path: root/init
Commit message | Author | Age | Files | Lines
* Build: create /var/run directories at install time | Petr Spacek | 2016-11-09 | 1 | -0/+10
  Directory creating was moved from SPEC file to install-data-hook. At the same time, it is using systemd-tmpfiles to create the directories so we do not risk any inconsistency between SPEC file and tmpfilesd configuration.

  systemd-tmpfiles call is non-critical on purpose: The build would fail when run under unprivileged user because systemd-tmpfiles tries to change ownership. Luckily it creates all the files and just does not change ownership so it works even under unprivileged user.

  Interestingly, systemd-tmpfiles continues if user does not have sufficient permissions to change ownership but fails if target username does not exist at all. For this reason there is BuildRequires on httpd.

  https://fedorahosted.org/freeipa/ticket/6418
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Build: integrate init and init/systemd into build system | Petr Spacek | 2016-11-09 | 13 | -25/+79
  At the same time, I've renamed tmpfilesd config file to static name "ipa.conf" instead of using package-specific name. It had no purpose and just complicated build and packaging.

  Variable substitution into configuration has to be done in Makefile and not in Autoconf as documented in:
  Autoconf v2.69 manual chapter 4.8.2 Installation Directory Variables:

  ... Most of these variables have values that rely on prefix or exec_prefix. ... Similarly, you should not rely on AC_CONFIG_FILES to replace bindir and friends in your shell scripts and other files; instead, let make manage their replacement.

  https://fedorahosted.org/freeipa/ticket/6418
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Build: remove init/SystemV directory | Petr Spacek | 2016-11-09 | 2 | -160/+0
  FreeIPA has hard dependency on systemd for a long time already. SystemV directory was just polluting the tarball (while being useless).

  https://fedorahosted.org/freeipa/ticket/6418
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Configure httpd service from installer instead of directly from RPM | Martin Basti | 2016-04-22 | 1 | -7/+0
  File httpd.service was created by RPM, which means the httpd service may fail due to IPA-specific configuration even if IPA wasn't installed or was uninstalled (without erasing RPMs).

  With this patch httpd service is configured by httpd.d/ipa.conf during IPA installation and this config is removed by uninstaller, so no residual http configuration related to IPA should stay there.

  https://fedorahosted.org/freeipa/ticket/5681
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Add ipa-custodia service | Simo Sorce | 2015-10-15 | 1 | -0/+13
  Add a customized Custodia daemon and enable it after installation. Generates server keys and loads them in LDAP autonomously on install or update. Provides client code classes too.

  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* destroy httpd ccache after stopping the service | Martin Babinsky | 2015-09-23 | 1 | -0/+1
  This will force recreation of the file-based ccache after IPA restore and prevent a mismatch between cached and restored Kerberos keys.

  https://fedorahosted.org/freeipa/ticket/5296
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Provide Kerberos over HTTP (MS-KKDCP) | Christian Heimes | 2015-06-24 | 1 | -0/+2
  Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS.

  - freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied.
  - The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is present.
  - The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui.
  - An ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
  - The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var.
  - python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers are read from /etc/krb5.conf.
  - The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet.

  https://www.freeipa.org/page/V4/KDC_Proxy
  https://fedorahosted.org/freeipa/ticket/4801
  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* move IPA-related http runtime directories to common subdirectory | Martin Babinsky | 2015-05-19 | 2 | -2/+4
  When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same time, they use common directory for storing Apache ccache file. Uninstallation of 'mod_auth_kerb' removes this directory leading to invalid CCache path for httpd and authentication failure.

  Using an IPA-specific directory for credential storage during apache runtime avoids this issue.

  https://fedorahosted.org/freeipa/ticket/4973
  Reviewed-By: David Kupka <dkupka@redhat.com>
* provide dedicated ccache file for httpd | Martin Babinsky | 2015-05-12 | 1 | -0/+4
  httpd service stores Kerberos credentials in kernel keyring which gets destroyed and recreated during service install/upgrade, causing problems when the process is run under SELinux context other than 'unconfined_t'. This patch enables HTTPInstance to set up a dedicated CCache file for Apache to store credentials.

  https://fedorahosted.org/freeipa/ticket/4973
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Use mod_auth_gssapi instead of mod_auth_kerb. | David Kupka | 2015-03-30 | 1 | -0/+1
  https://fedorahosted.org/freeipa/ticket/4190
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* DNSSEC: add ipa dnssec daemons | Petr Spacek | 2014-10-21 | 2 | -0/+0
  Tickets:
  https://fedorahosted.org/freeipa/ticket/3801
  https://fedorahosted.org/freeipa/ticket/4417

  Design:
  https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Remove systemd upgrader as it is not used anymore | Alexander Bokovoy | 2013-08-15 | 1 | -95/+0
* Avoid exporting KRB5_KTNAME in dirsrv env | Martin Kosek | 2013-05-24 | 1 | -1/+0
  The variable is already defined, exporting in dirsrv systemd environment is not needed and produces a (benign) error.
* Remove syslog.target from ipa.server | Martin Kosek | 2013-03-29 | 1 | -2/+2
  This required target is no longer needed as systemd from version 38 has its own journal which is also in the basic set of service unit requirements.

  https://fedorahosted.org/freeipa/ticket/3511
* Get list of service from LDAP only at startup | Simo Sorce | 2012-11-01 | 1 | -0/+1
  We check (possibly different) data from LDAP only at (re)start. This way we always shutdown exactly the services we started even if the list changed in the meanwhile (we avoid leaving a service running even if it was removed from LDAP as the admin decided it should not be started in future).

  This should also fix a problematic deadlock with systemd when we try to read the list of service from LDAP at shutdown.
* Disable false pylint error in freeipa-systemd-upgrade | Rob Crittenden | 2012-02-15 | 1 | -1/+1
* Add ipa_memcached service | John Dennis | 2012-02-09 | 4 | -0/+138
  * Adds ipa_memcached SystemV initscript
  * Adds ipa_memcached service file and tmpfiles.d/ipa.conf to recreate /var/run/ipa_memcached on reboot.
  * Adds ipa_memcached config file
  * Adds memcacheinstnace.py to manage ipa_memcached as a SimpleService object.
  * Updates the IPA service list to include ipa_memcached, at service position 39, httpd is position 40
  * Updates the spec file:
    - requires the memcached daemon and python client
    - installs service or initscripts depending on OS
    - installs config file
    - creates /var/run/ipa_memcached directory
  * Modifies ipa-server-install to install ipa_memcached
* Handle upgrade issues with systemd in Fedora 16 and above | Alexander Bokovoy | 2012-02-08 | 1 | -0/+96
  Since 389-ds-base-1.2.10-0.8.a7 Directory Server's systemd settings are configured via /etc/sysconfig/dirsrv.systemd. It means logic change in systemd/fedora16 platform of FreeIPA.

  Additionally, existing installs need to be handled during upgrade.

  Fixes:
  https://fedorahosted.org/freeipa/ticket/2117
  https://fedorahosted.org/freeipa/ticket/2300
* Add support for systemd environments and use it to support Fedora 16 | Alexander Bokovoy | 2011-10-24 | 2 | -0/+54
  https://fedorahosted.org/freeipa/ticket/1192