URL: https://github.com/SSSD/sssd/pull/244 Author: lslebodn Title: #244: KCM: Modify krb5 snippet file kcm_default_ccache Action: opened
PR body: """ The file kcm_default_ccache must enable KCM ccache by default without any modification of the file.
The patch also fixes a few issues.
* /etc/krb5.conf.d is fedora/el7 specific and therefore should not be created by make. File will be installed to $datadir/sssd-kcm by default
* /etc/krb5.conf.d/ should not be owned by sssd-kcm because it is owned by dependency of sssd-kcm (krb5-libs)
sh$ rpm -qf /etc/krb5.conf.d/
sssd-kcm-1.15.3-0.20170411.0929.gitdbeae4834.fc26.x86_64
krb5-libs-1.15.1-7.fc26.x86_64
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/244/head:pr244
git checkout pr244
lslebodn commented: """ http://sssd-ci.duckdns.org/logs/job/68/29/summary.html """
See the full comment at https://github.com/SSSD/sssd/pull/244#issuecomment-296205113
fidencio commented: """ Adding "Changes requested" label by @jhrozek's review. """
See the full comment at https://github.com/SSSD/sssd/pull/244#issuecomment-298598024
Label: +Changes requested
Label: -Changes requested
lslebodn commented: """ Answered inline. """
See the full comment at https://github.com/SSSD/sssd/pull/244#issuecomment-298600497
jhrozek commented: """ Thanks, ACK """
See the full comment at https://github.com/SSSD/sssd/pull/244#issuecomment-298747620
Label: +Accepted
URL: https://github.com/SSSD/sssd/pull/244 Author: lslebodn Title: #244: KCM: Modify krb5 snippet file kcm_default_ccache Action: synchronized
Label: -Accepted
lslebodn commented: """ When I was writing a SELinux policy to sssd-kcm I realized that info about configuration is a little bit confusing. There is missing info for enabling `sssd-secrets.socket` + enabling `sssd-kcm.service` is not necessary. It does not have any effect. Because it is indirect; and enabling/disabling service with enable/disable socket
```
sh# systemctl disable sssd-kcm.service
Removed /etc/systemd/system/sockets.target.wants/sssd-kcm.socket.
sh# systemctl status sssd-kcm.service | grep Loaded
Loaded: loaded (/usr/lib/systemd/system/sssd-kcm.service; indirect; vendor preset: disabled)
sh# systemctl enable sssd-kcm.service
Created symlink /etc/systemd/system/sockets.target.wants/sssd-kcm.socket → /usr/lib/systemd/system/sssd-kcm.socket.
sh# systemctl status sssd-kcm.service | grep Loaded
Loaded: loaded (/usr/lib/systemd/system/sssd-kcm.service; indirect; vendor preset: disabled)
```
"""
See the full comment at https://github.com/SSSD/sssd/pull/244#issuecomment-298835169
jhrozek commented: """ Hmm, since the include file now enables KCM (even though just in the upstream spec and not downstream), does the admin then need to manually enable the sockets? If yes, then I think it would irritate admins, shouldn't we enable the sockets automatically, then? """
See the full comment at https://github.com/SSSD/sssd/pull/244#issuecomment-299130445
lslebodn commented: """ Where/when/how do you want to enable sockets automatically? """
See the full comment at https://github.com/SSSD/sssd/pull/244#issuecomment-299413987
jhrozek commented: """ In the upstream specfile.
My concern is that installing the snippet would yield a half-working system where you need to enable sockets just to be able to kinit. """
See the full comment at https://github.com/SSSD/sssd/pull/244#issuecomment-299421272
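Added example (not part of the PR or of SSSD's code): a shell check for the half-working state discussed in the two comments above, where a krb5 snippet selects the KCM ccache but the sssd-kcm and sssd-secrets sockets are not enabled. The function names and the sample snippet are constructed for illustration; the socket states are the words printed by `systemctl is-enabled`.

```shell
#!/bin/sh
# Added example: detect a krb5 config that selects KCM while the
# socket-activated units it depends on are not enabled.

# Print the value of the last default_ccache_name set in [libdefaults]
# of krb5.conf-style text read from stdin (empty if none is set).
default_ccache_name() {
    awk '
        /^[ \t]*\[/   { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        /^[ \t]*[#;]/ { next }
        in_lib && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
        }
        END { print val }
    '
}

# kcm_readiness CCACHE KCM_SOCKET_STATE SECRETS_SOCKET_STATE
# Prints one verdict: not-kcm, ready, or broken:<units still to enable>.
# Only the enabled state is judged; a socket started by hand but not
# enabled is still reported, because it will not survive a reboot.
kcm_readiness() {
    case "$1" in
        KCM:*) ;;
        *) echo "not-kcm"; return 0 ;;
    esac
    missing=""
    [ "$2" = "enabled" ] || missing="sssd-kcm.socket"
    [ "$3" = "enabled" ] || missing="${missing:+$missing,}sssd-secrets.socket"
    if [ -z "$missing" ]; then echo "ready"; else echo "broken:$missing"; fi
}

# Constructed sample of a snippet that enables KCM by default.
SAMPLE_SNIPPET='[libdefaults]
    # default_ccache_name = FILE:/tmp/krb5cc_%{uid}
    default_ccache_name = KCM:
[realms]
    default_ccache_name = ignored-outside-libdefaults
'

# Live use (commented out so the example runs offline):
#   cc=$(cat /etc/krb5.conf /etc/krb5.conf.d/* 2>/dev/null | default_ccache_name)
#   kcm_readiness "$cc" "$(systemctl is-enabled sssd-kcm.socket)" \
#                       "$(systemctl is-enabled sssd-secrets.socket)"
```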
lslebodn commented: """
> My concern is that installing the snippet would yield a half-working system where you need to enable sockets just to be able to kinit.
I checked fedora packaging guidelines and it looks like sssd-kcm meets the criteria
http://fedoraproject.org/wiki/Packaging:Systemd#Socket_activation
http://fedoraproject.org/wiki/Packaging:DefaultServices
I think we can ship /usr/lib/systemd/system-preset/50-sssd-kcm.preset and in f27 it can be merged into /usr/lib/systemd/system-preset/99-default-disable.preset. That would solve problem with enabling sockets.
But we would need to also start socket in %post scriptlet. I could not see anything related in packaging guidelines. And just 2/3 spec files in fedora start sockets in scriptlets (snapd, lvm2 and partially libvirt) @sgallagher, you should know whether it is allowed to start sockets :-) """
See the full comment at https://github.com/SSSD/sssd/pull/244#issuecomment-299441914
sgallagher commented: """ @lslebodn @jhrozek
It is *not* permissible for any package to ship a preset file except for `fedora-release` and `fedora-release-$EDITION`. If you want to request sssd-kcm to be enabled by default, you can please file a ticket on [Bugzilla](https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&format=fedora-s...) (using that link, as it has a template) and I will merge the request into `fedora-release`.
Also, do *not* attempt to start the socket in `%post` because this will break things if you're running in an installer environment (and there's no reliable way to detect when you are or are not in the installer environment).
A better workaround for now might be to have the `sssd.service` unit declare `Wants=sssd-kcm.socket` (which does not fail if sssd-kcm.socket is not installed or masked). """
See the full comment at https://github.com/SSSD/sssd/pull/244#issuecomment-299492374
lslebodn commented: """
> A better workaround for now might be to have the sssd.service unit declare Wants=sssd-kcm.socket (which does not fail if sssd-kcm.socket is not installed or masked).
sssd-kcm can work without sssd.service. Wants is not a solution because sssd.service needn't run. sssd-kcm and sssd are two independent daemons.
> Also, do not attempt to start the socket in %post because this will break things if you're running in an installer environment (and there's no reliable way to detect when you are or are not in the installer environment).
sssd-kcm would not be installed by default. So this would not be a problem for anaconda. And we just need a temporary solution until it will be properly tested. Then it can be enabled by default in f27. """
See the full comment at https://github.com/SSSD/sssd/pull/244#issuecomment-299507197
sgallagher commented: """ @lslebodn "sssd-kcm would not be installed by default" is not something you can guarantee. People can put it in their kickstarts and then problems happen.
Enabling services in %post is _forbidden_ in Fedora. Do not do it. For testing purposes, just tell end-users to call `systemctl [start|enable] sssd-kcm.service` manually. """
See the full comment at https://github.com/SSSD/sssd/pull/244#issuecomment-299510819
lslebodn commented: """ I do not want to enable service but I would like to enable sssd-{kcm,secrets} socket and packaging guidelines say:
> Only services that meet the criteria below **are permitted** to be enabled by default **on package installation**.
> For the purposes of this document, a "service" is defined as one or more of:
> * A daemon or process started using a systemd service unit.
> * A daemon or process that is invoked by socket activation, either by using a systemd socket unit, D-BUS activation or similar behavior.
> * A systemd timer unit that runs periodically.
and sssd-kcm is a socket-activated service
BTW I can see cca 30-times `systemctl enable` in fedora spec files: exim, yum-cron ... And they enable services and not sockets """
See the full comment at https://github.com/SSSD/sssd/pull/244#issuecomment-299518158
sgallagher commented: """ @lslebodn That page lists the criteria for things that are allowed to bypass FESCo and just be added to the fedora-release presets. As I said: if you want it added to that list, just file a BZ ticket as I described above and I will process it. Just do not attempt to play with the defaults in the spec file. That is not the correct approach.
As far as the packages that are calling `systemctl enable`, those are bugs. Most of them predate the creation of the proper systemd packaging macros. We're working to clean those up as we find them. If you have a list of them, please file a BZ against 'distribution'. """
See the full comment at https://github.com/SSSD/sssd/pull/244#issuecomment-299525170
URL: https://github.com/SSSD/sssd/pull/244 Author: lslebodn Title: #244: KCM: Modify krb5 snippet file kcm_default_ccache Action: synchronized
URL: https://github.com/SSSD/sssd/pull/244 Author: lslebodn Title: #244: KCM: Modify krb5 snippet file kcm_default_ccache Action: synchronized
jhrozek commented: """ This version is more distro-agnostic and the instructions in the snippet work well. ACK, """
See the full comment at https://github.com/SSSD/sssd/pull/244#issuecomment-317671276
Label: +Accepted
jhrozek commented: """ * master: 614545382c4ac75d85fb8c80917cc675bc0ec580 """
See the full comment at https://github.com/SSSD/sssd/pull/244#issuecomment-317674437
URL: https://github.com/SSSD/sssd/pull/244 Author: lslebodn Title: #244: KCM: Modify krb5 snippet file kcm_default_ccache Action: closed
Label: +Pushed
sssd-devel@lists.fedorahosted.org