I have been able to set up a private Koji instance using Kerberos and have /mnt/koji shared via NFSv4 using sec=krb5p (with manual intervention after kojid startup); however, I have some questions regarding automation.
The /mnt/koji directory is exported with (/etc/exports):

/export *.example.com(fsid=0,sec=krb5p)
/export/home *.example.com(rw,nohide,sec=krb5p)
...
/export/koji *.example.com(ro,nohide,sec=krb5p,all_squash)
...

The kojibuilder user on each of the kojid hosts needs read access to this directory, so I attempted to use the following script at startup (and via cron jobs to keep the kojibuilder (uidnumber 492) user's credentials refreshed):

------------
#!/bin/bash
KRB5CCNAME="/tmp/krb5cc_492"
export KRB5CCNAME
/usr/bin/kinit -k -t /etc/kojibuilder.keytab \
    kojibuilder/[email protected]
chown kojibuilder:kojibuilder $KRB5CCNAME
chcon -t user_tmp_t $KRB5CCNAME
-----------

But unless I 'su - kojibuilder' and run the above script, the kojibuilder user is not able to access the krb5p mount. Once I run the script as the kojibuilder user, kojid builds won't fail with mock errors.

Are there other users who have a better solution for this? Right now, the kojihub is exporting other mounts to actual users, and it doesn't appear that I can enforce krb5p on all other exports except this one.

Thanks.

-A

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
-- buildsys mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/buildsys
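One way to automate the credential refresh the post asks about, as an added example that is not part of the original message or of the Koji project: run kinit as the kojibuilder account itself (the variant the post reports as working when done by hand via 'su - kojibuilder'), driven from a root cron job through runuser, and only re-kinit when klist -s reports that the cache no longer holds a valid ticket. It assumes util-linux runuser is installed, that /etc/kojibuilder.keytab is readable by the kojibuilder user, that kinit/klist behave like MIT Kerberos (kinit -c, klist -s), and that the service principal is supplied in the KOJI_PRINC environment variable, since it is redacted in the post. The KOJI_* variable names and the script layout are the example's own.

```shell
#!/bin/bash
# Added example (not from the original post or the Koji project): refresh the
# Kerberos credential cache of the kojibuilder service account from a root
# cron job by running kinit *as that user*, so the cache file is created with
# the right owner instead of being chown'ed afterwards.
# Assumptions: util-linux `runuser` is installed, /etc/kojibuilder.keytab is
# readable by kojibuilder, kinit/klist behave like MIT Kerberos, and the
# principal is supplied in KOJI_PRINC (it is redacted in the post).
set -u

KOJI_USER="${KOJI_USER:-kojibuilder}"
KOJI_KEYTAB="${KOJI_KEYTAB:-/etc/kojibuilder.keytab}"
KOJI_PRINC="${KOJI_PRINC:-}"

# Cache path in the post's convention, /tmp/krb5cc_<uid>, which is also where
# rpc.gssd looks for a user's credentials by default.
ccache_path() {
    local user="$1" uid
    uid=$(id -u "$user") || return 1
    printf '/tmp/krb5cc_%s\n' "$uid"
}

# Run a command as the service user, without a login shell.
as_user() {
    local user="$1"
    shift
    runuser -u "$user" -- "$@"
}

# Exit 0 if the cache already holds a valid, unexpired TGT
# (klist -s prints nothing and only sets the exit status).
ccache_valid() {
    local user="$1" ccache="$2"
    as_user "$user" klist -s -c "$ccache"
}

# Re-acquire the TGT from the keytab only when the existing cache is invalid.
# kinit writes the cache file as the user, so no chown is needed; add the
# post's chcon after the kinit if SELinux labelling still requires it.
refresh_ccache() {
    local user="$1" keytab="$2" princ="$3" ccache
    ccache=$(ccache_path "$user") || return 1
    if ccache_valid "$user" "$ccache"; then
        return 0
    fi
    as_user "$user" kinit -k -t "$keytab" -c "$ccache" "$princ" || return 1
    ccache_valid "$user" "$ccache"
}

case "${1:-}" in
    refresh)
        if [ -z "$KOJI_PRINC" ]; then
            echo "KOJI_PRINC must be set to the kojibuilder service principal" >&2
            exit 2
        fi
        refresh_ccache "$KOJI_USER" "$KOJI_KEYTAB" "$KOJI_PRINC"
        ;;
    *)
        echo "usage: KOJI_PRINC='kojibuilder/<fqdn>@<REALM>' $0 refresh" >&2
        ;;
esac
```

Install it under a path of your choosing (for instance the hypothetical /usr/local/sbin/koji-krb-refresh) and call it from root's crontab with the principal in the environment, e.g. `*/30 * * * * root KOJI_PRINC='kojibuilder/<fqdn>@<REALM>' /usr/local/sbin/koji-krb-refresh refresh`, at an interval shorter than the ticket lifetime. Because the cache is created by a process already running as kojibuilder, the ownership fix-up from the post's script is not needed; the keytab, on the other hand, now has to be readable by that user, so restrict it to that user (for example owner kojibuilder, mode 0400) rather than leaving it world-readable.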
