Backup ipa-specific httpd unit-file #607

Closed

stlaz commented Mar 16, 2017

On backup-restore, the ipa unit file for httpd was not backed up.
This file, however, contains settings for httpd to communicate with
gssproxy, so not backing it up will result in httpd not knowing
how to get credentials.

https://pagure.io/freeipa/issue/6748


tiran commented Mar 16, 2017

LGTM

Did you check if there are more files missing after backup, uninstall, restore? You could use `find /etc /usr /var >before_uninstall` before uninstall and after restore, then compare the files with `diff`.
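
The before/after comparison suggested above, written out as a small script. This is an added example, not part of the pull request or of FreeIPA; the function names, the `after_restore` file name and the exclude pattern are assumptions. It goes slightly beyond plain `find` plus `diff` by recording each entry's type, so missing symlinks stand out from missing regular files.

```shell
#!/bin/sh
# Added example (not FreeIPA code): report paths that existed before
# uninstall but are absent after restore.
# Limitation: paths containing newlines are not handled.

# snapshot OUTFILE ROOT...
# Writes one sorted "<type> <path>" line per entry under each ROOT,
# where type is f (regular file), l (symlink) or d (directory).
snapshot() {
    out=$1; shift
    for kind in f l d; do
        find "$@" -type "$kind" 2>/dev/null | sed "s|^|$kind |"
    done | LC_ALL=C sort > "$out"
}

# missing_after_restore BEFORE AFTER [EXCLUDE_ERE]
# Prints entries present in BEFORE but not in AFTER. Lines matching the
# optional extended regex (volatile paths such as logs) are dropped.
missing_after_restore() {
    exclude='^$'
    if [ $# -ge 3 ]; then
        exclude=$3
    fi
    # comm needs both inputs sorted in the same locale as snapshot used.
    LC_ALL=C comm -23 "$1" "$2" | grep -v -E "$exclude" || true
}

# Usage on the server, as root:
#   snapshot before_uninstall /etc /usr /var      # before uninstall
#   snapshot after_restore    /etc /usr /var      # after restore
#   missing_after_restore before_uninstall after_restore ' /var/(log|run|tmp)/'
```

Entries that are regenerated at service start will still be listed as missing if the snapshot is taken before the service has run, so take the second snapshot after the restored services are up.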


stlaz commented Mar 16, 2017

Thanks, @tiran, this is a good idea. I also noticed the KDCProxy conf symlink was missing.


tiran commented Mar 16, 2017

The symlink is generated by a script when httpd is started.


stlaz commented Mar 16, 2017

Ah, right.


stlaz commented Mar 16, 2017

We need to perform `paths.SYSTEMCTL --system daemon-reload` here as well.

MartinBasti commented

After restore I cannot connect to webUI

[Wed Mar 22 16:43:48.779900 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] mod_wsgi (pid=100377): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed Mar 22 16:43:48.780002 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] Traceback (most recent call last):
[Wed Mar 22 16:43:48.780059 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]   File "/usr/share/ipa/wsgi.py", line 51, in application
[Wed Mar 22 16:43:48.780592 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]     return api.Backend.wsgi_dispatch(environ, start_response)
[Wed Mar 22 16:43:48.780618 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
[Wed Mar 22 16:43:48.781029 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]     return self.route(environ, start_response)
[Wed Mar 22 16:43:48.781050 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
[Wed Mar 22 16:43:48.781086 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]     return app(environ, start_response)
[Wed Mar 22 16:43:48.781110 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 913, in __call__
[Wed Mar 22 16:43:48.781146 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]     self.kinit(user_principal, password, ipa_ccache_name)
[Wed Mar 22 16:43:48.781162 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 947, in kinit
[Wed Mar 22 16:43:48.781180 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]     kinit_armor(armor_path)
[Wed Mar 22 16:43:48.781215 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]   File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 125, in kinit_armor
[Wed Mar 22 16:43:48.781306 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]     run(args, env=env, raiseonerr=True, capture_error=True)
[Wed Mar 22 16:43:48.781331 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 495, in run
[Wed Mar 22 16:43:48.781788 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184]     raise CalledProcessError(p.returncode, arg_string, str(output))
[Wed Mar 22 16:43:48.781873 2017] [wsgi:error] [pid 100377] [remote 2620:52:0:2280:206a:7885:fe7b:1356:184] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_100377' returned non-zero exit status 1

KDC log

Mar 22 16:43:48 vm-126.abc.idm.lab.eng.brq.redhat.com krb5kdc[100354](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.34.78.126: ISSUE: authtime 1490197428, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM for krbtgt/ABC.IDM.LAB.ENG.BRQ.REDHAT.COM@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
Mar 22 16:43:48 vm-126.abc.idm.lab.eng.brq.redhat.com krb5kdc[100354](info): closing down fd 11
Mar 22 16:43:48 vm-126.abc.idm.lab.eng.brq.redhat.com krb5kdc[100357](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.34.78.126: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM for krbtgt/ABC.IDM.LAB.ENG.BRQ.REDHAT.COM@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM, Additional pre-authentication required
Mar 22 16:43:48 vm-126.abc.idm.lab.eng.brq.redhat.com krb5kdc[100357](info): closing down fd 11

MartinBasti commented

However, it fixed the issue listed in the ticket, so this can be resolved in a separate PR.

MartinBasti added the "ack" label (Pull Request approved, can be merged) Mar 22, 2017

tkrizek added the "pushed" label (Pull Request has already been pushed) Mar 23, 2017


tkrizek commented Mar 23, 2017

master:

  • 2612c09 Backup ipa-specific httpd unit-file

ipa-4-5:

  • 59342a7 Backup ipa-specific httpd unit-file

tkrizek closed this Mar 23, 2017