| Size: 2036 Comment: add {{{}}} (thanks to whoever changed "_" to ".") |  ← Revision 18 as of 2014-04-29 05:40:01  ⇥ Size: 3702 Comment:  | 
| Deletions are marked like this. | Additions are marked like this. | 
| Line 1: | Line 1: | 
| The {{{run-in-pagsh}}} script was written with the best intentions, but it tries to do many, many things (process backgrounding, pidfile management, etc), all in one script, and all in a black box. Moreover, it is currently not supported by its author. Lastly, its name does not actually describe what it does (you're already in a pagsh when you ssh in to mire!) | #pragma section-numbers off The {{{run-in-pagsh}}} script was written with the best intentions, but it tries to do many, many things (process backgrounding, pidfile management, etc), all in one script, and all in a black box. Moreover, it is currently not supported by its author. Lastly, its name does not actually describe what it does (you're already in a pagsh when you ssh in to bog!) | 
| Line 5: | Line 7: | 
| == Disable Auto-Backgrounding == If your daemon "backgrounds" itself (ie detaches from the terminal and puts itself in the background), you absolutely must figure out how to disable this behavior before proceeding. Some hints on how to do this can be found at DisablingAutoBackgrounding. | |
| Line 7: | Line 13: | 
| This is really simple. You have two userids: your normal userid (we'll call this "{{{fred}}}") and your "daemon" userid (we'll call this "{{{fred.daemon}}}"). The first userid is "high security"; if one of our shellservers is broken into, it's unlikely that this account would be compromised. The second userid is "low security": if there is a security breach on '''any of our machines, then all daemon accounts are instantly compromised'''. It is extremely important to understand this before you take the steps outlined below. | This is really simple. You have two userids: your normal userid (we'll call this "{{{fred}}}") and your "daemon" userid (we'll call this "{{{fred.daemon}}}"). The first userid is "high security"; if one of our shellservers is broken into, it's unlikely that this account would be compromised. The second userid is "low security": '''if there is a security breach on any of our machines, then all daemon accounts are instantly compromised'''. It is extremely important to understand this before you take the steps outlined below. | 
| Line 21: | Line 27: | 
| Where {{{XXX YYY ZZZ}}} is the command you want to run in the background. | Where {{{XXX YYY ZZZ}}} is the command you want to run in the background. '''Important: this should be the actual daemon process, not merely some script that checks if the daemon is up and starts it if needed.''' | 
| Line 23: | Line 29: | 
| This command will run your task ''in the foreground'', but with all the proper token magic you need. Now all you need to do is apply the normal techniques (crontab, etc) to run the command above in the background. However, token management and backgrounding are separate issues; this page only deals with token management. | This command will run your task ''in the foreground'', but with all the proper token magic you need. Now all you need to do is apply the normal techniques (crontab, at, nohup, screen, etc) to run the command above in the background. You can also try passing the {{{-b}}} option to {{{k5start}}} to have it put itself in the background. However, token management and backgrounding are separate issues; this page only deals with token management. | 
| Line 26: | Line 32: | 
| == Troubleshooting == If you encounter problems, please take the following steps to gather information that can be used to help you. Once you've done this, post your problems and the results below to {{{hcoop-help}}} (or open a bugzilla bug). ==== Make sure that you're starting the daemon properly ==== Make sure that you're starting the daemon properly; {{{k5start}}} should appear as the parent of your daemon process. To check this, try {{{ pstree -Gap `whoami` }}} ==== Capture Logs ==== Add a {{{-v}}} to the {{{k5start}}} command and capture the output: {{{ k5start -vqtUf /etc/keytabs/user.daemon/fred -- mydaemon &> /tmp/my-log }}} Note that the logs need to go into {{{/tmp}}} because you don't need tokens to write there. ==== Check the KDC ==== Figure out when your tokens are expiring (almost always exactly 10 hours after launching your daemon) and ask the root admins to check the KDC logs to see if there is even an ''attempt'' to renew the tickets at approximately that time. ---- CategoryMemberManual CategoryNeedsWork | 
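Review bot: The "Capture Logs" example redirects to a fixed name, `/tmp/my-log`, in a world-writable directory on a shared shell server, so another local user can pre-create that path (for example as a symlink) or read the verbose k5start output afterwards. Suggest creating the file with `mktemp` (for example `mktemp /tmp/k5start-log.XXXXXX`) and mentioning that it should be removed once the report is filed. Separately, `&>` is a bash extension: the page recommends crontab for backgrounding, and cron runs commands with /bin/sh by default, where `cmd &> file` is parsed as `cmd &` followed by `> file`; writing `> file 2>&1` works in both shells.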
The run-in-pagsh script was written with the best intentions, but it tries to do many, many things (process backgrounding, pidfile management, etc.), all in one script, and all in a black box. Moreover, it is currently not supported by its author. Lastly, its name does not actually describe what it does (you're already in a pagsh when you ssh in to bog!).
If run-in-pagsh works for you, great. If you encounter problems, please first try running your daemon using the "explicit" methods described below before filing a bug against AFS. This is to ensure that the problem you've run into is actually a problem with AFS and not a problem with run-in-pagsh.
Disable Auto-Backgrounding
If your daemon "backgrounds" itself (i.e., detaches from the terminal and puts itself in the background), you absolutely must figure out how to disable this behavior before proceeding. Some hints on how to do this can be found at DisablingAutoBackgrounding.
Explicit Token Management
This is really simple. You have two userids: your normal userid (we'll call this "fred") and your "daemon" userid (we'll call this "fred.daemon"). The first userid is "high security"; if one of our shellservers is broken into, it's unlikely that this account would be compromised. The second userid is "low security": if there is a security breach on any of our machines, then all daemon accounts are instantly compromised. It is extremely important to understand this before you take the steps outlined below.
First, you must grant your "daemon" userid permissions on any files that the background task needs. For example,
fsr sa ~/my_daemon_workspace/ fred.daemon all
Second, you need to start your daemon process via k5start. Use the following command:
k5start -qtUf /etc/keytabs/user.daemon/fred -- XXX YYY ZZZ
Where XXX YYY ZZZ is the command you want to run in the background. Important: this should be the actual daemon process, not merely some script that checks if the daemon is up and starts it if needed.
This command will run your task in the foreground, but with all the proper token magic you need. Now all you need to do is apply the normal techniques (crontab, at, nohup, screen, etc.) to run the command above in the background. You can also try passing the -b option to k5start to have it put itself in the background. However, token management and backgrounding are separate issues; this page only deals with token management.
That's it! Simple, huh?
Troubleshooting
If you encounter problems, please take the following steps to gather information that can be used to help you. Once you've done this, post your problem and the results of the steps below to hcoop-help (or open a Bugzilla bug).
Make sure that you're starting the daemon properly
k5start should appear as the parent of your daemon process. To check this, try:
pstree -Gap `whoami`
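The same parent check can be scripted so it can be run repeatedly or attached to a bug report. This is an added example, not part of the original page; it assumes `ps -o pid=,ppid=,comm=` style input and a daemon whose command name is `mydaemon`, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example, not from the original page.
# check_k5start_parent NAME
#   stdin: "PID PPID COMM" rows, as printed by `ps -o pid=,ppid=,comm=`
#   exit 0: every process named NAME is a direct child of k5start
#   exit 1: some instance has another parent (it detached itself, or a
#           wrapper script sits between k5start and the daemon)
#   exit 2: no process named NAME found
check_k5start_parent() {
    awk -v name="$1" '
        { ppid[$1] = $2; comm[$1] = $3 }
        END {
            for (pid in comm) {
                if (comm[pid] != name) continue
                found++
                # A parent outside the listing (e.g. PID 1) is reported as unknown.
                parent = (ppid[pid] in comm) ? comm[ppid[pid]] : "unknown"
                if (parent != "k5start") {
                    printf "pid %s: parent %s is %s, not k5start\n", pid, ppid[pid], parent
                    bad++
                }
            }
            if (!found) exit 2
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample rows (not real output).
SAMPLE_OK='4100 1 k5start
4101 4100 mydaemon'
# The daemon backgrounded itself and was re-parented to PID 1.
SAMPLE_DETACHED='4100 1 k5start
4205 1 mydaemon'

# Live use (assumes your daemon's command name is "mydaemon"):
#   ps -u "$(id -un)" -o pid=,ppid=,comm= | check_k5start_parent mydaemon
```

An exit status of 1 usually means the daemon still backgrounds itself or is being launched through a watchdog script rather than directly by k5start.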
Capture Logs
Add a -v to the k5start command and capture the output:
k5start -vqtUf /etc/keytabs/user.daemon/fred -- mydaemon &> /tmp/my-log
Note that the logs need to go into /tmp because you don't need tokens to write there.
Check the KDC
Figure out when your tokens are expiring (almost always exactly 10 hours after launching your daemon) and ask the root admins to check the KDC logs to see if there is even an attempt to renew the tickets at approximately that time.
