RunningUnattendedCommandsWithoutRunInPagsh

The run-in-pagsh script was written with the best intentions, but it tries to do many, many things (process backgrounding, pidfile management, etc.), all in one script and all in a black box. Moreover, it is currently not supported by its author. Lastly, its name does not actually describe what it does (you're already in a pagsh when you ssh in to bog!).

If run-in-pagsh works for you, great. If you encounter problems, please first try running your daemon using the "explicit" methods described below before filing a bug against AFS. This ensures that the problem you've run into is actually a problem with AFS and not a problem with run-in-pagsh.

Disable Auto-Backgrounding

If your daemon "backgrounds" itself (i.e., detaches from the terminal and puts itself in the background), you absolutely must figure out how to disable this behavior before proceeding. Some hints on how to do this can be found at DisablingAutoBackgrounding.

Explicit Token Management

This is really simple. You have two userids: your normal userid (we'll call this "fred") and your "daemon" userid (we'll call this "fred.daemon"). The first userid is "high security": if one of our shellservers is broken into, it's unlikely that this account would be compromised. The second userid is "low security": if there is a security breach on any of our machines, then all daemon accounts are instantly compromised. It is extremely important to understand this before you take the steps outlined below.

First, you must grant your "daemon" userid permissions on any files that the background task needs. For example,

  fsr sa ~/my_daemon_workspace/ fred.daemon all

Second, you need to start your daemon process via k5start. Use the following command:

  k5start -qtUf /etc/keytabs/user.daemon/fred -- XXX YYY ZZZ

Where XXX YYY ZZZ is the command you want to run in the background. Important: this should be the actual daemon process, not merely some script that checks if the daemon is up and starts it if needed.

This command will run your task in the foreground, but with all the proper token magic you need. Now all you need to do is apply the normal techniques (crontab, at, nohup, screen, etc.) to run the command above in the background. You can also try passing the -b option to k5start to have it put itself in the background. However, token management and backgrounding are separate issues; this page only deals with token management.

That's it! Simple, huh?

Troubleshooting

If you encounter problems, please take the following steps to gather information that can be used to help you. Once you've done this, post your problems and the results below to hcoop-help (or open a bugzilla bug).

Make sure that you're starting the daemon properly

k5start should appear as the parent of your daemon process. To check this, try:

  pstree -Gap `whoami`
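
One way to script this check, as an added example (not part of the original page or of any HCoop tooling): the function reads "pid ppid comm" lines, as printed by ps -eo pid=,ppid=,comm=, and reports whether k5start is the direct parent of a PID, only a more distant ancestor, or not in its ancestry at all. The function name classify_parent and the sample process table are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original page. Classifies how a process relates
# to k5start, given "pid ppid comm" lines on stdin.
#   direct   - k5start is the parent (what the page says you should see)
#   indirect - k5start is a more distant ancestor (a wrapper sits in between)
#   none     - no k5start in the ancestry; not started under k5start
#   unknown  - the PID is not in the table
classify_parent() {
    awk -v target="$1" '
        { ppid[$1] = $2; comm[$1] = $3 }
        END {
            if (!(target in ppid)) { print "unknown"; exit }
            p = ppid[target]
            # depth cap guards against a malformed table that loops
            for (depth = 1; (p in ppid) && depth <= 64; depth++) {
                if (comm[p] == "k5start") {
                    print (depth == 1 ? "direct" : "indirect")
                    exit
                }
                p = ppid[p]
            }
            print "none"
        }'
}

# Constructed sample table (PIDs and process names are made up).
SAMPLE_PS='    1     0 systemd
 4000     1 k5start
 4001  4000 mydaemon
 5000     1 k5start
 5001  5000 sh
 5002  5001 mydaemon2
 6001     1 orphand'

for pid in 4001 5002 6001 9999; do
    printf '%s: %s\n' "$pid" \
        "$(printf '%s\n' "$SAMPLE_PS" | classify_parent "$pid")"
done

# On a live system (PID is your daemon's process id):
#   ps -eo pid=,ppid=,comm= | classify_parent "$PID"
```

A result of "indirect" or "none" is worth including in your report to hcoop-help along with the pstree output.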

Capture Logs

Add a -v to the k5start command and capture the output:

  k5start -vqtUf /etc/keytabs/user.daemon/fred -- mydaemon &> /tmp/my-log

Note that the logs need to go into /tmp because you don't need tokens to write there.

Check the KDC

Figure out when your tokens are expiring (almost always exactly 10 hours after launching your daemon) and ask the root admins to check the KDC logs to see if there is even an attempt to renew the tickets at approximately that time.



RunningUnattendedCommandsWithoutRunInPagsh (last edited 2014-04-29 05:40:01 by c-50-148-186-167)