[OpenAFS] mod_waklog question

Jason Edgecombe jwedgeco@uncc.edu
Tue, 11 Jul 2017 08:56:17 -0400


Hi Andreas,

Getting systemd, apache, and kstart to play nice took a little bit of work.
I have included a sanitized copy of my Apache systemd unit file. Be sure to
modify the ExecStart line to have the correct keytab location and principal
name.

I have NOT tested this in SELinux enforcing mode, so beware.

I think that kstart does create a new PAG, but I'm not certain. Be sure to
verify that by running bash via kstart, then running "id" to see if an
extra high-numbered numeric group appears. If no new PAG is created, then
you might play with the pagsh command.

Sincerely,
Jason

----------------------------cut----------------------------
[Unit]
# customized unit file to start apache with a kerberos keytab
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
Documentation=man:httpd(8)
Documentation=man:apachectl(8)

[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/httpd
ExecStart=/usr/bin/k5start -o apache -K30 -f /etc/httpd.keytab httpd-principal-name -- /usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
ExecStop=/bin/kill -WINCH ${MAINPID}
# We want systemd to give httpd some time to finish gracefully, but still want
# it to kill httpd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, systemd sends the SIGTERM signal right after the
# ExecStop, which would kill httpd. We are sending a useless SIGCONT here to give
# httpd time to finish.
KillSignal=SIGCONT

# allow k5start child processes (i.e. apache) to notify systemd that it's up
NotifyAccess=all
PrivateTmp=false

[Install]
WantedBy=multi-user.target
----------------------------cut----------------------------

---------------------------------------------------------------------------
Jason Edgecombe | Linux Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-1943
jwedgeco@uncc.edu | http://engr.uncc.edu |  Facebook
---------------------------------------------------------------------------
If you are not the intended recipient of this transmission or a person
responsible for delivering it to the intended recipient, any disclosure,
copying, distribution, or other use of any of the information in this
transmission is strictly prohibited. If you have received this transmission
in error, please notify me immediately by reply e-mail or by telephone at
704-687-1943.  Thank you.

On Tue, Jul 11, 2017 at 4:44 AM, Andreas Ladanyi <andreas.ladanyi@kit.edu>
wrote:

>
> mod_waklog is meant to be used as an .htaccess-style mechanism to let
> users supply credentials via a web browser so that apache can use those
> credentials to access user files. In this case, the apache process switches
> between multiple AFS users and the tokens only need to live for the brief
> life of the http request/session.
>
> Your timeout issues suggest that you are running apache with long-running
> tokens as a single user and those tokens need to be automatically renewed.
> If you're using this "apache needs persistent AFS access via a service
> account" use case, then you need to use k5start and a local keytab:
> https://www.eyrie.org/~eagle/software/kstart/k5start.html
>
> Ok. So I have to add k5start [options] ...... /usr/bin/httpd ..... in the
> default systemd start script from apache.
>
> Something like:
>
> ExecStart=/usr/bin/k5start -b -t -k /tmp/k5start_httpd -f keytab -K 10 -l
> 10h principal_from_keytab /usr/sbin/httpd $OPTIONS -DFOREGROUND
>
> If I understand it correctly the k5start will take a new TGT, create a new
> PAG and call aklog to get an AFS token which is put into the PAG of the
> parent process.
>
> So I have to play with the flags -b, -K, -t
>
> Does kinit/k5start or aklog create a new PAG in general? I would
> say aklog.
>
>
> k5start is available in EPEL. I think there are debian packages as well.
>
> Jason
>
>
>
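The PAG check Jason suggests (run `id` under kstart and look for an extra high-numbered numeric group) is easy to get wrong by eye, so here is an added POSIX sh helper that does the comparison mechanically. This is example code written for this page, not part of the thread or of the kstart or OpenAFS projects. It assumes two captures of `id -G`, one taken normally and one taken via `k5start ... -- id -G`; the sample group lists, the gid 1090519041 and the 65536 threshold for "high-numbered" are constructed for the demonstration and are not values from the list post.

```shell
#!/bin/sh
# Added example: verify whether running a command under k5start landed it in
# a new PAG, using the "extra high-numbered group in id output" heuristic.
# Real usage (assumed invocation, adjust keytab and principal):
#   before=$(id -G)
#   after=$(k5start -f /etc/httpd.keytab httpd-principal-name -- id -G)
#   pag_created "$before" "$after"

# Print every gid present in the "after" list but absent from "before".
# $1 = space-separated gids before, $2 = space-separated gids after.
new_groups() {
    before=$1
    after=$2
    for g in $after; do
        seen=0
        for h in $before; do
            [ "$g" = "$h" ] && seen=1
        done
        [ "$seen" -eq 0 ] && printf '%s\n' "$g"
    done
    return 0
}

# Print gids at or above a threshold. A PAG shows up as an unusually large
# numeric gid; the default threshold 65536 is an assumption for this example,
# chosen to sit above gids a site would normally assign to real groups.
high_gids() {
    thr=${2:-65536}
    for g in $1; do
        [ "$g" -ge "$thr" ] && printf '%s\n' "$g"
    done
    return 0
}

# Report "pag" if a new high-numbered gid appeared, otherwise "nopag".
# A "nopag" result is the cue to wrap the command in pagsh instead.
pag_created() {
    added=$(new_groups "$1" "$2")
    if [ -n "$(high_gids "$added")" ]; then
        echo pag
    else
        echo nopag
    fi
}

# Constructed sample outputs of `id -G` (not captured from a real host).
SAMPLE_BEFORE="48 0"
SAMPLE_AFTER_PAG="48 0 1090519041"
SAMPLE_AFTER_NOPAG="48 0"

printf 'with PAG:    %s\n' "$(pag_created "$SAMPLE_BEFORE" "$SAMPLE_AFTER_PAG")"
printf 'without PAG: %s\n' "$(pag_created "$SAMPLE_BEFORE" "$SAMPLE_AFTER_NOPAG")"
```

Run the two `id -G` captures as the same account the unit file uses (the `-o apache` user), since a different account would add or drop ordinary groups and produce false "new group" hits.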
