[OpenAFS-devel] Accomodating daemons

Erik Osterman e@osterman.com
Sun, 26 Nov 2006 13:17:26 -0800 

Thank you all for the thoughtful responses I've been receiving. kstart 
seemed like the most secure solution, but ultimately, we've decided to 
go the OpenVPN route since other parts of our application would benefit 
from this private/secured network. We can always move to kstart once our 
architecture is more defined. OpenVPN was a snap to setup and I'm able 
to communicate over the network (10.0.0.0)

I am totally dumbfounded, however, why I am unable to get OpenAFS to 
communicate via the VPN 10.0.0.0; it always communicates via the public IP.

CellServDB:
 >ourdomain.com # Ourcompany
10.0.0.1    #ourmachine

ThisCell:
ourdomain.com

/usr/vice/etc/CellServDB is linked to /usr/afs/CellServDB
/usr/vice/etc/ThisCell is linked to /usr/afs/ThisCell

I am trying to connect 10.0.0.6 to 10.0.0.1, the AFS (1.4.2) server. I 
have purged the /usr/vice/cache directory. I have restarted the 
openafs-client. I have even rebooted the machine.

I ran,

pts createuser 10.0.0.0
pts adduser 10.0.0.0 -group ourgroup

If I list /afs/ourcompany.com from 10.0.0.6, I get permission denied.

If 1.2.3.4 is our public IP (on the same machine as 10.0.0.6), and I run

pts createuser 1.2.3.0
pts adduser 1.2.3.0 -group ourgroup

then list /afs/ourcompany.com it works as expected. This would mean that 
ourgroup is properly configured, but for some reason the OpenAFS client 
is not communicating using the 10 network.

If anyone has any ideas what could be happening here, I'd appreciate to 
hear from you!

Best Regards,

Erik Osterman


Russ Allbery wrote:
> Erik Osterman <e@osterman.com> writes:
>
>   
>> I have a question I've seen asked many times before. My problem is, I
>> haven't been able to find a solution that works for us.
>>     
>
>   
>> Scenario: a cluster of VMs assigned dynamic IPs from shared networks,
>> where each VM is a closed system running daemons that need access to a
>> private OpenAFS cell.  We are unable to grant access based on subnets,
>> since any subnet other than /32 cannot be trusted on the shared network.
>>     
>
>   
>> One solution I've seen is to wrap the process with an aklog system call
>> to obtain a token. Problem with this is that the token expires after a
>> maximum of 100 hours, which means every 100 hours we must restart the
>> processes on the node. If the daemon process forks off another process,
>> I'm not sure if the token is inherited; more over, if these are CGIs it
>> might be non-trvial to add the token request.
>>     
>
> This is the reason why we wrote kstart at Stanford.  See:
>
>     <http://www.eyrie.org/~eagle/software/kstart/>
>
> and:
>
>     <http://www.stanford.edu/services/afs/sysadmin/userguide/web-pages.html>
>
> for some somewhat older documentation on various approaches.  Since then,
> I've added to kstart the ability to run a command given on its command
> line in a PAG with AFS tokens, which is a better solution in many cases.
>
>