Backup ipa-specific httpd unit-file #607

stlaz · 2017-03-16T09:34:56Z

On backup-restore, the ipa unit file for httpd was not backed up.
This file however contains setting for httpd to communicate with
gssproxy so not backing it up will result in httpd not knowing
how to get credentials.

https://pagure.io/freeipa/issue/6748

tiran · 2017-03-16T09:57:56Z

LGTM

Did you check if there are more files missing after backup, uninstall, restore? You could use find /etc /usr /var >before_uninstall before uninstall and after restore, then compare the files with diff.

stlaz · 2017-03-16T11:24:44Z

Thanks, @tiran, this is a good idea, I noticed also KDCProxy conf symlink was missing.

tiran · 2017-03-16T11:27:23Z

The symlink is generated by a script when httpd is started.

stlaz · 2017-03-16T11:42:12Z

Ah, right.

stlaz · 2017-03-16T15:22:18Z

We need to perform paths.SYSTEMCTL --system daemon-reload here as well.

On backup-restore, the ipa unit file for httpd was not backed up. This file however contains setting for httpd to communicate with gssproxy so not backing it up will result in httpd not knowing how to get credentials. https://pagure.io/freeipa/issue/6748

MartinBasti · 2017-03-22T15:47:43Z

After restore I cannot connect to webUI

[Wed Mar 22 16:43:48.779900 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] mod_wsgi (pid=100377): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed Mar 22 16:43:48.780002 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] Traceback (most recent call last):
[Wed Mar 22 16:43:48.780059 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]   File "/usr/share/ipa/wsgi.py", line 51, in application
[Wed Mar 22 16:43:48.780592 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]     return api.Backend.wsgi_dispatch(environ, start_response)
[Wed Mar 22 16:43:48.780618 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
[Wed Mar 22 16:43:48.781029 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]     return self.route(environ, start_response)
[Wed Mar 22 16:43:48.781050 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
[Wed Mar 22 16:43:48.781086 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]     return app(environ, start_response)
[Wed Mar 22 16:43:48.781110 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 913, in __call__
[Wed Mar 22 16:43:48.781146 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]     self.kinit(user_principal, password, ipa_ccache_name)
[Wed Mar 22 16:43:48.781162 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 947, in kinit
[Wed Mar 22 16:43:48.781180 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]     kinit_armor(armor_path)
[Wed Mar 22 16:43:48.781215 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]   File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 125, in kinit_armor
[Wed Mar 22 16:43:48.781306 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]     run(args, env=env, raiseonerr=True, capture_error=True)
[Wed Mar 22 16:43:48.781331 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 495, in run
[Wed Mar 22 16:43:48.781788 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]     raise CalledProcessError(p.returncode, arg_string, str(output))
[Wed Mar 22 16:43:48.781873 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_100377' returned non-zero exit status 1

KDc log

Mar 22 16:43:48 vm-126.abc.idm.lab.eng.brq.redhat.com krb5kdc[100354](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.34.78.126: ISSUE: authtime 1490197428, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM for krbtgt/ABC.IDM.LAB.ENG.BRQ.REDHAT.COM@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
Mar 22 16:43:48 vm-126.abc.idm.lab.eng.brq.redhat.com krb5kdc[100354](info): closing down fd 11
Mar 22 16:43:48 vm-126.abc.idm.lab.eng.brq.redhat.com krb5kdc[100357](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.34.78.126: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM for krbtgt/ABC.IDM.LAB.ENG.BRQ.REDHAT.COM@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM, Additional pre-authentication required
Mar 22 16:43:48 vm-126.abc.idm.lab.eng.brq.redhat.com krb5kdc[100357](info): closing down fd 11

MartinBasti · 2017-03-22T15:49:21Z

However it fixed issue listed in ticket, so this can resolved in separate PR.

tkrizek · 2017-03-23T09:14:02Z

master:

2612c09 Backup ipa-specific httpd unit-file
ipa-4-5:
59342a7 Backup ipa-specific httpd unit-file

stlaz force-pushed the backup_fix branch from 510da02 to d684e43 Compare March 16, 2017 11:26

stlaz force-pushed the backup_fix branch from d684e43 to 657ac16 Compare March 16, 2017 11:41

stlaz force-pushed the backup_fix branch from 657ac16 to 6c29861 Compare March 16, 2017 15:30

MartinBasti self-assigned this Mar 20, 2017

MartinBasti added the ack Pull Request approved, can be merged label Mar 22, 2017

tkrizek added the pushed Pull Request has already been pushed label Mar 23, 2017

tkrizek closed this Mar 23, 2017

Backup ipa-specific httpd unit-file #607

Backup ipa-specific httpd unit-file #607

stlaz commented Mar 16, 2017 •

edited by tkrizek

tiran commented Mar 16, 2017

stlaz commented Mar 16, 2017

tiran commented Mar 16, 2017

stlaz commented Mar 16, 2017

stlaz commented Mar 16, 2017

MartinBasti commented Mar 22, 2017

MartinBasti commented Mar 22, 2017

tkrizek commented Mar 23, 2017

Backup ipa-specific httpd unit-file #607

Backup ipa-specific httpd unit-file #607

Conversation

stlaz commented Mar 16, 2017 • edited by tkrizek

tiran commented Mar 16, 2017

stlaz commented Mar 16, 2017

tiran commented Mar 16, 2017

stlaz commented Mar 16, 2017

stlaz commented Mar 16, 2017

MartinBasti commented Mar 22, 2017

MartinBasti commented Mar 22, 2017

tkrizek commented Mar 23, 2017

stlaz commented Mar 16, 2017 •

edited by tkrizek