AFS
AFS general presentation
Olivier Le Moigne IT/DIS/DFS
12/1/1999
AFS Overview (1)
What is AFS ?
- Worldwide network distributed file system
- Developed at Carnegie-Mellon University
- AFS = Andrew File System; "Andrew" was the name of the research project at CMU, honoring the founders of the University (Andrew Carnegie and Andrew Mellon)
- Marketed by Transarc (IBM)
Where is it ? (client point of view)
- /afs is the root of the AFS file tree (on NT: \\hostname-afs\all, mapped to drive P:)
- /afs/cern.ch is the root of the CERN cell's AFS file tree
AFS Overview (2)
AFS Structure
- Files and directories are stored in volumes
- Volumes are in partitions
- Partitions are in servers
- Servers are in a cell
- Two kinds of servers: fileservers, and database servers (the databases are replicated between them): volume location servers, authentication servers, protection servers, backup servers
- A client only has to know the database servers. When it needs a file, it contacts a database server to find out where the file is stored.
AFS Overview (3)
AFS advantages
- caching
- security: Kerberos, Access Control Lists
- location independence: everything is under /afs; a client only has to know the AFS database servers
- scalability: optimized for Wide Area Networks
- robustness: replication of the database servers; possibility to replicate volumes on several servers
AFS at CERN (1)
What for ?
- Main network file system for UNIX workstations
- Common file system for all platforms, UNIX/NT (?)
Not for
- mission-critical applications (network dependency)
- experiments' data storage (tapes)
Statistics
- total disk space: 2 TB
- 10000 users
- 2000 clients
- 30 servers (3 database servers)
AFS at CERN (2)
AFS Team
- Rainer Többicke
- Olivier Le Moigne
- Tami Kramer (NICE NT client installation)
- Tim Whibley (operations)
Contact: [email protected]
AFS documentation
CERN
- AFS home page, available from http://wwwinfo.cern.ch/
- AFS user guide
FAQ
- http://www.angelfire.com/hi/plutonic/afs-faq.html or /afs/transarc.com/public/afs-contrib/doc/faq/afs-faq.html
Transarc
- http://www.transarc.com
Using AFS
Authentication (1)
AFS token
- AFS authentication is based on Kerberos
- a token is a data object which correlates a user's processes with an AFS identity
- it is the key of the mutual authentication mechanism
- checked with the tokens command
- obtained at login time (when enabled) or with the klog command (needs the user's password)
- the password is changed with kpasswd
- expires every 25 hours (has to be refreshed); refreshed by xlock
- specific UNIX replacement tools exist that carry the token along: rsh, acrontab...
Authentication (2)
Process Authentication Group
- a unique number used by the operating system to identify which token is associated with a set of user processes
- a new PAG is created by the pagsh command (which starts a new shell)
Authentication (3)
Authentication Issues
- never use klog as root without creating a new PAG first
- pagsh must be used if you want to hold several tokens (with different AFS ids). Use ksu to obtain a token for a different user (a small script built from pagsh and klog)
- clock synchronization between servers and clients is important to be able to acquire tokens ("clock badly skewed" message)
- token expiration is sometimes painful for the user, but it is important for security. Solutions exist: CERN settings for LSF (batch jobs), acrontab, xlock
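The ksu script mentioned above is not reproduced on the slides. What follows is an added example, not the original CERN script: a minimal pagsh+klog wrapper in the same spirit. It assumes (not stated on the page) that the AFS client commands pagsh and klog are on PATH, that pagsh accepts "-c command", and that the function names are ours.

```shell
#!/bin/sh
# Added example (not from the original slides): a minimal "ksu"-style wrapper
# built from pagsh + klog. Assumptions not stated on the page: the AFS client
# commands pagsh and klog are on PATH, pagsh accepts "-c command", and the
# function names here are ours.

# Command that runs inside the new PAG: authenticate as the requested AFS
# user, then exec the wanted command (a shell by default). Kept as a separate
# function so it can be inspected without a live AFS cell.
ksu_inner_cmd() {
    user="$1"
    cmd="${2:-${SHELL:-/bin/sh}}"
    printf 'klog %s && exec %s' "$user" "$cmd"
}

# Sanity checks before touching any token.
ksu_precheck() {
    user="$1"
    if [ -z "$user" ]; then
        echo "usage: ksu <afsuser> [command]" >&2
        return 2
    fi
    if ! command -v pagsh >/dev/null 2>&1; then
        echo "ksu: pagsh not found; refusing to klog without a new PAG" >&2
        return 1
    fi
    return 0
}

# Without a PAG a token is bound to the UNIX uid; as root that would hand the
# token to every root process on the machine. pagsh gives the klog its own
# PAG, so the caller's token is neither replaced nor shared.
ksu() {
    user="$1"
    [ $# -gt 0 ] && shift
    ksu_precheck "$user" || return $?
    pagsh -c "$(ksu_inner_cmd "$user" "$*")"
}

# Usage: ksu huon              -> new shell holding huon's token
#        ksu huon "ls -l /afs/cern.ch/user/h/huon"
```

Leaving the new shell (exit) drops the PAG and with it huon's token; the calling shell's own token is untouched throughout.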
Protection groups (1)
What is it ?
- Several AFS ids can be listed in a group
- useful for rights management
How to manage them
- create/delete a group: pts creategroup username:groupname / pts delete username:groupname
- add/remove a user: pts adduser username groupname / pts removeuser username groupname
- list group members: pts membership groupname
Protection Groups (2)
Special groups
- system:anyuser: just any AFS user in the world
- system:authuser: any AFS user with a valid token for the local cell
- cern:nodes: all machines at CERN (based on IP address)
- gg: the AFS space administrators for group gg (where gg is a CERN group name)
- cern:gg: all registered members of group gg
Access Control Lists (1)
What is it ?
- control permissions on directory and file access
- list of rights defined on a per-directory basis
- seven rights exist in AFS:
  - lookup (l): list files in a directory
  - insert (i): add a new file in a directory
  - delete (d): delete a file from a directory
  - administer (a): change the ACL of a directory
  - read (r): read file contents and status
  - write (w): change file contents and mode
  - lock (k): lock a full file
ACL (2)
Mnemonic rights
- all: r+w+k+l+i+d+a
- none: the entry is deleted from the access list. This does not mean that the user has no rights, since other ACL entries (e.g. a group) may still apply
- read: r+l
- write: r+w+k+l+i+d, i.e. everything except 'a'
ACL (3)
ACL manipulation
- examine an ACL: fs listacl directory
$ fs la /afs/cern.ch/user/o/olm
Access list for /afs/cern.ch/user/o/olm is
Normal rights
  system:anyuser l
  olm rlidwka
  olivier rlidwka
- change an ACL: fs setacl directory afsid rights
$ fs sa . huon read
$ fs sa . huon rl
ACL (4)
ACL issues
- confusion between UNIX mode bits and AFS ACLs: only the owner mode bits are significant, and they only further restrict what the ACL already allows
- it is not because a directory has rwx UNIX mode that you can read and write in it
- if you want to give someone access to a file, use fs setacl, not (only) chmod
- be careful of token expiration
Other remarks about UNIX and AFS
- not possible to have an executable-only file (no read)
- no cross-directory hard links
- no setuid/setgid bit (at least at CERN)
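Because the mistake on this slide is so common, a practitioner usually wants a quick audit of which directories hand rights to everybody. The following is an added example, not from the original slides: it expands the mnemonics from the "ACL (2)" slide and scans fs listacl output for system:anyuser / system:authuser entries that carry more than lookup. The listing embedded in it is constructed for the example and the function names are ours.

```shell
#!/bin/sh
# Added example (not from the original slides): expand AFS ACL mnemonics and
# audit "fs listacl" output for entries that give the world more than lookup.
# The sample listing below is constructed; the function names are ours.

# Mnemonic -> letters, as on the "ACL (2)" slide.
acl_expand() {
    case "$1" in
        all)   echo rlidwka ;;
        read)  echo rl ;;
        write) echo rlidwk ;;
        none)  echo "" ;;
        *)     echo "$1" ;;     # already a letter string such as rl
    esac
}

# Constructed "fs la" output for a directory with a too-generous ACL.
SAMPLE_ACL='Access list for /afs/cern.ch/user/o/olm/public is
Normal rights
  system:anyuser rli
  system:authuser rl
  olm rlidwka
  cern:gg w
Negative rights
  huon rl'

# Read "fs la" output on stdin and print "<entry> <rights>" for every
# Normal-rights entry whose name matches the ERE in $1 and whose rights
# contain any of the letters in $2. Negative rights only take rights away,
# so they are skipped.
acl_find() {
    pattern="$1"; letters="$2"
    awk -v pat="$pattern" -v bad="$letters" '
        /^Normal rights/   { section = "normal"; next }
        /^Negative rights/ { section = "negative"; next }
        section == "normal" && NF == 2 && $1 ~ pat {
            for (i = 1; i <= length(bad); i++)
                if (index($2, substr(bad, i, 1)) > 0) { print $1, $2; break }
        }'
}

# Entries that let anyone in the world, or any authenticated AFS user, do
# more than list the directory: anything with i, d, w, k or a.
acl_world_writable() {
    printf '%s\n' "$SAMPLE_ACL" | acl_find '^system:(anyuser|authuser)$' idwka
}

# Live use on a real cell (not run here):
#   fs la /afs/cern.ch/user/o/olm | acl_find '^system:' idwka
```

The "insert" right on system:anyuser in the sample is the classic mistake: anyone on the Internet can drop files into the directory even though they cannot read what is already there.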
Volumes (1)
Features
- can be moved transparently from one server to another
- backup
- replication (read-only replicas only)
- quota
Mount point
- directory where the root of the volume is mounted
- /afs/cern.ch/user/o/olm is a mount point for volume user.olm
- managed with fs mkmount and fs lsmount
Volumes (2)
Aaaah ! I've lost my files !
- Do not panic, there is a backup every day (if your files are not in a scratch volume q.*)
- yesterday's files are online (backup volume). For a user: /afs/cern.ch/ubackup/o/olm
- a command is being developed to automate the restore
- older than that, we have to use tapes. Contact Afs.Support and ask to restore the volume you are interested in (or just give the full path of your files), and specify the date.
- We keep backups for 1 year, but there are gaps after 1 month (we recycle tapes)
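The automated restore command mentioned above is not on the slides. As an added example (not the CERN tool), here is the self-service part of that procedure: map a path in a home directory to the same path under /afs/cern.ch/ubackup and copy yesterday's copy back without overwriting anything that still exists. The user/<initial>/<login> to ubackup/<initial>/<login> layout is taken from the slide; the function names are ours.

```shell
#!/bin/sh
# Added example (not from the original slides): restore yesterday's copy of a
# file from the read-only backup volume under /afs/cern.ch/ubackup. The path
# layout comes from the slide; the function names are ours.

USER_ROOT=/afs/cern.ch/user
BACKUP_ROOT=/afs/cern.ch/ubackup

# Map a path inside a home directory to the same path in the backup volume.
# Prints nothing and fails for paths outside $USER_ROOT.
backup_path() {
    case "$1" in
        "$USER_ROOT"/?/*) echo "$BACKUP_ROOT/${1#$USER_ROOT/}" ;;
        *) return 1 ;;
    esac
}

# Copy the backup copy of $1 to $2 (default: back to $1). Refuses to clobber
# a file that still exists, and explains when only a tape restore is left.
restore_from_backup() {
    src="$(backup_path "$1")" || { echo "not under $USER_ROOT: $1" >&2; return 2; }
    if [ ! -e "$src" ]; then
        echo "no online backup for $1 (older than yesterday, or a q.* scratch volume):" \
             "ask Afs.Support for a tape restore, giving the full path and the date" >&2
        return 1
    fi
    dest="${2:-$1}"
    if [ -e "$dest" ]; then
        echo "$dest exists; refusing to overwrite it (pass a different destination)" >&2
        return 1
    fi
    cp -p "$src" "$dest"
}

# Usage: restore_from_backup /afs/cern.ch/user/o/olm/thesis.tex
#        restore_from_backup /afs/cern.ch/user/o/olm/thesis.tex ./thesis.tex.yesterday
```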
Volumes (3)
I have no more space in my home directory
- available space is shown by fs listquota:
$ fs lq /afs/cern.ch/user/o/olm
Volume Name  Quota  Used  %Used  Partition
user.olm     50000  35586  71%   81%
- to increase space, usually ask your AFS space administrator (found in xwho)
- a typical user home directory is 50 MB
- the partition can also be full (to save disk space, the total of the volume quotas is usually bigger than the partition size). Contact Afs.Support: the balancing script did not do its job...
Volumes (4)
I can not access my home directory
- check your token
- there is a "lost contact" message: fs checkservers to see if a server is down; fs examine directory to see on which server it is; is there a network problem? Try to ping the servers listed in the AFS client configuration (CellServDB)
- there is a "volume busy" message: the AFS management scripts manage used space and move volumes. When a volume is being moved it is not available for a short period (normally).
Miscellaneous
@sys
- AFS permits you to have a platform-dependent directory
- in an AFS home directory, bin is a symbolic link to .@sys/bin
- this can be a problem when central service nodes have a different operating system (the directory no longer exists)
- @sys is replaced by the value of fs sys (fs sysname)
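The "directory no longer exists" case above is what bites on a node with an unexpected sysname. As an added example (not from the original slides), the script below does the substitution the Cache Manager does and then falls back through a list of sysnames until one resolves to an existing directory. fs sysname is the long form of fs sys; the function names, the fallback mechanism and the sysname values used are ours.

```shell
#!/bin/sh
# Added example (not from the original slides): resolve @sys in a path the way
# the Cache Manager does (substitute the client's sysname) and fall back when
# the platform directory does not exist. "fs sysname" is the long form of
# "fs sys"; function names, fallback logic and sysname values are ours.

# Sysname of this client: from "fs sysname" when an AFS client is installed,
# otherwise the value given in $1 (used here so the script runs without AFS).
current_sysname() {
    if command -v fs >/dev/null 2>&1; then
        # First quoted word of e.g. "Current sysname is 'i386_linux24'"
        fs sysname 2>/dev/null | sed -n "s/[^']*'\([^']*\)'.*/\1/p"
    else
        echo "$1"
    fi
}

# Replace every @sys component in a path with the given sysname.
resolve_atsys() {
    printf '%s\n' "$1" | sed "s/@sys/$2/g"
}

# Try each sysname in turn and print the first resolved path that is an
# existing directory; fail (with the list tried) if none is.
find_atsys_dir() {
    path="$1"; shift
    for sys in "$@"; do
        candidate="$(resolve_atsys "$path" "$sys")"
        if [ -d "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "no platform directory for $path (tried: $*)" >&2
    return 1
}

# Usage on a real client (not run here):
#   find_atsys_dir /afs/cern.ch/user/o/olm/.@sys/bin "$(current_sysname i386_linux22)" i386_linux22
```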
Installing AFS
UNIX
- you need to be root, and the afs SUE (Standard UNIX Environment) feature
NT
- you need to have administrator privileges
- in the Start Menu: More Applications\System Configuration\AFS Client for NT
NT GUI (1), (2), (3): screenshots of the AFS Client for NT (not reproduced here)
The Thing...
Check the user token with the tokens command:
$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 4968) tokens for [email protected] [Expires Jan 12 12:11]
Refresh the token with the klog command:
$ klog olm
Password:
$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 4968) tokens for [email protected] [Expires Jan 13 12:56]
--End of list--
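The "check your token" step of the troubleshooting slide and the batch-job concern under Authentication Issues both come down to reading this listing. As an added example (not from the original slides), here is a parser for tokens output that extracts the AFS ID, cell and expiry, and a guard a batch job can run before touching /afs. The sample listing is constructed after the one above, with afs@cern.ch assumed as the cell name; the function names are ours.

```shell
#!/bin/sh
# Added example (not from the original slides): parse "tokens" output and
# refuse to run without a live token for the cell. The listing below is
# constructed (cell name afs@cern.ch assumed); the function names are ours.

SAMPLE_TOKENS="Tokens held by the Cache Manager:

User's (AFS ID 4968) tokens for afs@cern.ch [Expires Jan 12 12:11]
   --End of list--"

# Read tokens output on stdin and print "<afsid> <cell> <expiry>" per token.
# Expired tokens are printed by tokens as "[>> Expired <<]" instead of
# "[Expires ...]", so they do not match and are silently dropped here.
tokens_parse() {
    sed -n "s/^.*(AFS ID \([0-9]*\)) tokens for \([^ ]*\) \[Expires \(.*\)]$/\1 \2 \3/p"
}

# Print the expiry of the live token for cell $1 (stdin = tokens output);
# exit status 1 if there is none.
token_expiry() {
    tokens_parse | awk -v c="$1" '
        $2 == c { print substr($0, length($1) + length($2) + 3); found = 1 }
        END { exit found ? 0 : 1 }'
}

# Guard for a batch job: run the real tokens command when the AFS client is
# present, otherwise fall back to the constructed listing so this runs offline.
require_token() {
    cell="${1:-afs@cern.ch}"
    if command -v tokens >/dev/null 2>&1; then
        out="$(tokens)"
    else
        out="$SAMPLE_TOKENS"
    fi
    exp="$(printf '%s\n' "$out" | token_expiry "$cell")" || {
        echo "no valid token for $cell: run klog (inside a pagsh) and retry" >&2
        return 1
    }
    echo "token for $cell expires $exp"
}

# Usage: require_token afs@cern.ch && ./my_afs_job
```

A job started from acrontab or through the CERN LSF settings already arrives with a token; this guard is for the plain cron or rsh cases where the 25-hour lifetime has silently run out.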