[OpenAFS] Redux: Linux: systemctl --user vs. AFS
Jonathan Billings
billings@negate.org
Fri, 13 Aug 2021 10:48:32 -0400
On Thu, Aug 05, 2021 at 05:11:23PM +0000, spacefrogg-openafs@spacefrogg.net wrote:
> It is as basic as it sounds. Setting up sssd is documented in its
> manpages and gets as complicated and messy as your site requires.
>
> user@.service: We literally changed the ExecStart= directive to a
> shell script that reads like:
>
> if [ ! $guard-against-system-accounts ]; then
> export KRB5CCNAME=/path/to/cache-depending-on-$(id -u)
> aklog
> fi
> exec /path/to/systemd --user
While I do suggest using a KEYRING: or KCM: Kerberos 5 ccache, I think
that this is the ideal solution. Previously, I was getting AFS tokens
for the systemd --user session with a user service that ran *AFTER*
systemd --user launched, but the aforementioned method gets tokens
*BEFORE* systemd --user runs, so the user session already has a PAG
with a token in it.
This is my new configuration:
# cat /etc/systemd/system/user@.service.d/afs.conf
# Disable the default action and run a script instead
[Service]
ExecStart=
ExecStart=-/usr/libexec/afs/systemd-user-execstart.sh
# cat /usr/libexec/afs/systemd-user-execstart.sh
#!/bin/bash
# ExecStart= wrapper for user@.service: get AFS tokens before
# systemd --user starts, so the user manager and everything it
# launches (out of an AFS home directory, say) start with a token.
# Every early exit just runs systemd --user as the default unit would.
SYSTEMD=/usr/lib/systemd/systemd

# No tokens if $UID isn't defined (bash sets it, but be safe),
# for system accounts (UID < 1000), which have no Kerberos ccache,
# or if the krb5 tools aren't installed
if [[ -z "$UID" || "$UID" -lt 1000 || ! -x /usr/bin/klist ]]; then
    exec "$SYSTEMD" --user
fi

# Set ccache name: the per-UID persistent kernel keyring cache
# populated at login
export KRB5CCNAME="KEYRING:persistent:$UID"

# Get AFS tokens only when the ccache holds a valid, unexpired TGT;
# klist -s prints nothing and exits non-zero otherwise, so a login
# without Kerberos credentials (ssh key, no kinit) simply gets no token
if /usr/bin/klist -s; then
    /usr/bin/aklog
fi

exec "$SYSTEMD" --user
======================================================================
With the above configuration, users (with UID >= 1000) have AFS tokens
in their systemd --user session, and all the services that are
launched out of their home directory launch fine (assuming they
support AFS homedirs).
My execstart script could probably use some work, and better logic,
but it is a first attempt. It is great to see systemd --user launch
with AFS tokens this way.
Now, when I'm logged in with my regular user, I see this after SSH'ing
in (this is my RHEL 8 test VM):
[jbillings@rhel8 ~]$ systemctl --user status
● rhel8
State: running
Jobs: 0 queued
Failed: 0 units
Since: Fri 2021-08-13 10:31:25 EDT; 1min 10s ago
CGroup: /user.slice/user-1000.slice/user@1000.service
├─pulseaudio.service
│ └─3775 /usr/bin/pulseaudio --daemonize=no --log-target=journal
├─init.scope
│ ├─3747 /usr/lib/systemd/systemd --user
│ └─3754 (sd-pam)
└─dbus.service
└─3837 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
(Logging in through GDM works too, but the output of 'systemctl --user
status' is really long)
--
Jonathan Billings <billings@negate.org>
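A follow-up check for the setup above, added here as an example; it is not part of Jonathan's post or of OpenAFS. It runs `tokens` as a transient unit under the caller's systemd --user instance, so it reports what the user manager's services actually see rather than what the interactive shell holds, and it treats an expired token as absent. It assumes /usr/bin/tokens from OpenAFS, a systemd-run that supports --pipe (systemd 235 or later, so RHEL 8 qualifies), a hypothetical cell name example.org, and the two embedded `tokens` outputs are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Example check (not from the original post): does the systemd --user
# instance hold a live AFS token for a cell?

# tokens_for_cell CELL: read `tokens` output on stdin and succeed only
# if a non-expired token for CELL is listed.  For a live token, tokens
# prints
#   User's (AFS ID N) tokens for afs@CELL [Expires <date>]
# and "[>> Expired <<]" in place of the expiry once it has lapsed, so
# matching on "[Expires " drops expired entries.
tokens_for_cell() {
    grep -qF "tokens for afs@$1 [Expires "
}

# check_user_manager_tokens CELL: run tokens as a transient service
# under the user manager (--user), with its stdout piped back to us
# (--pipe) and the "Running as unit" chatter suppressed (--quiet).
check_user_manager_tokens() {
    systemd-run --user --quiet --wait --pipe /usr/bin/tokens \
        | tokens_for_cell "$1"
}

# Constructed sample outputs (hypothetical cell, not real captures),
# used by the self-test below.
SAMPLE_LIVE="Tokens held by the Cache Manager:

User's (AFS ID 1000) tokens for afs@example.org [Expires Aug 14 10:31]
   --End of list--"
SAMPLE_EXPIRED="Tokens held by the Cache Manager:

User's (AFS ID 1000) tokens for afs@example.org [>> Expired <<]
   --End of list--"

main() {
    cell="$1"
    if check_user_manager_tokens "$cell"; then
        echo "systemd --user holds a live AFS token for $cell"
    else
        echo "no live AFS token for $cell in the user manager" >&2
        return 1
    fi
}

# Only touch systemd when a cell is named on the command line, e.g.
#   ./check-user-tokens.sh example.org
# so the file can also be sourced for its parser alone.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Run it from an ssh or GDM login after the drop-in is in place; a non-zero exit means the user manager started without a usable token for that cell, which is the case the ExecStart= wrapper is meant to prevent.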