Switch httpd to use default CCACHE

Stock httpd no longer uses systemd EnvironmentFile option which is making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard to debug problems during subsequent ipa-server-install's where HTTP may use a stale CCACHE in the default kernel keyring CCACHE. Avoid forcing custom CCACHE and switch to system one, just make sure that it is properly cleaned by kdestroy run as "apache" user during FreeIPA server installation process. https://fedorahosted.org/freeipa/ticket/4084
2025-02-25 18:55:28 -06:00 · 2014-01-16 14:12:29 +01:00 · 2014-01-16 14:12:29 +01:00 · f49c26db2c
commit f49c26db2c
parent 252ad0b8c1
2 changed files with 9 additions and 20 deletions
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@ -1043,10 +1043,15 @@ def main():
    update_dbmodules(api.env.realm)
    uninstall_ipa_kpasswd()

+    removed_sysconfig_file = '/etc/sysconfig/httpd'
+    if fstore.has_file(removed_sysconfig_file):
+        root_logger.info('Restoring %s as it is no longer required',
+            removed_sysconfig_file)
+        fstore.restore_file(removed_sysconfig_file)
+
    http = httpinstance.HTTPInstance(fstore)
    http.remove_httpd_ccache()
    http.configure_selinux_for_httpd()
-    http.configure_httpd_ccache()
    http.change_mod_nss_port_from_http()

    ds = dsinstance.DsInstance()
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@ -126,7 +126,6 @@ class HTTPInstance(service.Service):
        self.step("creating a keytab for httpd", self.__create_http_keytab)
        self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
        self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
-        self.step("configure httpd ccache", self.configure_httpd_ccache)
        self.step("restarting httpd", self.__start)
        self.step("configuring httpd to start on boot", self.__enable)

@ -217,24 +216,9 @@ class HTTPInstance(service.Service):

    def remove_httpd_ccache(self):
        # Clean up existing ccache
-        pent = pwd.getpwnam("apache")
-        installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid)
-
-    def configure_httpd_ccache(self):
-        pent = pwd.getpwnam("apache")
-        ccache = '/tmp/krb5cc_%d' % pent.pw_uid
-        filepath = '/etc/sysconfig/httpd'
-        if not os.path.exists(filepath):
-            # file doesn't exist; create it with correct ownership & mode
-            open(filepath, 'a').close()
-            os.chmod(filepath,
-                stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
-            os.chown(filepath, 0, 0)
-
-        replacevars = {'KRB5CCNAME': ccache}
-        old_values = ipautil.backup_config_and_replace_variables(
-            self.fstore, filepath, replacevars=replacevars)
-        ipaservices.restore_context(filepath)
+        # Make sure that empty env is passed to avoid passing KRB5CCNAME from
+        # current env
+        ipautil.run(['kdestroy'], runas='apache', raiseonerr=False, env={})

    def __configure_http(self):
        target_fname = '/etc/httpd/conf.d/ipa.conf'