644 index 7ce8f04d8..000000000 --- a/init/systemd/httpd.service +++ /dev/null @@ -1,7 +0,0 @@ -.include /usr/lib/systemd/system/httpd.service - -[Service] -Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache -Environment=KDCPROXY_CONFIG=/etc/ipa/kdcproxy/kdcproxy.conf -ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy -ExecStopPost=-/usr/bin/kdestroy -A diff --git a/install/share/Makefile.am b/install/share/Makefile.am index b4cb83124..3a3bd2699 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -88,6 +88,7 @@ app_DATA = \ kdcproxy.conf \ kdcproxy-enable.uldif \ kdcproxy-disable.uldif \ + ipa-httpd.conf.template \ $(NULL) EXTRA_DIST = \ diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template new file mode 100644 index 000000000..a907d73cc --- /dev/null +++ b/install/share/ipa-httpd.conf.template 
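Review bot: The `%ghost` entry in the second freeipa.spec.in hunk points at `%{etc_systemd_dir}/httpd.d/ipa.conf`, but systemd only reads drop-ins from a directory named after the full unit, `httpd.service.d/`. With the path as written, the `[Service]` settings from ipa-httpd.conf.template would not be applied to httpd, so `KRB5CCNAME`, the `ExecStartPre` kdcproxy helper and the `ExecStopPost` `kdestroy -A` cleanup that the deleted httpd.service provided are silently lost. The same path is hard-coded in the first ipaplatform/base/paths.py hunk as `SYSTEMD_SYSTEM_HTTPD_D_DIR` and `SYSTEMD_SYSTEM_HTTPD_IPA_CONF`. All three should use the `httpd.service.d` directory, e.g. `SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/httpd.service.d/ipa.conf"`.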
@@ -0,0 +1,7 @@ +# Do not edit. Created by IPA installer. + +[Service] +Environment=KRB5CCNAME=$KRB5CC_HTTPD +Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG +ExecStartPre=$IPA_HTTPD_KDCPROXY +ExecStopPost=$POST diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 4aa55d870..585a5d26e 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -127,6 +127,8 @@ class BasePathNamespace(object): SYSCONFIG_PKI_TOMCAT = "/etc/sysconfig/pki-tomcat" SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/sysconfig/pki/tomcat/pki-tomcat" ETC_SYSTEMD_SYSTEM_DIR = "/etc/systemd/system/" + SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/httpd.d/" + SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/httpd.d/ipa.conf" SYSTEMD_CERTMONGER_SERVICE = "/etc/systemd/system/multi-user.target.wants/certmonger.service" SYSTEMD_IPA_SERVICE = "/etc/systemd/system/multi-user.target.wants/ipa.service" SYSTEMD_SSSD_SERVICE = "/etc/systemd/system/multi-user.target.wants/sssd.service" @@ -197,6 +199,7 @@ class BasePathNamespace(object): GENERATE_RNDC_KEY = "/usr/libexec/generate-rndc-key.sh" IPA_DNSKEYSYNCD_REPLICA = "/usr/libexec/ipa/ipa-dnskeysync-replica" IPA_DNSKEYSYNCD = "/usr/libexec/ipa/ipa-dnskeysyncd" + IPA_HTTPD_KDCPROXY = "/usr/libexec/ipa/ipa-httpd-kdcproxy" IPA_ODS_EXPORTER = "/usr/libexec/ipa/ipa-ods-exporter" DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11" GETSEBOOL = "/usr/sbin/getsebool" diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 573287c6b..f5fb2b155 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py 
@@ -236,3 +236,11 @@ class BaseTaskNamespace(object): :return: object implementing proper __cmp__ method for version compare """ return parse_version(version) + + def configure_httpd_service_ipa_conf(self): + """Configure httpd service to work with IPA""" + raise NotImplementedError() + + def remove_httpd_service_ipa_conf(self): + """Remove configuration of httpd service of IPA""" + raise NotImplementedError() diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index 7c29b51e1..4be9a146e 100644 --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py @@ -460,5 +460,34 @@ class RedHatTaskNamespace(BaseTaskNamespace): """ return IPAVersion(version) + def configure_httpd_service_ipa_conf(self): + """Create systemd config for httpd service to work with IPA + """ + if not os.path.exists(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR): + os.mkdir(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR, 0o755) + + ipautil.copy_template_file( + os.path.join(ipautil.SHARE_DIR, 'ipa-httpd.conf.template'), + paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, + dict( + KRB5CC_HTTPD=paths.KRB5CC_HTTPD, + KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG, + IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY, + POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY) + ) + ) + + os.chmod(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, 0o644) + self.restore_context(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF) + + def remove_httpd_service_ipa_conf(self): + """Remove systemd config for httpd service of IPA""" + try: + os.unlink(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF) + except OSError as e: + root_logger.error( + 'Error removing %s: %s', + paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, e + ) tasks = RedHatTaskNamespace() diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index b0fbe6926..00f890175 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py 
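Review bot: `configure_httpd_service_ipa_conf` in the ipaplatform/redhat/tasks.py hunk writes the drop-in and returns without asking systemd to re-read its unit files, so the new `Environment=`, `ExecStartPre=` and `ExecStopPost=` lines take effect only after a later `systemctl daemon-reload`. No reload is visible in this diff, so httpd may be started with the old unit definition. The same holds after `os.unlink` in `remove_httpd_service_ipa_conf`, where the removed settings stay loaded until a reload; both methods should finish by triggering one. Separately, the `except OSError` branch logs a missing file at error level; treating `errno.ENOENT` as success would keep uninstall logs clean on hosts where the drop-in was never created.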
@@ -225,6 +225,8 @@ class HTTPInstance(service.Service): [paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={}) def __configure_http(self): + self.update_httpd_service_ipa_conf() + target_fname = paths.HTTPD_IPA_CONF http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict) self.fstore.backup_file(paths.HTTPD_IPA_CONF) @@ -479,6 +481,9 @@ class HTTPInstance(service.Service): except Exception as e: root_logger.critical("Unable to start oddjobd: {0}".format(str(e))) + def update_httpd_service_ipa_conf(self): + tasks.configure_httpd_service_ipa_conf() + def uninstall(self): if self.is_configured(): self.print_msg("Unconfiguring web server") @@ -533,6 +538,7 @@ class HTTPInstance(service.Service): installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF) installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK) installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF) + tasks.remove_httpd_service_ipa_conf() # Restore SELinux boolean states boolean_states = {name: self.restore_state(name) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 3e60cfd36..4f3a2cb06 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1376,6 +1376,10 @@ def update_mod_nss_cipher_suite(http): 'cipher_suite_updated', httpinstance.NSS_CIPHER_REVISION) +def update_ipa_httpd_service_conf(http): + root_logger.info('[Updating HTTPD service IPA configuration]') + http.update_httpd_service_ipa_conf() + def ds_enable_sidgen_extdom_plugins(ds): """For AD trust agents, make sure we enable sidgen and extdom plugins @@ -1562,6 +1566,7 @@ def upgrade_configuration(): http.enable_kdcproxy() http.stop() + update_ipa_httpd_service_conf(http) update_mod_nss_protocol(http) update_mod_nss_cipher_suite(http) fix_trust_flags() |
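Review bot: In the `uninstall` hunk of ipaserver/install/httpinstance.py, `tasks.remove_httpd_service_ipa_conf()` is called unguarded just before the `# Restore SELinux boolean states` step, while the base implementation added in ipaplatform/base/tasks.py raises `NotImplementedError`. On a platform whose task namespace does not override it (only the Red Hat one does in this diff), uninstall would presumably abort before the SELinux booleans are restored, unless a caller outside the hunk catches the exception. The same applies to `self.update_httpd_service_ipa_conf()` at the top of `__configure_http` in the first hunk. Either give the base methods a no-op default or handle the exception at these call sites, and give `update_httpd_service_ipa_conf` a docstring such as `"""Write the platform's systemd drop-in for httpd via tasks."""`. `uninstall` starts and ends outside the hunk.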