kick off a post boot job

Chuck Swiger cswiger at mac.com
Wed Oct 18 17:36:01 UTC 2006


On Oct 18, 2006, at 10:10 AM, Robin Becker wrote:
> I have a number of servers which don't have console access, but I  
> would like to have apache started automatically if the server is  
> rebooted. However, it seems that if https is used then I need to  
> type in a secret at boot time (on the console).
>
> Is there a way to start processes up automatically after the boot  
> is finished?

Sure.  Cron or at will do so, for example.  But you're not going to  
truly resolve the actual problem of needing human input for a  
passphrase by having some other machine do something automatically.

> I could imagine asking another, trusted, server to supply the magic  
> string using scp or some other secure transport and then using the  
> decoded result to start up apache.

The "magic string" is normally called the SSH private key,
~/.ssh/id_rsa or ~/.ssh/id_dsa.  :-)

I suppose you could use SSH from some remote trusted server to do an  
"apachectl startssl" and then feed it the passphrase, but then you've  
ended up putting the passphrase in cleartext on the trusted host, and  
you need to permit the trusted host to log in to the webserver without
needing human intervention via SSH keypairs, so you're just moving  
the problem from one place to another.

If you've got 24-7 sysadmin availability, then keeping your x.509  
certs passphrase-protected might well make sense-- if a machine is  
rebooted, a sysadmin needs to log in and start apache by hand.
Otherwise, most people leave the x.509 certs unsecured with a  
passphrase so that the webserver can be set up to start itself upon a
reboot without manual intervention.

-- 
-Chuck
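
An added example, not part of the original message: a shell check that tells which of the two cases from the last paragraph a given PEM key file is in, i.e. whether it will stop an unattended start at a passphrase prompt or start on its own. For keys without a passphrase it also checks that only the owner can access the file, which is an added caveat rather than something the message states. The names `key_state` and `make_samples` are hypothetical, and the sample files are constructed header-only stubs, not real keys.

```shell
#!/bin/sh
# Classify a PEM private key for unattended web server start-up. Prints one of:
#   encrypted   passphrase-protected: the server waits for a prompt at boot
#   plain-ok    no passphrase, and only the owner has access to the file
#   plain-open  no passphrase AND group/other have access: tighten the mode
#   unknown     no recognised PEM private-key header
key_state() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 0; }
    # PKCS#8 marks encryption in the BEGIN line; traditional OpenSSL keys
    # carry a "Proc-Type: 4,ENCRYPTED" header under the BEGIN line.
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo encrypted; return 0
    fi
    if ! grep -Eq '^-----BEGIN ((RSA|EC|DSA) )?PRIVATE KEY-----' "$f"; then
        echo unknown; return 0
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$f" | cut -c5-10)" = "------" ]; then
        echo plain-ok
    else
        echo plain-open
    fi
}

# Constructed sample files (header-only stubs, labelled as such) in dir $1.
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00' '' 'CONSTRUCTED' \
        '-----END RSA PRIVATE KEY-----' > "$1/enc.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END PRIVATE KEY-----' > "$1/plain.key"
    cp "$1/plain.key" "$1/open.key"
    chmod 600 "$1/enc.key" "$1/plain.key"
    chmod 644 "$1/open.key"
}

# Demo run over the constructed samples.
d=$(mktemp -d) && make_samples "$d"
for k in "$d"/*.key; do
    printf '%s: %s\n' "${k##*/}" "$(key_state "$k")"
done
rm -rf "$d"
```
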


