Chicago: The ACM In A Box

Chicago replicates a whole lot of services and is intended to be the one thing that needs to be grabbed in a fire, as it were. Relevant sections of the documentation that specifically mention Chicago include

The machine itself is, ah, somewhat uniquely configured: it plays the game documented in LXC and Docker DIY, with /r/lxc holding the configuration of its many containers. The containers are supervised by runit, with runsvdir watching /etc/service; runsvdir is itself started by systemd.

Miscellaneous Notes

Keytabs

One odd quirk of Chicago’s multi-faceted nature is that it has several different Kerberos keytabs installed:

  • /etc/krb5.keytab holds host/chicago.acm.jhu.edu@ACM.JHU.EDU and is used to get TGTs for things that need access to AFS.
  • /r/lxc/kdc/etc/krb5.keytab also holds host/chicago.acm.jhu.edu@ACM.JHU.EDU and is used by kpropd to authenticate KDC database propagation from typhon (within the kdc-kpropd container).
  • /r/lxc/ldap/etc/krb5.keytab holds ldap/chicago.acm.jhu.edu@ACM.JHU.EDU and is used by LDAP replication (within the ldap-slapd container).

Please be sure that, during key rotation, every one of these keytabs is updated and that each continues to hold only the principals it should: a keytab left at the old key version breaks the service that reads it, and a keytab carrying extra principals lets whichever container holds it impersonate services it has no business impersonating.
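As an added example (not from this wiki or from Chicago’s own automation), a small POSIX sh audit that lists the principals in each keytab with klist -k and flags anything missing or unexpected. The paths and principals are the three listed above; the parsing assumes MIT Kerberos, whose klist -k prints one line per key with a numeric KVNO in the first column and the principal in the second (Heimdal’s output differs and would need its own parser). Run it as root on the host, since the keytabs are not world-readable.

```shell
#!/bin/sh
# Added example, not part of the ACM wiki or Chicago's own tooling: audit
# Chicago's keytabs so that each holds exactly the principals listed above.
# Assumes MIT Kerberos, whose "klist -k" prints one line per key with a
# numeric KVNO in the first column and the principal in the second.
# Run as root; keytabs are not world-readable.

# principals_from_listing: read "klist -k" output on stdin and print the
# sorted, de-duplicated principal names (one key per enctype collapses to one).
principals_from_listing() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# principals_in_keytab FILE: the same, straight from a keytab on disk.
principals_in_keytab() {
    klist -k "$1" | principals_from_listing
}

# check_principals ACTUAL EXPECTED: ACTUAL is newline-separated (as produced
# above), EXPECTED is space-separated. Reports every principal that is missing
# or that should not be there; succeeds only when the two sets are identical.
check_principals() {
    actual=$1
    expected=$(printf '%s\n' $2 | sort -u)
    rc=0
    for p in $expected; do
        printf '%s\n' "$actual" | grep -qxF -- "$p" || { echo "MISSING: $p"; rc=1; }
    done
    for p in $actual; do
        printf '%s\n' "$expected" | grep -qxF -- "$p" || { echo "UNEXPECTED: $p"; rc=1; }
    done
    return $rc
}

# check_keytab FILE EXPECTED...: wire the two together for one keytab.
check_keytab() {
    file=$1; shift
    echo "== $file"
    check_principals "$(principals_in_keytab "$file")" "$*"
}

# audit_chicago_keytabs: the three keytabs from the page and their contents.
# Exit status is non-zero if any keytab deviates, so this can gate a rotation.
audit_chicago_keytabs() {
    rc=0
    check_keytab /etc/krb5.keytab            host/chicago.acm.jhu.edu@ACM.JHU.EDU || rc=1
    check_keytab /r/lxc/kdc/etc/krb5.keytab  host/chicago.acm.jhu.edu@ACM.JHU.EDU || rc=1
    check_keytab /r/lxc/ldap/etc/krb5.keytab ldap/chicago.acm.jhu.edu@ACM.JHU.EDU || rc=1
    return $rc
}

# Usage (from the host, as root): sh keytab-audit.sh audit
case "${1-}" in
    audit) audit_chicago_keytabs ;;
esac
```

Because the comparison is set-based, the audit catches both failure modes the note above warns about: a principal that went missing (or whose keytab was never re-extracted) and a principal that was added by mistake, for instance an ldap/ key ending up in the kdc container’s keytab. It does not check key versions; compare the KVNO column against the KDC after a rotation for that.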

Slapd container

We pass the “POSIX capabilities” net_bind_service, setgid, setuid, and dac_override into the LXC container for slapd. slapd needs these, apparently, to bind its listening port, create its ldapi:/// socket, and shed its root privileges down to uid and gid 1 (net_bind_service covers the first, setuid and setgid the last). Keep this list minimal: dac_override bypasses file permission checks altogether and is by far the broadest of the four, so it is worth re-confirming as still necessary whenever the socket directory’s ownership or the slapd version changes.
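One way to verify that least-privilege claim on the running container, as an added example that is not part of this wiki or of Chicago’s container configuration: read the capability masks from /proc/PID/status and confirm that slapd’s bounding set holds nothing beyond the four capabilities named above and that, once it has switched to uid 1, its effective set is empty. Capability bit numbers follow linux/capability.h; the sample masks in the comments are constructed, and the PID you pass in is the only input.

```shell
#!/bin/sh
# Added example, not part of the ACM wiki or Chicago's container configuration:
# check, from /proc, that slapd in its LXC container can never hold more than
# the four capabilities the page says it is given, and that it really has
# dropped them after switching to uid/gid 1.
# Capability bit numbers follow linux/capability.h (bit 0 = chown, ...).

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read"

# cap_name N: symbolic name for capability bit N (cap_N if newer than the table)
cap_name() {
    i=0
    for name in $CAP_NAMES; do
        [ "$i" -eq "$1" ] && { echo "$name"; return 0; }
        i=$((i + 1))
    done
    echo "cap_$1"
}

# decode_caps HEXMASK: print the name of every bit set in a /proc/PID/status
# capability mask (e.g. the constructed "00000000000004c2" = dac_override,
# setgid, setuid, net_bind_service), one per line, lowest bit first.
decode_caps() {
    mask=$((0x$1))
    bit=0
    while [ "$bit" -lt 64 ]; do
        [ $(( (mask >> bit) & 1 )) -eq 1 ] && cap_name "$bit"
        bit=$((bit + 1))
    done
}

# caps_within HEXMASK ALLOWED...: succeed only if every capability in HEXMASK
# is in the ALLOWED list; print each excess capability otherwise.
caps_within() {
    mask=$1; shift
    allowed=" $* "
    rc=0
    for c in $(decode_caps "$mask"); do
        case "$allowed" in
            *" $c "*) ;;
            *) echo "EXTRA: $c"; rc=1 ;;
        esac
    done
    return $rc
}

# cap_field PID FIELD: hex mask from the CapInh/CapPrm/CapEff/CapBnd line.
cap_field() {
    awk -v f="$2:" '$1 == f { print $2 }' "/proc/$1/status"
}

# check_slapd PID: the bounding set is the ceiling slapd could ever regain and
# it survives setuid(), so it must lie within the four; the effective set must
# be empty once slapd runs as uid 1 (a plain setuid() away from root clears it).
check_slapd() {
    caps_within "$(cap_field "$1" CapBnd)" dac_override setgid setuid net_bind_service || return 1
    [ "$(cap_field "$1" CapEff)" = "0000000000000000" ]
}

# Usage (from the host, as root): sh slapd-caps.sh check "$(pidof slapd)"
case "${1-}" in
    check) check_slapd "$2" ;;
esac
```

The bounding-set check is the one that matters for containment: CapEff going to zero only says slapd dropped what it had, while CapBnd says what any process in that container, including a compromised slapd, could ever get back through a setuid or file-capability binary. If the check reports an EXTRA capability, the container configuration is granting more than the four listed above and should be tightened.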