|
⇤ ← Revision 1 as of 2007-04-04 02:32:56
Size: 2438
Comment:
|
Size: 2440
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 5: | Line 5: |
| 1) create local user SERVICE in /etc/passwd: | 1. create local user SERVICE in /etc/passwd: |
| Line 7: | Line 7: |
| (usually already done by Debian postinst scripts in form of "adduser --system SERVICE". (--system ensures that the assigned ID is in range 100 < ID < 1000 .)) |
* (usually already done by Debian postinst scripts in form of "adduser --system SERVICE". (--system ensures that the assigned ID is in range 100 < ID < 1000 .)) |
| Line 11: | Line 11: |
| 2) create Kerberos principal: | 2. create Kerberos principal: {{{ kadmin.local -q "addprinc -policy service -randkey SERVICE/HOST" }}} |
| Line 13: | Line 16: |
| kadmin.local -q "addprinc -policy service -randkey SERVICE/HOST" | 3. export user's keys to /etc/keytabs/SERVICE.HOST: {{{ kadmin.local -q "ktadd -k /etc/keytabs/SERVICE.HOST SERVICE/HOST" }}} |
| Line 15: | Line 21: |
| 3) export user's keys to /etc/keytabs/SERVICE.HOST: | 4. create OpenAFS user SERVICE.HOST |
| Line 17: | Line 23: |
| kadmin.local -q "ktadd -k /etc/keytabs/SERVICE.HOST SERVICE/HOST" 4) create OpenAFS user SERVICE.HOST (You must make sure that the UID chosen in AFS is above 1000. |
* (You must make sure that the UID chosen in AFS is above 1000. |
| Line 25: | Line 27: |
| {{{ pts cu SERVICE.HOST.hcoop.net }}} |
|
| Line 26: | Line 31: |
| pts cu SERVICE.HOST.hcoop.net (P.S. Can you tell pts the minimum ID to assign?) 5) create OpenAFS group "SERVICE" if it doesn't exist, and add SERVICE.HOST to it: |
5. create OpenAFS group "SERVICE" if it doesn't exist, and add SERVICE.HOST to it: {{{ |
| Line 35: | Line 36: |
| }}} | |
| Line 36: | Line 38: |
| 6) modify service's init script in /etc/init.d/ in the following way: | 6. modify service's init script in /etc/init.d/ in the following way: |
| Line 38: | Line 40: |
| Change shell at the top of script to "#!/usr/bin/pagsh.openafs" | * Change shell at the top of script to "#!/usr/bin/pagsh.openafs" |
| Line 40: | Line 42: |
| Change start-stop-daemon invocation in action 'start': | * Change start-stop-daemon invocation in action 'start': {{{ |
| Line 47: | Line 49: |
| }}} | |
| Line 48: | Line 51: |
**Or if the service does not use start-stop-daemon itself, you still use it in |
* Or if the service does not use start-stop-daemon itself, you still use it in |
| Line 53: | Line 55: |
| (start): | * (start): {{{ |
| Line 59: | Line 62: |
(stop): |
}}} * (stop): {{{ |
| Line 63: | Line 67: |
| }}} | |
| Line 64: | Line 69: |
| 7) You give permissions in AFS space to group "SERVICE", or to user "SERVICE.HOST" | 7. You give permissions in AFS space to group "SERVICE", or to user "SERVICE.HOST" |
here's the final procedure you should follow (for installing service "SERVICE" (mysql) on host "HOST" (deleuze)):
1. create local user SERVICE in /etc/passwd:
- (usually already done by Debian postinst scripts in form of
- "adduser --system SERVICE". (--system ensures that the
assigned ID is in range 100 < ID < 1000 .))
- "adduser --system SERVICE". (--system ensures that the
2. create Kerberos principal:
kadmin.local -q "addprinc -policy service -randkey SERVICE/HOST"
3. export user's keys to /etc/keytabs/SERVICE.HOST:
kadmin.local -q "ktadd -k /etc/keytabs/SERVICE.HOST SERVICE/HOST"
4. create OpenAFS user SERVICE.HOST
- (You must make sure that the UID chosen in AFS is above 1000.
You can't use UIDs <1000 because those are reserved for local system's IDs, and so such uids in AFS would mess up reported Unix ownership of files).
pts cu SERVICE.HOST.hcoop.net
5. create OpenAFS group "SERVICE" if it doesn't exist, and add
- SERVICE.HOST to it:
pts cg SERVICE
pts ad SERVICE.HOST SERVICE6. modify service's init script in /etc/init.d/ in the following way:
- Change shell at the top of script to "#!/usr/bin/pagsh.openafs"
- Change start-stop-daemon invocation in action 'start':
start-stop-daemon --start --pidfile $PIDFILE \
-c SERVICE:SERVICE \
--exec /usr/bin/k5start -- -U -b -f /etc/keytabs/SERVICE.`hostname` \
-K 300 -t -p $PIDFILE \
<The original start command>- Or if the service does not use start-stop-daemon itself, you still use it in
action 'start' to run k5start on a line before <The original start command> and later in 'stop' to close it:
- (start):
start-stop-daemon --start --pidfile /var/run/SERVICE/k5start-SERVICE.pid \
-c SERVICE:SERVICE \
--exec /usr/bin/k5start -- -U -b -K 300 -t -p /var/run/SERVICE/k5start-SERVICE.pid \
-f /etc/keytabs/SERVICE.`hostname`
sleep 2- (stop):
start-stop-daemon --stop --pidfile /var/run/SERVICE/k5start-SERVICE.pid
rm -f /var/run/SERVICE/k5start-SERVICE.pid7. You give permissions in AFS space to group "SERVICE", or to user "SERVICE.HOST"
- if specific instance is important. (Mostly, you just add permissions to "SERVICE").