[OpenAFS] Creating a partial sandbox of the production Cell & krb5 realm

Jeffrey Altman jaltman@your-file-system.com
Sun, 11 Nov 2012 19:08:19 -0500


This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigF7DE320B2F28BF607F94AF3E
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 11/11/2012 6:11 PM, Jason Edgecombe wrote:
> The same name is wanted to avoid tweaking the account generation script=
s.

The way to avoid tweaking the scripts is to never hard code cell or
realm names in the scripts.  These values should either be parameters to
the scripts or come from a configuration file.

Linked cells are the built-in method of creating test environments with
AFS.  Create test.uncc.edu which is linked to uncc.edu.  When a volume
is looked up in test.uncc.edu:

 the test.uncc.edu vldb is searched.  If the volume is found, it is used

 If the volume is not found, the uncc.edu vldb is searched and if
 the volume is found in uncc.edu, it is used.

 aklog obtains a token for both test.uncc.edu and uncc.edu when
 the cells are linked.

 The test.uncc.edu KeyFile will be different from the uncc.edu KeyFile
 so it is not possible to accidentally issue a command in the test cell
 which would alter the production cell.

 You can copy the PRDB from the production cell and use it in the
 test cell.

Since this is not an option, ...

> To make the sandbox, I would like to copy the existing krb5 and PTS
> DB's. Besides the Keyfile and CellservDB, what other Kerberos/AFs keys
> must be changed to prevent the sandbox from accidentally affecting
> production via AFS/KRB commands?

If you copy the existing KRB5 DB all of the tickets issued in the test
realm will be valid in the production environment.  Is this acceptable?

The KeyFile for the test cell must be changed.

The CellServDB file will need to be replaced with a test version.  The
problem with doing so and keeping the same names is that it can lead to
confusion.  If the test environment is a one off that you are going to
discard this might not matter but if it is going to be a long running
environment that will be an issue.

The Kerberos krb5.conf will also need to be updated with the alternate
configuration.

If you are using DNS records for AFS or KRB5 you will need to build a
test infrastructure for DNS as well.

> I plan to selectively "vos dump" some production volumes and "vos
> restore" them on the test cell.

right.




--------------enigF7DE320B2F28BF607F94AF3E
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQEcBAEBAgAGBQJQoD34AAoJENxm1CNJffh4QKEH/35o+fM3natk7jA8X1KIKOhH
L/i3xeuSR512HaJO/D0oPoFu8y9faGxc9iebTdC2t6aYZHUpxhDoLrGc278vmbJR
vgJwX1wOe4RHX2BvpzfdOY+YVqlPMMfhtkNzIq3NHPMjuj2lNC5LuWBFFOSetWAA
1+HQW3CKIJnBA3/+44Slg7rjBaikyaWyfruznE79LFNGnferLzH07dJzM1t52v3M
U5B7z+qh1by4wYW/U6jSKMp/pbUAWMzyfwY8WO8eryjbaI/OFO8CrkrIKPJYDQ7U
OqeZZHBLUGcZECu6DZ3qdW6GV/JQ3wPx1SFPf+u7/h4qGmahGHhopu9ux5/WPwg=
=Y1GQ
-----END PGP SIGNATURE-----

--------------enigF7DE320B2F28BF607F94AF3E--