Chicago: The ACM In A Box
Chicago replicates a whole lot of services and is intended to be the one thing that needs to be grabbed in a fire, as it were. Relevant sections of the documentation that specifically mention Chicago include
- the AFS partition scheme: OpenAFS Partition Scheme
- the long-term archival store: Long-term AFS Archives with bup
The machine itself is somewhat, ah, uniquely configured, playing the game
documented in LXC and Docker DIY and using /r/lxc for the
configuration of its myriad containers. The containers are overseen by runit, with runsvdir
(itself started by systemd) watching /etc/service.
Miscellaneous Notes
Keytabs
One odd quirk that results from Chicago’s multi-faceted self is that it has several different Kerberos keytabs installed:
- /etc/krb5.keytab holds host/chicago.acm.jhu.edu@ACM.JHU.EDU and is used to get TGTs for things that need access to AFS.
- /r/lxc/kdc/etc/krb5.keytab also holds host/chicago.acm.jhu.edu@ACM.JHU.EDU and is used by kpropd to fetch the KDC database from typhon (within the kdc-kpropd container).
- /r/lxc/ldap/etc/krb5.keytab holds ldap/chicago.acm.jhu.edu@ACM.JHU.EDU and is used by LDAP replication (within the ldap-slapd container).
Please be sure that, during key rotation, all relevant keytabs are updated (the host/ principal lives in two of them, so both copies must receive the new key) and continue to hold only the principals they should.
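The following check is added here as an example; it is not part of Chicago's own tooling. It compares each keytab's contents against the principals listed above by parsing MIT Kerberos `klist -k` output (assumed layout: three header lines, then one line per key with the principal as the last field; Heimdal's `ktutil list` prints a different layout and would need a different parser). The two sample listings in the block are constructed for illustration. Run against the real files it needs `klist` and read access to the keytabs, i.e. root, and it must run on the host so the container keytabs are reachable under /r/lxc.

```shell
#!/bin/sh
# Added example: verify that each of Chicago's keytabs holds exactly the expected principals.
# Parses MIT Kerberos `klist -k` output (assumption: 3 header lines, principal is the last
# field of every key line). Not part of the Chicago documentation's own tooling.

# Print the distinct principals in a `klist -k` listing ($1), sorted, one per line.
# klist prints one line per key (enctype), so a principal normally appears several times.
principals_in_klist_output() {
    printf '%s\n' "$1" | awk 'NR > 3 && NF >= 2 { print $NF }' | sort -u
}

# Return 0 if the listing ($1) contains exactly the principals given as the remaining
# arguments; otherwise report what is missing or unexpected on stderr and return 1.
klist_output_matches() {
    listing=$1; shift
    expected=$(printf '%s\n' "$@" | sort -u)
    actual=$(principals_in_klist_output "$listing")
    status=0
    for p in $expected; do
        printf '%s\n' "$actual" | grep -Fxq -- "$p" || { echo "missing: $p" >&2; status=1; }
    done
    for p in $actual; do
        printf '%s\n' "$expected" | grep -Fxq -- "$p" || { echo "unexpected: $p" >&2; status=1; }
    done
    return $status
}

# Check a real keytab file: needs klist and read access to the file (i.e. root).
check_keytab() {
    keytab=$1; shift
    klist_output_matches "$(klist -k "$keytab")" "$@" || { echo "$keytab: principal mismatch" >&2; return 1; }
}

# The three keytabs and what each should contain, per the list above.
# Run on the host, so the container keytabs are reached via /r/lxc/...
check_chicago_keytabs() {
    ok=0
    check_keytab /etc/krb5.keytab            host/chicago.acm.jhu.edu@ACM.JHU.EDU || ok=1
    check_keytab /r/lxc/kdc/etc/krb5.keytab  host/chicago.acm.jhu.edu@ACM.JHU.EDU || ok=1
    check_keytab /r/lxc/ldap/etc/krb5.keytab ldap/chicago.acm.jhu.edu@ACM.JHU.EDU || ok=1
    return $ok
}

# Constructed sample listings (not real keytab contents). The second is what a sloppy
# rotation leaves behind: the ldap keytab still carrying an old host/ key.
SAMPLE_HOST_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/chicago.acm.jhu.edu@ACM.JHU.EDU
   3 host/chicago.acm.jhu.edu@ACM.JHU.EDU
   3 host/chicago.acm.jhu.edu@ACM.JHU.EDU'

SAMPLE_LDAP_LISTING_STALE='Keytab name: FILE:/r/lxc/ldap/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/chicago.acm.jhu.edu@ACM.JHU.EDU
   4 ldap/chicago.acm.jhu.edu@ACM.JHU.EDU
   4 ldap/chicago.acm.jhu.edu@ACM.JHU.EDU'

if command -v klist >/dev/null 2>&1 && [ -r /etc/krb5.keytab ]; then
    check_chicago_keytabs && echo "all keytabs hold the expected principals"
else
    klist_output_matches "$SAMPLE_HOST_LISTING" host/chicago.acm.jhu.edu@ACM.JHU.EDU && echo "sample host keytab: ok"
    klist_output_matches "$SAMPLE_LDAP_LISTING_STALE" ldap/chicago.acm.jhu.edu@ACM.JHU.EDU || echo "sample ldap keytab: stale key detected"
fi
```

The check only compares principal names, which is the failure mode the caution above is about (a keytab gaining or losing a principal). It does not compare KVNOs across the two host/ copies; after a rotation, eyeballing the KVNO column of `klist -k` on both is still worth doing.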
Slapd container
We pass the POSIX capabilities net_bind_service, setgid,
setuid, and dac_override into the LXC container for slapd.
slapd apparently needs these to create its ldapi:/// socket and
to shed its root privileges down to uid and gid 1.
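To confirm that the container really confines slapd to those four capabilities and that slapd has dropped to uid 1, here is an added check, not from Chicago's own tooling, that decodes the Cap* masks in /proc/PID/status. Capability bit numbers are those of <linux/capability.h>; the two masks used in the demonstration are constructed. The check looks at the bounding set (CapBnd) rather than CapEff, because once slapd has switched to a non-root uid its effective and permitted sets are normally empty and say nothing about what the container would allow. It assumes `pidof` is available and that it is run on the host against a container without uid mapping, so the Uid line reads as the page describes.

```shell
#!/bin/sh
# Added example: decode the capability masks in /proc/PID/status and confirm that slapd's
# bounding set is within the four capabilities the container is given. Not part of the
# Chicago documentation's own tooling. Bit numbers follow <linux/capability.h>.

# Capability names indexed by bit number: bit 0 = chown ... bit 40 = checkpoint_restore.
CAP_NAMES='chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice
sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap
mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf
checkpoint_restore'

# Print the names of the capabilities set in a hex mask (the form used by the Cap* lines
# of /proc/PID/status, with or without a 0x prefix), one per line, lowest bit first.
caps_in_mask() {
    mask=$((0x${1#0x}))
    bit=0
    for name in $CAP_NAMES; do
        [ $(( (mask >> bit) & 1 )) -eq 1 ] && printf '%s\n' "$name"
        bit=$((bit + 1))
    done
    return 0
}

# Return 0 if every capability set in the mask ($1) is among the names given as the
# remaining arguments; otherwise report each stray capability on stderr and return 1.
caps_subset_of() {
    mask=$1; shift
    allowed=" $* "
    status=0
    for name in $(caps_in_mask "$mask"); do
        case "$allowed" in
            *" $name "*) ;;
            *) echo "capability outside the allowed set: $name" >&2; status=1 ;;
        esac
    done
    return $status
}

# Read one field (Uid, CapBnd, CapEff, ...) from /proc/PID/status; prints the first value.
status_field() {
    awk -v f="$2:" '$1 == f { print $2 }' "/proc/$1/status"
}

# What the container passes in, per the section above.
SLAPD_CAPS='net_bind_service setgid setuid dac_override'

# Check the running slapd: it should be uid 1 and its bounding set must not exceed SLAPD_CAPS.
check_slapd() {
    pid=$(pidof slapd 2>/dev/null | awk '{ print $1 }')
    [ -n "$pid" ] || { echo "slapd is not running" >&2; return 1; }
    [ "$(status_field "$pid" Uid)" = "1" ] || { echo "slapd still runs as uid $(status_field "$pid" Uid)" >&2; return 1; }
    caps_subset_of "$(status_field "$pid" CapBnd)" $SLAPD_CAPS
}

# Constructed masks for demonstration: exactly bits 1, 6, 7 and 10 (0x4c2), and the same
# set plus sys_admin (bit 21), i.e. what an over-generous container config would produce.
EXPECTED_MASK=00000000000004c2
WIDER_MASK=00000000002004c2

if [ -n "$(pidof slapd 2>/dev/null)" ]; then
    check_slapd && echo "slapd: uid 1, bounding set within: $SLAPD_CAPS"
else
    echo "0x$EXPECTED_MASK decodes to: $(caps_in_mask "$EXPECTED_MASK" | tr '\n' ' ')"
    caps_subset_of "$WIDER_MASK" $SLAPD_CAPS || echo "0x$WIDER_MASK correctly rejected"
fi
```

If the bounding set comes back wider than the four names, the container configuration is handing slapd more than the section above says it needs, and that is what to fix; if slapd's Uid line is still 0, the privilege drop never happened, whatever the capability masks look like.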