Configure httpd service from installer instead of directly from RPM

The httpd.service file was installed by the RPM, which means the httpd
service may fail because of IPA-specific configuration even if IPA was not
installed or was uninstalled (without erasing the RPMs).

With this patch the httpd service is configured by httpd.d/ipa.conf during
IPA installation, and this config is removed by the uninstaller, so no
residual httpd configuration related to IPA should remain.

https://fedorahosted.org/freeipa/ticket/5681

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Martin Basti
2016-03-16 09:04:42 +01:00
parent 822186b271
commit 586fee293f
9 changed files with 60 additions and 9 deletions


@@ -832,7 +832,6 @@ mkdir -p %{buildroot}%{_unitdir}
mkdir -p %{buildroot}%{etc_systemd_dir} mkdir -p %{buildroot}%{etc_systemd_dir}
install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service
install -m 644 init/systemd/ipa-custodia.service %{buildroot}%{_unitdir}/ipa-custodia.service install -m 644 init/systemd/ipa-custodia.service %{buildroot}%{_unitdir}/ipa-custodia.service
# END # END
mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
@@ -1143,7 +1142,7 @@ fi
%{_tmpfilesdir}/%{name}.conf %{_tmpfilesdir}/%{name}.conf
%attr(644,root,root) %{_unitdir}/ipa_memcached.service %attr(644,root,root) %{_unitdir}/ipa_memcached.service
%attr(644,root,root) %{_unitdir}/ipa-custodia.service %attr(644,root,root) %{_unitdir}/ipa-custodia.service
%attr(644,root,root) %{etc_systemd_dir}/httpd.service %ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
# END # END
%dir %{_usr}/share/ipa %dir %{_usr}/share/ipa
%{_usr}/share/ipa/wsgi.py* %{_usr}/share/ipa/wsgi.py*
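Review bot: The new `%ghost` entry `%{etc_systemd_dir}/httpd.d/ipa.conf` points at a directory systemd does not read, because drop-ins for a unit are loaded from `<unit name>.d/`, which for this service is `httpd.service.d/`. As written, the generated file would most likely be ignored, so httpd would start without `KRB5CCNAME`, `KDCPROXY_CONFIG` and the `ExecStartPre` helper, and the `ExecStopPost` `kdestroy -A` cleanup of the credential cache would not run. The same path is hard-coded in the new constants `SYSTEMD_SYSTEM_HTTPD_D_DIR` and `SYSTEMD_SYSTEM_HTTPD_IPA_CONF` in the paths hunk. All three should use `httpd.service.d`, e.g. `%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.service.d/ipa.conf` and `SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/httpd.service.d/ipa.conf"`.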


@@ -1,7 +0,0 @@
.include /usr/lib/systemd/system/httpd.service
[Service]
Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
Environment=KDCPROXY_CONFIG=/etc/ipa/kdcproxy/kdcproxy.conf
ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
ExecStopPost=-/usr/bin/kdestroy -A


@@ -88,6 +88,7 @@ app_DATA = \
kdcproxy.conf \ kdcproxy.conf \
kdcproxy-enable.uldif \ kdcproxy-enable.uldif \
kdcproxy-disable.uldif \ kdcproxy-disable.uldif \
ipa-httpd.conf.template \
$(NULL) $(NULL)
EXTRA_DIST = \ EXTRA_DIST = \


@@ -0,0 +1,7 @@
# Do not edit. Created by IPA installer.
[Service]
Environment=KRB5CCNAME=$KRB5CC_HTTPD
Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG
ExecStartPre=$IPA_HTTPD_KDCPROXY
ExecStopPost=$POST


@@ -127,6 +127,8 @@ class BasePathNamespace(object):
SYSCONFIG_PKI_TOMCAT = "/etc/sysconfig/pki-tomcat" SYSCONFIG_PKI_TOMCAT = "/etc/sysconfig/pki-tomcat"
SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/sysconfig/pki/tomcat/pki-tomcat" SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/sysconfig/pki/tomcat/pki-tomcat"
ETC_SYSTEMD_SYSTEM_DIR = "/etc/systemd/system/" ETC_SYSTEMD_SYSTEM_DIR = "/etc/systemd/system/"
SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/httpd.d/"
SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/httpd.d/ipa.conf"
SYSTEMD_CERTMONGER_SERVICE = "/etc/systemd/system/multi-user.target.wants/certmonger.service" SYSTEMD_CERTMONGER_SERVICE = "/etc/systemd/system/multi-user.target.wants/certmonger.service"
SYSTEMD_IPA_SERVICE = "/etc/systemd/system/multi-user.target.wants/ipa.service" SYSTEMD_IPA_SERVICE = "/etc/systemd/system/multi-user.target.wants/ipa.service"
SYSTEMD_SSSD_SERVICE = "/etc/systemd/system/multi-user.target.wants/sssd.service" SYSTEMD_SSSD_SERVICE = "/etc/systemd/system/multi-user.target.wants/sssd.service"
@@ -197,6 +199,7 @@ class BasePathNamespace(object):
GENERATE_RNDC_KEY = "/usr/libexec/generate-rndc-key.sh" GENERATE_RNDC_KEY = "/usr/libexec/generate-rndc-key.sh"
IPA_DNSKEYSYNCD_REPLICA = "/usr/libexec/ipa/ipa-dnskeysync-replica" IPA_DNSKEYSYNCD_REPLICA = "/usr/libexec/ipa/ipa-dnskeysync-replica"
IPA_DNSKEYSYNCD = "/usr/libexec/ipa/ipa-dnskeysyncd" IPA_DNSKEYSYNCD = "/usr/libexec/ipa/ipa-dnskeysyncd"
IPA_HTTPD_KDCPROXY = "/usr/libexec/ipa/ipa-httpd-kdcproxy"
IPA_ODS_EXPORTER = "/usr/libexec/ipa/ipa-ods-exporter" IPA_ODS_EXPORTER = "/usr/libexec/ipa/ipa-ods-exporter"
DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11" DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
GETSEBOOL = "/usr/sbin/getsebool" GETSEBOOL = "/usr/sbin/getsebool"


@@ -236,3 +236,11 @@ class BaseTaskNamespace(object):
:return: object implementing proper __cmp__ method for version compare :return: object implementing proper __cmp__ method for version compare
""" """
return parse_version(version) return parse_version(version)
def configure_httpd_service_ipa_conf(self):
"""Configure httpd service to work with IPA"""
raise NotImplementedError()
def remove_httpd_service_ipa_conf(self):
"""Remove configuration of httpd service of IPA"""
raise NotImplementedError()


@@ -460,5 +460,34 @@ class RedHatTaskNamespace(BaseTaskNamespace):
""" """
return IPAVersion(version) return IPAVersion(version)
def configure_httpd_service_ipa_conf(self):
"""Create systemd config for httpd service to work with IPA
"""
if not os.path.exists(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR):
os.mkdir(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR, 0o755)
ipautil.copy_template_file(
os.path.join(ipautil.SHARE_DIR, 'ipa-httpd.conf.template'),
paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF,
dict(
KRB5CC_HTTPD=paths.KRB5CC_HTTPD,
KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY,
POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY)
)
)
os.chmod(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, 0o644)
self.restore_context(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
def remove_httpd_service_ipa_conf(self):
"""Remove systemd config for httpd service of IPA"""
try:
os.unlink(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
except OSError as e:
root_logger.error(
'Error removing %s: %s',
paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, e
)
tasks = RedHatTaskNamespace() tasks = RedHatTaskNamespace()
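Review bot: `configure_httpd_service_ipa_conf` writes the unit drop-in but never asks systemd to reload its configuration, so the manager keeps the previously loaded httpd unit until something else triggers a reload. The same holds after `remove_httpd_service_ipa_conf`, where the IPA `ExecStartPre`/`ExecStopPost` settings can stay in effect after uninstall. Both methods should end with a daemon reload, for example `ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"], raiseonerr=False)` (assuming the platform paths expose the systemctl binary). Separately, `os.unlink` failing because the file is already absent is logged at error level; checking `e.errno != errno.ENOENT` before logging would keep a repeated uninstall quiet. The `os.path.exists` check followed by `os.mkdir` could likewise catch `EEXIST` instead, which closes the check-then-create gap.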


@@ -225,6 +225,8 @@ class HTTPInstance(service.Service):
[paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={}) [paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={})
def __configure_http(self): def __configure_http(self):
self.update_httpd_service_ipa_conf()
target_fname = paths.HTTPD_IPA_CONF target_fname = paths.HTTPD_IPA_CONF
http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict) http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
self.fstore.backup_file(paths.HTTPD_IPA_CONF) self.fstore.backup_file(paths.HTTPD_IPA_CONF)
@@ -479,6 +481,9 @@ class HTTPInstance(service.Service):
except Exception as e: except Exception as e:
root_logger.critical("Unable to start oddjobd: {0}".format(str(e))) root_logger.critical("Unable to start oddjobd: {0}".format(str(e)))
def update_httpd_service_ipa_conf(self):
tasks.configure_httpd_service_ipa_conf()
def uninstall(self): def uninstall(self):
if self.is_configured(): if self.is_configured():
self.print_msg("Unconfiguring web server") self.print_msg("Unconfiguring web server")
@@ -533,6 +538,7 @@ class HTTPInstance(service.Service):
installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF) installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)
installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK) installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK)
installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF) installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF)
tasks.remove_httpd_service_ipa_conf()
# Restore SELinux boolean states # Restore SELinux boolean states
boolean_states = {name: self.restore_state(name) boolean_states = {name: self.restore_state(name)


@@ -1376,6 +1376,10 @@ def update_mod_nss_cipher_suite(http):
'cipher_suite_updated', 'cipher_suite_updated',
httpinstance.NSS_CIPHER_REVISION) httpinstance.NSS_CIPHER_REVISION)
def update_ipa_httpd_service_conf(http):
root_logger.info('[Updating HTTPD service IPA configuration]')
http.update_httpd_service_ipa_conf()
def ds_enable_sidgen_extdom_plugins(ds): def ds_enable_sidgen_extdom_plugins(ds):
"""For AD trust agents, make sure we enable sidgen and extdom plugins """For AD trust agents, make sure we enable sidgen and extdom plugins
@@ -1562,6 +1566,7 @@ def upgrade_configuration():
http.enable_kdcproxy() http.enable_kdcproxy()
http.stop() http.stop()
update_ipa_httpd_service_conf(http)
update_mod_nss_protocol(http) update_mod_nss_protocol(http)
update_mod_nss_cipher_suite(http) update_mod_nss_cipher_suite(http)
fix_trust_flags() fix_trust_flags()