AFS general presentation
Olivier Le Moigne, IT/DIS/DFS
12/1/1999
AFS Overview (1)
What is AFS?
- Worldwide network distributed file system
- Developed at Carnegie-Mellon University
- AFS = Andrew File System; "Andrew" was the name of the research project at CMU, honoring the founders of the University
- Marketed by Transarc (IBM)
Where is it? (client point of view)
- /afs is the root of the AFS file tree (on NT: \\hostname-afs\all, mapped to drive P:)
- /afs/cern.ch is the root of the CERN cell AFS file tree
AFS Overview (2)
AFS Structure
- Files and directories are stored in volumes
- Volumes are in partitions
- Partitions are in servers
- Servers are in a cell:
  - fileservers
  - database servers (replicated database): volume location servers, authentication servers, protection servers, backup servers
- A client only has to know the database servers. When it needs a file, it contacts a database server to find out where the file is stored.
AFS Overview (3)
AFS advantages
- caching
- security: Kerberos, Access Control Lists
- location independence: everything is in /afs; a client only has to know the AFS database servers
- scalability: optimized for Wide Area Networks
- robustness: replication of database servers; possibility to replicate volumes on several servers
AFS at CERN (1)
What for?
- Main network file system for UNIX workstations
- Common file system for all platforms, UNIX/NT (?)
- Not for: mission critical applications (network dependency); experiment data storage (tapes)
Statistics
- total disk space: 2TB
- 10000 users
- 2000 clients
- 30 servers (3 database servers)
AFS at CERN (2)
AFS Team
- Rainer Többicke
- Olivier Le Moigne
- Tami Kramer (NICE NT client installation)
- Tim Whibley (operations)
Contact: Afs.Support@cern.ch
AFS documentation
- CERN AFS home page, available from http://wwwinfo.cern.ch/
- AFS user guide
- FAQ: http://www.angelfire.com/hi/plutonic/afs-faq.html or /afs/transarc.com/public/afs-contrib/doc/faq/afs-faq.html
- Transarc: http://www.transarc.com
Using AFS
Authentication (1)
AFS token
- AFS authentication is based on Kerberos
- a token is a data object which correlates a user's processes with an AFS identity
- it is the key of the mutual authentication mechanism
- checked with the tokens command
- obtained at login time when enabled, or with the klog command (needs the user password)
- the password is changed with kpasswd
- expires every 25 hours (has to be refreshed); refreshed by xlock
- specific UNIX replacement tools: rsh, acrontab...
Authentication (2)
Process Authentication Group (PAG)
- unique number used by the operating system to identify which token is associated with user processes
- a new PAG is created by the pagsh command (new shell)
Authentication (3)
Authentication Issues
- never use klog as root without creating a new PAG
- pagsh must be used if you want to have several tokens (with different AFS ids). Use ksu to obtain a token from a different user (small script using pagsh and klog)
- clock synchronization between servers and clients is important to be able to acquire tokens ("clock badly skewed" message)
- token expiration is sometimes painful for users but it is important for security. Solutions exist: CERN settings for LSF (batch jobs), acrontab, xlock
Protection groups (1)
What is it?
- Several AFS ids can be listed in a group
- useful for rights management
How to manage them
- create/delete a group: pts createg/delete username:groupname
- add/remove a user: pts adduser/removeuser username group
- list group members: pts mem group
Protection Groups (2)
Special groups
- system:anyuser: just any AFS user in the world
- system:authuser: any AFS user with a valid token for the local cell
- cern:nodes: all machines at CERN (based on IP address)
- gg: AFS space administrators for group gg
- cern:gg: all registered members of group gg
Access Control Lists (1)
What is it?
- controls permissions on directory and file access
- list of rights defined on a per-directory basis
- seven rights exist in AFS:
  - lookup (l): list files in a directory
  - insert (i): add a new file in a directory
  - delete (d)
  - administer (a): change the ACL of a directory
  - read (r): read file contents and status
  - write (w): change file contents and mode
  - lock (k): lock a full file
ACL (2)
Mnemonic rights
- all: r+w+k+l+i+d+a
- none: entry deleted from the access list. This does not mean that the user has no rights, since other ACL entries may still apply
- read: r+l
- write: r+w+k+l+i+d, i.e. everything except 'a'
ACL (3)
ACL manipulation
- examine an ACL: fs listacl directory
    $ fs la /afs/cern.ch/user/o/olm
    Access list for /afs/cern.ch/user/o/olm is
    Normal rights
      system:anyuser l
      olm rlidwka
      olivier rlidwka
- change an ACL: fs setacl directory afsid rights
    $ fs sa . huon read
    $ fs sa . huon rl
ACL (4)
ACL issues
- confusion between UNIX mode bits and AFS ACLs: only the owner mode bits are significant
- it is not because a directory has rwx UNIX mode that you can read and write in it
- if you want to give someone access to a file, use fs setacl, not (only) chmod
- be careful of token expiration
Other remarks about UNIX and AFS
- not possible to have an executable-only file (no read)
- no cross-directory hard links
- no setuid/setgid bit (at least at CERN)
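As an added example (not part of the original presentation), a small Python checker that parses the fs listacl output format shown on the ACL (3) slide, expands the mnemonic rights from ACL (2), and reports entries where system:anyuser or system:authuser hold more than lookup/read, or where a group rather than a user holds the administer right. The ACL it reads is a constructed sample, not real CERN data.

```python
import re

# Rights and mnemonic shorthands as listed on the ACL (2) slide.
RIGHTS = set("rlidwka")
MNEMONICS = {"all": set("rlidwka"), "read": set("rl"), "write": set("rlidwk"), "none": set()}
# Groups open to every AFS user; more than lookup/read for them is a finding.
BROAD_GROUPS = {"system:anyuser", "system:authuser"}
# Constructed sample (not real CERN data) in the 'fs listacl' output format.
SAMPLE = """Access list for /afs/cern.ch/user/o/olm is
Normal rights
  system:anyuser rlidwk
  cern:gg a
  olm rlidwka
"""

def expand_rights(spec):
    """Map a mnemonic ('read', 'write', ...) or letter string to a rights set."""
    if spec in MNEMONICS:
        return set(MNEMONICS[spec])
    letters = set(spec)
    if not letters <= RIGHTS:
        raise ValueError("unknown right(s) in %r" % spec)
    return letters

def parse_listacl(text):
    """Parse 'fs listacl' output into ({entry: rights}, {entry: negative})."""
    normal, negative, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if line == "Normal rights":
            current = normal
        elif line == "Negative rights":
            current = negative
        elif current is not None:
            m = re.match(r"^(\S+)\s+([rlidwka]+)$", line)
            if m:
                current[m.group(1)] = expand_rights(m.group(2))
    return normal, negative

def audit_acl(text):
    """Findings: open groups beyond lookup/read; 'a' held by a group."""
    normal, _negative = parse_listacl(text)
    findings = []
    for entry, rights in normal.items():
        extra = rights - set("rl")
        if entry in BROAD_GROUPS and extra:
            findings.append((entry, "open group has " + "".join(sorted(extra))))
        elif "a" in rights and ":" in entry:
            findings.append((entry, "group can change this ACL"))
    return findings
```

Running audit_acl over the page's own example (system:anyuser l, olm rlidwka, olivier rlidwka) returns no findings; the constructed sample returns two.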
Volumes (1)
Features
- can be moved transparently from one server to another
- backup
- replication (read-only volumes only)
- quota
Mount point
- directory where the root of the volume is mounted
- /afs/cern.ch/user/o/olm is a mount point: volume user.olm
- managed with fs mkm and fs lsm
Volumes (2)
Aaaah! I've lost my files!
- Do not panic, there is a backup every day (if your files are not in a scratch volume q.*)
- files from yesterday are online (backup volume). For users: /afs/cern.ch/ubackup/o/olm
- a command is being developed to automate the restore
- after this, we have to use tapes. Contact Afs.Support and ask to restore the volume you are interested in (or just give the full path of your files) and specify the date. We keep backups for 1 year, but there are gaps after 1 month (we recycle tapes)
Volumes (3)
I have no more space in my home directory
- available space is shown by fs listquota:
    $ fs lq /afs/cern.ch/user/o/olm
    Volume Name    Quota    Used    %Used    Partition
    user.olm       50000    35586   71%      81%
- to increase space, usually ask your AFS space administrator (found in xwho)
- a typical user home directory is 50MB
- the partition can also be full (to save disk space, the total of the volume quotas is usually bigger than the partition size). Contact Afs.Support. The balancing script did not do its job...
Volumes (4)
I cannot access my home directory
- check your token
- there is a "lost contact" message:
  - fs checkserver to see if a server is down
  - fs exa directory to see on which server it is
  - is there a network problem? Try ping
  - afs3 client configuration (CellServDB)
- there is a "volume busy" message: AFS management scripts manage used space and move volumes. When a volume is moved, it is not available for a short period (normally).
Miscellaneous
@sys
- AFS permits having a platform-dependent directory
- In the AFS home directory, bin is a symbolic link to .@sys/bin
- This can be a problem when central service nodes have a different operating system (directory no longer exists)
- @sys is replaced by the value of fs sys
Installing AFS
UNIX
- need to be root, with the afs SUE feature
NT
- need to have administrator privileges
- In Start Menu: More Applications\System Configuration\AFS Client for NT
NT GUI (1)
NT GUI (2)
NT GUI (3)
The Thing...
- Check the user token with the tokens command
    $ tokens
    Tokens held by the Cache Manager:
    User's (AFS ID 4968) tokens for afs@cern.ch [Expires Jan 12 12:11]
- Refresh the token with the klog command
    $ klog olm
    Password:
    $ tokens
    Tokens held by the Cache Manager:
    User's (AFS ID 4968) tokens for afs@cern.ch [Expires Jan 13 12:56]
    --End of list--