During my investigation of #10946 I noticed that the cache directory that mod_auth_gssapi uses is filled with a lot of files:
# ls -1 /run/ipa/ccaches/ | wc -l
104218
In the mod_auth_gssapi README there is a mention of that happening with an option that IPA has turned on: https://github.com/gssapi/mod_auth_gssapi#gssapidelegccacheunique
Note: Consuming application must delete the ccache otherwise it will litter the filesystem if sessions are used. An example sweeper can be found in the contrib directory. If using with gssproxy, see note at the top of that file.
The sweeper script that they mention is at: https://github.com/gssapi/mod_auth_gssapi/blob/master/contrib/sweeper.py It is not shipped with the mod_auth_gssapi RPM, unfortunately. I think we should deploy it on the IPA servers and run it from cron. It will delete only files that contain expired credentials, so it should be safe to run frequently. I think once a day would be reasonable.
Yeah, we should definitely get this deployed.
Happy to help someone submit a PR for this. ;)
Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: medium-gain, medium-trouble, ops
Metadata Update from @aheath1992: - Issue assigned to aheath1992
@kevin I created a diff to review before I make a PR, let me know if it looks alright and I'll get a PR created:
https://paste.centos.org/view/c0a037a5
That looks reasonable. You will of course need to check the sweeper.py file in to roles/ipa/server/files/
Hopefully the script doesn't output anything in normal conditions. If it has output, we only want to see it if there are errors/problems. (But we can adjust this after the fact.)
So, I merged the PR and tried it on staging.
First:
The script can't be called by 'python3 sweeper':
python3: can't open file 'sweeper': [Errno 2] No such file or directory
So, it needs to just be 'sweeper'
But it also needs a directory:
usage: sweeper [-h] [-g] dirs [dirs ...]
sweeper: error: the following arguments are required: dirs
I passed it:
/run/ipa/ccaches/
but it outputs a bunch of:
System looks okay; running sweeper...
Sweeping /run/ipa/ccaches/
Not deleting noggin@STG.FEDORAPROJECT.ORG-845dCY due to error Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (39756044): Credential cache is empty
Not deleting noggin@STG.FEDORAPROJECT.ORG-R9hOAk due to error Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (39756044): Credential cache is empty
Not deleting noggin@STG.FEDORAPROJECT.ORG-ObrW5J due to error Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (39756044): Credential cache is empty
Not deleting noggin@STG.FEDORAPROJECT.ORG-73ntVF due to error Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (39756044): Credential cache is empty
...
I think I found out what the problem was: the sweeper script needs access to gssproxy, and that is provided by adding the -g parameter.
So I ran this on ipa01.stg:
[root@ipa01 ~][STG]# sweeper -g /run/ipa/ccaches/
System looks okay; running sweeper...
Sweeping /run/ipa/ccaches/
Sweeper finished successfully!
And here is the result:
[root@ipa01 ~][STG]# ls -1 /run/ipa/ccaches/ | wc -l
34
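Putting the invocation above into a daily cron job, as proposed earlier in the thread, here is an added example wrapper (my code, not the mod_auth_gssapi project's and not the Fedora infra ansible role's). It runs `sweeper -g /run/ipa/ccaches/`, prints nothing when the run is clean, surfaces the "Not deleting ... due to error" lines and non-zero exits so cron mail only arrives on problems, and warns if the directory is still large afterwards. The install path of sweeper, the wrapper's own path and the 1000-file threshold are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not the mod_auth_gssapi project's or the ansible role's code:
# a cron wrapper around the sweeper that stays silent on success and only
# prints (so cron mails it) when something needs attention.
# Assumptions (not from the thread): sweeper lives at /usr/local/bin/sweeper,
# and more than MAX_CCACHES files left after a sweep is worth flagging.
SWEEPER="${SWEEPER:-/usr/local/bin/sweeper}"
CCACHE_DIR="${CCACHE_DIR:-/run/ipa/ccaches/}"
MAX_CCACHES="${MAX_CCACHES:-1000}"

# count_ccaches DIR: number of regular files directly inside DIR
# (the same number as "ls -1 DIR | wc -l" in the thread).
count_ccaches() {
    find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# run_sweeper: run "sweeper -g DIR" (-g because the ccaches are managed via
# gssproxy). Print nothing on a clean run; otherwise print the captured output
# and return non-zero.
run_sweeper() {
    out=$("$SWEEPER" -g "$CCACHE_DIR" 2>&1)
    rc=$?
    if [ "$rc" -ne 0 ]; then
        printf 'sweeper exited with status %s:\n%s\n' "$rc" "$out"
        return "$rc"
    fi
    # Exit status 0 but files were skipped (the "Not deleting ... due to error"
    # lines seen in the thread): surface just those lines instead of hiding them.
    if printf '%s\n' "$out" | grep -q 'Not deleting'; then
        printf '%s\n' "$out" | grep 'Not deleting'
        return 1
    fi
    return 0
}

# check_residue: after a clean sweep, warn if the directory is still large,
# which means the sweeper is not keeping up or is not deleting what it should.
check_residue() {
    n=$(count_ccaches "$CCACHE_DIR")
    if [ "$n" -gt "$MAX_CCACHES" ]; then
        printf '%s still holds %s ccache files after sweeping (limit %s)\n' \
            "$CCACHE_DIR" "$n" "$MAX_CCACHES"
        return 1
    fi
    return 0
}

# Cron entry (assumed path for this wrapper):
#   0 3 * * * root /usr/local/sbin/sweeper-cron.sh run
if [ "${1:-}" = "run" ]; then
    run_sweeper && check_residue
    exit $?
fi
```

The wrapper treats "skipped a file" as a reportable condition on purpose: the empty-ccache errors shown above were the symptom of running without `-g`, so a cron job that swallowed them would have looked healthy while deleting nothing.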
Is the sweeper already in ansible role?
It's in, but commented out.
We could push a PR to uncomment it and fix the way it's called in staging only, then remember to fix it in prod after the freeze?
@aheath1992 can you submit a PR for that? Or would someone else like to?
@kevin I can take care of the PR
Metadata Update from @aheath1992:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)
We still need to enable this on production after freeze.