cron on AFS files]
Paul Blackburn
mpb@hursley.ibm.com
Fri, 02 Mar 2001 21:29:08 +0000
This is a multi-part message in MIME format.
--------------E9AA75B9B9D93E44D6918B8E
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Hello Martin,
I use a simple script, afs_wrap_cron, (attached below)
for my crontab jobs which need AFS authentication.
It only authenticates once at the start of the crontab job
so I take care to have a long enough token lifetime for
the duration of the crontab job.
Also, since it uses a password stored in a local file,
one must take care about restricting access to the
machine on which the crontab job runs.
I hope this may be of some help to you.
--
cheers
paul http://acm.org/~mpb
Martin Gasthuber wrote:
> Hi,
>
> we run AFS for a few years now and from day one we ran into the problem of
> letting cron jobs running on AFS files. Several years ago we installed a piece
> of software developed by CERN which submits the jobs (like cron) together with
> a vald AFS token (that's the good thing). This systems has some intrinsic
> scalability problems and we see more and more problems with it. Now the
> question: Did somebody has another solution for this type of problem ?? We
> thought about using a batch system like LSF which has the ability to
> re-getting a valid ticket at the time the job runs.
>
> Regards,
> Martin
>
> --
> Martin Gasthuber -- DESY/Hamburg -- Head of Systems & Networks in IT
> snail Notkestrasse 85 22607 Hamburg/Germany
> e-mail Martin.Gasthuber@desy.de - fon/fax +49 40 [8998/8994] 2564
--------------E9AA75B9B9D93E44D6918B8E
Content-Type: text/html; charset=us-ascii;
name="afs_wrap_cron.html"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="afs_wrap_cron.html"
#!/usr/afsws/bin/pagsh
#
# $Header: /afs/linux.ibm.com/src/afs/@cell/scripts/afs_wrap_cron/RCS/afs_wrap_cron,v 1.3 2000/12/07 13:11:26 mpb Exp $
#
# $Locked$
#
# --------------------------------------------------------------------
# NAME afs_wrap_cron
# AUTHOR Paul Blackburn <mpb@acm.org>
# PURPOSE Run an AFS authenticated cron (or similar) job.
# Get a PAG, get the user's token, then exec user's command
# HISTORY
# mpb 27 Nov 2000 reworked to include command line switches
# --------------------------------------------------------------------
# let's get defensive
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/afsws/bin:/usr/afsws/etc:
IFS="
"
unset ENV
# Undo any aliases for commands used.
# This is to avoid problems such as "ls" having unexpected format output
unalias awk 2>/dev/null
unalias cat 2>/dev/null
unalias cat 2>/dev/null
unalias chmod 2>/dev/null
unalias cp 2>/dev/null
unalias cut 2>/dev/null
unalias date 2>/dev/null
unalias df 2>/dev/null
unalias grep 2>/dev/null
unalias head 2>/dev/null
unalias ls 2>/dev/null
unalias mkdir 2>/dev/null
unalias mv 2>/dev/null
unalias ping 2>/dev/null
unalias rm 2>/dev/null
unalias rmmod 2>/dev/null
unalias rsync 2>/dev/null
unalias sed 2>/dev/null
unalias sort 2>/dev/null
unalias strings 2>/dev/null
unalias tail 2>/dev/null
unalias uname 2>/dev/null
unalias whois 2>/dev/null
# enough defensiveness already!
cmd=$(basename ${0})
cmdline="${cmd} $*"
# site configurable defaults follow -------------------------------------
default_notify=mpb@acm.org
default_cellname=linux.ibm.com
f=/usr/vice/etc/ThisCell
if [ -s "${f}" ]; then
default_cellname=$(cat ${f})
else
echo "${cmd} fatal error: missing ${f}" >&2
exit 1
fi
default_principal=${USER}
# end site configurable defaults ----------------------------------------
# functions -------------------------------------------------------------
usage() {
echo "${cmd}"
echo
echo "This command is used to run another command with AFS authentication."
echo
echo "${cmd} [options]"
echo "where options are:"
echo " -cell \${cellname} - specify AFS cell name"
echo " (default is ${default_cellname})"
echo " -principal \${principal} - specify AFS principal"
echo " (default is ${default_principal})"
echo " -pwfile \${pwfile} - file containing password"
echo " -commandline \${commandline} - command to be executed"
echo
echo "Example:"
echo "${cmd} -pr afsuser -cell cell.domain -pwfile /etc/security/pwf_afsuser"
echo " -commandline "/usr/local/bin/daily_housekeeping -30""
echo
echo "Security caution:"
echo "Since this script uses a password stored in a file (\${pwfile})"
echo "you must take care to restrict access to the contents of \${pwfile}."
echo
echo "It is recommended that \${pwfile} is a local file (not AFS)"
echo "which is protected (chmod 700 \${pwfile}."
echo
echo "Also, take care about root access to this file and backup tapes."
echo "You may choose to run ${cmd} on a restricted login machine. I do."
echo
echo "Please report bugs/suggestions/comments to: ${default_notify}"
}
fatal() {
echo "${cmd} fatal: ${1}" >&2
exit 1
}
error() {
echo "${cmd} error: ${1}" >&2
}
warning() {
echo "${cmd} warning: ${1}" >&2
}
tstamp() {
echo "`date '+''%H''%M'':%S'` ${cmd}: ${1}"
}
doit() {
tstamp "${1}"
eval ${1}
retcode=$?
if [ ${retcode} != 0 ]; then
error "\$?=${retcode}"
fi
}
# main -------------------------------------------------------------------
# crack command line arguments
while [ ! -z "${1}" ]; do
case ${1} in
-cell )
shift
if [ -z "${1}" ]; then
fatal "missing cell name"
else
cellname=${1}
fi
;;
-cell*)
cell=$(echo ${1} | cut -c6-)
;;
-principal | -pr )
shift
if [ -z "${1}" ]; then
fatal "missing principal name"
else
principal=${1}
fi
;;
-principal*)
principal=$(echo ${1} | cut -c11-)
;;
-pr*)
principal=$(echo ${1} | cut -c4-)
;;
-pwfile | -pwf )
shift
if [ -z "${1}" ]; then
fatal "missing password file name"
else
pwfile=${1}
fi
;;
-pwfile*)
pwfile=$(echo ${1} | cut -c8-)
;;
-pwf*)
pwfile=$(echo ${1} | cut -c5-)
;;
-commandline | -cmdl )
shift
if [ -z "${1}" ]; then
fatal "missing commandline to execute"
else
commandline=${1}
fi
;;
-commandline*)
commandline=$(echo ${1} | cut -c13-)
;;
-cmdl*)
commandline=$(echo ${1} | cut -c6-)
;;
-help | -? | -usage )
usage
exit
;;
*)
warning "unknown command line argument: ${1}"
usage
exit 1
;;
esac
shift
done
if [ -z "${cellname}" ]; then
cellname=${default_cellname}
fi
if [ -z "${principal}" ]; then
principal=${default_principal}
fi
if [ -z "${pwfile}" ]; then
fatal "missing password file name"
fi
if [ ! -s "${pwfile}" ]; then
fatal "empty (or nosuch) password file"
fi
if [ -z "${commandline}" ]; then
fatal "missing command to execute"
fi
klog -principal ${principal} -cell ${cellname} -pipe < ${pwfile}
command=$(echo ${commandline} | awk '{print $1}')
type ${command} 2>&1 > /dev/null
if [ $? != 0 ]; then
fatal "not in PATH: ${command}"
fi
# syslog the command to be executed
logger -i -t "${cmd}" "${commandline}"
exec ${commandline}
--------------E9AA75B9B9D93E44D6918B8E--