[OpenAFS-devel] Accommodating daemons

Russ Allbery rra@stanford.edu
Thu, 23 Nov 2006 11:40:35 -0800


Erik Osterman <e@osterman.com> writes:

> I have a question I've seen asked many times before. My problem is, I
> haven't been able to find a solution that works for us.

> Scenario: a cluster of VMs assigned dynamic IPs from shared networks,
> where each VM is a closed system running daemons that need access to a
> private OpenAFS cell.  We are unable to grant access based on subnets,
> since any subnet other than /32 cannot be trusted on the shared network.

> One solution I've seen is to wrap the process with an aklog system call
> to obtain a token. Problem with this is that the token expires after a
> maximum of 100 hours, which means every 100 hours we must restart the
> processes on the node. If the daemon process forks off another process,
> I'm not sure if the token is inherited; moreover, if these are CGIs it
> might be non-trivial to add the token request.

This is the reason why we wrote kstart at Stanford.  See:

    <http://www.eyrie.org/~eagle/software/kstart/>

and:

    <http://www.stanford.edu/services/afs/sysadmin/userguide/web-pages.html>

for some somewhat older documentation on various approaches.  Since then,
I've added to kstart the ability to run a command given on its command
line in a PAG with AFS tokens, which is a better solution in many cases.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
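As an added illustration of the approach Russ describes (kstart running a daemon in its own PAG with tokens it keeps renewed), not code from the thread or from the kstart project itself: a small wrapper script. It assumes the k5start options -f (keytab), -U (principal taken from the keytab), -t (run aklog after each authentication) and -K (re-authenticate every N minutes), plus a constructed keytab path and daemon path; none of these appear in the original message. The interval check uses the 100-hour token maximum quoted in the question (6000 minutes) as the upper bound.

```shell
#!/bin/sh
# Added example (not from the original post or from kstart): run a daemon under
# k5start so it lives in its own PAG and its AFS token is refreshed from a
# keytab for as long as the daemon runs. Assumed (not on the page): the k5start
# flags -f/-U/-t/-K, the keytab path and the daemon path below.

KEYTAB="${KEYTAB:-/etc/afs-daemon.keytab}"      # constructed path
RENEW_MINUTES="${RENEW_MINUTES:-60}"            # re-authenticate hourly
TOKEN_MAX_MINUTES=6000                          # 100 hours, from the question

# Build the k5start command line as a string without executing it, so the
# policy (which keytab, how often to renew) can be inspected on its own.
build_k5start_cmd() {
    keytab="$1"; renew="$2"; shift 2
    # -f: keytab to authenticate from
    # -U: take the principal name from the keytab
    # -t: run aklog after each (re)authentication, refreshing the AFS token
    # -K: re-authenticate every N minutes while the command is running
    # --: everything after this is the daemon and its arguments
    printf '%s' "k5start -f $keytab -U -t -K $renew --"
    for arg in "$@"; do printf ' %s' "$arg"; done
}

# The renewal interval must be a positive whole number of minutes and shorter
# than the token lifetime; otherwise the daemon would run with an expired token
# between refreshes, which is exactly the failure the question describes.
check_interval() {
    renew="$1"; lifetime="$2"
    case "$renew" in ''|*[!0-9]*) return 1 ;; esac
    [ "$renew" -gt 0 ] && [ "$renew" -lt "$lifetime" ]
}

# Replace this shell with k5start, which in turn starts the daemon in a PAG.
# Inherited tokens then belong to the PAG, so forked children (CGIs included)
# share them without each having to call aklog themselves.
run_daemon() {
    if ! check_interval "$RENEW_MINUTES" "$TOKEN_MAX_MINUTES"; then
        echo "RENEW_MINUTES must be an integer between 1 and $TOKEN_MAX_MINUTES" >&2
        return 1
    fi
    exec k5start -f "$KEYTAB" -U -t -K "$RENEW_MINUTES" -- "$@"
}

# Only start the daemon when explicitly asked, so the script can be sourced
# (for example by an init script) without side effects.
if [ "${AFS_WRAPPER_RUN:-0}" = 1 ]; then
    run_daemon "${DAEMON:-/usr/local/sbin/mydaemon}"   # constructed daemon path
fi
```

Typical use from an init script is `AFS_WRAPPER_RUN=1 DAEMON=/path/to/daemon sh afs-wrapper.sh`; the keytab should be readable only by the account the daemon runs as, since anyone who can read it can obtain the same tokens.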