|
Size: 2440
Comment:
|
Size: 2281
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 7: | Line 7: |
| * (usually already done by Debian postinst scripts in form of "adduser --system SERVICE". (--system ensures that the assigned ID is in range 100 < ID < 1000 .)) |
* (usually already done by Debian postinst scripts in form of "adduser --system SERVICE". (--system ensures that the assigned ID is in range 100 < ID < 1000 .)) |
| Line 13: | Line 11: |
| kadmin.local -q "addprinc -policy service -randkey SERVICE/HOST" | kadmin.local -q "addprinc -policy service -randkey SERVICE/HOST" |
| Line 18: | Line 16: |
| kadmin.local -q "ktadd -k /etc/keytabs/SERVICE.HOST SERVICE/HOST" | kadmin.local -q "ktadd -k /etc/keytabs/SERVICE.HOST SERVICE/HOST" |
| Line 23: | Line 21: |
| * (You must make sure that the UID chosen in AFS is above 1000. You can't use UIDs <1000 because those are reserved for local system's IDs, and so such uids in AFS would mess up reported Unix ownership of files). |
* (You must make sure that the UID chosen in AFS is above 1000. You can't use UIDs <1000 because those are reserved for local system's IDs, and so such uids in AFS would mess up reported Unix ownership of files). |
| Line 34: | Line 29: |
| pts cg SERVICE pts ad SERVICE.HOST SERVICE |
pts cg SERVICE pts ad SERVICE.HOST SERVICE |
| Line 44: | Line 39: |
| start-stop-daemon --start --pidfile $PIDFILE \ -c SERVICE:SERVICE \ --exec /usr/bin/k5start -- -U -b -f /etc/keytabs/SERVICE.`hostname` \ -K 300 -t -p $PIDFILE \ <The original start command> |
start-stop-daemon --start --pidfile $PIDFILE \ -c SERVICE:SERVICE \ --exec /usr/bin/k5start -- -U -b -f /etc/keytabs/SERVICE.`hostname` \ -K 300 -t -p $PIDFILE \ <The original start command> |
| Line 57: | Line 52: |
| start-stop-daemon --start --pidfile /var/run/SERVICE/k5start-SERVICE.pid \ -c SERVICE:SERVICE \ --exec /usr/bin/k5start -- -U -b -K 300 -t -p /var/run/SERVICE/k5start-SERVICE.pid \ -f /etc/keytabs/SERVICE.`hostname` sleep 2 |
start-stop-daemon --start --pidfile /var/run/SERVICE/k5start-SERVICE.pid \ -c SERVICE:SERVICE \ --exec /usr/bin/k5start -- -U -b -K 300 -t -p /var/run/SERVICE/k5start-SERVICE.pid \ -f /etc/keytabs/SERVICE.`hostname` sleep 2 |
| Line 65: | Line 60: |
| start-stop-daemon --stop --pidfile /var/run/SERVICE/k5start-SERVICE.pid rm -f /var/run/SERVICE/k5start-SERVICE.pid |
start-stop-daemon --stop --pidfile /var/run/SERVICE/k5start-SERVICE.pid rm -f /var/run/SERVICE/k5start-SERVICE.pid |
| Line 69: | Line 64: |
| 7. You give permissions in AFS space to group "SERVICE", or to user "SERVICE.HOST" if specific instance is important. (Mostly, you just add permissions to "SERVICE"). |
7. You give permissions in AFS space to group "SERVICE", or to user "SERVICE.HOST" if specific instance is important. (Mostly, you just add permissions to "SERVICE"). |
here's the final procedure you should follow (for installing service "SERVICE" (mysql) on host "HOST" (deleuze)):
1. create local user SERVICE in /etc/passwd:
(usually already done by Debian postinst scripts in form of "adduser --system SERVICE". (--system ensures that the assigned ID is in range 100 < ID < 1000 .))
2. create Kerberos principal:
kadmin.local -q "addprinc -policy service -randkey SERVICE/HOST"
3. export user's keys to /etc/keytabs/SERVICE.HOST:
kadmin.local -q "ktadd -k /etc/keytabs/SERVICE.HOST SERVICE/HOST"
4. create OpenAFS user SERVICE.HOST
(You must make sure that the UID chosen in AFS is above 1000. You can't use UIDs <1000 because those are reserved for local system's IDs, and so such uids in AFS would mess up reported Unix ownership of files).
pts cu SERVICE.HOST.hcoop.net
5. create OpenAFS group "SERVICE" if it doesn't exist, and add
- SERVICE.HOST to it:
pts cg SERVICE pts ad SERVICE.HOST SERVICE
6. modify service's init script in /etc/init.d/ in the following way:
- Change shell at the top of script to "#!/usr/bin/pagsh.openafs"
- Change start-stop-daemon invocation in action 'start':
start-stop-daemon --start --pidfile $PIDFILE \ -c SERVICE:SERVICE \ --exec /usr/bin/k5start -- -U -b -f /etc/keytabs/SERVICE.`hostname` \ -K 300 -t -p $PIDFILE \ <The original start command>
- Or if the service does not use start-stop-daemon itself, you still use it in
action 'start' to run k5start on a line before <The original start command> and later in 'stop' to close it:
- (start):
start-stop-daemon --start --pidfile /var/run/SERVICE/k5start-SERVICE.pid \ -c SERVICE:SERVICE \ --exec /usr/bin/k5start -- -U -b -K 300 -t -p /var/run/SERVICE/k5start-SERVICE.pid \ -f /etc/keytabs/SERVICE.`hostname` sleep 2
- (stop):
start-stop-daemon --stop --pidfile /var/run/SERVICE/k5start-SERVICE.pid rm -f /var/run/SERVICE/k5start-SERVICE.pid
7. You give permissions in AFS space to group "SERVICE", or to user "SERVICE.HOST" if specific instance is important. (Mostly, you just add permissions to "SERVICE").