kick off a post boot job
cswiger at mac.com
Wed Oct 18 17:36:01 UTC 2006

On Oct 18, 2006, at 10:10 AM, Robin Becker wrote:
> I have a number of servers which don't have console access, but I
> would like to have apache started automatically if the server is
> rebooted. However, it seems that if https is used then I need to
> type in a secret at boot time (on the console).
> Is there a way to start processes up automatically after the boot
> is finished?

Sure. Cron or at will do so, for example. But you're not going to
truly resolve the actual problem of needing human input for a
passphrase by having some other machine do something automatically.

> I could imagine asking another, trusted, server to supply the magic
> string using scp or some other secure transport and then using the
> decoded result to start up apache.

The "magic string" is normally called the SSH private key,
~/.ssh/id_rsa or ~/.ssh/id_dsa. :-)

I suppose you could use SSH from some remote trusted server to do an
"apachectl startssl" and then feed it the passphrase, but then you've
ended up putting the passphrase in cleartext on the trusted host, and
you need to permit the trusted host to log in to the webserver without
needing human intervention via SSH keypairs, so you're just moving
the problem from one place to another.

If you've got 24-7 sysadmin availability, then keeping your x.509
certs passphrase-protected might well make sense-- if a machine is
rebooted, a sysadmin needs to log in and start apache by hand.

Otherwise, most people leave the x.509 certs unsecured with a
passphrase so that the webserver can be set up to start itself upon a
reboot without manual intervention.
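
The trade-off described in the reply above can be audited per key file. The following is an added example, not part of the original thread: it reports whether a PEM private key is passphrase-protected (and so needs a human at boot) or stored in cleartext. The function names are hypothetical, and the group/other permission check is an assumption added here, not something the thread discusses.

```shell
#!/bin/sh
# Added example (not from the thread): classify PEM private keys as
# passphrase-protected or cleartext. All function names are hypothetical.

# key_is_encrypted FILE: succeeds if the PEM key is passphrase-protected.
key_is_encrypted() {
    # PKCS#8 encrypted keys have their own BEGIN label; traditional
    # OpenSSL PEM keys carry a "Proc-Type: 4,ENCRYPTED" header instead.
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# key_is_exposed FILE: succeeds if group or other hold any permission bit.
# Assumption: a cleartext key should be accessible to its owner only.
key_is_exposed() {
    [ -n "$(find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# audit_key FILE: prints one of
#   missing | encrypted | cleartext-exposed | cleartext-restricted
audit_key() {
    if [ ! -f "$1" ]; then
        echo "missing"
    elif key_is_encrypted "$1"; then
        echo "encrypted"             # web server will prompt at startup
    elif key_is_exposed "$1"; then
        echo "cleartext-exposed"     # unattended start, key widely readable
    else
        echo "cleartext-restricted"  # unattended start, owner-only access
    fi
}

# Stand-alone use: pass one or more key file paths as arguments.
if [ "$#" -gt 0 ]; then
    for k in "$@"; do
        printf '%s: %s\n' "$k" "$(audit_key "$k")"
    done
fi
```
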