Bug 1432010
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | SSSD ships a drop-in configuration snippet in /etc/systemd/system | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Pazdziora (Red Hat) <jpazdziora> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Niranjan Mallapadi Raghavender <mniranja> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.3 | CC: | abokovoy, extras-qa, grajaiya, jhrozek, jpazdziora, lslebodn, mkosek, mzidek, pbrezina, pjagrut, pkulkarn, preichl, rharwood, sbose, sgoveas, ssorce, tscherf |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.16.0-6.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1431153 | Environment: | |
| Last Closed: | 2018-04-10 17:11:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Jan Pazdziora (Red Hat)
2017-03-14 10:08:21 UTC
(In reply to Jan Pazdziora from comment #0)
> +++ This bug was initially created as a clone of Bug #1431153 +++
>
> Description of problem:
>
> SSSD ships the following configuration snippet for the systemd service unit
> file:
>
> /etc/systemd/system/sssd.service.d/journal.conf
>
> Strictly speaking, /etc/systemd/system should only host whatever local
> configuration employed by system administrator and vendor-supplied
> configuration should go to /usr/lib/systemd/system or /run/systemd/system
> (see systemd.unit man page for more details).
>

This file does not change any behaviour. It is a template for users who want to enable logging to journald. This file is aimed for local configuration (to change default logging from files to journald). So location is correct.

```
sh$ grep journal.conf sssd.spec
%config(noreplace) %{_sysconfdir}/systemd/system/sssd.service.d/journal.conf

sh$ cat /etc/systemd/system/sssd.service.d/journal.conf
[Service]
# Uncomment *both* of the following lines to enable debug logging
# to go to journald instead of /var/log/sssd. You will need to
# run 'systemctl daemon-reload' and then restart the SSSD service
# for this to take effect
#ExecStart=
#ExecStart=/usr/sbin/sssd -i
```

> Apart from not adhering to these guidelines, these packaging issues also
> complicate containerization of services such as FreeIPA, which have to do a
> lot of unnecessary /etc/ scrubbing in order to provide a sane volume
> persistence model.
>

freeIPA complicates containerisation itself. It is not related to sssd. freeIPA container should use sssd-docker component and do not emulate virtual machine inside containers.

Anyway, you can simply remove this file after installation of package sssd-common.

Reason why we cannot this file in rhel is upgrade from rhel7.3 -> rhel7.4
sssd upstream changed type of service from forking -> to notify
https://pagure.io/SSSD/sssd/c/d4063e9a21a4e203bee7e0a0144fa8cabb14cc46
However, old recommendation from old journald.conf does not work correctly with Type notify.

After removing this file user will not get journald.conf.rpmnew with updated content
https://pagure.io/SSSD/sssd/c/7b4704a10958bb7d3390db9eff863875d2b643f7

(In reply to Lukas Slebodnik from comment #1)
> This file does not change any behaviour.

Then it shouldn't be there.

> It is a template for users who want to enable logging to journald.

Then it should be in documentation directory.

> freeIPA complicates containerisation itself. It is not related to sssd.

It is because /etc/systemd/system captures the configuration of the container, so it should live in data volume, and SSSD package forcing some content there is a complication.

> freeIPA container should use sssd-docker component and do not emulate
> virtual machine inside containers.

Oh come on. sssd-docker component uses the poor-man's systemctl approach, it's hardly an example for a solution which has dozen of daemons.

> Anyway, you can simply remove this file after installation of package
> sssd-common.

That's what we do as workaround in our Dockerfiles and that's what we'd like to stop doing.

> Reason why we cannot this file in rhel is upgrade from rhel7.3 -> rhel7.4
> sssd upstream changed type of service from forking -> to notify
> https://pagure.io/SSSD/sssd/c/d4063e9a21a4e203bee7e0a0144fa8cabb14cc46
> However, old recommendation from old journald.conf does not work correctly
> with Type notify.
>
> After removing this file user will not get journald.conf.rpmnew with updated
> content
> https://pagure.io/SSSD/sssd/c/7b4704a10958bb7d3390db9eff863875d2b643f7

And this is exactly why SSSD should ship this somewhere where it could be symlinked by the admin if they wish to do so, not something that the admin has to edit in place, fiddle with .rpmnew, etc.

(In reply to Jan Pazdziora from comment #3)
> (In reply to Lukas Slebodnik from comment #1)
> > This file does not change any behaviour.
>
> Then it shouldn't be there.
>

Many packages provide configuration files with commented out lines. For nicer user-experience.

> > It is a template for users who want to enable logging to journald.
>
> Then it should be in documentation directory.

Users will not notice change in files in documentation directory
https://pagure.io/SSSD/sssd/c/7b4704a10958bb7d3390db9eff863875d2b643f7
and files /usr cannot have "%config" attribute.

> > freeIPA container should use sssd-docker component and do not emulate
> > virtual machine inside containers.
>
> Oh come on. sssd-docker component uses the poor-man's systemctl approach,
> it's hardly an example for a solution which has dozen of daemons.
>

That's the point; freeIPA container should not use dozen of daemons. It should use different containers. But ipa-{server,client}-install ignores such use case.

> > Anyway, you can simply remove this file after installation of package
> > sssd-common.
>
> That's what we do as workaround in our Dockerfiles and that's what we'd like
> to stop doing.
>

That's not a solution. You should stop bundling sssd inside freeipa container. It's unnecessary duplicated content which is already in sssd-docker.

To verify, make sure the file /etc/systemd/system/sssd.service.d/journal.conf is not distributed.

*** Bug 1485329 has been marked as a duplicate of this bug. ***

Versions:
=======

```
sssd-ad-1.16.0-13.el7.x86_64
sssd-proxy-1.16.0-13.el7.x86_64
python-sssdconfig-1.16.0-13.el7.noarch
sssd-client-1.16.0-13.el7.x86_64
sssd-common-1.16.0-13.el7.x86_64
sssd-common-pac-1.16.0-13.el7.x86_64
sssd-ipa-1.16.0-13.el7.x86_64
sssd-krb5-1.16.0-13.el7.x86_64
sssd-1.16.0-13.el7.x86_64
sssd-krb5-common-1.16.0-13.el7.x86_64
sssd-ldap-1.16.0-13.el7.x86_64

[root@ipaqavme ~]# rpm -ql sssd-common | grep -i /etc/systemd/system
[root@ipaqavme ~]#
```

No Configuration or systemd snippet file found

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929
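
The verification step used in this report (`rpm -ql sssd-common | grep -i /etc/systemd/system`) can be turned into a reusable check with a pass/fail exit status. This is an added example, not part of the bug report or of SSSD's packaging; the function names are hypothetical and the two file lists are constructed samples in which only the `journal.conf` path comes from the report.

```shell
#!/bin/sh
# Audit a package file list for systemd content shipped in the
# administrator's directory (/etc/systemd/system) rather than the
# vendor directory (/usr/lib/systemd/system).

# Constructed sample in the one-path-per-line format `rpm -ql` prints:
# a package that still ships the drop-in discussed in this bug.
sample_before() {
    cat <<'EOF'
/etc/sssd
/etc/systemd/system/sssd.service.d
/etc/systemd/system/sssd.service.d/journal.conf
/usr/lib/systemd/system/sssd.service
/usr/sbin/sssd
EOF
}

# Constructed sample: the same package with the drop-in no longer shipped.
sample_after() {
    cat <<'EOF'
/etc/sssd
/usr/lib/systemd/system/sssd.service
/usr/sbin/sssd
EOF
}

# Read paths on stdin, print each one that lies below /etc/systemd/system
# (files and drop-in directories alike), and return 1 if any was found.
flag_admin_tier_units() {
    awk '
        index($0, "/etc/systemd/system/") == 1 { print "FLAG " $0; n++ }
        END { exit (n > 0) }
    '
}

# Print the number of flagged paths; always succeeds, so it is safe
# to call from scripts running under `set -e`.
count_flagged() {
    flag_admin_tier_units | grep -c '^FLAG ' || true
}

# Demo on the constructed samples. Against a real system the input would be:
#   rpm -ql sssd-common | flag_admin_tier_units
echo "before: $(sample_before | count_flagged) path(s) under /etc/systemd/system"
echo "after:  $(sample_after | count_flagged) path(s) under /etc/systemd/system"
```

In a container build or CI job, the non-zero exit status of `flag_admin_tier_units` can fail the step, replacing the manual cleanup of `/etc/systemd/system` in a Dockerfile with a check that the package no longer needs it.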