FYI - I accidentally sent these from the wrong window... If you have any questions about them, send them to [EMAIL PROTECTED], as I won't see the replies otherwise.

-- Nathan

> -----Original Message-----
> From: System Administrator [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 14, 2000 8:56 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: [OpenAFS] Scripts for cleaning tokens/pags
>
> These are two scripts we use on machines with the following criteria:
>
> a. Lots of authentications that involve tokens - this in our case does _NOT_ include POP and IMAP servers, those are krb5 only, and do not get tokens, however, they _DO_ include telnet logins, netatalk-afpd, and samba.
>
> b. Setup such that tokens don't go away in general. In the case of telnet sessions, people often leave stuff running in background - having the tokens go away would cause a problem.
>
> c. (HP-UX) Tokens are not owned by userids that don't match their afsid. (This is a limitation of HP-UX, I have no way of determining the pags that are in use by a process.) On linux, /proc can be used to determine all active pags from processes that are running.
>
> ----
>
> For reference, if you run this script on a machine that is overly bogged down by pags currently - it will likely appear to lock up the machine for a few seconds as it collapses a huge in-kernel hash into a tiny one after you've cleared out all the old tokens.
>
> I'm sure someone could improve this immensely by triggering the unlog system call from perl directly instead of system("unlog");
>
> ---
>
> The way the scripts work is, using kdump, they retrieve a list of all the pags in the kernel hash, then they attempt to determine which of those pags contain tokens that need to be kept. (In the case of the hpux10 script, that means 'the userid associated with this afsid for this token has processes running on the machine'.) (In the case of linux, that means 'a process exists in this pag'.) It then loops through all those pags, putting the script into that pag temporarily (setgroups) and issuing unlog.
>
> ---
>
> Note - this is necessary even on the most current afs for linux, as it still does not do garbage collection of tokens/pags.
>
> -- Nathan
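
The Linux-side selection step described in the message above ("a process exists in this pag"), as an added Python example that is not part of the original message or of the scripts it describes. It assumes the two-supplementary-group PAG encoding of AFS clients of that era, with the PAG in the first two entries of the `Groups:` line of `/proc/<pid>/status`; it takes the kernel's PAG list as already-parsed integers rather than assuming a kdump output format, and all function names and sample data are constructed for illustration.

```python
import glob
import re

def pag_from_groups(g0, g1):
    """Decode a PAG from two group IDs (assumed classic two-group encoding)."""
    g0 -= 0x3F00
    g1 -= 0x3F00
    if not (0 <= g0 < 0xC000 and 0 <= g1 < 0xC000):
        return None
    low = ((g0 & 0x3FFF) << 14) | (g1 & 0x3FFF)
    high = (g1 >> 14) + 3 * (g0 >> 14)
    pag = ((high << 28) | low) & 0xFFFFFFFF
    # Real PAG numbers carry ASCII 'A' (0x41) in the top byte; anything else
    # is an ordinary pair of groups that happens to fall in range.
    return pag if (pag >> 24) == 0x41 else None

def pag_of_status(status_text):
    """PAG of one process, from the text of its /proc/<pid>/status, or None."""
    m = re.search(r"^Groups:[ \t]*(.*)$", status_text, re.MULTILINE)
    gids = [int(g) for g in m.group(1).split()] if m else []
    return pag_from_groups(gids[0], gids[1]) if len(gids) >= 2 else None

def stale_pags(kernel_pags, status_texts):
    """PAGs present in the kernel list that no running process belongs to."""
    active = {p for p in map(pag_of_status, status_texts) if p is not None}
    return sorted(set(kernel_pags) - active)

def read_proc_status():
    """Collect /proc/<pid>/status bodies; a process may exit mid-scan."""
    texts = []
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                texts.append(fh.read())
        except OSError:
            continue
    return texts

# Constructed sample data (not taken from a real machine).
SAMPLE_STATUS = [
    "Name:\tbash\nUid:\t1001\t1001\t1001\t1001\nGroups:\t33536 32513 100\n",
    "Name:\tcron\nUid:\t0\t0\t0\t0\nGroups:\t0 1 2\n",
]
SAMPLE_KERNEL_PAGS = [0x41000001, 0x41000002, 0x41000003]

if __name__ == "__main__":
    for pag in stale_pags(SAMPLE_KERNEL_PAGS, SAMPLE_STATUS):
        print(f"no process in PAG {pag:#010x}: candidate for unlog")
```

The result is a point-in-time snapshot: a process that enters a PAG after the scan is not reflected in it, so the list should be computed immediately before any cleanup pass.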
