systemd 239 complains about the legacy of ipa's tmpfiles which
are located on /var/run.
Fixes: https://pagure.io/freeipa/issue/7732
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Since ipaapi user is now created during RPM install and not in runtime,
we may switch back to shipping tmpfiles.d configuration directly in RPMs
and not create it in runtime, which is a preferred way to handle drop-in
configuration anyway.
This also means that the drop-in config will be shipped in /usr/lib
instead of /etc according to Fedora packaging guidelines.
This partially reverts commit 38c66896de.
https://pagure.io/freeipa/issue/7053
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
default setting for IPA's config file. The new file also makes it
simpler to run IPA's custodia instance with its own SELinux context.
* ipapython no longer depends on custodia
The patch addresses three issues:
* https://bugzilla.redhat.com/show_bug.cgi?id=1430247
Forward compatibility with Custodia 0.3 in Fedora rawhide
* https://pagure.io/freeipa/issue/5825
Use sd-notify
* https://pagure.io/freeipa/issue/6788
Prepare for separate SELinux context
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The file ipa.service defines
Requires=network.target
which means that ipa stack will be restarted each time the network stack
is restarted. This is not needed, and Wants=network.target will be sufficient.
https://fedorahosted.org/freeipa/ticket/6723
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
ipa.service unit defines Requires=gssproxy. Because of this, during
ipa-server-upgrade, the restart of gssproxy triggers a restart of ipa unit
(hence stopping LDAP server and breaking the connection api.Backend.ldap2).
Calls using this connection after gssproxy restart fail and ipa-server-upgrade
exits on failure.
The fix defines Wants=gssproxy to avoid the restart of ipa.service
https://fedorahosted.org/freeipa/ticket/6705
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
We do not want to generate runtime directories just because the packages
are installed, but only if the server is actually setup and run. Also this
will be needed later because we will create a user at install time and some
tmpfiles will need to be owned by this user.
As we are changing this code also rationalize the directory structure and
move it from the http rundir to the ipa specific rundir.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Directory creating was moved from SPEC file to install-data-hook.
At the same time, it is using systemd-tmpfiles to create the directories
so we do not risk any inconsistency between SPEC file and tmpfilesd
configuration.
systemd-tmpfiles call is non-critical on purpose: The build would fail
when run under unprivileged user because systemd-tmpfiles tries to
change ownership. Luckily it creates all the files and just do not
change ownership so it works even under unprivileged user.
Interestingly, systemd-tmpfiles continues if user does not have
sufficient permissions to change ownership but fails if target username
does not exist at all. For this reason there is BuildRequires on httpd.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
At the same time, I've renamed tmpfilesd config file to static name
"ipa.conf" instead of using package-specific name. It had no purpose
and just complicated build and packaging.
Variable substitution into configuration has to be done in Makefile
and not in Autoconf as documented in:
Autoconf v2.69 manual chapter 4.8.2 Installation Directory Variables:
... Most of these variables have values that rely on prefix or
exec_prefix. ... Similarly, you should not rely on AC_CONFIG_FILES
to replace bindir and friends in your shell scripts and other files;
instead, let make manage their replacement.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
FreeIPA has hard dependency on systemd for a long time already.
SystemV directory was just polluting the tarball (while being useless).
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
File httpd.service was created by RPM, what causes that httpd service may
fail due IPA specific configuration even if IPA wasn't installed or was
uninstalled (without erasing RPMs).
With this patch httpd service is configured by httpd.d/ipa.conf during
IPA installation and this config is removed by uninstaller, so no
residual http configuration related to IPA should stay there.
https://fedorahosted.org/freeipa/ticket/5681
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add a customized Custodia daemon and enable it after installation.
Generates server keys and loads them in LDAP autonomously on install
or update.
Provides client code classes too.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This will force recreation of the file-based ccache after IPA restore and
prevent a mismatch between cached and restored Kerberos keys.
https://fedorahosted.org/freeipa/ticket/5296
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.
- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
present.
- The installers and update create a new Apache config file
/etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
/KdcProxy. The app is run inside its own WSGI daemon group with
a different uid and gid than the webui.
- A ExecStartPre script in httpd.service symlinks the config file to
/etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
so that an existing config is not used. SetEnv from Apache config does
not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
ipa-ldap-updater. No CLI script is offered yet.
https://www.freeipa.org/page/V4/KDC_Proxyhttps://fedorahosted.org/freeipa/ticket/4801
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same
time, they use common directory for storing Apache ccache file. Uninstallation
of 'mod_auth_kerb' removes this directory leading to invalid CCache path for
httpd and authentication failure.
Using an IPA-specific directory for credential storage during apache runtime
avoids this issue.
https://fedorahosted.org/freeipa/ticket/4973
Reviewed-By: David Kupka <dkupka@redhat.com>
httpd service stores Kerberos credentials in kernel keyring which gets
destroyed and recreated during service install/upgrade, causing problems when
the process is run under SELinux context other than 'unconfined_t'. This patch
enables HTTPInstance to set up a dedicated CCache file for Apache to store
credentials.
https://fedorahosted.org/freeipa/ticket/4973
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
https://fedorahosted.org/freeipa/ticket/4190
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
This required target is no longer needed as systemd from version 38
has its own journal which is also in the basic set of service unit
requirementes.
https://fedorahosted.org/freeipa/ticket/3511
We check (possibly different) data from LDAP only at (re)start.
This way we always shutdown exactly the services we started even if the list
changed in the meanwhile (we avoid leaving a service running even if it was
removed from LDAP as the admin decided it should not be started in future).
This should also fix a problematic deadlock with systemd when we try to read
the list of service from LDAP at shutdown.
* Adds ipa_memcached SystemV initscript
* Adds ipa_memcached service file and tmpfiles.d/ipa.conf
to recreate /var/run/ipa_memcached on reboot.
* Adds ipa_memcached config file
* Adds memcacheinstnace.py to manage ipa_memcaced as
as SimpleService object.
* Updates the IPA service list to include ipa_memcached,
at service positon 39, httpd is position 40
* Updates the spec file:
- requires the memcached daemon and python client
- installs service or initscripts depending on OS
- installs config file
- creates /var/run/ipa_memcached directory
* Modifies ipa-server-install to install ipa_memcached
