[OpenAFS] Re: k5start and AFS tokens

Andrew Deason adeason@sinenomine.net
Tue, 30 Sep 2014 15:55:52 -0500

On Tue, 30 Sep 2014 20:56:35 +0200
Jaap Winius <jwinius@umrk.nl> wrote:

> In the meantime, I still get the most consistent results by using two
> separate start-stop-daemon invocations. I understand that this is not
> ideal, since now the script will start the long-term daemon even if
> k5start fails before it, but right now I don't have a better solution.

I haven't read through this thread too closely, but it doesn't seem like
you've been given much of a concrete explanation of how you're supposed
to change a daemon startup invocation to a k5start-ified one. (But there
has been a lot of attempted explanation of what's going on or why
something doesn't work.)

So I'm not going to answer your immediate question, but just to try to
maybe help illustrate:

If you have an init script that at some point runs some long-running
command in the foreground (after forking etc), like:

    /usr/sbin/whateverd --foreground

You should replace that with:

    k5start -f /whatever.keytab -U --other-options -- /usr/sbin/whateverd --foreground

(or /usr/bin/k5start, or $K5START or something)

But if the init script runs some command that daemonizes itself (it
forks, detaches, etc), you need to replace this:

    /usr/sbin/whateverd --daemonize

with something like:

    k5start -b -f /whatever.keytab -U --other-options -- /usr/sbin/whateverd --foreground

Note the '-b' option for k5start, and changing the whateverd invocation
from '--daemonize' to '--foreground'. If the long-running process does
not have a way of running in the foreground, I don't think you can do
this the 'proper' way that people have been suggesting.

And of course, all of this is just the arguably 'proper' way to use
k5start; that is, to wrap another command. You can just run k5start
separately and be decoupled from the other process, as I think you are
doing, and other people do do that. It's just not the "best" way to do
it (at least, according to some/most).

Also, if you want more feedback or more eyes on this or anything, you
can try mailing the kerberos list, since this isn't really AFS-specific.
I don't mean to say that this thread is inappropriate for here, but
just that that's another place to try if you wanted. Others may be more
used to answering questions like this there, and Russ would see it
there (iirc he doesn't read this list, or will not be reading it for

Andrew Deason
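
The two wrapped invocations from the message above, written out as init-script helpers so that a failed k5start prevents the daemon from starting. This is an added example, not part of the original message or of kstart: whateverd, its --foreground flag and /whatever.keytab are the message's placeholders, the pidfile paths and the keytab permission check are assumptions, and -t, -L, -p and -c are k5start options standing in for --other-options.

```shell
#!/bin/sh
# Added example: whateverd, the keytab path and the pidfile names are assumptions.
K5START=${K5START:-/usr/bin/k5start}
DAEMON=${DAEMON:-/usr/sbin/whateverd}
KEYTAB=${KEYTAB:-/whatever.keytab}
RUNDIR=${RUNDIR:-/var/run}

# Refuse to start if the keytab is missing or group/other have any access to it.
check_keytab() {
    [ -r "$KEYTAB" ] || { echo "keytab $KEYTAB not readable" >&2; return 1; }
    case "$(ls -ld "$KEYTAB")" in
        ????------*) return 0 ;;
        *) echo "keytab $KEYTAB is accessible to group/other" >&2; return 1 ;;
    esac
}

# k5_wrap fg|bg: run whateverd in the foreground under k5start.
#   -f/-U  authenticate from the keytab as the principal stored in it
#   -t     run aklog after obtaining tickets (AFS token)
#   -L     send k5start's own errors to syslog
k5_wrap() {
    mode=$1
    set -- -f "$KEYTAB" -U -t -L
    if [ "$mode" = bg ]; then
        # -b detaches k5start and the daemon; -p/-c record both PIDs.
        set -- -b -p "$RUNDIR/k5start-whateverd.pid" -c "$RUNDIR/whateverd.pid" "$@"
    fi
    "$K5START" "$@" -- "$DAEMON" --foreground
}

do_start() {
    check_keytab || return 1
    # Per the k5start man page, -b detaches only after the first
    # authentication attempt, so a failure here means no daemon was started.
    k5_wrap bg || { echo "k5start failed, whateverd not started" >&2; return 1; }
}

case "${1:-}" in
    start) do_start ;;                       # daemonizing init script
    run)   check_keytab && k5_wrap fg ;;     # supervisor that wants a foreground process
esac
```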