[Freeipa-devel] [PATCH] 452 httpd should destroy all CCACHEs

Martin Kosek mkosek at redhat.com
Wed Jan 22 16:19:48 UTC 2014


On 01/22/2014 04:42 PM, Simo Sorce wrote:
> On Wed, 2014-01-22 at 16:14 +0100, Martin Kosek wrote:
>> On 01/22/2014 03:39 PM, Simo Sorce wrote:
>>> On Wed, 2014-01-22 at 12:42 +0100, Petr Viktorin wrote:
>>>> On 01/21/2014 05:12 PM, Martin Kosek wrote:
>>>>> On 01/21/2014 03:07 PM, Petr Viktorin wrote:
>>>>>> On 01/16/2014 02:16 PM, Martin Kosek wrote:
>>>>>>> [freeipa-mkosek-448-add-runas-option-to-run-function.patch]:
>>>>>>>
>>>>>>> Run function can now run the specified command as a different user by
>>>>>>> setting the EUID and EGID for the executed process.
>>>>>>
>>>>>> Please add the new argument to the docstring, otherwise ACK
>>>>>>
>>>>>>> [freeipa-mkosek-449-switch-httpd-to-use-default-ccache.patch]:
>>>>>>>
>>>>>>> Stock httpd no longer uses systemd EnvironmentFile option which is
>>>>>>> making FreeIPA's KRB5CCNAME setting ineffective. This can lead to hard
>>>>>>> to debug problems during subsequent ipa-server-install's where HTTP
>>>>>>> may use a stale CCACHE in the default kernel keyring CCACHE.
>>>>>>>
>>>>>>> Avoid forcing custom CCACHE and switch to system one, just make sure
>>>>>>> that it is properly cleaned by kdestroy run as "apache" user during
>>>>>>> FreeIPA server installation process.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/4084
>>>>>>
>>>>>> This does not fix the issue for me.
>>>>>> On a fresh f20 machine, I installed the server, uninstalled it, and installed
>>>>>> again. The second installation failed with the ipa-client-install error
>>>>>> described in the ticket.
>>>>>>
>>>>>
>>>>> On your VM, I saw the method I use for running a command as a different process
>>>>> was indeed not effective. I had to change both effective and real UID/GID to
>>>>> make the kdestroy function working.
>>>>>
>>>>> I also added the missing docstrings in 448, both for runas as well as other
>>>>> missing options.
>>>>
>>>> Great, thank you! ACK, fixed a typo in the docstring and pushed to 
>>>> master: f49c26db2c38e5b60a6be990b95c2926ecfa6247
>>>>
>>>> For the record, this problem appeared in an install-uninstall-install 
>>>> cycle with no reboot. It's unlikely to appear in the wild, but happens 
>>>> all the time in CI and on some developers' workflows.
>>>>
>>>
>>> Arghh sorry to come in late, but the second patch is not sufficient :-(
>>>
>>> You should run kdestroy -A to remove all ccaches, even non primary ones,
>>> so that non primary ones are not mistakenly picked up later.
>>> kdestroy w/o -A will only destroy the primary one if any is selected.
>>>
>>> Simo.
>>
>> Ok, thanks for the warning. Current patch worked in my environment, but is
>> it is better to do it correctly. Attaching a patch to fix that.
> 
> Ack to the patch

Pushed to master.

> 
>> BTW, given you read this patch now - are you OK with the approach? Is it fine
>> with you that we do not insist on FILE CCACHE for httpd but just use the default?
> 
> Yeah, I see no problem, people can always change the system wide default
> or add their own unit file if they really have an issue with this, so it
> is not like a change that pins us down in any specifically bad way.
> 
> Simo.
> 

Ok. Thanks,
Martin
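The two points settled in the thread above are that the helper must switch the real UID/GID as well as the effective ones, and that it must run `kdestroy -A` so every cache in the collection is destroyed, not only the primary one. The following is an added illustration of that combination written for this thread; it is not FreeIPA's `run()` implementation or any code from the patches discussed. The function names (`make_demote`, `build_kdestroy_argv`, `destroy_ccaches_as`) are invented for the example, and it assumes a Linux host where the default ccache is a per-user collection such as `KEYRING:persistent:%{uid}`, with `%{uid}` expanded from the process's real UID, which is why changing only the effective IDs leaves the command looking at root's caches.

```python
import os
import pwd
import subprocess


def resolve_user(name):
    """Look up the UID and primary GID of a local account (e.g. 'apache')."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, pw.pw_gid


def make_demote(uid, gid):
    """Return a preexec_fn that switches BOTH real and effective IDs.

    Setting only the effective IDs is not enough here: with a per-user
    default ccache such as KEYRING:persistent:%{uid}, krb5 expands %{uid}
    from the real UID, so a child with euid=apache but ruid=root still
    operates on root's cache collection. Groups are switched first, while
    the process is still privileged enough to do so.
    """
    def demote():
        os.setregid(gid, gid)   # real + effective GID
        os.setreuid(uid, uid)   # real + effective UID (no way back to root)
    return demote


def build_kdestroy_argv(destroy_all=True):
    """argv for kdestroy; -A destroys every cache in the collection,
    plain kdestroy only destroys the currently selected primary cache."""
    argv = ["kdestroy"]
    if destroy_all:
        argv.append("-A")
    return argv


def destroy_ccaches_as(user, destroy_all=True):
    """Run kdestroy as `user` and return its exit status.

    Must be started as root (the installer's situation); the child drops
    to `user` before exec so kdestroy sees that user's own default ccache.
    """
    uid, gid = resolve_user(user)
    return subprocess.call(
        build_kdestroy_argv(destroy_all),
        preexec_fn=make_demote(uid, gid),
    )


if __name__ == "__main__":
    # Example invocation mirroring the installer's cleanup step.
    raise SystemExit(destroy_ccaches_as("apache"))
```

The usage matches the installer's situation: the caller is root, and the child process becomes `apache` in both real and effective identity before `kdestroy -A` runs, so a stale cache left in the apache keyring collection from a previous install cannot be picked up by httpd later.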