#4973 Server cannot be installed by cloudinit/rpm
Closed: Fixed None Opened 9 years ago by mkosek.

When FreeIPA is being installed within cloudinit or an RPM scriptlet, it is being executed with a SELinux context other than the root's unconfined_t. Unfortunately, this has an effect on the Apache keyring CCACHE, as kdestroy is run within the installation process, which forces re-creation of the keyring, which then cannot be accessed by the Apache process.

This issue is related to #4815 (see Dan's assessment), where this problem was solved by removing the kdestroy during upgrade. However, we need to solve the clean installation too.


A workaround for this issue is running

    # sed -i -E 's/(self\.step.+remove_httpd_ccache)/#\1/g' /usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py

before installation, which confirms the kdestroy is to blame.

  • Martin's test:

    # cat /etc/systemd/system/httpd.service 
    .include /lib/systemd/system/httpd.service
    [Service]
    Environment=KRB5CCNAME=/tmp/krb5cc_apache
    
  • Simo: we can have separate ipa-httpd.service and include the original service way

  • Martin: +1 for separate service name
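
A pre-flight check for the condition this ticket describes (installer running in a SELinux type other than unconfined_t while httpd uses a keyring ccache), added here as an example and not taken from the ticket or from FreeIPA. The function names are hypothetical, and the verdict logic assumes only what the ticket states.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Function names are hypothetical.

# Print the type field of an SELinux context (user:role:type[:level]).
# The level can contain colons (s0-s0:c0.c1023), so only field 3 is read.
selinux_type() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $3; ok = 1 } END { exit !ok }'
}

# Classify a Kerberos ccache name by its TYPE: prefix; a bare path is FILE.
ccache_type() {
    case "$1" in
        "")        echo DEFAULT ;;  # resolved from krb5.conf default_ccache_name
        KEYRING:*) echo KEYRING ;;
        FILE:*|/*) echo FILE ;;
        DIR:*)     echo DIR ;;
        KCM:*)     echo KCM ;;
        MEMORY:*)  echo MEMORY ;;
        *)         echo UNKNOWN ;;
    esac
}

# install_at_risk <installer context> <httpd ccache name>
# Returns 0 when the ticket's condition holds, 1 when it does not,
# 2 when the inputs do not allow a decision.
install_at_risk() {
    ctx_type=$(selinux_type "$1") || return 2
    [ "$ctx_type" = "unconfined_t" ] && return 1
    case "$(ccache_type "$2")" in
        KEYRING)         return 0 ;;
        DEFAULT|UNKNOWN) return 2 ;;
        *)               return 1 ;;
    esac
}

# Usage: sh check.sh --check "<httpd KRB5CCNAME>"  (id -Z needs SELinux enabled)
if [ "${1:-}" = "--check" ]; then
    install_at_risk "$(id -Z)" "${2:-}"
    case $? in
        0) echo "at risk: confined installer context with keyring ccache" ;;
        1) echo "not affected by this condition" ;;
        *) echo "undetermined: check the context and default_ccache_name" ;;
    esac
fi
```
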

master:

  • 9a1a409 provide dedicated ccache file for httpd

master:

  • 7ff7b1f move IPA-related http runtime directories to common subdirectory
  • 5a741b6 explicitly destroy httpd service ccache file during httpinstance removal

Metadata Update from @mkosek:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.2

7 years ago
