[OpenAFS] k5start, AFS and long-running daemon

Andy Cobaugh phalenor@gmail.com
Mon, 17 Jan 2011 11:37:29 -0500 (EST)


On 2011-01-17 at 16:17, Stephen Quinney ( stephen@jadevine.org.uk ) said:
> I am having some problems with trying to use k5start to maintain a
> Kerberos credential cache for a long-running daemon. In particular,
> it's maintaining the AFS tokens which is problematic.
>
> I noticed on http://www.eyrie.org/~eagle/software/kstart/todo.html,
> the following comment on the k5start todo list:
>
> "Add a flag saying to start a command in a PAG and with tokens and
> then keep running even if the command exits. This would be useful to
> spawn a long-running daemon inside a PAG and then maintain its tokens,
> even if k5start and the daemon then become detached and have to be
> stopped separately."
>
> I have a daemon which detaches but which needs to access AFS
> directories. Running k5start in the background works great for
> maintaining the Kerberos cache (which is also needed for DB access);
> it's just AFS which is causing problems. So this sounds like exactly
> what I need to do. Given that this isn't currently possible with
> k5start, can you suggest the best way to go about achieving the same
> thing?

Just start the whole thing inside pagsh.

Then we use these options to k5start:

/usr/bin/k5start -b -K 10 -l 14d -p /var/run/$prog-k5start.pid -f $keytab -k $ccname -t $princ2

Where $keytab is obvious, $ccname = /tmp/krb5cc_k5start_wrapped-$prog, and
$princ2 = -U or $print@$realm (depending on k5start version).

That's taken almost directly from our k5start-wrapper script, which we 
use to wrap init scripts under /etc/init.d/. You create 
/etc/init.d/$prog-afs, set a couple of variables like $keytab, then source 
k5start-wrapper.

--andy
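
The approach described in the reply above (k5start and the daemon started together inside pagsh), as an added example that is not part of the original message and is not the poster's k5start-wrapper script. The function names, the keytab permission check and the argument validation are assumptions; the k5start options and ticket cache path are the ones quoted in the message.

```shell
#!/bin/sh
# Added example, not the poster's k5start-wrapper. Function names are assumptions.

# True only for a non-empty word made of characters that are inert in sh -c.
safe_word() {
    case "$1" in
        ''|*[!A-Za-z0-9_./@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# True only if the keytab is a regular file (not a symlink) with no
# group/other permission bits, i.e. mode 0600 or stricter.
keytab_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    mode=$(ls -ld -- "$1") || return 1
    case "$mode" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the k5start command line quoted in the message.
# $1 = program name, $2 = keytab path, $3 = "-U" or princ@REALM
k5start_cmd() {
    safe_word "$1" && safe_word "$2" && safe_word "$3" || return 1
    ccname="/tmp/krb5cc_k5start_wrapped-$1"
    printf '%s' "/usr/bin/k5start -b -K 10 -l 14d -p /var/run/$1-k5start.pid" \
        " -f $2 -k $ccname -t $3"
}

# Run k5start and then the daemon inside one new PAG so both share the same
# tokens. $4 = daemon command line, taken from the init script (trusted).
start_in_pag() {
    keytab_is_private "$2" || { echo "refusing: $2 is not a private keytab" >&2; return 1; }
    cmd=$(k5start_cmd "$1" "$2" "$3") || { echo "refusing: unsafe argument" >&2; return 1; }
    KRB5CCNAME="/tmp/krb5cc_k5start_wrapped-$1" pagsh -c "$cmd && exec $4"
}

# Usage from an init script (constructed values):
#   start_in_pag mydaemon /etc/mydaemon.keytab -U "/usr/sbin/mydaemon --detach"
```

Because -b makes k5start detach only after its first authentication attempt, the daemon is started with tickets and tokens already in place.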