[OpenAFS] Re: Website files in AFS
Russ Allbery
rra@stanford.edu
Wed, 11 Feb 2004 19:28:13 -0800
David Botsch <dwb7@ccmr.cornell.edu> writes:
> Here, to run apache inside a pag with tokens, we did 3 things:
> 1. edit the httpd init script to use pagsh as the shell (1st line) -
> this will start apache inside its own pag and means you can service
> start/restart httpd
> 2. put the password for webuser in a root-restricted file
> 3. in the init script, pass contents of file to a program called "reauth".
> reauth gets tokens inside pag already set up, and every x seconds, will
> renew those tokens.
You can do the same thing with kstart if you want, running it in daemon
mode, and use a keytab rather than a password in a file, which I find more
convenient to manage. The reason why we don't do this is that if you want
to run your reauthenticating daemon under something like supervise, it
requires setting up a separate supervise process under the PAG, which then
isn't monitored by svscan, etc. It works; it was just more convenient for
us to do everything out of /service.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
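
The keytab variant described in the reply, sketched as an init-script fragment. This is an added example, not part of the original message or either poster's actual script. It assumes k5start (the Kerberos 5 program from the kstart package) and pagsh are on the PATH, and every path and the renewal interval are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: start httpd in its own PAG with AFS tokens renewed from a keytab.
# All paths and the renewal interval are hypothetical; adjust for the local site.
KEYTAB=${KEYTAB:-/etc/httpd/webuser.keytab}
PIDFILE=${PIDFILE:-/var/run/k5start-httpd.pid}
RENEW_MIN=${RENEW_MIN:-60}
HTTPD=${HTTPD:-/usr/sbin/httpd}

# Succeed only if the keytab is a regular file (not a symlink) whose mode
# grants nothing to group or other, i.e. the "root restricted" requirement.
keytab_is_restricted() {
    [ -f "$1" ] || return 1
    case $(ls -ld -- "$1") in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the command line run inside the PAG. k5start reads the principal and
# key from the keytab (-f, -U), runs aklog to get AFS tokens (-t), then
# backgrounds itself (-b) and re-authenticates every RENEW_MIN minutes (-K).
pag_command() {
    printf 'k5start -f %s -U -t -b -K %s -p %s && exec %s' \
        "$KEYTAB" "$RENEW_MIN" "$PIDFILE" "$HTTPD"
}

start_httpd_in_pag() {
    keytab_is_restricted "$KEYTAB" || {
        echo "refusing to start: $KEYTAB missing or accessible by group/other" >&2
        return 1
    }
    # pagsh creates the new PAG; k5start and httpd both run inside it,
    # so the tokens k5start renews are the ones httpd uses.
    pagsh -c "$(pag_command)"
}

# Act only when called as an init action: "<script> start".
if [ "${1:-}" = start ]; then
    start_httpd_in_pag
fi
```

Because k5start is started by pagsh rather than by svscan, this layout has the same monitoring gap the reply describes for supervise.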