From 223b5a0e5ba99f5ae8098748d87e7356bf58f8de Mon Sep 17 00:00:00 2001
From: Julien Leduc <julien.leduc@cern.ch>
Date: Wed, 19 Feb 2020 23:56:32 +0100
Subject: [PATCH] Password for quarkdb is now mandatory with new eos 4.7.x

---
 .../docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh       | 6 +++---
 .../docker/ctafrontend/cc7/opt/run/bin/start_quarkdb.sh    | 7 +++++++
 .../orchestration/eos-config-quarkdb.yaml                  | 3 +++
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
index 3482772919..fdbf88b7c3 100755
--- a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
+++ b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
@@ -71,9 +71,6 @@ echo "mgmofs.tapeenabled true"  >> /etc/xrd.cf.mgm
 # Add configmap based configuration (initially Namespace)
 test -f /etc/config/eos/xrd.cf.mgm && cat /etc/config/eos/xrd.cf.mgm >> /etc/xrd.cf.mgm
 
-# quarkDB only for systemd initially...
-cat /etc/config/eos/xrd.cf.mgm | grep mgmofs.nslib | grep -qi eosnsquarkdb && /opt/run/bin/start_quarkdb.sh
-
 # prepare eos startup
   # skip systemd for eos initscripts
     export SYSTEMCTL_SKIP_REDIRECT=1
@@ -91,6 +88,9 @@ echo -n '0 u:daemon g:daemon n:ctaeos+ N:6361884315374059521 c:1481241620 e:0 f:
   touch   /var/eos/config/${eoshost}/default.eoscf
     chown daemon:daemon /var/eos/config/${eoshost}/default.eoscf
 
+# quarkDB only for systemd initially...
+cat /etc/config/eos/xrd.cf.mgm | grep mgmofs.nslib | grep -qi eosnsquarkdb && /opt/run/bin/start_quarkdb.sh
+
 # add taped SSS must be in a kubernetes secret
 #echo >> /etc/eos.keytab
 #echo '0 u:stage g:tape n:taped+ N:6361736405290319874 c:1481207182 e:0 f:0 k:8e2335f24cf8c7d043b65b3b47758860cbad6691f5775ebd211b5807e1a6ec84' >> /etc/eos.keytab
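Review bot: The relocated QuarkDB start now depends on /etc/eos.keytab already existing, because start_quarkdb.sh copies that file as the QuarkDB password file, but the comment carried over with it (`# quarkDB only for systemd initially...`) does not say so. The keytab appears to be written by the lines just above this hunk, so I would add `# must run after /etc/eos.keytab is created: start_quarkdb.sh copies it as the QuarkDB password file` to keep the block from being moved back up later. The added line also reads /etc/config/eos/xrd.cf.mgm without the `test -f` guard used a few lines earlier. A failing start_quarkdb.sh is not acted on here, so a missing password file would presumably only surface later, when the MGM cannot authenticate to QuarkDB. The script continues outside the hunk.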
diff --git a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/start_quarkdb.sh b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/start_quarkdb.sh
index 2c9d873a04..765d2ccac7 100755
--- a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/start_quarkdb.sh
+++ b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/start_quarkdb.sh
@@ -25,6 +25,13 @@ chown -R xrootd:xrootd ${QUARKDB_DIRECTORY}
 
 cp -f ${QUARKDB_CONFIG} /etc/xrootd/xrootd-quarkdb.cfg
 
+# quarkdb is starting as xrootd user and mgm as daemon
+# the password file must be 400 for each service...
+# for now copy and chown, later run quarkdb as daemon and use /etc/eos.keytab for both
+cp /etc/eos.keytab /etc/eos.keytab.xrootd
+chmod 400 /etc/eos.keytab.xrootd
+chown xrootd:xrootd /etc/eos.keytab.xrootd
+
 systemctl start xrootd@quarkdb
 
 systemctl status xrootd@quarkdb
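Review bot: The three added commands copy the keytab first and restrict it afterwards, and none of them is checked before `systemctl start xrootd@quarkdb` runs. `install -m 400 -o xrootd -g xrootd /etc/eos.keytab /etc/eos.keytab.xrootd || exit 1` creates the copy with its final mode and owner in one command. It also stops the script when the source keytab is missing, instead of starting QuarkDB without its password file. Whether the script already runs under `set -e` is not visible from this hunk.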
diff --git a/continuousintegration/orchestration/eos-config-quarkdb.yaml b/continuousintegration/orchestration/eos-config-quarkdb.yaml
index d393a55a8f..68d7aae739 100644
--- a/continuousintegration/orchestration/eos-config-quarkdb.yaml
+++ b/continuousintegration/orchestration/eos-config-quarkdb.yaml
@@ -8,8 +8,11 @@ data:
   xrd.cf.mgm: |
     mgmofs.nslib /usr/lib64/libEosNsQuarkdb.so
     mgmofs.qdbcluster localhost:7777
+    mgmofs.qdbpassword_file  /etc/eos.keytab
+
   xrootd-quarkdb.cfg: |
     xrd.port 7777
     xrd.protocol redis:7777 /usr/lib64/libXrdQuarkDB.so
     redis.mode standalone
     redis.database /var/lib/quarkdb/quarkdb1
+    redis.password_file  /etc/eos.keytab.xrootd
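Review bot: `redis.password_file` points at /etc/eos.keytab.xrootd, which exists only because start_quarkdb.sh creates it as a copy of /etc/eos.keytab. The SSS keytab and the QuarkDB password are therefore the same secret, and this config silently depends on that script. A comment above the `xrootd-quarkdb.cfg` key, such as `# /etc/eos.keytab.xrootd is created by start_quarkdb.sh (copy of /etc/eos.keytab readable by xrootd)`, would document the coupling. Outside CI, a dedicated QuarkDB password file delivered as a Kubernetes secret would keep a leak of one credential from exposing the other.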
-- 
GitLab