#11083 IPA does not clean up mod_auth_gssapi tokens
Closed: Fixed with Explanation 2 years ago by aheath1992. Opened 2 years ago by abompard.

During my investigation of #10946 I noticed that the cache directory that mod_auth_gssapi uses is filled with a lot of files:

# ls -1 /run/ipa/ccaches/ | wc -l
104218

In the mod_auth_gssapi README there is a mention of that happening with an option that IPA has turned on: https://github.com/gssapi/mod_auth_gssapi#gssapidelegccacheunique

Note: Consuming application must delete the ccache otherwise it will litter the filesystem if sessions are used. An example sweeper can be found in the contrib directory. If using with gssproxy, see note at the top of that file.

The sweeper script that they mention is at: https://github.com/gssapi/mod_auth_gssapi/blob/master/contrib/sweeper.py
It is not shipped with the mod_auth_gssapi RPM unfortunately.
I think we should deploy it on the IPA servers and run it in a cron. It will delete files that contain expired credentials only, so it should be safe to run frequently. I think once a day would be reasonable.


Yeah, we should definitely get this deployed.

Happy to help someone submit a PR for this. ;)

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: medium-gain, medium-trouble, ops

2 years ago

Metadata Update from @aheath1992:
- Issue assigned to aheath1992

2 years ago

@kevin
I created a diff to review before I make a PR, let me know if it looks alright and I'll get a PR created:

https://paste.centos.org/view/c0a037a5

That looks reasonable. You will need of course to check in the sweeper.py file into roles/ipa/server/files/

Hopefully the script doesn't output anything in normal conditions. If it has output, we only want to see it if there are errors/problems.
(but we can adjust this after the fact)

So, I merged the PR and tried it on staging.

First:

The script can't be called by 'python3 sweeper'
python3: can't open file 'sweeper': [Errno 2] No such file or directory

So, it needs to just be 'sweeper'

But it also needs a directory:

usage: sweeper [-h] [-g] dirs [dirs ...]
sweeper: error: the following arguments are required: dirs

I passed it:

/run/ipa/ccaches/

but it outputs a bunch of:

System looks okay; running sweeper...
Sweeping /run/ipa/ccaches/
Not deleting noggin@STG.FEDORAPROJECT.ORG-845dCY due to error Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (39756044): Credential cache is empty
Not deleting noggin@STG.FEDORAPROJECT.ORG-R9hOAk due to error Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (39756044): Credential cache is empty
Not deleting noggin@STG.FEDORAPROJECT.ORG-ObrW5J due to error Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (39756044): Credential cache is empty
Not deleting noggin@STG.FEDORAPROJECT.ORG-73ntVF due to error Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (39756044): Credential cache is empty
...

I think I found out what the problem was: the sweeper script needs access to gssproxy, and that is provided by adding the -g parameter.

So I ran this on ipa01.stg:

[root@ipa01 ~][STG]# sweeper -g /run/ipa/ccaches/
System looks okay; running sweeper...
Sweeping /run/ipa/ccaches/
Sweeper finished successfully!

And here is the result:

[root@ipa01 ~][STG]# ls -1 /run/ipa/ccaches/ | wc -l
34
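A cron-friendly wrapper around the invocation above, added here as an example; it is not code from this ticket, from the Fedora infra ansible role, or from mod_auth_gssapi. It assumes the sweeper is installed as /usr/local/bin/sweeper (a hypothetical path; the ticket only says it is called as 'sweeper') and that /run/ipa/ccaches/ is the directory to sweep. It addresses the earlier point that a cron run should produce no output on a clean pass: it captures the sweeper's output, stays silent and exits 0 on a clean run, and prints everything and exits 1 when the sweeper exits non-zero or reports files it could not evaluate (the "Not deleting ..." lines seen in the staging run without -g). Because the ticket does not show what exit status the sweeper returns in that situation, the wrapper checks for those lines explicitly rather than trusting the exit code alone.

```shell
#!/bin/sh
# sweeper-cron: run mod_auth_gssapi's sweeper quietly from cron.
# Added example, not part of the ticket or the ansible role.
# Assumptions (hypothetical): sweeper installed at /usr/local/bin/sweeper,
# ccache directory /run/ipa/ccaches/, gssproxy in use (hence -g).

SWEEPER="${SWEEPER:-/usr/local/bin/sweeper}"
CCACHE_DIR="${CCACHE_DIR:-/run/ipa/ccaches/}"

# run_sweeper_quiet CMD [ARGS...]
# Runs CMD with stdout and stderr merged and captured. Prints nothing and
# returns 0 on a clean run. Prints the full captured output and returns 1
# if CMD exits non-zero or if any line starts with "Not deleting", which is
# how the sweeper reports a ccache it could not inspect (e.g. no gssproxy
# access, as in the staging run without -g).
run_sweeper_quiet() {
    out=""
    rc=0
    # '|| rc=$?' keeps this safe under 'set -e' in the calling shell.
    out="$("$@" 2>&1)" || rc=$?
    if [ "$rc" -ne 0 ] || printf '%s\n' "$out" | grep -q '^Not deleting '; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Only invoke the real sweeper when it is actually installed, so the script
# can also be sourced for testing on a host without it.
if [ -x "$SWEEPER" ]; then
    run_sweeper_quiet "$SWEEPER" -g "$CCACHE_DIR"
fi
```

Installed as, for example, /usr/local/bin/sweeper-cron and run once a day from cron, this sends mail only when the wrapper prints something, and the non-zero exit lets cron or a systemd timer flag the failure. The "Not deleting" check is deliberately narrow: it matches the message format shown in the staging output in this ticket, so if a newer sweeper changes its wording the pattern needs to follow.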

Is the sweeper already in ansible role?

It's in, but commented out.

We could push a PR to uncomment it and fix the way it's called in staging only, then remember to fix it in prod after the freeze?

@aheath1992 can you submit a PR for that? Or would someone else like to?

Metadata Update from @aheath1992:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)

2 years ago

We still need to enable this on production after freeze.

