#5508 ipa-server ships /etc/systemd/system/httpd.service which should be used by local administrator
Closed: fixed 4 years ago by abbra. Opened 8 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1287644

Description of problem:

The ipa-server package ships /etc/systemd/system/httpd.service.

The man page systemd-system.conf(5) says:

       When packages need to customize the configuration, they can install
       configuration snippets in /usr/lib/systemd/*.conf.d/. Files in /etc/
       are reserved for the local administrator, who may use this logic to
       override the configuration files installed by vendor packages.

Version-Release number of selected component (if applicable):

ipa-server-4.2.0-15.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Verify /etc/systemd/system/httpd.service is not present.
2. yum install -y ipa-server
3. rpm -qf /etc/systemd/system/httpd.service

Actual results:

ipa-server-4.2.0-15.el7.x86_64

Expected results:

error: file /etc/systemd/system/httpd.service: No such file or directory

Additional info:

Having httpd.service installed by default in /etc makes it hard to distinguish
genuine changes by the admin from those done by future versions of packages,
especially for containerized deployments.

The file is used for Kerberos ccache and KDC Proxy. ipa-httpd-kdcproxy enables or disables KDC Proxy feature by adding / removing a symlink to /etc/httpd/conf.d/

.include /usr/lib/systemd/system/httpd.service

[Service]
Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
Environment=KDCPROXY_CONFIG=/etc/ipa/kdcproxy/kdcproxy.conf
ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
ExecStopPost=-/usr/bin/kdestroy -A
  • mkosek: If all that is needed is to start adding the config file to /usr/lib/systemd/*.conf.d/ or /usr/lib/systemd/user/..., it should be doable in 4.4 for making Jan's life with containers easier. 4.3.x in that case?
  • H: /usr/lib/systemd/system/httpd.service is owned by httpd, IIRC they removed the possibility to set environment variables in /etc/sysconfig/httpd because it's not The systemd way™, hence our httpd.service in /etc/systemd/system
  • mkosek: I would do more drastic changes and create own httpd service only together with https://fedorahosted.org/freeipa/ticket/4431, i.e. providing our own hardened httpd.conf to comply with chosen TSIGs
  • H: create and use ipa-httpd.service? or persuade httpd maintainers that /etc/sysconfig/httpd is actually a good idea? Use httpd.service.d/ in /usr.
  • Christian: httpd.service is also used to add/remove symlink for kdcproxy
  • ab: we can and should provide /etc/systemd/system/httpd.service only as outcome of running ipa-server-install/ipa-replica-install, not in the package.
  • mkosek: do Jan's easyfix in 4.4, we can track the more drastic/rename change in 4431

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

commit 64db059
Author: Christian Heimes <cheimes@redhat.com>
Date: Tue Aug 2 16:58:07 2016 +0200

Correct path to HTTPD's systemd service directory

Ticket #5681 and commit 586fee293f42388510fa5436af19460bbe1fdec5 changed
the location of the ipa.conf for Apache HTTPD. The variables
SYSTEMD_SYSTEM_HTTPD_D_DIR and SYSTEMD_SYSTEM_HTTPD_IPA_CONF point to
the wrong directory /etc/systemd/system/httpd.d/. The path is corrected
to /etc/systemd/system/httpd.service.d/.

https://fedorahosted.org/freeipa/ticket/6158
https://bugzilla.redhat.com/show_bug.cgi?id=1362537
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago

Note that the commit is not the first one (it references the original one) but this commit is the final one in moving to a snippet.
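
The ownership check from the reproduction steps (`rpm -qf`), extended to every regular file under the administrator's systemd directory, as an added example that is not part of the ticket or of FreeIPA's code. The function names and the `OWNER_CMD` hook are assumptions made here so the lookup can be stubbed on a host without rpm.

```shell
#!/bin/sh
# Added example: report package-owned files under a systemd admin directory.

# Default owner lookup: prints the owning package and returns 0, or returns
# non-zero when no package owns the file (rpm -qf exits non-zero in that case).
rpm_owner() {
    rpm -qf "$1" 2>/dev/null
}

# audit_etc_units DIR [OWNER_CMD]
# Prints one line per package-owned regular file: kind<TAB>path<TAB>package
#   kind=override  full unit file that shadows the vendor unit
#   kind=drop-in   snippet inside a *.d/ directory
# Symlinks created by "systemctl enable" are skipped (-type f).
audit_etc_units() {
    dir=$1
    owner_cmd=${2:-rpm_owner}   # hypothetical hook so the lookup can be stubbed
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -type f | sort | while IFS= read -r f; do
        if owner=$("$owner_cmd" "$f"); then
            rel=${f#"$dir"/}
            case $rel in
                *.d/*) kind=drop-in ;;
                *)     kind=override ;;
            esac
            printf '%s\t%s\t%s\n' "$kind" "$f" "$owner"
        fi
    done
}
```

Run it as `audit_etc_units /etc/systemd/system`; any output line is a file in the administrator's directory that a package owns.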
