[38338] in Kerberos
Re: issue with k5start
daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Sep 25 17:12:13 2018
From: Russ Allbery <eagle@eyrie.org>
To: Kristen Webb <kwebb@teradactyl.com>
In-Reply-To: <CANPK4HbnL5DY1W0TsBUBJThfstE4F+nmXx29xXTXCE-XxAJfmg@mail.gmail.com>
(Kristen Webb's message of "Tue, 25 Sep 2018 12:04:36 -0600")
Date: Tue, 25 Sep 2018 14:11:54 -0700
Message-ID: <8736txqo2t.fsf@hope.eyrie.org>
Cc: kerberos@mit.edu
Kristen Webb <kwebb@teradactyl.com> writes:
> When I use the -k ccache option it appears that each job simply
> overwrites the ccache file.
It should only do this if the ticket is going to expire sooner than two
minutes before the next wake-up period, though, I think? I would have
expected this to work with all jobs sharing the same cache file, as long
as they're at least a little staggered. That said, I don't think I've
really tested for this sort of parallelism, and it's entirely possible
that the separate k5start processes don't manage coordination between each
other on the same ticket cache properly.
> Is there a way to use k5start to achieve what I am after
>
> - shared ccache for many jobs to keep Kerberos server traffic down
> - allow long running jobs to continue beyond their initial aklog
>   renewal date
>
> If I ran k5start as a daemon and managed periodic aklog's within my
> application, would that work?
Yes, that's what I was going to suggest. If each application is running
in a separate PAG, each application needs to run aklog periodically
independently of the others. If you also want to share a single ticket
cache among the applications, you probably want to split those two
operations.
Unfortunately, k5start doesn't currently have a mode of operation in which
it only runs the aklog command but doesn't try to renew tickets if they
aren't about to expire.
--
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>
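
The split discussed in this message (one k5start daemon keeping the shared cache fresh, each job running aklog on its own schedule inside its PAG), as an added example that is not part of the original message or of k5start itself. The cache and keytab paths, the intervals, the script name and the use of pagsh to start each job are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and intervals are assumptions.
CCACHE=${CCACHE:-/var/run/batch/krb5cc_shared}  # hypothetical shared cache
KEYTAB=${KEYTAB:-/etc/batch/batch.keytab}       # hypothetical keytab

# One daemon per host is the only writer of the shared cache. It wakes
# every 10 minutes and gets new tickets from the keytab only when the
# current ones are about to expire. Keep cache and keytab readable only
# by the account the jobs run as.
start_ticket_daemon() {
    k5start -b -U -f "$KEYTAB" -k "$CCACHE" -K 10 -p "${CCACHE}.pid"
}

# Runs inside a job's PAG. Calls aklog against the shared cache $2 times
# (0 = until killed), sleeping $1 seconds between runs. It only reads the
# cache, so parallel jobs cannot overwrite each other's tickets.
# Returns non-zero if any aklog run failed.
refresh_tokens() {
    interval=$1 count=${2:-0} runs=0 failures=0
    while [ "$count" -eq 0 ] || [ "$runs" -lt "$count" ]; do
        KRB5CCNAME="FILE:$CCACHE" aklog || failures=$((failures + 1))
        runs=$((runs + 1))
        [ "$count" -ne 0 ] && [ "$runs" -ge "$count" ] && break
        sleep "$interval"
    done
    [ "$failures" -eq 0 ]
}

# Usage (script name is hypothetical):
#   shared-tokens.sh daemon                        # once per host
#   pagsh -c 'shared-tokens.sh job ./long_job'     # once per job, own PAG
case "${1:-}" in
    daemon) start_ticket_daemon ;;
    job)    shift
            refresh_tokens 0 1 || exit 1   # fail early if no token
            refresh_tokens 3600 &          # hourly refresh for this PAG
            refresher=$!
            "$@"; status=$?
            kill "$refresher" 2>/dev/null
            exit "$status" ;;
esac
```
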