[OpenAFS-devel] Accommodating daemons

Erik Osterman e@osterman.com
Thu, 23 Nov 2006 01:49:34 -0800


I have a question I've seen asked many times before. My problem is, I 
haven't been able to find a solution that works for us.

Scenario: a cluster of VMs assigned dynamic IPs from shared networks, 
where each VM is a closed system running daemons that need access to a 
private OpenAFS cell.  We are unable to grant access based on subnets, 
since any subnet other than /32 cannot be trusted on the shared network.

One solution I've seen is to wrap the process with an aklog system call 
to obtain a token. Problem with this is that the token expires after a 
maximum of 100 hours, which means every 100 hours we must restart the 
processes on the node. If the daemon process forks off another process, 
I'm not sure if the token is inherited; moreover, if these are CGIs it 
might be non-trivial to add the token request.

The other solution I've seen is to create users based on IPs or subnets. 
This seems closest to what we want, however, doesn't work well (meaning, 
requires admin intervention) when you want to grant IP/32 ACLs to 
dynamic IPs. It would require custom scripting to accommodate.

A solution I haven't heard mentioned is to run OpenAFS over a VPN, 
whereby the trusted network IPs can be guaranteed. I am less eager to 
implement this solution.

Since our machines are closed and mostly locked down, if I had it my 
way, I'd have some sort of token that never expired (which doesn't 
appear possible) and is available to any process running under any UID 
on the server. Is there any solution close to this that can be implemented?



Optimistically,

Erik Osterman
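As an added example (not part of Erik's post or of OpenAFS itself), the aklog wrapper approach the message describes, with the two gaps it raises handled: the daemon runs inside a PAG, so processes it forks share the same token, and the token is refreshed from a Kerberos keytab before it expires instead of restarting the daemon. It assumes the OpenAFS client tools pagsh, kinit and aklog are installed and that a keytab for a service principal exists; the keytab path, principal and script name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Keeps a long-running daemon
# supplied with an AFS token: started inside a PAG, the daemon and anything
# it forks share one token, and re-running aklog from a keytab before the
# token expires refreshes it for the whole PAG, so no restart is needed.
# Start it as:  pagsh -c './afs-supervise.sh /path/to/daemon args...'
# Keytab path and principal below are assumed values; replace them.
KEYTAB="${KEYTAB:-/etc/afs-daemon.keytab}"
PRINCIPAL="${PRINCIPAL:-daemon/host.example.com@EXAMPLE.COM}"
RENEW_SECS="${RENEW_SECS:-21600}"   # renew every 6h, well inside the 100h cap
TICK_SECS="${TICK_SECS:-60}"        # how often to check whether the daemon ended

# Get a fresh Kerberos TGT from the keytab and convert it into an AFS token.
renew_token() {
    kinit -k -t "$KEYTAB" "$PRINCIPAL" && aklog
}

# Run "$@" as the daemon, renewing the token while it lives.
# Returns the daemon's own exit status.
supervise() {
    renew_token || { echo "initial token acquisition failed" >&2; return 1; }
    status_file=$(mktemp) || return 1
    # Record the daemon's exit status in a file; a subshell with set +e so a
    # failing daemon cannot abort the recorder under a caller's set -e.
    ( set +e; "$@"; echo "$?" > "$status_file" ) &
    elapsed=0
    while [ ! -s "$status_file" ]; do
        sleep "$TICK_SECS"
        elapsed=$((elapsed + TICK_SECS))
        if [ "$elapsed" -ge "$RENEW_SECS" ]; then
            # Not fatal: the current token stays valid until its own expiry,
            # so a failed renewal is logged and retried on the next cycle.
            renew_token || echo "token renewal failed; will retry" >&2
            elapsed=0
        fi
    done
    wait                      # make sure the status has been written
    rc=$(cat "$status_file")
    rm -f "$status_file"
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    supervise "$@"
fi
```

Because the token belongs to the PAG rather than to a UID, any process the daemon spawns (CGIs included) uses it without making its own token request.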