Here's the final procedure you should follow
(for installing service "SERVICE" (mysql) on host "HOST" (deleuze)):


1. Create the local user SERVICE in /etc/passwd:

(Usually already done by Debian postinst scripts in the form of "adduser --system SERVICE". --system ensures that the assigned ID is in the range 100 < ID < 1000.)

2. Create the Kerberos principal:
{{{
kadmin.local -q "addprinc -policy service -randkey SERVICE/HOST"
}}}

3. Export the principal's keys to /etc/keytabs/SERVICE.HOST and set the file's ownership and mode:
{{{
kadmin.local -q "ktadd -k /etc/keytabs/SERVICE.HOST SERVICE/HOST"
chown SERVICE:wheel /etc/keytabs/SERVICE.HOST
chmod 440 /etc/keytabs/SERVICE.HOST
}}}

4. Create the OpenAFS user SERVICE.HOST.
(You must make sure that the UID chosen in AFS is above 1000. You can't use UIDs below 1000 because those are reserved for the local system's IDs, so such UIDs in AFS would mess up the reported Unix ownership of files.)
{{{
pts cu SERVICE.HOST.hcoop.net
}}}

5. Create the OpenAFS group "SERVICE" if it doesn't exist, and add SERVICE.HOST to it:
{{{
pts cg SERVICE
pts ad SERVICE.HOST SERVICE
}}}

6. Modify the service's init script in /etc/init.d/ in the following way:

* Change the interpreter line at the top of the script to "#!/usr/bin/pagsh.openafs"

* Change the start-stop-daemon invocation in action 'start':
{{{
start-stop-daemon --start --pidfile $PIDFILE \
    -c SERVICE:SERVICE \
    --exec /usr/bin/k5start -- -U -b -f /etc/keytabs/SERVICE.`hostname` \
    -K 300 -t -p $PIDFILE \
    <The original start command>
}}}

* Or, if the service does not use start-stop-daemon itself, you still use it in
action 'start' to run k5start on a line before <The original start command>,
and later in 'stop' to stop it:

* (start):
{{{
start-stop-daemon --start --pidfile /var/run/SERVICE/k5start-SERVICE.pid \
    -c SERVICE:SERVICE \
    --exec /usr/bin/k5start -- -U -b -K 300 -t -p /var/run/SERVICE/k5start-SERVICE.pid \
    -f /etc/keytabs/SERVICE.`hostname`
sleep 2
}}}
* (stop):
{{{
start-stop-daemon --stop --pidfile /var/run/SERVICE/k5start-SERVICE.pid
rm -f /var/run/SERVICE/k5start-SERVICE.pid
}}}

7. Grant permissions in AFS space to the group "SERVICE", or to the user "SERVICE.HOST" if the specific instance is important. (Mostly, you just add permissions to "SERVICE".)
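As an added check that is not part of the original procedure or of HCoop's own tooling, the following POSIX shell script verifies the outcome of steps 1, 3, 4 and 6 on the host without touching Kerberos or AFS: it checks the local and AFS UID ranges the procedure requires, that the keytab is owned SERVICE:wheel with mode 0440, and that the init script runs under pagsh.openafs and starts the daemon through /usr/bin/k5start with the -U, -b, -t, -K and -f flags shown above. The init script it writes for its own demo is a constructed sample following step 6 with SERVICE=mysql and HOST=deleuze; `stat -c` and the sed line-joining idiom assume GNU coreutils and GNU sed.

```shell
#!/bin/sh
# Added verification script: not part of the original procedure or of
# HCoop's tooling. It checks the outcome of steps 1, 3, 4 and 6 without
# touching Kerberos or AFS. Assumes GNU coreutils (stat -c) and GNU sed.

# Step 1: "adduser --system" assigns an ID with 100 < ID < 1000 (as the
# procedure states).
local_system_uid_ok() {
    [ "$1" -gt 100 ] && [ "$1" -lt 1000 ]
}

# Step 4: the AFS id must be above 1000 so it cannot collide with a local
# system account when AFS reports Unix ownership of files.
afs_uid_ok() {
    [ "$1" -gt 1000 ]
}

# Step 3: the keytab must exist, be owned by OWNER:GROUP (group defaults to
# "wheel", as in the procedure) and have mode 0440.
keytab_perms_ok() {
    keytab=$1; owner=$2; group=${3:-wheel}
    [ -f "$keytab" ] || return 1
    set -- $(stat -c '%a %U %G' "$keytab" 2>/dev/null)
    [ "$1" = "440" ] && [ "$2" = "$owner" ] && [ "$3" = "$group" ]
}

# Join backslash-continued lines so a wrapped start-stop-daemon call can be
# inspected as a single line.
join_continuations() {
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1"
}

# Step 6: the init script must run under pagsh.openafs and start the daemon
# through k5start with the keytab principal (-U), in the background (-b),
# running aklog (-t), with a renewal interval (-K) and a keytab under
# /etc/keytabs (-f).
init_script_ok() {
    script=$1
    [ -f "$script" ] || return 1
    head -n 1 "$script" | grep -q '^#!/usr/bin/pagsh.openafs$' || return 1
    line=$(join_continuations "$script" | grep '/usr/bin/k5start' | head -n 1)
    [ -n "$line" ] || return 1
    for flag in -U -b -t -K -f; do
        case " $line " in
            *" $flag "*) ;;
            *) return 1 ;;
        esac
    done
    case "$line" in
        *" -f /etc/keytabs/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample init script following step 6 (the variant for a service
# that does not use start-stop-daemon itself). Writes DIR/SERVICE and prints
# its path.
make_sample_init_script() {
    dir=$1; service=$2; host=$3
    cat > "$dir/$service" <<EOF
#!/usr/bin/pagsh.openafs
# constructed sample init script for $service on $host
PIDFILE=/var/run/$service/k5start-$service.pid
case "\$1" in
  start)
    start-stop-daemon --start --pidfile \$PIDFILE \\
        -c $service:$service \\
        --exec /usr/bin/k5start -- -U -b -K 300 -t -p \$PIDFILE \\
        -f /etc/keytabs/$service.$host
    sleep 2
    ;;
  stop)
    start-stop-daemon --stop --pidfile \$PIDFILE
    rm -f \$PIDFILE
    ;;
esac
EOF
    echo "$dir/$service"
}

# Demo on the constructed sample (no real service or keytab is touched).
demo_dir=$(mktemp -d)
demo_script=$(make_sample_init_script "$demo_dir" mysql deleuze)
if init_script_ok "$demo_script"; then
    echo "sample init script: ok"
else
    echo "sample init script: NOT ok"
fi
rm -rf "$demo_dir"
```

On a real host you would call `keytab_perms_ok /etc/keytabs/SERVICE.HOST SERVICE wheel`, `init_script_ok /etc/init.d/SERVICE`, `local_system_uid_ok "$(id -u SERVICE)"` and `afs_uid_ok` with the id shown by `pts examine SERVICE.HOST` after finishing the steps; each function returns 0 on success, so the calls compose with `&&` in a post-install check.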