Configure httpd service from installer instead of directly from RPM

File httpd.service was created by RPM, what causes that httpd service may fail due IPA specific configuration even if IPA wasn't installed or was uninstalled (without erasing RPMs). With this patch httpd service is configured by httpd.d/ipa.conf during IPA installation and this config is removed by uninstaller, so no residual http configuration related to IPA should stay there. https://fedorahosted.org/freeipa/ticket/5681 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-03-16 09:04:42 +01:00
parent 822186b271
commit 586fee293f
9 changed files with 60 additions and 9 deletions
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -832,7 +832,6 @@ mkdir -p %{buildroot}%{_unitdir}
 mkdir -p %{buildroot}%{etc_systemd_dir}
 install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
 install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
-install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service
 install -m 644 init/systemd/ipa-custodia.service %{buildroot}%{_unitdir}/ipa-custodia.service
 # END
 mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
@@ -1143,7 +1142,7 @@ fi
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa_memcached.service
 %attr(644,root,root) %{_unitdir}/ipa-custodia.service
-%attr(644,root,root) %{etc_systemd_dir}/httpd.service
+%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
 # END
 %dir %{_usr}/share/ipa
 %{_usr}/share/ipa/wsgi.py*
--- a/init/systemd/httpd.service
+++ b/init/systemd/httpd.service
@@ -1,7 +0,0 @@
-.include /usr/lib/systemd/system/httpd.service
-
-[Service]
-Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
-Environment=KDCPROXY_CONFIG=/etc/ipa/kdcproxy/kdcproxy.conf
-ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
-ExecStopPost=-/usr/bin/kdestroy -A
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -88,6 +88,7 @@ app_DATA =				\
 	kdcproxy.conf			\
 	kdcproxy-enable.uldif		\
 	kdcproxy-disable.uldif		\
+	ipa-httpd.conf.template		\
 	$(NULL)

 EXTRA_DIST =				\
--- a/install/share/ipa-httpd.conf.template
+++ b/install/share/ipa-httpd.conf.template
@@ -0,0 +1,7 @@
+# Do not edit. Created by IPA installer.
+
+[Service]
+Environment=KRB5CCNAME=$KRB5CC_HTTPD
+Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG
+ExecStartPre=$IPA_HTTPD_KDCPROXY
+ExecStopPost=$POST
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -127,6 +127,8 @@ class BasePathNamespace(object):
    SYSCONFIG_PKI_TOMCAT = "/etc/sysconfig/pki-tomcat"
    SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/sysconfig/pki/tomcat/pki-tomcat"
    ETC_SYSTEMD_SYSTEM_DIR = "/etc/systemd/system/"
+    SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/httpd.d/"
+    SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/httpd.d/ipa.conf"
    SYSTEMD_CERTMONGER_SERVICE = "/etc/systemd/system/multi-user.target.wants/certmonger.service"
    SYSTEMD_IPA_SERVICE = "/etc/systemd/system/multi-user.target.wants/ipa.service"
    SYSTEMD_SSSD_SERVICE = "/etc/systemd/system/multi-user.target.wants/sssd.service"
@@ -197,6 +199,7 @@ class BasePathNamespace(object):
    GENERATE_RNDC_KEY = "/usr/libexec/generate-rndc-key.sh"
    IPA_DNSKEYSYNCD_REPLICA = "/usr/libexec/ipa/ipa-dnskeysync-replica"
    IPA_DNSKEYSYNCD = "/usr/libexec/ipa/ipa-dnskeysyncd"
+    IPA_HTTPD_KDCPROXY = "/usr/libexec/ipa/ipa-httpd-kdcproxy"
    IPA_ODS_EXPORTER = "/usr/libexec/ipa/ipa-ods-exporter"
    DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
    GETSEBOOL = "/usr/sbin/getsebool"
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -236,3 +236,11 @@ class BaseTaskNamespace(object):
        :return: object implementing proper __cmp__ method for version compare
        """
        return parse_version(version)
+
+    def configure_httpd_service_ipa_conf(self):
+        """Configure httpd service to work with IPA"""
+        raise NotImplementedError()
+
+    def remove_httpd_service_ipa_conf(self):
+        """Remove configuration of httpd service of IPA"""
+        raise NotImplementedError()
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -460,5 +460,34 @@ class RedHatTaskNamespace(BaseTaskNamespace):
        """
        return IPAVersion(version)

+    def configure_httpd_service_ipa_conf(self):
+        """Create systemd config for httpd service to work with IPA
+        """
+        if not os.path.exists(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR):
+            os.mkdir(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR, 0o755)
+
+        ipautil.copy_template_file(
+            os.path.join(ipautil.SHARE_DIR, 'ipa-httpd.conf.template'),
+            paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF,
+            dict(
+                KRB5CC_HTTPD=paths.KRB5CC_HTTPD,
+                KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
+                IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY,
+                POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY)
+            )
+        )
+
+        os.chmod(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, 0o644)
+        self.restore_context(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
+
+    def remove_httpd_service_ipa_conf(self):
+        """Remove systemd config for httpd service of IPA"""
+        try:
+            os.unlink(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
+        except OSError as e:
+            root_logger.error(
+                'Error removing %s: %s',
+                paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, e
+            )

 tasks = RedHatTaskNamespace()
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -225,6 +225,8 @@ class HTTPInstance(service.Service):
            [paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={})

    def __configure_http(self):
+        self.update_httpd_service_ipa_conf()
+
        target_fname = paths.HTTPD_IPA_CONF
        http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
        self.fstore.backup_file(paths.HTTPD_IPA_CONF)
@@ -479,6 +481,9 @@ class HTTPInstance(service.Service):
        except Exception as e:
            root_logger.critical("Unable to start oddjobd: {0}".format(str(e)))

+    def update_httpd_service_ipa_conf(self):
+        tasks.configure_httpd_service_ipa_conf()
+
    def uninstall(self):
        if self.is_configured():
            self.print_msg("Unconfiguring web server")
@@ -533,6 +538,7 @@ class HTTPInstance(service.Service):
        installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)
        installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK)
        installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF)
+        tasks.remove_httpd_service_ipa_conf()

        # Restore SELinux boolean states
        boolean_states = {name: self.restore_state(name)
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1376,6 +1376,10 @@ def update_mod_nss_cipher_suite(http):
        'cipher_suite_updated',
        httpinstance.NSS_CIPHER_REVISION)

+def update_ipa_httpd_service_conf(http):
+    root_logger.info('[Updating HTTPD service IPA configuration]')
+    http.update_httpd_service_ipa_conf()
+

 def ds_enable_sidgen_extdom_plugins(ds):
    """For AD trust agents, make sure we enable sidgen and extdom plugins
@@ -1562,6 +1566,7 @@ def upgrade_configuration():
        http.enable_kdcproxy()

    http.stop()
+    update_ipa_httpd_service_conf(http)
    update_mod_nss_protocol(http)
    update_mod_nss_cipher_suite(http)
    fix_trust_flags()