[OpenAFS] Scripts for cleaning tokens/pags
Neulinger, Nathan R.
nneul@umr.edu
Thu, 14 Dec 2000 15:22:22 -0600
FYI - I accidentally sent these from the wrong window... If you have any
questions about them, send them to nneul@umr.edu, as I won't see the replies
otherwise.
-- Nathan
> -----Original Message-----
> From: System Administrator [mailto:root@umr.edu]
> Sent: Thursday, December 14, 2000 8:56 AM
> To: openafs-info@openafs.org; info-afs@transarc.com
> Subject: [OpenAFS] Scripts for cleaning tokens/pags
>
>
> These are two scripts we use on machines with the following criteria:
>
> a. Lots of authentications that involve tokens - this in our
> case does
> _NOT_ include POP and IMAP servers, those are krb5 only, and
> do not get
> tokens, however, they _DO_ include telnet logins, netatalk-afpd, and
> samba.
>
> b. Setup such that tokens don't go away in general. In the
> case of telnet
> sessions, people often leave stuff running in background - having the
> tokens go away would cause a problem.
>
> c. (HP-UX) Tokens are not owned by userids that don't match
> their afsid.
> (This is a limitation of HP-UX, I have no way of determining the pags
> that are in use by a process.) On linux, /proc can be used to
> determine all
> active pags from processes that are running.
>
> ----
>
> For reference, if you run this script on a machine that is
> overly bogged
> down by pags currently - it will likely appear to lock up the
> machine for
> a few seconds as it collapses a huge in-kernel hash into a
> tiny one after
> you've cleared out all the old tokens.
>
> I'm sure someone could improve this immensely by triggering the unlog
> system call from perl directly instead of system("unlog");
>
> ---
>
> The way the scripts work is, using kdump, they retrieve a
> list of all the
> pags in the kernel hash, they they attempt to determine which
> of those
> pags contain tokens that need to be kept. (In the case of the hpux10
> script, that means 'the userid associated with this afsid for
> this token
> has processes running on the machine.) (In the case of linux,
> that means
> 'a process exists in this pag'.) it then loops through all
> those pags,
> putting the script into that pag temporarily (setgroups) and
> issuing unlog.
>
> ---
>
> Note - this is necessary even on the most current afs for
> linux, as it
> still does not do garbage collection of tokens/pags.
>
> -- Nathan
>