[OpenAFS] Creating a partial sandbox of the production Cell & krb5 realm

Jason Edgecombe jason@rampaginggeek.com
Mon, 12 Nov 2012 18:41:17 -0500

On 11/11/2012 07:08 PM, Jeffrey Altman wrote:
> On 11/11/2012 6:11 PM, Jason Edgecombe wrote:
>> The same name is wanted to avoid tweaking the account generation scripts.
> The way to avoid tweaking the scripts is to never hard code cell or
> realm names in the scripts.  These values should either be parameters to
> the scripts or come from a configuration file.
> Linked cells are the built-in method of creating test environments with
> AFS.  Create test.uncc.edu which is linked to uncc.edu.  When a volume
> is looked up in test.uncc.edu:
>   the test.uncc.edu vldb is searched.  If the volume is found, it is used
>   If the volume is not found, the uncc.edu vldb is searched and if
>   the volume is found in uncc.edu, it is used.
>   aklog obtains a token for both test.uncc.edu and uncc.edu when
>   the cells are linked.
>   The test.uncc.edu KeyFile will be different from the uncc.edu KeyFile
>   so it is not possible to accidentally issue a command in the test cell
>   which would alter the production cell.
>   You can copy the PRDB from the production cell and use it in the
>   test cell.
> Since this is not an option, ...
>> To make the sandbox, I would like to copy the existing krb5 and PTS
>> DB's. Besides the KeyFile and CellServDB, what other Kerberos/AFS keys
>> must be changed to prevent the sandbox from accidentally affecting
>> production via AFS/KRB commands?
> If you copy the existing KRB5 DB all of the tickets issued in the test
> realm will be valid in the production environment.  Is this acceptable?
> The KeyFile for the test cell must be changed.
> The CellServDB file will need to be replaced with a test version.  The
> problem with doing so and keeping the same names is that it can lead to
> confusion.  If the test environment is a one off that you are going to
> discard this might not matter but if it is going to be a long running
> environment that will be an issue.
> The Kerberos krb5.conf will also need to be updated with the alternate
> configuration.
> If you are using DNS records for AFS or KRB5 you will need to build a
> test infrastructure for DNS as well.
>> I plan to selectively "vos dump" some production volumes and "vos
>> restore" them on the test cell.
> right.
Thanks to everyone who replied publicly and privately. The volume and
tone of the emails on this list, along with some assertiveness, helped
me to change some minds. I'm going to set up a differently-named realm
and cell.
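As an added example (not from this thread or the OpenAFS project), a small POSIX shell pre-flight check for the three points the replies above insist on: the sandbox cell name, its KeyFile and its krb5 default_realm must all differ from production, otherwise sandbox commands and tickets are honoured by the production cell. The layout (one directory per environment holding ThisCell, KeyFile and krb5.conf) and the sample values in demo() are assumptions.

```shell
#!/bin/sh
# Pre-flight isolation check for an AFS/krb5 sandbox (added example, not
# OpenAFS code). Assumed layout: PROD_DIR and TEST_DIR each contain the
# files ThisCell, KeyFile and krb5.conf of that environment.
set -u

realm_of() {
    # extract "default_realm = FOO" from a krb5.conf; first match wins
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

check_sandbox_isolation() {
    prod=$1; tst=$2; rc=0
    # 1. cell names must differ: same name plus a swapped CellServDB is the
    #    confusion the thread warns about
    if [ "$(cat "$prod/ThisCell")" = "$(cat "$tst/ThisCell")" ]; then
        echo "FAIL: sandbox cell has the same name as production"; rc=1
    fi
    # 2. KeyFile must differ: with an identical KeyFile, a command issued in
    #    the sandbox would be accepted by production servers
    if cmp -s "$prod/KeyFile" "$tst/KeyFile"; then
        echo "FAIL: sandbox KeyFile is identical to production"; rc=1
    fi
    # 3. realm must differ: a copied KDC database under the production realm
    #    name issues tickets that are valid in production
    if [ "$(realm_of "$prod/krb5.conf")" = "$(realm_of "$tst/krb5.conf")" ]; then
        echo "FAIL: sandbox default_realm equals production realm"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: sandbox is isolated from production"
    return "$rc"
}

# Constructed sample environments (values are assumptions), checked in place.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/prod" "$d/test"
    echo uncc.edu > "$d/prod/ThisCell"; echo test.uncc.edu > "$d/test/ThisCell"
    printf 'prod-key-bytes' > "$d/prod/KeyFile"; printf 'test-key-bytes' > "$d/test/KeyFile"
    printf '[libdefaults]\n default_realm = UNCC.EDU\n' > "$d/prod/krb5.conf"
    printf '[libdefaults]\n default_realm = TEST.UNCC.EDU\n' > "$d/test/krb5.conf"
    if check_sandbox_isolation "$d/prod" "$d/test"; then r=0; else r=1; fi
    rm -rf "$d"
    return "$r"
}
```

Run `demo` to see the isolated case pass; point check_sandbox_isolation at a copy of production that still shares the KeyFile or realm and it reports each overlap.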