[OpenAFS] asetkey and bos_setcellname in 1.8.3
xguan@reliancememory.com
xguan@reliancememory.com
Mon, 5 Aug 2019 01:31:58 -0700
This is a multipart message in MIME format.
------=_NextPart_000_0084_01D54B2D.93FB0210
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
There seems to be a causality dilemma between asetkey and bos_setcellname
when a new cell is brought up, at least in 1.8.3.
Invoking asetkey on a vanilla server (binary installation, 1st database
server) leads to an error if it is before the initialization of krb.conf and
ThisCell
$ asetkey add rxkad_krb5 4 18 <keyfile> <princ>
asetkey: can't initialize conf dir '/etc/openafs/server'
Looking at the source code of asetkey.c, the first thing main() does is to
check if confdir is valid:
tdir = afsconf_Open(confdir);
if (!tdir) {
fprintf(stderr, "%s: can't initialize conf dir '%s'\n",
argv[0],
confdir);
exit(1);
}
https://github.com/openafs/openafs/blob/85d70ea953c6fb44f200ed4be13cded74135
59b8/src/aklog/asetkey.c#L448
With trial and error, it seems that afsconf_Open() won't succeed unless
ThisCell and krb.conf are both properly configured.
While krb.conf can be configured manually, ThisCell has NOT been initialized
at this step. It is yet to be filled by "bos setcellname -localauth", which
requires the key to be in place and the bosserver to be running in the
background. So it seems to be a chicken or the egg problem.
bos_setcellname requires a bosserver daemon launched. Launching bosserver
without an initialized confdir always fails on my case. I suspect the
following section of bosserver.c is responsible
tdir = afsconf_Open(AFSDIR_SERVER_ETC_DIRPATH);
if (!tdir) {
tdir = CreateLocalCellConfig();
}
which fails because CreateLocalCellConfig() calls afsconf_SetCellInfo() with
a __NULL__ in its first argument. bosserver then exits abnormally.
Step-to-step guidance for newcomers usually instructs a user to key the
server before bos_setcellname. For example:
https://wiki.openafs.org/admin/InstallingOpenAFSonCentOS7/
https://wiki.gentoo.org/wiki/OpenAFS#Keying_the_Server
To break the chain, I manually configured krb.conf and ThisCell, then
invoked asetkey. After successful keying, bosserver can be launched and
bos_setcellname can be invoked with "-localauth"
1.6.2x was largely exempted from that problem if a user uses rxkad.keytab
instead of invoking "asetkey". But in 1.8 we see the return of asetkey for
Kerberos 5.
Can OpenAFS gurus confirm the issue? I think it will make life much easier
for new users to bring up a cell.
Thanks.
==========================
Ximeng (Simon) Guan, Ph.D.
Director of Device Technology
Reliance Memory
==========================
------=_NextPart_000_0084_01D54B2D.93FB0210
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii"><meta name=3DGenerator content=3D"Microsoft Word 15 =
(filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US =
link=3D"#0563C1" vlink=3D"#954F72"><div class=3DWordSection1><p =
class=3DMsoNormal>There seems to be a causality dilemma between asetkey =
and bos_setcellname when a new cell is brought up, at least in 1.8.3. =
<o:p></o:p></p><p class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal>Invoking asetkey on a vanilla server (binary =
installation, 1<sup>st</sup> database server) leads to an error if it is =
before the initialization of krb.conf and ThisCell<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal>$ asetkey =
add rxkad_krb5 4 18 <keyfile> <princ><o:p></o:p></p><p =
class=3DMsoNormal>asetkey: can't initialize conf dir =
'/etc/openafs/server'<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal>Looking at =
the source code of asetkey.c, the first thing main() does is to check if =
confdir is valid:<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal>tdir =3D =
afsconf_Open(confdir);<o:p></o:p></p><p =
class=3DMsoNormal> if (!tdir) {<o:p></o:p></p><p =
class=3DMsoNormal> &=
nbsp; fprintf(stderr, "%s: can't initialize conf =
dir '%s'\n", argv[0],<o:p></o:p></p><p =
class=3DMsoNormal> &=
nbsp; &n=
bsp; confdir);<o:p></o:p></p><p =
class=3DMsoNormal> &=
nbsp; exit(1);<o:p></o:p></p><p =
class=3DMsoNormal> }<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal><a =
href=3D"https://github.com/openafs/openafs/blob/85d70ea953c6fb44f200ed4be=
13cded7413559b8/src/aklog/asetkey.c#L448">https://github.com/openafs/open=
afs/blob/85d70ea953c6fb44f200ed4be13cded7413559b8/src/aklog/asetkey.c#L44=
8</a><o:p></o:p></p><p class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal>With trial and error, it seems that afsconf_Open() =
won’t succeed unless ThisCell and krb.conf are both properly =
configured. <o:p></o:p></p><p class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal>While krb.conf can be configured manually, ThisCell =
has NOT been initialized at this step. It is yet to be filled by =
“bos setcellname -localauth”, which requires the key to be =
in place and the bosserver to be running in the background. So it seems =
to be a chicken or the egg problem. <o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal>bos_setcellname requires a bosserver daemon launched. =
Launching bosserver without an initialized confdir always fails on my =
case. I suspect the following section of bosserver.c is =
responsible<o:p></o:p></p><p class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal>tdir =3D =
afsconf_Open(AFSDIR_SERVER_ETC_DIRPATH);<o:p></o:p></p><p =
class=3DMsoNormal> if (!tdir) {<o:p></o:p></p><p =
class=3DMsoNormal> &=
nbsp; tdir =3D =
CreateLocalCellConfig();<o:p></o:p></p><p class=3DMsoNormal =
style=3D'text-indent:10.15pt'>}<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal>which fails =
because CreateLocalCellConfig() calls afsconf_SetCellInfo() with a =
__NULL__ in its first argument. bosserver then exits abnormally. =
<o:p></o:p></p><p class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal>Step-to-step guidance for newcomers usually instructs =
a user to key the server before bos_setcellname. For =
example:<o:p></o:p></p><p class=3DMsoNormal><a =
href=3D"https://wiki.openafs.org/admin/InstallingOpenAFSonCentOS7/">https=
://wiki.openafs.org/admin/InstallingOpenAFSonCentOS7/</a><o:p></o:p></p><=
p class=3DMsoNormal><a =
href=3D"https://wiki.gentoo.org/wiki/OpenAFS#Keying_the_Server">https://w=
iki.gentoo.org/wiki/OpenAFS#Keying_the_Server</a><o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal>To break the =
chain, I manually configured krb.conf and ThisCell, then invoked =
asetkey. After successful keying, bosserver can be launched and =
bos_setcellname can be invoked with =
“-localauth”<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal>1.6.2x was =
largely exempted from that problem if a user uses rxkad.keytab instead =
of invoking “asetkey”. But in 1.8 we see the return of =
asetkey for Kerberos 5. <o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal>Can OpenAFS =
gurus confirm the issue? I think it will make life much easier for new =
users to bring up a cell.<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal>Thanks.<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D<o:p></o:p></p><p class=3DMsoNormal>Ximeng (Simon) =
Guan, Ph.D.<o:p></o:p></p><p class=3DMsoNormal>Director of Device =
Technology<o:p></o:p></p><p class=3DMsoNormal>Reliance =
Memory<o:p></o:p></p><p =
class=3DMsoNormal>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p></div></body></html>
------=_NextPart_000_0084_01D54B2D.93FB0210--