On 21.04.2016 22:55, Timo Aaltonen wrote:
21.04.2016, 20:50, Martin Basti kirjoitti:

On 21.04.2016 19:28, Stanislav Laznicka wrote:
On 04/21/2016 11:19 AM, Martin Basti wrote:

On 20.04.2016 17:27, Martin Basti wrote:

On 24.03.2016 14:27, Martin Basti wrote:

On 24.03.2016 13:55, Jan Cholasta wrote:
On 18.3.2016 23:27, Timo Aaltonen wrote:
On 17.03.2016 18:36, Martin Basti wrote:
https://fedorahosted.org/freeipa/ticket/5681
would be nicer if ipa-httpd.conf was a template with the current
hardcoded values replaced with platform paths..
+1, I would also prefer if the file was renamed to
init/systemd/httpd.conf rather than install/share/ipa-httpd.conf.
ipa-httpd.conf.template should be in /usr/share/ipa; AFAIK the
init/systemd directory is only copied into the RPM and then copied to
/etc/systemd/system.


Not relevant to this patch, but there are other candidates for
templates, like:

daemons/dnssec/ipa-dnskeysyncd.service
daemons/dnssec/ipa-ods-exporter.service
install/conf/ipa.conf
Updated patch attached, sorry for delay.


Updated patch attached (fixed unused import).


Seems to work as expected. However, wouldn't it be better to use
installutils.remove_file instead of remove_httpd_service_ipa_conf (or
at least log the possible error during os.unlink) to get the same
behavior as with the other config files?
It could be, but because I created a platform-specific method for adding
the httpd service config, it seems natural to me to make the inverse
operation platform-specific too.
I have no strong opinion about this. Timo, which would be better? You use
platform-specific code more than we do :)
Well, with this patch in I'd just reuse the methods from
RedHatTaskNamespace() just like some others are being used right now.
Systemd is all I support anyway.



Updated patch attached, missing log added


From 263ff915870ab307b7191500b71db933e92fb505 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Wed, 16 Mar 2016 09:04:42 +0100
Subject: [PATCH] Configure httpd service from installer instead of directly
 from RPM

The httpd.service file was installed by the RPM, which meant the httpd
service could fail because of IPA-specific configuration even if IPA was
not installed or had been uninstalled (without erasing the RPMs).

With this patch httpd service is configured by httpd.d/ipa.conf during
IPA installation and this config is removed by uninstaller, so no
residual http configuration related to IPA should stay there.

https://fedorahosted.org/freeipa/ticket/5681
---
 freeipa.spec.in                       |  3 +--
 init/systemd/httpd.service            |  7 -------
 install/share/Makefile.am             |  1 +
 install/share/ipa-httpd.conf.template |  7 +++++++
 ipaplatform/base/paths.py             |  3 +++
 ipaplatform/base/tasks.py             |  8 ++++++++
 ipaplatform/redhat/tasks.py           | 29 +++++++++++++++++++++++++++++
 ipaserver/install/httpinstance.py     |  6 ++++++
 ipaserver/install/server/upgrade.py   |  5 +++++
 9 files changed, 60 insertions(+), 9 deletions(-)
 delete mode 100644 init/systemd/httpd.service
 create mode 100644 install/share/ipa-httpd.conf.template

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1ded3048873fb9d4cb97b7aca52132345c209a96..aaa40cc9a2246ed1d244e160edf935da216c75c5 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -832,7 +832,6 @@ mkdir -p %{buildroot}%{_unitdir}
 mkdir -p %{buildroot}%{etc_systemd_dir}
 install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
 install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
-install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service
 install -m 644 init/systemd/ipa-custodia.service %{buildroot}%{_unitdir}/ipa-custodia.service
 # END
 mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
@@ -1143,7 +1142,7 @@ fi
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa_memcached.service
 %attr(644,root,root) %{_unitdir}/ipa-custodia.service
-%attr(644,root,root) %{etc_systemd_dir}/httpd.service
+%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
 # END
 %dir %{_usr}/share/ipa
 %{_usr}/share/ipa/wsgi.py*
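Review bot: The drop-in path `%{etc_systemd_dir}/httpd.d/ipa.conf` does not look like a directory systemd will read: drop-ins for a unit are picked up from a directory named after the full unit name, so for `httpd.service` that is `httpd.service.d/`. With `httpd.d/` the file would be silently ignored, and httpd would start without `KRB5CCNAME`, `KDCPROXY_CONFIG`, the `ExecStartPre` helper and the `ExecStopPost` kdestroy that the removed `httpd.service` override used to supply. The same name is used in the `ipaplatform/base/paths.py` hunk (`SYSTEMD_SYSTEM_HTTPD_D_DIR`, `SYSTEMD_SYSTEM_HTTPD_IPA_CONF`); I would change all three, e.g. `%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.service.d/ipa.conf`.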
diff --git a/init/systemd/httpd.service b/init/systemd/httpd.service
deleted file mode 100644
index 7ce8f04d8b9bb3663e59d4fdc610af0eb4478178..0000000000000000000000000000000000000000
--- a/init/systemd/httpd.service
+++ /dev/null
@@ -1,7 +0,0 @@
-.include /usr/lib/systemd/system/httpd.service
-
-[Service]
-Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
-Environment=KDCPROXY_CONFIG=/etc/ipa/kdcproxy/kdcproxy.conf
-ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
-ExecStopPost=-/usr/bin/kdestroy -A
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index b4cb8312471a68d8cd855f542478afe10d200c39..3a3bd2699efaf45ab79dd0257c2d26e7952891eb 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -88,6 +88,7 @@ app_DATA =				\
 	kdcproxy.conf			\
 	kdcproxy-enable.uldif		\
 	kdcproxy-disable.uldif		\
+	ipa-httpd.conf.template		\
 	$(NULL)
 
 EXTRA_DIST =				\
diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template
new file mode 100644
index 0000000000000000000000000000000000000000..a907d73cccac13cbb9d99423a1b739a48ad4f769
--- /dev/null
+++ b/install/share/ipa-httpd.conf.template
@@ -0,0 +1,7 @@
+# Do not edit. Created by IPA installer.
+
+[Service]
+Environment=KRB5CCNAME=$KRB5CC_HTTPD
+Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG
+ExecStartPre=$IPA_HTTPD_KDCPROXY
+ExecStopPost=$POST
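Review bot: `ExecStopPost=$POST` hides the whole command line, including systemd's `-` ignore-failure prefix, behind a placeholder whose name says nothing about what runs. Keeping the fixed parts in the template and substituting only the path makes the unit auditable without opening the Python side: `ExecStopPost=-$KDESTROY -A`, with `KDESTROY=paths.KDESTROY` passed from `configure_httpd_service_ipa_conf` in the `ipaplatform/redhat/tasks.py` hunk in place of the `POST=...format(...)` entry.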
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 4aa55d870bc9fbea1f67d28fef9bbb3c0a2d836f..585a5d26ed32a5f60cdb5d28de05b6468d03baa6 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -127,6 +127,8 @@ class BasePathNamespace(object):
     SYSCONFIG_PKI_TOMCAT = "/etc/sysconfig/pki-tomcat"
     SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/sysconfig/pki/tomcat/pki-tomcat"
     ETC_SYSTEMD_SYSTEM_DIR = "/etc/systemd/system/"
+    SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/httpd.d/"
+    SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/httpd.d/ipa.conf"
     SYSTEMD_CERTMONGER_SERVICE = "/etc/systemd/system/multi-user.target.wants/certmonger.service"
     SYSTEMD_IPA_SERVICE = "/etc/systemd/system/multi-user.target.wants/ipa.service"
     SYSTEMD_SSSD_SERVICE = "/etc/systemd/system/multi-user.target.wants/sssd.service"
@@ -197,6 +199,7 @@ class BasePathNamespace(object):
     GENERATE_RNDC_KEY = "/usr/libexec/generate-rndc-key.sh"
     IPA_DNSKEYSYNCD_REPLICA = "/usr/libexec/ipa/ipa-dnskeysync-replica"
     IPA_DNSKEYSYNCD = "/usr/libexec/ipa/ipa-dnskeysyncd"
+    IPA_HTTPD_KDCPROXY = "/usr/libexec/ipa/ipa-httpd-kdcproxy"
     IPA_ODS_EXPORTER = "/usr/libexec/ipa/ipa-ods-exporter"
     DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
     GETSEBOOL = "/usr/sbin/getsebool"
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 573287c6bf732991946a75c8817899ee6c1842e3..f5fb2b155020c213769830dd48ccc3b36bbd9e64 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -236,3 +236,11 @@ class BaseTaskNamespace(object):
         :return: object implementing proper __cmp__ method for version compare
         """
         return parse_version(version)
+
+    def configure_httpd_service_ipa_conf(self):
+        """Configure httpd service to work with IPA"""
+        raise NotImplementedError()
+
+    def remove_httpd_service_ipa_conf(self):
+        """Remove configuration of httpd service of IPA"""
+        raise NotImplementedError()
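Review bot: The two new base-class docstrings do not say what an implementation has to guarantee. From the callers visible in this patch, `configure_httpd_service_ipa_conf` runs during HTTP configuration and again from `upgrade_configuration`, and `remove_httpd_service_ipa_conf` runs from `uninstall`, so both need to be safe to repeat. I would extend them along the lines of `"""Write the platform's httpd service configuration for IPA; must be idempotent (called on install and on each upgrade)."""` and `"""Remove the configuration written by configure_httpd_service_ipa_conf; must not fail if it is already absent."""`. The enclosing class starts outside the hunk.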
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 7c29b51e1eb354f03acda815e89e552eea004a17..4be9a146e8fa1e78a454d92cba05484e7817f56d 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -460,5 +460,34 @@ class RedHatTaskNamespace(BaseTaskNamespace):
         """
         return IPAVersion(version)
 
+    def configure_httpd_service_ipa_conf(self):
+        """Create systemd config for httpd service to work with IPA
+        """
+        if not os.path.exists(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR):
+            os.mkdir(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR, 0o755)
+
+        ipautil.copy_template_file(
+            os.path.join(ipautil.SHARE_DIR, 'ipa-httpd.conf.template'),
+            paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF,
+            dict(
+                KRB5CC_HTTPD=paths.KRB5CC_HTTPD,
+                KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
+                IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY,
+                POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY)
+            )
+        )
+
+        os.chmod(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, 0o644)
+        self.restore_context(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
+
+    def remove_httpd_service_ipa_conf(self):
+        """Remove systemd config for httpd service of IPA"""
+        try:
+            os.unlink(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
+        except OSError as e:
+            root_logger.error(
+                'Error removing %s: %s',
+                paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, e
+            )
 
 tasks = RedHatTaskNamespace()
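Review bot: Nothing in `configure_httpd_service_ipa_conf` or `remove_httpd_service_ipa_conf` tells systemd that the unit's configuration changed, and no reload is visible in the calling hunks either. systemd keeps the unit definition it loaded earlier until a daemon-reload, so the next httpd start may still run without (or, after uninstall, still with) the IPA settings. I would end both methods with something like `ipautil.run([paths.SYSTEMCTL, '--system', 'daemon-reload'], raiseonerr=False)`, assuming the service wrapper used to start httpd does not already reload. Separately, `os.mkdir(..., 0o755)` is subject to the process umask, so the directory mode is not guaranteed the way the explicit `os.chmod` guarantees the file's.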
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index b0fbe6926a9e89b122ed52178dba02d3d92aacfd..00f890175ae583f485797da6f913a7f83b302df3 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -225,6 +225,8 @@ class HTTPInstance(service.Service):
             [paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={})
 
     def __configure_http(self):
+        self.update_httpd_service_ipa_conf()
+
         target_fname = paths.HTTPD_IPA_CONF
         http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
         self.fstore.backup_file(paths.HTTPD_IPA_CONF)
@@ -479,6 +481,9 @@ class HTTPInstance(service.Service):
         except Exception as e:
             root_logger.critical("Unable to start oddjobd: {0}".format(str(e)))
 
+    def update_httpd_service_ipa_conf(self):
+        tasks.configure_httpd_service_ipa_conf()
+
     def uninstall(self):
         if self.is_configured():
             self.print_msg("Unconfiguring web server")
@@ -533,6 +538,7 @@ class HTTPInstance(service.Service):
         installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)
         installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK)
         installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF)
+        tasks.remove_httpd_service_ipa_conf()
 
         # Restore SELinux boolean states
         boolean_states = {name: self.restore_state(name)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 3e60cfd3630c359268cf16219527088b5c63ba86..4f3a2cb065319a26bfa517b4d1d2cb4b41fb486d 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1376,6 +1376,10 @@ def update_mod_nss_cipher_suite(http):
         'cipher_suite_updated',
         httpinstance.NSS_CIPHER_REVISION)
 
+def update_ipa_httpd_service_conf(http):
+    root_logger.info('[Updating HTTPD service IPA configuration]')
+    http.update_httpd_service_ipa_conf()
+
 
 def ds_enable_sidgen_extdom_plugins(ds):
     """For AD trust agents, make sure we enable sidgen and extdom plugins
@@ -1562,6 +1566,7 @@ def upgrade_configuration():
         http.enable_kdcproxy()
 
     http.stop()
+    update_ipa_httpd_service_conf(http)
     update_mod_nss_protocol(http)
     update_mod_nss_cipher_suite(http)
     fix_trust_flags()
-- 
2.5.5
