krb5kdc[27833]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system

Bug #1874915 reported by Chris Moody
This bug affects 2 people
Affects: freeipa (Ubuntu)  Status: Triaged  Importance: Medium  Assigned to: Unassigned

Bug Description

Hopefully this can trivially be corrected.

Seems the systemd service file for the kerberos portion of freeipa could use a minor tweak.

When restarting the kerberos service, it (incorrectly) reports that the default configured log file (/var/log/krb5kdc.log) is sending to a "read only filesystem". This is a misleading error, since the /var/log directory by default -IS- writeable, but systemd is in fact preventing the daemon from writing. Why systemd can't inject itself inappropriately and report that it's causing the trouble is another conversation. ;) [not personally a systemd fan]

File:
=====
/lib/systemd/system/krb5-kdc.service

Command:
=====
service krb5-kdc restart

Error:
=====
krb5kdc[27833]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system

Please make the following adjustment to the default systemd file.
=====
13c13
< ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run
---
> ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run /var/log
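Review bot: the proposed edit targets the packaged unit at /lib/systemd/system/krb5-kdc.service, which the next krb5 package upgrade overwrites, and it widens the sandbox of every krb5-kdc install to all of /var/log even where the KDC still logs to syslog and never touches that tree. Since the FILE:/var/log/krb5kdc.log target comes from the logging configuration that FreeIPA writes, the matching grant belongs in a drop-in shipped alongside that configuration, e.g. /etc/systemd/system/krb5-kdc.service.d/10-logfile.conf containing `[Service]` and `ReadWritePaths=/var/log`; for list-valued settings a drop-in assignment appends to the packaged list, so the original directive need not be repeated. Note also that ReadWriteDirectories= was renamed to ReadWritePaths= in systemd 231; the old spelling is still accepted, but new additions should use the current name.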

Thank you for all the help and support. :)

Cheers,
-Chris

Timo Aaltonen (tjaalton)
affects: freeipa (Ubuntu) → krb5 (Ubuntu)
Sam Hartman (hartmans) wrote: Re: [Bug 1874915] Re: krb5kdc[27833]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system

I'm going to push back on the reassignment to krb5. I think this is a freeipa bug. Kerberos's systemd service unit is correct for Kerberos. freeipa is the one that is deciding it wants to change the Kerberos logging configuration, and thus is the one that should adjust the permissions. Honestly I'd rather see this fixed by freeipa not messing around with Kerberos configs so much, but especially not logging config.

Andreas Hasenack (ahasenack) wrote:

In general I tend to agree with Sam. A config was changed (kdc logging to a file in /var/log/), and for it to work fully another config needs to be changed (systemd). FreeIPA (who made the first change) can easily create a systemd override for this.

That being said, it's not super unreasonable for a user, after reading the kdc.conf(8) manpage, to expect logging to a file in /var/log to work. Were the logfile in, say, /var/adm, or some other nonexistent directory, I can easily see how that would require further configuration, but not /var/log. That I find a bit unexpected.

I would however generally recommend to use SYSLOG and the AUTH facility, that would seem to offer better integration.
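As an added example (not code from the bug report, krb5, FreeIPA or Ubuntu), the following Python script makes the mismatch described in the report and in Andreas's comment checkable before the daemon is restarted: it collects the ReadWritePaths=/ReadWriteDirectories= grants from a unit and any drop-ins, reads the FILE: targets from a kdc.conf [logging] stanza, and reports every log file that falls outside all granted paths. The unit excerpt, the kdc.conf stanzas and the drop-in are constructed stand-ins that mirror the report rather than copies of the packaged files, and the drop-in name /etc/systemd/system/krb5-kdc.service.d/10-logfile.conf is an assumption. The SYSLOG stanza is included to show why the syslog recommendation needs no sandbox change at all.

```python
"""Check that every FILE: logging target in a kdc.conf lies inside the
writable paths a systemd unit (plus its drop-ins) grants to the service.

Added example for this bug thread; not code from krb5, FreeIPA or Ubuntu.
All inputs below are constructed to mirror the report, not copied from
the packages."""
import os

# Constructed stand-in for /lib/systemd/system/krb5-kdc.service, reduced
# to the directive that matters here (the real unit has many more lines).
KRB5_KDC_UNIT = """\
[Service]
ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run
"""

# Constructed FreeIPA-style [logging] stanza: files under /var/log.
KDC_CONF_FILE_LOGGING = """\
[logging]
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
"""

# Constructed stanza following the syslog recommendation (no file path).
KDC_CONF_SYSLOG = """\
[logging]
 kdc = SYSLOG:INFO:AUTH
"""

# Constructed drop-in; an assumed name would be
# /etc/systemd/system/krb5-kdc.service.d/10-logfile.conf
DROPIN = """\
[Service]
ReadWritePaths=/var/log
"""

# ReadWriteDirectories= is the pre-231 spelling of ReadWritePaths=.
_RW_DIRECTIVES = ("ReadWritePaths", "ReadWriteDirectories")


def writable_paths(*unit_texts: str) -> list[str]:
    """Paths granted by ReadWritePaths=/ReadWriteDirectories= across a unit
    and its drop-ins, in order. A leading '-' (ignore if missing) or '+'
    (resolve from host root) is stripped; an empty assignment resets the
    list, as systemd does for list-valued settings."""
    paths: list[str] = []
    for text in unit_texts:
        for line in text.splitlines():
            line = line.strip()
            if "=" not in line or line.startswith(("#", ";")):
                continue
            key, _, value = line.partition("=")
            if key.strip() not in _RW_DIRECTIVES:
                continue
            if not value.strip():
                paths = []
                continue
            for p in value.split():
                paths.append(os.path.normpath(p.lstrip("-+")))
    return paths


def log_targets(kdc_conf: str) -> list[tuple[str, str]]:
    """(entity, target) pairs from the [logging] stanza of a kdc.conf."""
    targets = []
    in_logging = False
    for raw in kdc_conf.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_logging = line == "[logging]"
            continue
        if in_logging and "=" in line:
            name, _, value = line.partition("=")
            targets.append((name.strip(), value.strip()))
    return targets


def _inside(path: str, root: str) -> bool:
    """True when path equals root or is below it."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def unwritable_log_files(kdc_conf: str, *unit_texts: str) -> list[str]:
    """FILE:/DEVICE: targets whose path no granted path covers. SYSLOG:,
    CONSOLE and STDERR targets need no filesystem grant and are skipped."""
    granted = writable_paths(*unit_texts)
    missing = []
    for _entity, target in log_targets(kdc_conf):
        kind, _, path = target.partition(":")
        if kind not in ("FILE", "DEVICE"):
            continue
        if not any(_inside(path, root) for root in granted):
            missing.append(path)
    return missing


if __name__ == "__main__":
    # Packaged unit alone: both /var/log files are outside the grants.
    print(unwritable_log_files(KDC_CONF_FILE_LOGGING, KRB5_KDC_UNIT))
    # With the drop-in appended: nothing missing.
    print(unwritable_log_files(KDC_CONF_FILE_LOGGING, KRB5_KDC_UNIT, DROPIN))
    # Syslog target: nothing to grant.
    print(unwritable_log_files(KDC_CONF_SYSLOG, KRB5_KDC_UNIT))
```

The check covers only the mount-namespace grant, which is what produces the "Read-only file system" error when a setting such as ProtectSystem= has made the tree read-only; the service user still needs ordinary write permission on the file itself. For list-valued settings such as ReadWritePaths= a drop-in assignment appends to the packaged value, which is why the drop-in adds /var/log without restating the original list.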

Lucas Kanashiro (lucaskanashiro) wrote:

I agree with Sam and Andreas, we should not change the krb5kdc systemd unit file because of freeipa. I am assigning this bug back to freeipa.

affects: krb5 (Ubuntu) → freeipa (Ubuntu)
Changed in freeipa (Ubuntu):
status: New → Triaged
importance: Undecided → Medium