[Linux-cluster] Re: [Cluster-devel] PAM and NSS for clusters

Kadlecsik Jozsef kadlec at mail.kfki.hu
Mon Nov 17 19:26:09 UTC 2008


On Mon, 17 Nov 2008, Lon Hohberger wrote:

> On Mon, 2008-11-17 at 15:43 +0100, Fabio M. Di Nitto wrote:
> > 
> > On Mon, 17 Nov 2008, Kadlecsik Jozsef wrote:
> 
> > > http://www.kfki.hu/~kadlec/sw/cluster/
> 
> > This looks very interesting. Did you consider submitting those patches 
> > upstream?
> 
> I agree - it's very cool.  It can't be used for bringing up GFS
> (chicken/egg), but for permissions on the file system and such, it looks
> pretty good.
> 
> What's neat is that you don't need centralized management server(s) :)

Yes, that's the main point: no need for an additional management system at 
all, the (cluster) filesystem provides it for free.

We fought a lot with pam-mysql and libnss-mysql and it was a disaster. In 
Debian/Ubuntu there's a libnss-mysql package which is simply broken. 
libnss-mysql-bg is an alternative, but it had problems with zsh and we 
were fed up with the debugging after libnss-mysql. And the whole concept 
is "suboptimal" at the minimum, as a mysql process is forked at every 
NSS/PAM usage. Of course one could install nscd, but it's just a 
workaround. So we came up using the filesystem itself.
 
> > I am pretty sure some of them (like Patch 1) should be accepted right 
> > away given they fix what could be a bug and reduce your delta in time.
> 
> 0005 looks like it statically defines /etc/cluster_rootdir, but I am
> probably reading the patch incorrectly.  I don't know PAM well enough to
> answer this question, so I need to ask it anyway:
>   
> * Is there a way to make the root directory configurable, or are admins
> expected to link /etc/cluster_rootdir to /gfs/system (or whatever they
> choose)?

That's not a PAM restriction at all but NSS: there is no way to make a 
name service switch module configurable, i.e. to use the same module 
multiple times, with different parameters: one cannot pass parameters to 
an NSS module. In PAM, it's easy, in NSS it's impossible.

Hm. OK, it's not nicer, but it would not be hard to change the logic: let 
/etc/cluster_rootdir be a directory and any symlink in that dir could 
point to the root directories of the alternate password files. Thus NSS 
could find them all, without using any parameters.

> I wonder if it would get accepted in a distribution ... that would be
> neat.  Since it doesn't actually require cluster software itself (just a
> shared file system), then it shouldn't be that hard... in theory :/

Best regards,
Jozsef
--
E-mail : kadlec at mail.kfki.hu, kadlec at blackhole.kfki.hu
PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address: KFKI Research Institute for Particle and Nuclear Physics
         H-1525 Budapest 114, POB. 49, Hungary
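
The directory-of-symlinks lookup proposed in the message above, as an added example that is not code from the post or from the patches it links to. The function name, the `owner` parameter, the `<root>/etc/passwd` layout and the ownership and permission checks are assumptions made for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* fgetpwent(), realpath() */
#endif
#include <dirent.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not the project's code. For each symlink in confdir,
 * search <target>/etc/passwd (assumed layout) for name. Returns 1 and sets
 * *uid on a match, 0 if not found, -1 if confdir cannot be trusted. */
int cluster_lookup_uid(const char *confdir, uid_t owner, const char *name, uid_t *uid)
{
    struct stat st;
    /* Every process doing a name lookup reads this directory, so refuse it
     * unless the trusted owner holds it and no one else can write to it. */
    if (lstat(confdir, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != owner || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;
    DIR *d = opendir(confdir);
    if (!d) return -1;
    int found = 0;
    struct dirent *e;
    while (!found && (e = readdir(d)) != NULL) {
        char link[PATH_MAX], root[PATH_MAX], pwfile[PATH_MAX];
        if (snprintf(link, sizeof link, "%s/%s", confdir, e->d_name) >= (int)sizeof link)
            continue;
        /* Only symlinks created by the trusted owner count; ".", ".." and files are skipped. */
        if (lstat(link, &st) != 0 || !S_ISLNK(st.st_mode) || st.st_uid != owner)
            continue;
        /* Canonicalise the target; dangling links and non-directories are skipped. */
        if (!realpath(link, root) || stat(root, &st) != 0 || !S_ISDIR(st.st_mode))
            continue;
        if (snprintf(pwfile, sizeof pwfile, "%s/etc/passwd", root) >= (int)sizeof pwfile)
            continue;
        FILE *f = fopen(pwfile, "re");
        if (!f) continue;
        for (struct passwd *pw; !found && (pw = fgetpwent(f)) != NULL;)
            if (strcmp(pw->pw_name, name) == 0) { *uid = pw->pw_uid; found = 1; }
        fclose(f);
    }
    closedir(d);
    return found;
}
```

In a real module `owner` would be 0, so that only root can add or redirect a password source.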



