[freeipa PR#5337][opened] [Backport][ipa-4-8] systemd: enforce en_US.UTF-8 locale in systemd units
by abbra
URL: https://github.com/freeipa/freeipa/pull/5337
Author: abbra
Title: #5337: [Backport][ipa-4-8] systemd: enforce en_US.UTF-8 locale in systemd units
Action: opened
PR body:
"""
Python code does detection of the system encoding based on the locale
settings. On RHEL 8.4 development images we somehow get LANG=en_US which
defaults to iso8859-1 _inside_ the systemd-started service, even though
the whole environment defaults to LANG=en_US.UTF-8.
When instrumented with ExecStartPre=/usr/bin/locale, the following
output can be seen:
locale[45481]: LANG=en_US
locale[45481]: LC_CTYPE="en_US"
locale[45481]: LC_NUMERIC="en_US"
locale[45481]: LC_TIME="en_US"
locale[45481]: LC_COLLATE="en_US"
locale[45481]: LC_MONETARY="en_US"
locale[45481]: LC_MESSAGES="en_US"
locale[45481]: LC_PAPER="en_US"
locale[45481]: LC_NAME="en_US"
locale[45481]: LC_ADDRESS="en_US"
locale[45481]: LC_TELEPHONE="en_US"
locale[45481]: LC_MEASUREMENT="en_US"
locale[45481]: LC_IDENTIFICATION="en_US"
locale[45481]: LC_ALL=
ipactl[45483]: Unexpected error
ipactl[45483]: SystemEncodingError: System encoding must be UTF-8, 'iso8859-1' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".
systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE
Set the environment to explicit LC_ALL=C.UTF-8 to please the Python
code. FreeIPA server side only cares about actual encoding, not the
language itself. We already use LC_ALL=C.UTF-8 in httpd service snippet.
Fixes: https://pagure.io/freeipa/issue/8617
Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com>
Reviewed-By: Thomas Woerner <twoerner(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5337/head:pr5337
git checkout pr5337
3 years, 5 months
[freeipa PR#5334][opened] systemd: enforce en_US.UTF-8 locale in systemd units
by abbra
URL: https://github.com/freeipa/freeipa/pull/5334
Author: abbra
Title: #5334: systemd: enforce en_US.UTF-8 locale in systemd units
Action: opened
PR body:
"""
Python code does detection of the system encoding based on the locale
settings. On RHEL 8.4 development images we somehow get LANG=en_US which
defaults to iso8859-1 _inside_ the systemd-started service, even though
the whole environment defaults to LANG=en_US.UTF-8.
When instrumented with ExecStartPre=/usr/bin/locale, the following
output can be seen:
```
locale[45481]: LANG=en_US
locale[45481]: LC_CTYPE="en_US"
locale[45481]: LC_NUMERIC="en_US"
locale[45481]: LC_TIME="en_US"
locale[45481]: LC_COLLATE="en_US"
locale[45481]: LC_MONETARY="en_US"
locale[45481]: LC_MESSAGES="en_US"
locale[45481]: LC_PAPER="en_US"
locale[45481]: LC_NAME="en_US"
locale[45481]: LC_ADDRESS="en_US"
locale[45481]: LC_TELEPHONE="en_US"
locale[45481]: LC_MEASUREMENT="en_US"
locale[45481]: LC_IDENTIFICATION="en_US"
locale[45481]: LC_ALL=
ipactl[45483]: Unexpected error
ipactl[45483]: SystemEncodingError: System encoding must be UTF-8, 'iso8859-1' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".
systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE
```
Set the environment to explicit LANG=en_US.UTF-8 to please the Python
code. FreeIPA server side only cares about actual encoding, not the
language itself.
Fixes: https://pagure.io/freeipa/issue/8617
Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5334/head:pr5334
git checkout pr5334
3 years, 5 months
[freeipa PR#5328][opened] Allow mod_auth_gssapi to create and access ccaches in /run/ipa/ccaches
by abbra
URL: https://github.com/freeipa/freeipa/pull/5328
Author: abbra
Title: #5328: Allow mod_auth_gssapi to create and access ccaches in /run/ipa/ccaches
Action: opened
PR body:
"""
With commit c6644b8566f747fa80e2c1925b79bad9f8c92bd7 we default to
create unique credential caches in /run/ipa/ccaches for every client
that connects to IPA with a new session. On F34, mod_auth_gssapi process
running as 'apache' cannot create the ccache in /run/ipa/ccaches because
it has no access rights.
The core of the problem is that we have two different paths to obtaining
a ccache: one where 'apache' running httpd process creates it directly
and one where an internal redirect from 'ipaapi' running httpd process
is happening.
Since /run/ipa/ccaches is a temporary directory created in /run which is
mounted as tmpfs, POSIX ACLs can be used to add 'apache' group
permission to create the ccaches.
When '/run/ipa/ccaches' has SGID bit, created files inside it would
automatically get 'ipaapi' group assigned. So all we need is to mark the
directory as 02770 (SGID bit).
Fixes: https://pagure.io/freeipa/issue/8613
Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5328/head:pr5328
git checkout pr5328
3 years, 5 months