Remove non-sensical kdestroy on https stop #468
Conversation
ipaplatform/redhat/tasks.py
Outdated
| @@ -451,8 +451,7 @@ def configure_httpd_service_ipa_conf(self): | |||
| dict( | |||
| KRB5CC_HTTPD=paths.KRB5CC_HTTPD, | |||
| KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG, | |||
| IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY, | |||
| POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY) | |||
| IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY | |||
|
I would rather keep --- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -452,7 +452,8 @@ class RedHatTaskNamespace(BaseTaskNamespace):
KRB5CC_HTTPD=paths.KRB5CC_HTTPD,
KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY,
- POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY)
+ POST='-{kdestroy} -c {ccache}'.format(
+ kdestroy=paths.KDESTROY, ccache=paths.KRB5CC_HTTPD)
)
)Otherwise we will bump into regressions caused by stale HTTPD ccaches left over when backing up/restoring IPA installation. I would demonstrate it on a failing backup/restore tests but they are completely messed up right now. |
|
Why do we back up ccache in the first place? |
|
We do not backup ccache, we back up apache keytab. During restore into installer server we back up old Kerberos keys, but without any mechanism to purge the new apache ccache acquired during the installation of new server you would end up with key mismatch and nothing would work until the ccache expires. As to why a) we backup Kerberos keys, and b) support restoring into running IPA server that is beyond me. |
|
If you don't backup the keytab then how do you expect to bring the server back up? Fetch new keys for all services? Full restore is very clearly documented as a recovery from complete failure in which case the restored master is the only one so there should be no mismatch between what was backed-up and what was restored. |
|
@rcritten can you please re-read my comment very slowly? I wrote that we do backup keytabs. |
|
And indeed I can reproduce the original failure reported in https://fedorahosted.org/freeipa/ticket/5296 with this PR. If I manually remove apache ccache (kdestroy -c /var/run/httpd/ipa/krbcache/krb5ccache) I can use the framework again. |
|
Rudeness is not necessary. You said: "As to why a) we backup Kerberos keys, and b) support restoring into running IPA server that is beyond me." The reason for a) is to restore an exact copy of what was backed up. As for b, the idea of restoring into a running IPA server to replace the existing install with a new one is something I discuss in some detail at http://www.freeipa.org/page/V3/Backup_and_Restore and outline the ton of problems associated with it. It was never intended to be supported due to these issues. |
|
I'm with @rcritten . If we need to clean up / remove some files during a restore, then these clean-ups should be handled by |
|
And AFAIK b) is not supported. @martbab , does something indicate otherwise? |
|
@rcritten I apologize for sounding rude. I misread your comment and interpreted it differently than intended. That said, if the restore to a running IPA server is not intended to be supported, why do we have a number of tests for this scenario? I have tried to find some discussion in the design page you posted but did not find any discussion of restore into running server, only the steps taken. @tiran I tend to agree with you now. It seemed like a good idea to purge ccaches in the unit file when we switched from KEYRING: to FILE: for apache. However the restore use-case is not the only one which can result into stale ccache, I can also think about requesting new Apache keytab, restarting the service and be left with a stale ccache and key mismatch again. |
|
@pvoborni this is the way how it this tested by QA, so that's why I added this kind of test to upstream. I disagree that |
|
@MartinBasti the unit files are the wrong place to destroy ccaches, especially given they run as a different user (root) and may not have access to destroy stuff when we start using KCM. |
|
@simo5 any ideas how this should be fixed? We cannot push this patch without additional fix of removing outdated ccache because it will cause permanent fail of CI for backup/restore and it will mask real issues. |
|
If this is about backup/restore, add a kdestroy ccache in the restore scripts, making sue it su - apache first |
|
how about @martbab comment?
|
|
If you request a new keytab you should clean up the cacche ? |
|
Could we use just keep the post command as "kdestroy -c {apache_ccache_path}"? Or is everything chrooted into name-spaced /tmp and we can not access the ccache file from within the unit file? |
|
Yes, when namespaced /tmp is used, unit file does not have any view into that. |
|
How about we use systemd PrivateTmp for temporary files? It is not only more secure but it also automatically removes all temporary files when the service is stopped: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp= |
|
@tiran we do use PrivateTmp already. This is not about PrivateTmp, though, because we don't store credentials caches in a private tmp. |
|
That's my point. Why is the ccache file not stored in
|
|
Uhm I just tried setting KRB5CCNAME=/tmp/krb5_httpd in my install and ... I found out we do not actually generate an httpd ccache, so why are we trying to destroy the ccache again ? |
| @@ -1,7 +1,7 @@ | |||
| # Do not edit. Created by IPA installer. | |||
|
|
|||
| [Service] | |||
| Environment=KRB5CCNAME=/tmp/krb5-httpd | |||
There was a problem hiding this comment.
I would rather revive paths.KRB5CC_HTTPD and substitute it to the template than having magic strings.
I also noticed that KRB5CC_HTTPD was left over in ipaplatform.debian.paths module.
There was a problem hiding this comment.
Thank you let's wait for Travis CI.
This kdestroy runs as root and wipes root's own ccachs ... this is totally inappropriate. Use a file ccache that ends up in the private tmp, so that if the service is restarted the file is automatically removed. https://fedorahosted.org/freeipa/ticket/6673 Signed-off-by: Simo Sorce <simo@redhat.com>
|
I have also noticed that the ccache is not created there, strange. However I think it is better to explicitly specify file-based ccache anyway just to be one the safe side. Otherwise everything seems to work as expected, even |
martbab
added
ack
|
Fixed upstream |
|
@pvoborni should the fix go also into 4-4 branch? see https://fedorahosted.org/freeipa/ticket/6673#comment:3 |
This kdestroy runs as root and wipes root's own ccachs ...
this is totally inappropriate.
https://fedorahosted.org/freeipa/ticket/6673
Signed-off-by: Simo Sorce simo@redhat.com