remctl endpoints

Russ Allbery rra at stanford.edu
Thu Aug 9 17:52:30 EDT 2012 

Ken Dreyer <ktdreyer at ktdreyer.com> writes:

> In the course of setting up remctl for our AFS infrastructure, I was
> wondering how other sites expose remctld servers to their users. Do you
> have a hostname that's dedicated to this service, such as
> remctl.example.edu ?

We run remctld on literally every system we manage (since we expose
commands to run and lock Puppet and to install packages with aptitude or
yum).  We also expose remctl interfaces for every service that we run, so
any central server doing something like mail services or AFS or web
services has a corresponding set of remctl interfaces exposed to manage or
manipulate parts of that service.

That's the main reason why I've never pursued anything with SRV records:
my mental model is mostly that every system runs remctld and exposes
interfaces to manage those services, and load balancing and availability
happens via load balancing for the service and connecting to the relevant
hostname.

But other folks may well deploy it in a different way.

I would worry about putting all remctl interfaces on a single machine due
to separation of privilege.  If there is more than one thing that you want
to manage, I'm not sure that you'd want all that management on the same
box.  As you say:

> One of the problems I foresee is that sometimes you want a task to run
> on an AFS VLDB server, and sometimes you want it to run on a Kerberos
> KDC. If your cell name matches your realm name, having a generic
> "_remctl._tcp.cell.example.com" SRV entry would not allow you to
> distinguish between server types.

Exactly.

> Does anyone else have ideas for remctl routing and high availability?  I
> guess each remctl application could do a SRV lookup on _kerberos._udp,
> or _afs3-vlserver._udp, and then contact those servers individually.

We mostly use hardware or software DNS load balancing, so we connect to,
say, www.stanford.edu and that goes to one of the underlying systems based
on load balancing and availability.  (For remctl with hardware load
balancing, this requires deploying a shared host/* key on those systems in
most configurations.)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

More information about the Kerberos mailing list