When FreeIPA is installed from cloud-init or an RPM scriptlet, the installer runs with an SELinux context other than root's unconfined_t. Unfortunately, this affects the Apache keyring CCACHE: kdestroy is run during installation, which forces re-creation of the keyring, and the re-created keyring cannot then be accessed by the Apache process.
This issue is related to #4815 (see Dan's assessment), where this problem was solved by removing the kdestroy during upgrade. However, we need to solve the clean installation too.
A workaround for this issue is running
# sed -i -E 's/(self\.step.+remove_httpd_ccache)/#\1/g' /usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py
before installation, which confirms the kdestroy is to blame.
Martin's test:
# cat /etc/systemd/system/httpd.service
.include /lib/systemd/system/httpd.service
[Service]
Environment=KRB5CCNAME=/tmp/krb5cc_apache
Simo: we can have separate ipa-httpd.service and include the original service way
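An added example, not from the ticket or from FreeIPA itself: a small POSIX shell helper that classifies a KRB5CCNAME value (keyring vs. file) and writes a systemd override pinning httpd to a file-based ccache, the approach Martin tested above. It uses an httpd.service.d/ drop-in instead of the older `.include` form; the drop-in file name and the default ccache path are assumptions.

```shell
#!/bin/sh
# Added example (not FreeIPA code). Helpers for pinning httpd to a
# file-based Kerberos ccache so a kdestroy under a confined SELinux
# context cannot leave Apache with an unreadable keyring ccache.

# Report the ccache type implied by a KRB5CCNAME value.
# libkrb5 treats a value with no "TYPE:" prefix as a FILE ccache.
ccache_type() {
    case "$1" in
        KEYRING:*) echo keyring ;;
        FILE:*|/*) echo file ;;
        DIR:*)     echo dir ;;
        MEMORY:*)  echo memory ;;
        *)         echo unknown ;;
    esac
}

# Write a drop-in that sets KRB5CCNAME for httpd.service.
#   $1 = systemd unit dir (default /etc/systemd/system)
#   $2 = ccache path      (default /tmp/krb5cc_apache, as in Martin's test)
# Prints the path of the drop-in that was written. The file name
# "krb5ccname.conf" is an assumption; any *.conf name in the .d dir works.
write_httpd_ccache_dropin() {
    unit_dir="${1:-/etc/systemd/system}"
    ccache="${2:-/tmp/krb5cc_apache}"
    dropin_dir="$unit_dir/httpd.service.d"
    mkdir -p "$dropin_dir"
    printf '[Service]\nEnvironment=KRB5CCNAME=FILE:%s\n' "$ccache" \
        > "$dropin_dir/krb5ccname.conf"
    echo "$dropin_dir/krb5ccname.conf"
}

# Read the KRB5CCNAME value back out of a drop-in, for a post-write check.
dropin_ccname() {
    sed -n 's/^Environment=KRB5CCNAME=//p' "$1"
}
```

After writing the drop-in, `systemctl daemon-reload` and a restart of httpd are still needed for the new environment to take effect.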
master:
Metadata Update from @mkosek:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.2