[OpenAFS] mod_waklog question

Jason Edgecombe jwedgeco@uncc.edu
Fri, 14 Jul 2017 10:35:33 -0400


Andreas,

Try modifying your systemd unit file to add the "-t" parameter as follows:

ExecStart=/usr/bin/k5start -o apache -K30 -t -f /etc/httpd.keytab httpd-principal-name -- /usr/sbin/httpd $OPTIONS -DFOREGROUND


The "-t" option runs the aklog command to grab tokens. I don't use this
because my AFS folders are granted via IP ACLs and the Kerberos credentials
are only used for accessing kerberized SMB shares.

Sincerely,
Jason

---------------------------------------------------------------------------
Jason Edgecombe | Linux Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-1943
jwedgeco@uncc.edu | http://engr.uncc.edu |  Facebook
---------------------------------------------------------------------------
If you are not the intended recipient of this transmission or a person
responsible for delivering it to the intended recipient, any disclosure,
copying, distribution, or other use of any of the information in this
transmission is strictly prohibited. If you have received this transmission
in error, please notify me immediately by reply e-mail or by telephone at
704-687-1943.  Thank you.

On Thu, Jul 13, 2017 at 5:59 AM, Andreas Ladanyi <andreas.ladanyi@kit.edu>
wrote:

> Hi Jason,
>
> I tried out your systemd config as below. I have a CentOS 7 box.
>
> k5start and Apache start.
>
> pstree:
> ====
>
> k5start───httpd───10*[httpd───2*[{httpd}]]
>
>
> less /proc/fs/openafs/unixusers:
> ===================
>
> UID/PAG Refs States  Cell                          ViceID     Tok Set  Tok Begin Tok Expire vno  NFS Client         UID/PAG Client UID Sysname(s)
>          0    0 0005    cellname              0  1499920292 1499920290 1499963490 256
>       1000    0 0005    cellname              1  1499930214 1499930215 1499966212 256
> 1091860458    0 0005    cellname          29787  1499931869 1499931870 1499967869 256
>
>
>
> The ViceID 29787 is the AFS id of the correct AFS username
> (afsweb.fqdn_of_the_host) in pts. The keytab which k5start reads contains
> the Kerberos principal (afsweb/fqdn_of_the_host@REALM).
>
> I set read (rl) permission for the AFS username afsweb.fqdn_of_the_host
> (29787) on the folder which contains the web files and "lookup" permission
> on all parent folders of the web folder. Apache tells me it can't access the
> web folder (DocumentRoot).
>
> Another problem I found out is that Apache can't open logfiles in the AFS path
> and can't start:
> (13)Permission denied: AH00091: httpd: could not open error log file
> /afs/.............
>
> sestatus:
> =====
>
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             targeted
> Current mode:                   permissive
> Mode from config file:          error (Success)
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Max kernel policy version:      28
>
>
> regards,
> Andreas
>
> Hi Andreas,
>
> Getting systemd, apache, and kstart to play nice took a little bit of
> work. I have included a sanitized copy of my Apache systemd unit file. Be
> sure to modify the ExecStart line to have the correct keytab location and
> principal name.
>
> I have NOT tested this in selinux enforcing mode, so beware.
>
> I think that kstart does create a new PAG, but I'm not certain. Be sure to
> verify that by running bash via kstart, then running "id" to see if an
> extra high-numbered numeric group appears. If no new PAG is created, then
> you might play with the pagsh command.
>
> Sincerely,
> Jason
>
> ----------------------------cut----------------------------
> [Unit]
> # customized unit file to start apache with a kerberos keytab
> Description=The Apache HTTP Server
> After=network.target remote-fs.target nss-lookup.target
> Documentation=man:httpd(8)
> Documentation=man:apachectl(8)
>
> [Service]
> Type=notify
> EnvironmentFile=/etc/sysconfig/httpd
> ExecStart=/usr/bin/k5start -o apache -K30 -f /etc/httpd.keytab httpd-principal-name -- /usr/sbin/httpd $OPTIONS -DFOREGROUND
> ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
> ExecStop=/bin/kill -WINCH ${MAINPID}
> # We want systemd to give httpd some time to finish gracefully, but still want
> # it to kill httpd after TimeoutStopSec if something went wrong during the
> # graceful stop. Normally, Systemd sends SIGTERM signal right after the
> # ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
> # httpd time to finish.
> KillSignal=SIGCONT
>
> # allow k5start child processes (i.e. apache) to notify system that it's up
> NotifyAccess=all
> PrivateTmp=false
>
> [Install]
> WantedBy=multi-user.target
> ----------------------------cut----------------------------
>
>
>
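The thread's two diagnostics, checking for the "extra high-numbered numeric group" that marks a PAG and reading the token table in /proc/fs/openafs/unixusers, can be scripted so the result is unambiguous. The script below is an added example and is not code from either poster; the table it parses is a constructed copy of the one quoted above, and the function names (is_pag, has_pag_group, afs_token_report) are my own. It relies on the fact that OpenAFS on Linux represents a PAG as a supplementary group id in the range 0x41000000..0x41FFFFFF, which is why the 1091860458 entry in the quoted table is a PAG rather than a Unix uid.

```shell
#!/bin/sh
# Added example (not from the thread): classify rows of an OpenAFS
# /proc/fs/openafs/unixusers table and test a group list for a PAG.

# Constructed sample, modelled on the table quoted in the thread.
SAMPLE_UNIXUSERS='UID/PAG Refs States  Cell                          ViceID     Tok Set  Tok Begin Tok Expire vno  NFS Client         UID/PAG Client UID Sysname(s)
         0    0 0005    cellname              0  1499920292 1499920290 1499963490 256
      1000    0 0005    cellname              1  1499930214 1499930215 1499966212 256
1091860458    0 0005    cellname          29787  1499931869 1499931870 1499967869 256'

# OpenAFS Linux PAG group ids: 0x41000000 (1090519040) .. 0x41FFFFFF (1107296255)
PAG_MIN=1090519040
PAG_MAX=1107296255

# is_pag GID -> exit 0 if GID lies in the PAG range
is_pag() {
    [ "$1" -ge "$PAG_MIN" ] && [ "$1" -le "$PAG_MAX" ]
}

# has_pag_group "gid gid gid ..." -> exit 0 if any listed group is a PAG.
# Feed it the output of `id -G` from a shell started under k5start to
# confirm that the wrapped process really got its own PAG.
has_pag_group() {
    for g in $1; do
        if is_pag "$g"; then
            return 0
        fi
    done
    return 1
}

# afs_token_report NOW < unixusers-table
# Prints one line per entry: "<uid-or-pag> <pag|uid> <viceid> <state>",
# where state is "expired" or "valid(<seconds left>s)" relative to NOW.
# Column positions follow the quoted header: $1 UID/PAG, $5 ViceID,
# $8 Tok Expire.
afs_token_report() {
    awk -v now="$1" -v pmin="$PAG_MIN" -v pmax="$PAG_MAX" '
        NR > 1 && NF >= 8 {
            id = $1 + 0; viceid = $5 + 0; expire = $8 + 0
            kind = (id >= pmin && id <= pmax) ? "pag" : "uid"
            if (expire <= now) state = "expired"
            else               state = "valid(" (expire - now) "s)"
            print id, kind, viceid, state
        }'
}

# Stand-alone demo: run against the constructed table at a fixed time.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_UNIXUSERS" | afs_token_report 1499960000
fi
```

On a live box, replace the constructed table with `cat /proc/fs/openafs/unixusers | afs_token_report "$(date +%s)"`; an entry whose first column is reported as `uid` rather than `pag` means the token belongs to the Unix user rather than to a PAG, which is the case Jason's `id` check is meant to expose.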
