issue with k5start
Russ Allbery
eagle at eyrie.org
Tue Sep 25 17:11:54 EDT 2018
Kristen Webb <kwebb at teradactyl.com> writes:
> When I use the -k ccache option it appears that each job simply
> overwrites the cchache file.
It should only do this if the ticket is going to expire sooner than two
minutes before the next wake-up period, though, I think? I would have
expected this to work with all jobs sharing the same cache file, as long
as they're at least a little staggered. That said, I don't think I've
really tested for this sort of parallelism, and it's entirely possible
that the separate k5start processes don't manage coordination between each
other on the same ticket cache properly.
> Is there a way to use k5start to achieve what I am after
> - shared ccache for many jobs to keep kerberos server traffic down
> - allow long running jobs to continue beyond their initial aklog
> renewal date
> If I ran k5start as a daemon and managed periodic aklog's within my
> application, would that work?
Yes, that's what I was going to suggest. If each application is running
in a separate PAG, each application needs to run aklog periodically
independently of the others. If you also want to share a single ticket
cache among the applications, you probably want to split those two
operations.
Unfortunately, k5start doesn't currently have a mode of operation in which
it only runs the aklog command but doesn't try to renew tickets if they
aren't about to expire.
--
Russ Allbery (eagle at eyrie.org) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list