270 likes | 467 Views
AFS general presentation. Olivier Le Moigne IT/DIS/DFS 12/1/1999. AFS Overview (1). What is AFS ? Worldwide network distributed file system Developed at Carnegie-Mellon University
E N D
AFS general presentation Olivier Le Moigne IT/DIS/DFS 12/1/1999
AFS Overview (1) • What is AFS ? • Worldwide network distributed file system • Developed at Carnegie-Mellon University • AFS = Andrew File System , "Andrew" was the name of the research project at CMU - honoring the founders of the University • AFS stands for Andrew File System • marketed by Transarc (IBM) • Where is it ? (client point of view) • /afs is the root of AFS file tree (on NT : \\hostname-afs\all mapped to drive P:) • /afs/cern.ch is the root of CERN cell AFS file tree
AFS Overview (2) • AFS Structure • Files and directories are stored in volumes • Volumes are in partitions • Partitions are in servers • Servers are in a cell • fileservers • database servers (replication of database) • volume location servers • authentication servers • protection servers • backup servers A client has just to know database servers. When it needs a file, it contacts a database server to know where it is stored.
AFS Overview (3) • AFS advantages • caching • security • Kerberos • Access Control Lists • location independence • everything in /afs • a client has just to know AFS database servers • scalability • optimized for Wide Area Network • robustness • replication of database servers • possibility to replicate volumes on several servers
AFS at CERN (1) • What for ? • Main network file system for UNIX workstations • Common file system for all platforms UNIX/NT (?) • Not for • mission critical applications (network dependency) • experiments data storage (tapes) • Statistics • total disk space: 2TB • 10000 users • 2000 clients • 30 servers (3 database servers)
AFS at CERN (2) • AFS Team • Rainer Többicke • Olivier Le Moigne • Tami Kramer (NICE NT client installation) • Tim Whibley (operations) Contact Afs.Support@cern.ch
AFS documentation • CERN • AFS home page available from http://wwwinfo.cern.ch/ • AFS user guide • FAQ • http://www.angelfire.com/hi/plutonic/afs-faq.html or /afs/transarc.com/public/afs-contrib/doc/faq/afs-faq.html • Transarc • http://www.transarc.com
Authentication (1) • AFS token • AFS authentication is based on Kerberos • a token is a data object which correlates user’s processes with AFS identity • key of mutual authentication mechanism • checked with tokens command • obtained at login time when enabled or with klog command (need user password) • password is changed with kpasswd • expires every 25 hours (has to be refreshed) • refreshed by xlock • specific UNIX replacement tools: rsh, acrontab...
Authentication (2) • Process Authentication Group • unique number used by operating system to identify which token is associated with user processes • new PAG created by pagsh command (new shell)
Authentication (3) • Authentication Issues • never use klog as root without creating a new PAG • pagsh must be used if you want to have several tokens (with different AFS id). Use ksu to obtain a token from a different user (small script using pagsh and klog) • clock synchronization between servers and clients is important to be able to acquire tokens (“clock badly skewed” message) • tokens expiration is sometimes painful for user but it is important for security. Solutions exists: • CERN settings for LSF (batch jobs) • acrontab, xlock
Protection groups (1) • What is it ? • Several AFS ids can be listed in a group • useful for rights management • How to manage them • create/delete a new group pts createg/delete username:groupname • add/remove a user pts adduser/removeuser username group • list group members pts mem group
Protection Groups (2) • Special groups • system:anyuser just any AFS user in the world • system:authuser any AFS user with a valid token for the local cell • cern:nodes all machines at CERN (based on IP address) • gg AFS space administrators for group gg • cern:gg all registered members of group gg
Access Control Lists (1) • What is it ? • control permissions on directory and file access • list of rights defined on per-directory basis • seven rights exist in AFS: • lookup list files in a directory • insert add a new file in a directory • delete • administer change ACL in a directory • read read file contents and status • write change file contents and mode • lock lock full file
ACL (2) • Mnemonic rights • all r+w+k+l+i+d+a • none entry deleted from access list. This does not mean that the user has no rights, since other ACL entries may still apply • read r+l • write r+w+k+l+i+d, i.e. everything except 'a'
ACL (3) • ACL manipulation • examine an ACL fs listacl directory $ fs la /afs/cern.ch/user/o/olm Access list for /afs/cern.ch/user/o/olm is Normal rights system:anyuser l olm rlidwka olivier rlidwka • change ACL • fs setacl directory afsid right $ fs sa . huon read $ fs sa . huon rl
ACL (4) • ACL issues • confusion between UNIX mode bits and AFS ACLs • only meaningful owner mode bits are significant • it is not because a directory has rwx UNIX mode that you can read and write in it • if you want to give someone access to a file, use fs setacl, not (only) chmod • be careful of token expiration • Other remarks about UNIX and AFS • not possible to have executable only file (no read) • no cross directory hard links • no setuid/setgid bit (at least at CERN)
Volumes (1) • Features • can be moved transparently from one server to another • backup • replication (only read only) • quota • Mount point • directory where root of the volume is mounted /afs/cern.ch/user/o/olm is a mount point: volume user.olm • managed with fs mkm and fs lsm
Volumes (2) • Aaaah ! I’ve lost my files ! • Do not panic, there is a backup every day (if your files are not in a scratch volume q.*) • file from yesterday are online (backup volume) • For user: /afs/cern.ch/ubackup/o/olm • a command is being developed to automate restore • after this, we have to use tapes. Contact Afs.Support and ask to restore the volume you are interested in (or just the full path of your files) and precise the date. • We keep backups during 1 year but there are gaps after 1 months (we recycle tapes)
Volumes (3) • I have no more space in my home directory • available space is shown by fs listquota. $ fs lq /afs/cern.ch/user/o/olm Volume Name Quota Used %Used Partition user.olm 50000 35586 71% 81% • to increase space, usually ask your AFS space administrator (found in xwho) • typical user home directory is 50MB • partition can also be full (to save disks space, total of volume quota is usually bigger that partition size). Contact Afs.Support. The balancing script did not its job...
Volumes (4) • I can not access my home directory • check token • there is a “lost contact” message • fs checkserver to see if a server is down • fs exa directory to see on which server it is • is there a network problem ? Try ping on a afs3 • client configuration (CellServDB) • there is a “volume busy” message • AFS management scripts manage used space and move volumes. When a volume is moved, it is not available for a short period (normally).
Miscellaneous • @sys • AFS permits to have a platform dependent directory • In AFS home directory, bin is a symbolic link to .@sys/bin • This can be a problem when a central service nodes have a different operating system (directory no longer exists) • @sys is replaced by the value of fs sys
Installing AFS • UNIX • need to be root • with afs SUE feature • NT • need to have administrator privileges • In Start Menu : More Applications\System Configuration\AFS Client for NT
The Thing... • Check user token with tokens command $ tokens Tokens held by the Cache Manager: User's (AFS ID 4968) tokens for afs@cern.ch [Expires Jan 12 12:11] • Refresh token with klog command $ klog olm Password: $ tokens Tokens held by the Cache Manager: User's (AFS ID 4968) tokens for afs@cern.ch [Expires Jan 13 12:56] --End of list--