AFS general presentation
Olivier Le Moigne, IT/DIS/DFS, 12/1/1999


Page 1: AFS general presentation (title slide)

Olivier Le Moigne, IT/DIS/DFS
12/1/1999

Page 2: AFS Overview (1)

What is AFS?
  Worldwide distributed network file system
  Developed at Carnegie Mellon University; "Andrew" was the name of the research project at CMU, honoring the founders of the university
  AFS = Andrew File System, marketed by Transarc (IBM)

Where is it? (client point of view)
  /afs is the root of the AFS file tree (on NT: \\hostname-afs\all, mapped to drive P:)
  /afs/cern.ch is the root of the CERN cell's AFS file tree

Page 3: AFS Overview (2)

AFS structure
  Files and directories are stored in volumes
  Volumes are in partitions
  Partitions are in servers
  Servers are in a cell

Servers
  file servers
  database servers (the databases are replicated between them):
    volume location servers
    authentication servers
    protection servers
    backup servers

A client only has to know the database servers. When it needs a file, it asks a database server (the volume location database) which file server holds the volume, then fetches the file from that file server.

Page 4: AFS Overview (3)

AFS advantages
  caching
  security: Kerberos authentication, access control lists
  location independence: everything is under /afs, and a client only has to know the AFS database servers
  scalability: optimized for wide area networks
  robustness: replicated database servers, and volumes can be replicated on several servers

Page 5: AFS at CERN (1)

What for?
  main network file system for UNIX workstations
  common file system for all platforms, UNIX/NT (?)

Not for
  mission-critical applications (network dependency)
  experiment data storage (that goes to tape)

Statistics
  total disk space: 2 TB
  10 000 users
  2000 clients
  30 servers (3 database servers)

Page 6: AFS at CERN (2)

AFS team
  Rainer Többicke
  Olivier Le Moigne
  Tami Kramer (NICE NT client installation)
  Tim Whibley (operations)

Contact: Afs.Support

Page 7: AFS documentation

CERN
  AFS home page, available from http://wwwinfo.cern.ch/
  AFS user guide

FAQ
  http://www.angelfire.com/hi/plutonic/afs-faq.html or
  /afs/transarc.com/public/afs-contrib/doc/faq/afs-faq.html

Transarc
  http://www.transarc.com

Page 8: Using AFS (section title)

Page 9: Authentication (1)

AFS token
  AFS authentication is based on Kerberos
  a token is a data object that correlates a user's processes with an AFS identity; it is the key of the mutual authentication mechanism between client and servers
  checked with the tokens command
  obtained at login time (when enabled) or with the klog command (which needs the user's password)
  the password is changed with kpasswd
  expires after 25 hours (it has to be refreshed)
  refreshed by xlock
  AFS-aware replacements for specific UNIX tools carry the token along: rsh, acrontab, ...

Page 10: Authentication (2)

Process Authentication Group (PAG)
  a unique number used by the operating system to identify which token is associated with a set of user processes
  a new PAG is created by the pagsh command (which starts a new shell)

Page 11: Authentication (3)

Authentication issues
  never use klog as root without creating a new PAG first
  pagsh must be used if you want to hold several tokens (with different AFS ids) at the same time; use ksu to obtain a token as a different user (a small script built on pagsh and klog)
  clock synchronization between servers and clients is required to acquire tokens (otherwise you get a "clock badly skewed" message)
  token expiration is sometimes painful for users, but it is important for security; solutions exist: CERN settings for LSF (batch jobs), acrontab, xlock
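The PAG rule and the token check from the slides above, as an added shell example (not code from the original presentation). It assumes the standard AFS client commands pagsh, klog and tokens; the cell name cern.ch comes from the slides, and the tokens listing is a constructed sample in the format shown on page 27. Without a PAG the token is keyed to the UNIX uid, which is why a bare klog run as root hands the token to every root process on the machine and replaces whatever token root already held.

```shell
#!/bin/sh
# Added example: a ksu-style wrapper plus a token check for scripts.
# Assumes the AFS client commands pagsh, klog and tokens; "cern.ch" and the
# user name are placeholders taken from the slides.

# afs_ksu <afs-user>
# Obtain a token as another AFS identity the safe way: pagsh first creates a
# fresh PAG and a new shell, then klog runs inside it. Without the PAG the
# token is tied to the UNIX uid, so klog run as root would hand the token to
# every root process on the machine (and replace any token root already held).
afs_ksu() {
    [ $# -eq 1 ] || { echo "usage: afs_ksu <afs-user>" >&2; return 2; }
    # The user name travels in the environment, not in the command string,
    # so a hostile argument cannot be interpreted by the inner shell.
    AFS_KSU_USER="$1" pagsh -c 'klog "$AFS_KSU_USER" && exec "${SHELL:-/bin/sh}"'
}

# has_token_for <cell>
# Reads 'tokens' output on stdin; succeeds if a token for <cell> is listed.
has_token_for() {
    grep -q "tokens for afs@$1 \[Expires"
}

# token_expiry_for <cell>
# Reads 'tokens' output on stdin; prints the expiry stamp of the cell's token.
token_expiry_for() {
    sed -n "s/.*tokens for afs@$1 \[Expires \([^]]*\)\].*/\1/p"
}

# ensure_token <cell> <afs-user>
# Interactive refresh helper (xlock-style): prompts only when no token is held.
# Batch jobs need the LSF/acrontab arrangements mentioned on the slide instead.
ensure_token() {
    tokens | has_token_for "$1" && return 0
    klog "$2"
}

# Constructed sample in the format of the 'tokens' command (page 27), so the
# parsing functions can be exercised without an AFS client.
SAMPLE_TOKENS="Tokens held by the Cache Manager:

User's (AFS ID 4968) tokens for afs@cern.ch [Expires Jan 12 12:11]
   --End of list--"

if printf '%s\n' "$SAMPLE_TOKENS" | has_token_for cern.ch; then
    echo "sample holds a cern.ch token, expires $(printf '%s\n' "$SAMPLE_TOKENS" | token_expiry_for cern.ch)"
fi
```

On a real client the check is simply `tokens | has_token_for cern.ch`; the parsing functions read stdin so the same code works on captured output.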

Page 12: Protection groups (1)

What is it?
  several AFS ids can be listed in a group
  useful for rights management

How to manage them
  create/delete a group:   pts createg/delete username:groupname
  add/remove a user:       pts adduser/removeuser username group
  list group members:      pts mem group

Page 13: Protection groups (2)

Special groups
  system:anyuser   any AFS user in the world, including users without a token (unauthenticated access)
  system:authuser  any AFS user with a valid token for the local cell
  cern:nodes       all machines at CERN (based on IP address)
  gg               AFS space administrators for group gg
  cern:gg          all registered members of group gg

Page 14: Access Control Lists (1)

What is it?
  controls permissions on directory and file access
  a list of rights defined on a per-directory basis (all files in a directory share its ACL)
  seven rights exist in AFS:
    l  lookup      list files in a directory
    i  insert      add a new file in a directory
    d  delete      remove a file from a directory
    a  administer  change the ACL of a directory
    r  read        read file contents and status
    w  write       change file contents and mode
    k  lock        lock a file

Page 15: ACL (2)

Mnemonic rights
  all    r+w+k+l+i+d+a
  none   the entry is deleted from the access list. This does not mean that the user has no rights, since other ACL entries (a group, system:authuser, system:anyuser) may still apply
  read   r+l
  write  r+w+k+l+i+d, i.e. everything except 'a'

Page 16: ACL (3)

ACL manipulation
  examine an ACL:  fs listacl directory

    $ fs la /afs/cern.ch/user/o/olm
    Access list for /afs/cern.ch/user/o/olm is
    Normal rights
      system:anyuser l
      olm rlidwka
      olivier rlidwka

  change an ACL:  fs setacl directory afsid rights

    $ fs sa . huon read
    $ fs sa . huon rl

  (the two forms are equivalent: read expands to rl)

Page 17: ACL (4)

ACL issues
  confusion between UNIX mode bits and AFS ACLs:
    only the owner mode bits are significant, and AFS applies them to everyone the ACL admits (group and other bits are ignored)
    a directory with rwx UNIX mode does not mean that you can read and write in it
    if you want to give someone access to a file, use fs setacl, not (only) chmod
  be careful of token expiration

Other remarks about UNIX and AFS
  not possible to have an execute-only file (no read)
  no cross-directory hard links
  no setuid/setgid bit (at least at CERN)
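The mnemonics of ACL (2), the fs listacl / fs setacl commands of ACL (3) and the chmod pitfall of ACL (4), brought together in one added shell example. This is not code from the original presentation; it assumes the AFS fs command, and the two listings are constructed samples in the format of the fs la output on page 16 (the /public path is a placeholder). The audit flags the case a practitioner looks for first: system:anyuser or system:authuser holding anything beyond lookup/read.

```shell
#!/bin/sh
# Added example: expand the ACL mnemonics, check what a rights string covers,
# audit an ACL for over-exposed system:* entries, and grant access the AFS way
# (fs setacl, not chmod). Assumes the AFS 'fs' command; the sample listings are
# constructed in the format of 'fs listacl' (page 16). Not code from the slides.

# expand_rights <mnemonic-or-letters>
# Maps the mnemonics from the slide to the seven rights letters.
expand_rights() {
    case "$1" in
        all)   echo rlidwka ;;
        write) echo rlidwk ;;   # everything except a (administer)
        read)  echo rl ;;
        none)  echo ;;          # entry removed; other entries may still apply
        *)     echo "$1" ;;     # already a letter string such as rl
    esac
}

# covers <rights> <mnemonic-or-letters>
# Succeeds if <rights> contains every letter of the second argument
# (covers rlidwka write -> yes; covers rl write -> no).
covers() {
    want=$(expand_rights "$2")
    while [ -n "$want" ]; do
        c=${want%"${want#?}"}                      # first character of $want
        case "$1" in *"$c"*) ;; *) return 1 ;; esac
        want=${want#?}
    done
    return 0
}

# audit_acl
# Reads 'fs listacl' output on stdin. Prints every system:anyuser or
# system:authuser entry carrying i, d, w or a (anyone in the world, or anyone
# with a token, may create, delete, modify or re-ACL). Negative rights deny
# rather than grant, so that section is skipped. Returns 1 if anything was flagged.
audit_acl() {
    awk '
        /^Negative rights/ { neg = 1; next }
        neg { next }
        NF == 2 && $1 ~ /^system:(anyuser|authuser)$/ && $2 ~ /[idwa]/ {
            printf "%s %s\n", $1, $2; bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# grant <dir> <user-or-group> <mnemonic-or-letters>
# The correct way to give someone access. chmod only changes the owner mode
# bits, which AFS applies to everyone the ACL already admits; it cannot add a user.
grant() {
    fs setacl "$1" "$2" "$3"
}

# Constructed samples (format of 'fs la'; the /public directory is a placeholder).
SAMPLE_ACL_OK="Access list for /afs/cern.ch/user/o/olm is
Normal rights:
  system:anyuser l
  olm rlidwka
  olivier rlidwka"

SAMPLE_ACL_BAD="Access list for /afs/cern.ch/user/o/olm/public is
Normal rights:
  system:anyuser rlidwk
  olm rlidwka
Negative rights:
  system:anyuser a"

printf '%s\n' "$SAMPLE_ACL_BAD" | audit_acl \
    || echo "fix with: fs setacl /afs/cern.ch/user/o/olm/public system:anyuser rl"
```

Live use is `fs listacl "$dir" | audit_acl`; a directory meant to be public should still give system:anyuser no more than rl, and a directory that only needs to be traversable (mount points, symlink targets) just l.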

Page 18: Volumes (1)

Features
  can be moved transparently from one server to another
  backup
  replication (read-only replicas only)
  quota

Mount point
  a directory where the root of a volume is mounted
  /afs/cern.ch/user/o/olm is a mount point for the volume user.olm
  mount points are managed with fs mkmount (fs mkm) and fs lsmount (fs lsm)

Page 19: Volumes (2)

Aaaah! I've lost my files!
  Do not panic, there is a backup every day (unless your files are in a scratch volume, q.*)
  yesterday's files are online in the backup volume; for a user: /afs/cern.ch/ubackup/o/olm
  a command is being developed to automate the restore
  beyond that, we have to use tapes: contact Afs.Support, ask to restore the volume you are interested in (or just give the full path of your files) and specify the date
  we keep backups for 1 year, but there are gaps after 1 month (we recycle tapes)

Page 20: Volumes (3)

I have no more space in my home directory
  available space is shown by fs listquota (Quota and Used are in kilobytes):

    $ fs lq /afs/cern.ch/user/o/olm
    Volume Name    Quota    Used    %Used   Partition
    user.olm       50000    35586   71%     81%

  to increase your quota, ask your AFS space administrator (found with xwho)
  a typical user home directory has a quota of 50 MB
  the partition can also be full: to save disk space, the total of the volume quotas is usually bigger than the partition size. Contact Afs.Support; the balancing script did not do its job...
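An added shell example for the quota check above (not code from the original presentation): it reads fs listquota output and tells the user which of the two situations on the slide applies, volume quota exhausted or partition full. It assumes the AFS fs command and uses a constructed sample line built from the figures on the slide.

```shell
#!/bin/sh
# Added example: turn 'fs listquota' output into a warning that names the right
# contact, as the slide does. Assumes the AFS 'fs' command; the sample line is
# constructed from the figures on the slide. Not code from the slides.

# check_quota <volume-threshold-%> <partition-threshold-%>
# Reads 'fs listquota' output on stdin (Quota and Used are in kilobytes).
# Prints one line per condition met and returns 1 if anything was flagged.
check_quota() {
    awk -v vt="$1" -v pt="$2" '
        $1 == "Volume" && $2 == "Name" { next }    # column header line
        NF >= 5 {
            vol = $1; quota = $2; pu = $4; pp = $5
            sub(/%.*/, "", pu); sub(/%.*/, "", pp)   # drop "%" and any "<<WARNING" tag
            if (pu + 0 >= vt + 0) {
                printf "%s: %s%% of %s KB quota used; ask your AFS space administrator\n", vol, pu, quota
                bad = 1
            }
            if (pp + 0 >= pt + 0) {
                printf "%s: partition %s%% full; contact Afs.Support\n", vol, pp
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample in the layout of 'fs lq' (page 20).
SAMPLE_LQ="Volume Name                    Quota       Used %Used   Partition
user.olm                       50000      35586   71%         81%"

# Live use would be:  fs listquota "$HOME" | check_quota 90 90
printf '%s\n' "$SAMPLE_LQ" | check_quota 90 80 && echo "quota OK"
```

With thresholds 90/80 the sample triggers only the partition warning, which is the case the slide says to report to Afs.Support rather than to the space administrator.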

Page 21: Volumes (4)

I cannot access my home directory
  check your token (tokens)
  there is a "lost contact" message:
    fs checkserver to see if a server is down
    fs exa directory to see on which server it is
    is there a network problem? Try ping
    on an afs3 client, check the client configuration (CellServDB)
  there is a "volume busy" message:
    AFS management scripts manage used space and move volumes. While a volume is being moved it is not available for a short period (normally).

Page 22: Miscellaneous

@sys
  AFS permits a platform-dependent directory: the client replaces @sys in a path with the value shown by fs sysname (fs sys)
  in an AFS home directory, bin is a symbolic link to .@sys/bin
  this can be a problem when central service nodes run a different operating system (the target directory does not exist for that sysname)
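The @sys substitution and the missing-directory failure mode above, as an added shell example (not code from the original presentation). It uses only POSIX tools and a temporary directory as a stand-in for an AFS home; the sysname values sun4x_56 and i386_linux2 are placeholders, and on a real client the value to use is the output of fs sysname.

```shell
#!/bin/sh
# Added example: what @sys does, and how to find out whether .@sys/bin resolves
# for a given sysname. Uses POSIX tools only; the sysname values are placeholders
# (use the output of 'fs sysname' for real). Not code from the slides.

# resolve_at_sys <path> <sysname>
# The AFS client substitutes the node's sysname for every @sys component; this
# does the same textual substitution so a script can predict the target.
# (Sysnames never contain '/', so a plain sed substitution is safe.)
resolve_at_sys() {
    printf '%s\n' "$1" | sed "s/@sys/$2/g"
}

# first_usable_sys <home> <sysname>...
# Prints the first sysname for which <home>/.<sysname>/bin is a directory,
# i.e. a node with that sysname would see a working bin -> .@sys/bin link.
# Returns 1 when none matches: the situation the slide warns about when a
# central service node runs a different operating system.
first_usable_sys() {
    home=$1; shift
    for s in "$@"; do
        if [ -d "$(resolve_at_sys "$home/.@sys/bin" "$s")" ]; then
            printf '%s\n' "$s"
            return 0
        fi
    done
    return 1
}

# Constructed stand-in for an AFS home directory that has a bin tree for one
# (placeholder) sysname only, plus the bin -> .@sys/bin link from the slide.
DEMO_HOME=$(mktemp -d)
mkdir -p "$DEMO_HOME/.i386_linux2/bin"
ln -s .@sys/bin "$DEMO_HOME/bin"

first_usable_sys "$DEMO_HOME" sun4x_56 i386_linux2 \
    || echo "no .@sys/bin for any of the requested sysnames"
```

Run against a real home directory with `first_usable_sys "$HOME" "$(fs sysname | awk '{print $NF}' | tr -d "'")"` style plumbing, or simply by listing the sysnames of the nodes you log in to, to see in advance which of them will find bin empty.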

Page 23: Installing AFS

UNIX
  you need to be root, with the afs SUE feature

NT
  you need administrator privileges
  in the Start menu: More Applications\System Configuration\AFS Client for NT

Page 24: NT GUI (1)
  [screenshot]

Page 25: NT GUI (2)
  [screenshot]

Page 26: NT GUI (3)
  [screenshot]

Page 27: The Thing...

Check your token with the tokens command:

  $ tokens
  Tokens held by the Cache Manager:

  User's (AFS ID 4968) tokens for afs@cern.ch [Expires Jan 12 12:11]
     --End of list--

Refresh the token with the klog command:

  $ klog olm
  Password:
  $ tokens
  Tokens held by the Cache Manager:

  User's (AFS ID 4968) tokens for afs@cern.ch [Expires Jan 13 12:56]
     --End of list--