#########################
Chicago: The ACM In A Box
#########################

Chicago replicates a whole lot of services and is intended to be the one thing that needs to be grabbed in a fire, as it were. Relevant sections of the documentation that specifically mention Chicago include:

* the AFS partition scheme: :doc:`/admindoc/core/afsdoc/partitions`
* the long-term archival store: :doc:`/admindoc/core/afsdoc/bup`

The machine itself is somewhat, ah, uniquely configured, playing the game documented in :doc:`/admindoc/services/containers`, using ``/r/lxc`` for the configuration of its myriad containers. They are overseen by `runit`_ automation, with ``runsvdir`` watching ``/etc/service`` (``runsvdir`` itself being started by systemd).

Miscellaneous Notes
###################

Keytabs
=======

One odd quirk that results from Chicago's multi-faceted self is that it has several different Kerberos keytabs installed:

* ``/etc/krb5.keytab`` holds ``host/chicago.acm.jhu.edu@ACM.JHU.EDU`` and is used to get TGTs for things that need access to AFS.
* ``/r/lxc/kdc/etc/krb5.keytab`` also holds ``host/chicago.acm.jhu.edu@ACM.JHU.EDU`` and is used by ``kpropd`` to fetch the KDC database from typhon (within the ``kdc-kpropd`` container).
* ``/r/lxc/ldap/etc/krb5.keytab`` holds ``ldap/chicago.acm.jhu.edu@ACM.JHU.EDU`` and is used by LDAP replication (within the ``ldap-slapd`` container).

Please be sure that, during key rotation, all relevant keytabs are updated and continue to hold only the principals they should.

Slapd container
===============

We pass the POSIX capabilities ``net_bind_service``, ``setgid``, ``setuid``, and ``dac_override`` in to the LXC container for ``slapd``. ``slapd`` apparently needs these to create its ``ldapi:///`` socket and shed its r00t privs down to uid and gid 1.
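The keytab rule above (every keytab updated, each holding only its own principals) is easy to get wrong by hand after a rotation. The following is an added example, not part of the ACM documentation or tooling: it parses ``klist -k`` output for the three keytabs named above and reports missing or stray principals, plus any copy whose KVNO lags the newest one seen (a stale, un-rotated keytab). The sample listings are constructed, not captured from chicago.

```python
import re

# Where Chicago's keytabs live and what each should hold, per this page.
EXPECTED = {
    "/etc/krb5.keytab": {"host/chicago.acm.jhu.edu@ACM.JHU.EDU"},
    "/r/lxc/kdc/etc/krb5.keytab": {"host/chicago.acm.jhu.edu@ACM.JHU.EDU"},
    "/r/lxc/ldap/etc/krb5.keytab": {"ldap/chicago.acm.jhu.edu@ACM.JHU.EDU"},
}

# One ``klist -k`` entry line: KVNO, then principal (one line per enctype).
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")

def parse_klist(text):
    """Map principal -> highest KVNO found in one ``klist -k`` listing."""
    kvnos = {}
    for m in filter(None, map(ENTRY.match, text.splitlines())):
        kvno, princ = int(m.group(1)), m.group(2)
        kvnos[princ] = max(kvno, kvnos.get(princ, 0))
    return kvnos

def audit(listings, expected=EXPECTED):
    """listings: {keytab path: ``klist -k`` output}. Returns problem strings."""
    parsed = {path: parse_klist(text) for path, text in listings.items()}
    # After a rotation every copy of a principal must carry the newest KVNO;
    # a lower number means that keytab was not updated.
    newest = {}
    for have in parsed.values():
        for p, k in have.items():
            newest[p] = max(k, newest.get(p, 0))
    problems = []
    for path, want in expected.items():
        have = parsed.get(path, {})
        problems += [f"{path}: missing {p}" for p in sorted(want - set(have))]
        problems += [f"{path}: unexpected {p}" for p in sorted(set(have) - want)]
        problems += [f"{path}: {p} at kvno {k}, newest is {newest[p]}"
                     for p, k in have.items() if k < newest[p]]
    return problems

# Constructed sample listings (not real output) with two defects: the kdc
# container's copy is a key version behind, and the ldap keytab has a stray host/ entry.
SAMPLE = {
    "/etc/krb5.keytab": "KVNO Principal\n---- ----\n"
        "   4 host/chicago.acm.jhu.edu@ACM.JHU.EDU\n"
        "   4 host/chicago.acm.jhu.edu@ACM.JHU.EDU\n",
    "/r/lxc/kdc/etc/krb5.keytab": "KVNO Principal\n---- ----\n"
        "   3 host/chicago.acm.jhu.edu@ACM.JHU.EDU\n",
    "/r/lxc/ldap/etc/krb5.keytab": "KVNO Principal\n---- ----\n"
        "   4 ldap/chicago.acm.jhu.edu@ACM.JHU.EDU\n"
        "   2 host/chicago.acm.jhu.edu@ACM.JHU.EDU\n",
}
```

On the box itself, feed ``audit`` the real output of ``klist -k <path>`` for each keytab (run as root, since the container keytabs are not world-readable) in place of ``SAMPLE``.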