[OpenAFS] Scripts for cleaning tokens/pags

Neulinger, Nathan R. nneul@umr.edu
Thu, 14 Dec 2000 15:22:22 -0600


FYI - I accidentally sent these from the wrong window... If you have any
questions about them, send them to nneul@umr.edu, as I won't see the replies
otherwise.

-- Nathan

> -----Original Message-----
> From: System Administrator [mailto:root@umr.edu]
> Sent: Thursday, December 14, 2000 8:56 AM
> To: openafs-info@openafs.org; info-afs@transarc.com
> Subject: [OpenAFS] Scripts for cleaning tokens/pags
> 
> 
> These are two scripts we use on machines with the following criteria:
> 
> a. Lots of authentications that involve tokens - this in our case does
> _NOT_ include POP and IMAP servers, those are krb5 only, and do not get
> tokens, however, they _DO_ include telnet logins, netatalk-afpd, and
> samba.
> 
> b. Setup such that tokens don't go away in general. In the case of telnet
> sessions, people often leave stuff running in background - having the
> tokens go away would cause a problem.
> 
> c. (HP-UX) Tokens are not owned by userids that don't match their afsid.
> (This is a limitation of HP-UX, I have no way of determining the pags
> that are in use by a process.) On linux, /proc can be used to determine all
> active pags from processes that are running.
> 
> ----
> 
> For reference, if you run this script on a machine that is overly bogged
> down by pags currently - it will likely appear to lock up the machine for
> a few seconds as it collapses a huge in-kernel hash into a tiny one after
> you've cleared out all the old tokens.
> 
> I'm sure someone could improve this immensely by triggering the unlog 
> system call from perl directly instead of system("unlog");
> 
> ---
> 
> The way the scripts work is, using kdump, they retrieve a list of all the
> pags in the kernel hash, then they attempt to determine which of those
> pags contain tokens that need to be kept. (In the case of the hpux10
> script, that means 'the userid associated with this afsid for this token
> has processes running on the machine'.) (In the case of linux, that means
> 'a process exists in this pag'.) It then loops through all those pags,
> putting the script into that pag temporarily (setgroups) and issuing unlog.
> 
> ---
> 
> Note - this is necessary even on the most current afs for linux, as it
> still does not do garbage collection of tokens/pags.
> 
> -- Nathan
>
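
The Linux selection step described in the message (a pag is kept when a process exists in it), as an added example that is not the poster's script. It assumes the two-supplementary-group PAG encoding used by AFS clients of that period and that the PAG groups are the first two on the `Groups:` line of /proc/<pid>/status; the kernel pag list, which the scripts take from kdump, is a constructed stand-in because kdump's output format is not shown here, and all function names and sample values are hypothetical.

```python
import re

PAG_GID_BIAS = 0x3F00  # assumed offset the two-group scheme adds to each gid

def pag_from_groups(g0, g1):
    """Decode a PAG from the first two supplementary groups, or None."""
    g0 -= PAG_GID_BIAS
    g1 -= PAG_GID_BIAS
    if not (0 <= g0 < 0xC000 and 0 <= g1 < 0xC000):
        return None
    low = ((g0 & 0x3FFF) << 14) | (g1 & 0x3FFF)
    high = (g1 >> 14) + 3 * (g0 >> 14)
    pag = ((high << 28) | low) & 0xFFFFFFFF
    # A real PAG carries the byte 'A' (0x41) on top; anything else is an
    # ordinary pair of groups that merely falls in the same gid range.
    return pag if (pag >> 24) == 0x41 else None

def active_pags(status_texts):
    """Collect PAGs from the 'Groups:' line of /proc/<pid>/status texts."""
    found = set()
    for text in status_texts:
        m = re.search(r"^Groups:[ \t]*(.*)$", text, re.MULTILINE)
        gids = [int(g) for g in m.group(1).split()] if m else []
        if len(gids) >= 2:
            pag = pag_from_groups(gids[0], gids[1])
            if pag is not None:
                found.add(pag)
    return found

def stale_pags(kernel_pags, status_texts):
    """PAGs present in the kernel list that no running process belongs to."""
    return sorted(set(kernel_pags) - active_pags(status_texts))

# Constructed sample data (not real kdump or /proc output).
SAMPLE_STATUS = [
    "Name:\tbash\nUid:\t1001\t1001\t1001\t1001\nGroups:\t33536 32513 100 \n",
    "Name:\tcron\nUid:\t0\t0\t0\t0\nGroups:\t0 1 2 \n",        # no PAG
    "Name:\tsmbd\nUid:\t1002\t1002\t1002\t1002\nGroups:\t33536 32514 \n",
    "Name:\tinit\nUid:\t0\t0\t0\t0\nGroups:\t\n",               # empty list
]
SAMPLE_KERNEL_PAGS = [0x41000001, 0x41000002, 0x41000003, 0x41000004]

if __name__ == "__main__":
    for pag in stale_pags(SAMPLE_KERNEL_PAGS, SAMPLE_STATUS):
        print(f"would unlog PAG {pag:#010x}")
```

On a live machine the status texts would be read from /proc/*/status in one pass; a process that starts in an old pag between that pass and the unlog loop would lose its tokens, so the window between the two should be kept short.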