[Linux-cluster] Re: [Cluster-devel] PAM and NSS for clusters
Kadlecsik Jozsef
kadlec at mail.kfki.hu
Mon Nov 17 19:26:09 UTC 2008
On Mon, 17 Nov 2008, Lon Hohberger wrote:
> On Mon, 2008-11-17 at 15:43 +0100, Fabio M. Di Nitto wrote:
> >
> > On Mon, 17 Nov 2008, Kadlecsik Jozsef wrote:
>
> > > http://www.kfki.hu/~kadlec/sw/cluster/
>
> > This looks very interesting. Did you consider submitting those patches
> > upstream?
>
> I agree - it's very cool. It can't be used for bringing up GFS
> (chicken/egg), but for permissions on the file system and such, it looks
> pretty good.
>
> What's neat is that you don't need centralized management server(s) :)
Yes, that's the main point: no need for an additional management system at
all, the (cluster) filesystem provides it for free.

We fought a lot with pam-mysql and libnss-mysql and it was a disaster. In
Debian/Ubuntu there's a libnss-mysql package which is simply broken.
libnss-mysql-bg is an alternative, but it had problems with zsh and we
were fed up with the debugging after libnss-mysql. And the whole concept
is "suboptimal" at the minimum, as a mysql process is forked at every
NSS/PAM usage. Of course one could install nscd, but it's just a
workaround. So we came up with using the filesystem itself.
> > I am pretty sure some of them (like Patch 1) should be accepted right
> > away given they fix what could be a bug and reduce your delta in time.
>
> 0005 looks like it statically defines /etc/cluster_rootdir, but I am
> probably reading the patch incorrectly. I don't know PAM well enough to
> answer this question, so I need to ask it anyway:
>
> * Is there a way to make the root directory configurable, or are admins
> expected to link /etc/cluster_rootdir to /gfs/system (or whatever they
> choose)?
That's not a PAM restriction at all but NSS: there is no way to make a
name service switch module configurable, i.e. to use the same module
multiple times, with different parameters: one cannot pass parameters to
an NSS module. In PAM, it's easy, in NSS it's impossible.

Hm. OK, it's not nicer, but it wouldn't be hard to change the logic: let
/etc/cluster_rootdir be a directory and any symlink in that dir could
point to the root directories of the alternate password files. Thus NSS
could find them all, without using any parameters.
> I wonder if it would get accepted in a distribution ... that would be
> neat. Since it doesn't actually require cluster software itself (just a
> shared file system), then it shouldn't be that hard... in theory :/
Best regards,
Jozsef
--
E-mail : kadlec at mail.kfki.hu, kadlec at blackhole.kfki.hu
PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address: KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
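
Added example (not part of the original message or of the patches it discusses): a C sketch of the parameter-free lookup proposed above, where /etc/cluster_rootdir is a directory of symlinks that each point at an alternate root. The function name `cluster_lookup`, the `<root>/etc/passwd` layout and the ownership and write-permission checks are assumptions added for illustration.

```c
/* Added example; the <root>/etc/passwd layout and all names are assumptions. */
#define _DEFAULT_SOURCE 1
#include <dirent.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Search <target>/etc/passwd behind every symlink in `dir` for `name`.
 * Returns 1 and sets *uid on a hit, 0 if not found, -1 if `dir` is untrusted. */
int cluster_lookup(const char *dir, uid_t owner, const char *name, uid_t *uid)
{
    struct stat st;
    /* An NSS module runs inside every process, setuid ones included, so
     * refuse a directory that anyone but `owner` could add symlinks to. */
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;
    DIR *d = opendir(dir);
    if (d == NULL) return -1;
    int found = 0;
    struct dirent *e;
    while (!found && (e = readdir(d)) != NULL) {
        char link[PATH_MAX], root[PATH_MAX], file[PATH_MAX + 16];
        if (snprintf(link, sizeof link, "%s/%s", dir, e->d_name) >= (int)sizeof link)
            continue;
        if (lstat(link, &st) != 0 || !S_ISLNK(st.st_mode) || st.st_uid != owner)
            continue;               /* skip ".", "..", files, foreign links */
        if (realpath(link, root) == NULL)
            continue;               /* dangling: that filesystem is not mounted */
        snprintf(file, sizeof file, "%s/etc/passwd", root);
        FILE *f = fopen(file, "re");
        if (f == NULL)
            continue;
        struct passwd pw, *res;
        char buf[4096];
        while (!found && fgetpwent_r(f, &pw, buf, sizeof buf, &res) == 0)
            if (strcmp(pw.pw_name, name) == 0) {
                *uid = pw.pw_uid;
                found = 1;
            }
        fclose(f);
    }
    closedir(d);
    return found;
}
```

In a deployment the caller would pass "/etc/cluster_rootdir" and uid 0; the owner is a parameter here only so the function can be exercised without root.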