|
|
| Home > FAQ on different themes > |
AFS distributed filesystem FAQ |
Section 2 of 4 - Prev - Next
All sections - 1 - 2 - 3 - 4
urz.uni-heidelberg.de #Universitaet Heidelberg
spc.uchicago.edu #University of Chicago - Social Sciences
rrz.uni-koeln.de #University of Cologne - Reg Comp Center
wu-wien.ac.at #University of Economics, Vienna, Austria
uni-hohenheim.de #University of Hohenheim
ncsa.uiuc.edu #University of Illinois
wam.umd.edu #University of Maryland Network WAM Project
glue.umd.edu #University of Maryland - Project Glue
engin.umich.edu #University of Michigan - CAEN
umich.edu #University of Michigan - Campus
dmsv.med.umich.edu #University of Michigan - DMSV
citi.umich.edu #University of Michigan - IFS Development
lsa.umich.edu #University of Michigan - LSA College
math.lsa.umich.edu #University of Michigan - Math Cell
sph.umich.edu #University of Michigan -- School of Public
cs.unc.edu #University of North Carolina at Chapel Hill
nd.edu #University of Notre Dame
pitt.edu #University of Pittsburgh
vn.uniroma3.it #University of Rome 3, Area Vasca Navale, Italy
isi.edu #University of Southern California/ISI
dce.uni-stuttgart.de #University of Stuttgart - DCE/DFS Cell
ihf.uni-stuttgart.de #University of Stuttgart, Ins. fuer Hochfrequenz-Tec
mathematik.uni-stuttgart.de #University of Stuttgart, Math Dept.
cs.utah.edu #University of Utah Computer Science Dept
utah.edu #University of Utah Information Tech. Service
cs.washington.edu #University of Washington Comp Sci Department
wisc.edu #University of Wisconsin-Madison, Campus
cs.wisc.edu #University of Wisconsin-Madison, Comp Sci Dept
belwue.uni-tuebingen.de #ZDV Universitaet Tuebingen
This shows different and widespread organizations making use
of the Internet AFS filetree.
Note that it is also possible to use AFS "behind the firewall"
within the confines of your organization's network - you don't have
to participate in the Internet AFS filetree.
Indeed, there are lots of benefits of using AFS on a local area network
without using the WAN capabilities.
Subject: 1.08 Why does AFS use Kerberos authentication?
It improves security.
Kerberos uses the idea of a trusted third party to prove identification.
This is a bit like using a letter of introduction or quoting a referee
who will vouch for you.
When a user authenticates using the klog command (s)he is prompted
for a password. If the password is accepted the Kerberos
Authentication Server (KAS) provides the user with an encrypted token
(containing a "ticket granting ticket").
From that point on, it is the encrypted token that is used to prove
the user's identity. These tokens have a limited lifetime (typically
a day) and are useless when expired.
In AFS, it is possible to authenticate into multiple AFS cells.
A summary of the current set of tokens held can be displayed
by using the "tokens" command.
For example:
elmer@toontown $ tokens
Tokens held by the Cache Manager:
User's (AFS ID 9997) tokens for afs@ny.acme.com [Expires Sep 15 06:50]
User's (AFS ID 5391) tokens for afs@sf.acme.com [Expires Sep 15 06:48]
--End of list--
Kerberos improves security because a users's password need only be
entered once (at klog time).
AFS uses Kerberos to do complex mutual authentication which means that
both the service requester and the service provider have to prove their
identities before a service is granted.
Transarc's implementation of Kerberos is slightly different from
MIT Kerberos V4 but AFS can work with either version.
Joe Jackson wrote about this in:
http://www.cs.cmu.edu/afs/andrew.cmu.edu/usr/shadow/www/afs/afs-with-kerberos.html
For more detail on this and other Kerberos issues see the faq
for Kerberos (posted to news.answers and comp.protocols.kerberos) [28].
(Also, see [15], [16], [26], [27])
Subject: 1.09 Does AFS work over protocols other than TCP/IP?
No. AFS was designed to work over TCP/IP.
Subject: 1.10 How can I access AFS from my PC?
You can use PC-Interface which is available from Transarc and
Locus Computing Corporations.
For more information on PC-Interface see the PC-Interface
Frequently Asked Questions file in:
file:///afs/transarc.com/public/afs-contrib/doc/faq/pci.faq
ftp://ftp.transarc.com/pub/afs-contrib/doc/faq/pci.faq
There is also SAMBA (an SMB/netbios server for UNIX). The current
version will authenticate the connecting process with AFS as well.
U http://samba.anu.edu.au/samba/
The SAMBA FAQ is in:
U http://samba.anu.edu.au/samba/docs/faq/sambafaq-1.html#ss1.1
The SAMBA mailing list can be joined via: samba-request@anu.edu.au
Subject: 1.11 How does AFS compare with NFS?
AFS NFS
File Access Common name space from Different file names from
all workstations different workstations
File Location Automatic tracking by Mountpoints to files set by
Tracking file system processes administrators and users
and databases
Performance Client caching to reduce No local disk caching;
network load; callbacks limited cache consistency
to maintain cache consis-
tency
Andrew Benchmark Average time of 210 Average time of 280
(5 phases, 8 clients) seconds/client seconds/client
Scaling capabilities Maintains performance in Best in small to mid-size
small and very large installations
installations
Excellent performance on Best in local-area
wide-area configuration configurations
Security Kerberos mutual authen- Security based on
tication unencrypted user ID's
Access control lists on No access control lists
directories for user and
group access
Availability Replicates read-mostly No replication
data and AFS system
information
Backup Operation No system downtime with Standard UNIX backup system
specially developed AFS
Backup System
Reconfiguration By volumes (groups of Per-file movement
files)
No user impact; files Users lose access to files
remain accessible during and filenames change
moves, and file names do (mountpoints need to be
not change reset)
System Management Most tasks performed from Frequently involves telnet
any workstation to other workstations
Autonomous Autonomous administrative File servers and clients
Architecture units called cells, in
addition to file servers
and clients
No trust required between No security distinctions
cells between sites
[ source: ftp://ftp.transarc.com/pub/afsps/doc/afs-nfs.comparison ]
Other points:
+ Some vendors offer more secure versions of NFS but implementations vary.
Many NFS ports have no extra security features (such as Kerberos).
+ The AFS Cache Manager can be configured to work with a RAM (memory)
based cache. This offers signifigant performance benefits over
a disk based cache.
NFS has no such feature.
Imagine how much faster it is to access files cached into RAM!
+ The Andrew benchmark demonstrates that AFS has better performance
than NFS as the number of clients increases. A graph of this
(taken from Andrew benchmark report) is available in:
U http://www.angelfire.com/hi/plutonic/images/andrew1.jpg
Subject: 2 Using AFS
Subject: 2.01 What are the differences between AFS and a unix filesystem?
Essentially, from a user's point of view, there is little difference
between AFS and local unix filestore. Nearly all the commands normally
used to access local files can be used to access files in /afs.
In the following set of sections, I have attempted to "target"
each section to an appropriate type of user by including to the
right of each section heading one of: User, Programmer, SysAdmin.
Here is a summary of the differences:
Authentication: [ User ]
Before a user can access protected AFS files (s)he needs to become
authenticated to AFS using the klog command (Kerberos login) to get
a Kerberos "ticket granting ticket" (called a token from here on).
Without a token, an unauthenticated user is given the AFS identity
"system:anyuser" and as such is only able to access files in directories
that have ACLs granting system:anyuser access.
Many systems have the klog function built into the system login program.
So a user would not even have to know they gain a token on logging in.
If you use a system where you have to issue the klog command after
login then you should run the pagsh command first (see below).
AFS provides access control lists to give more precise control
to users wishing to protect their files (see AFS ACL below).
File permissions: [ User ]
Unix mode bits for group and other are ignored.
The mode bits for the file owner don't work the way they used to.
Users should protect their AFS files with (directory) ACLs only.
Just use mode bits to make a file executable.
Data protection with AFS ACLs: [ User ]
Some versions of unix (eg IBM's AIX version 3) allow ACLs on
local files. In AFS, ACLs protect directories and used with
AFS protection groups (see below) provide a finer granularity
of protection than can be achieved with basic unix file permissions.
(AFS ACLs are described in more detail below.)
Protection groups: [ User ]
Users can create and maintain their own protection groups in AFS -
as opposed to unix where only sys admins can manage protection groups.
Hard links: [ User ]
In AFS, hard links (eg: ln old new) are only valid within a directory.
This is because AFS ACLs protect directories (not individual files)
and allowing hard links that span directories would subvert ACL
protection.
Symbolic links work in AFS because they reference a pathname and
not an i-node directly. (Hard links reference an i-node directly.)
Changing file protection by moving a file: [ User ]
Moving a file to a different directory will change the protection
of a file if the ACL on the new directory if different to the ACL
on the original directory.
chown and chgrp: [ User ]
Only members of the AFS group "system:administrators" can use these
commands on files in /afs.
Save on close: [ Programmer ]
AFS Cache Manager does not send file modifications to a file server
until the close() or fsync() system call.
write() system calls only update the local cache copy on the client.
Note the difference in semantic of writing a file:
local unix file: writes update the file "immediately"
AFS file: local cached copy updated "immediately" but
the server copy is only updated when the file
is closed or fsync'ed.
It is important to understand that most applications (eg: vi, emacs,
frame, interleaf, wingz, dogz, etc) issue the close() system call when
the user chooses/issues the "save" command in the application.
Users are not required to exit the application to "save" their
changes back to the server.
byte-range file locking: [ Programmer ]
AFS does not support byte-range locking within a file,
although lockf() and fcntl() calls will return 0 (success).
The first time a byte-range lock is attempted, AFS will display:
"afs: byte-range lock/unlock ignored; make sure no one else
else is running this program."
whole file locking: [ Programmer ]
AFS does support advisory locking an entire file with flock().
Processes on the same client workstation that attempt to lock
a file obey the proper locking semantics.
Processes on different AFS clients requesting a lock on the same
file would get EWOULDBLOCK returned.
character and block special files: [ SysAdmin ]
AFS does not support character and block special files.
The mknod command does not create either character or block
special files in /afs.
AFS version of fsck: [ SysAdmin ]
On an AFS server, the partitions containing served files are NOT
unix filesystems and standard fsck *must* not be used - use the AFS
version instead.
Subject: 2.02 What is an AFS protection group?
A named list of users.
Group names are used in AFS ACLs to identify lists of users with
particular access permissions.
In AFS, users can create and maintain their own protection groups.
This is different to unix where only the system administrator can
manage /etc/group.
AFS groups are stored in the protection database on fileserver(s)
and managed by using the "pts" command.
An AFS group typically has the format:
owner-id:group-name
By default, only the owner of a group can change its members.
It is possible to have both users and IP addresses as members
of an AFS group. By using an IP address like this you can specify
all the users from the host with that IP address.
Subject: 2.03 What are the AFS defined protection groups?
system:anyuser
Everyone who has access to an AFS client in any cell that is
on the same network as your cell.
system:authuser
Everyone who has access to an AFS client in any cell that is
on the same network as your cell *and* has valid tokens for
your cell (ie has been authenticated in your cell).
system:administrators
Users who have privileges to execute some but not all
system administrator commands.
Subject: 2.04 What is an AFS access control list (ACL)?
There is an ACL for every directory in AFS. The ACL specifies
protection at the directory level (not file level) by listing
permissions of users and/or groups to a directory. There is a
maximum of 20 entries on an ACL.
For example:
An AFS ACL is displayed by using the "fs" command as shown below:
tweety@toontown $ fs listacl .
Access list for . is
Normal rights:
fac:coords rlidwka
system:anyuser rl
This ACL shows that members of the AFS protection group "fac:coords"
have full access rights to the current directory and "system:anyuser"
has only read and lookup rights.
The members of "fac:coords" can be determined by accessing the
protection group database using the "pts" command as shown below:
tweety@toontown $ pts membership fac:coords
Members of fac:coords (id: -1577) are:
sylvester
roadrunner
yosemite.sam
Subject: 2.05 What are the AFS access rights?
In AFS, there are seven access rights that may be set or not set:
lookup l Permission to examine the ACL and traverse the
directory (needed with most other access rights).
Permission to look up filenames in a directory.
read r View the contents of files in the directory
insert i Add new files or sub-directories
write w Modify file contents, use "chmod"
delete d Remove file(s) in directory
lock k Permission for programs to "flock" files
in the directory
administer a Ability to change the ACL
There are short-hand forms:
read rl read and lookup
write rlidwk all rights except administer
all rlidwka
none removes all rights
Subject: 2.06 What is pagsh?
A command to get a new shell with a process authentication group (PAG).
This is normally used if your system does not use the AFS version of login.
It is used to get a PAG prior to running klog.
The PAG uniquely identifies the user to the Cache Manager.
Without a PAG the Cache Manager uses the unix UID to identify a user.
Subject: 2.07 Why use a PAG?
There are two reasons:
a) Child processes inherit the PAG and the Kerberos token so they are AFS
authenticated.
b) For security: if you don't have a PAG then the Cache Manager identifies
you by unix UID. Another user with root access to the client could
su to you and therefore use your token.
Subject: 2.08 How can I tell if I have a PAG?
You can tell if you have a PAG by typing "groups". A PAG is indicated
by the appearance of two integers in the list of groups.
For example:
sylvester@toontown $ groups
33536 32533 staff catz
Subject: 2.09 Can I still run cron jobs with AFS?
Yes, but remember that in order to fully access files in AFS you have
to be AFS authenticated. If your cron job doesn't klog then it only
gets system:anyuser access.
The klog command has a "-pipe" option which will read a password from
stdin. IF (yes, that's a big if :-) you are prepared to store your
password in a local (non-AFS) file then you might use the following:
a) create a "wrapper" script to get a PAG, get your AFS token
and execute a command:
#!/usr/afsws/bin/pagsh
#
# NAME afs_wrap_cron
# AUTHOR Paul Blackburn
# PURPOSE Run an AFS authenticated cron job.
# Get a PAG, get the user's token,
# then exec user's command
CMD=`basename ${0}`
usage() {
echo "Usage: ${CMD} [ -principal AFSID ] passwordfile command" >&2
}
if [ ${1} = "-principal" ]; then
PRINCIPAL="${1} ${2}"
shift 2
fi
if [ -z "${1}" ]; then
echo "${CMD} error: need name of password file" >&2
usage
exit 1
else
passwordfile=${1}
shift
fi
/usr/afsws/bin/klog ${PRINCIPAL} -pipe < ${passwordfile}
if [ -z "${1}" ]; then
echo "${CMD} error: need name of command to run" >&2
usage
exit 1
else
command_line="$*"
command=`echo ${command_line} | awk '{print $1}'`
# Check if we can run the command.
# If we got this far, it is likely that the command name is correct
# but there may be a problem in accessing the command file.
# If there is an error, log it via syslog (logger) rather than ">&2"
if [ ! -x "${command}" ]; then
M="error: unable to execute command ${command}"
logger -i -t "${CMD}" "${M}"
exit 1
fi
fi
exec ${command_line}
b) Store your password in a local (non-AFS) file that only you
have access to (perhaps: /home/$USER/.p).
Make sure that this file is mode 600 and also be sure that
you trust whoever has root access on this system and whoever
has access to backup tapes! Also, don't forget to change this
file if you change your AFS password.
c) In your crontab file, run afs_wrap_cron followed by unlog:
0 6 * * * /usr/local/bin/afs_wrap_cron /home/$USER/.p \
$HOME/bin/6AMdaily; /usr/afsws/bin/unlog
Note that you can still run a cron job without getting a token if
the task does not need to be AFS authenticated. In this case, you
may get stderr from the cron job if your .profile is not accessible
because of the ACL protecting your $HOME. Simply redirect to /dev/null:
0 7 * * * $sys_anyuser_readable_dir/7AMdaily 2>/dev/null
Subject: 2.10 How much disk space does a 1 byte file occupy in AFS?
One kilobyte.
Other filesystems allocate different file block sizes.
For example, IBM's AIX version 3 journaled file system (JFS)
uses 4K blocks (exception: 2K for the 160MB disk drive).
Such blocksize differences lead to variations on the amount of
disk space required to store files. Copying a directory from AFS
to AIX JFS would require more space in JFS because of the block
fragmentation.
Example:
a) Create a one byte file in AFS and use "ls -s" to show how many
kilobytes it occupies:
ariel@atlantica $ echo z >/afs/dsea/tmp/one_byte_file
ariel@atlantica $ ls -s /afs/dsea/tmp/one_byte_file
1 /afs/dsea/tmp/one_byte_file
b) Create same file in local filesystem (AIX JFS):
ariel@atlantica $ echo z >/tmp/one_byte_file
ariel@atlantica $ ls -s /tmp/one_byte_file
4 /tmp/one_byte_file
Subject: 2.11 Is it possible to specify a user who is external
to the current AFS cell on an ACL?
No. You cannot reference a particular user from another AFS cell.
You can specify an IP address on the ACL; this means any and all
users from the host with that IP address.
Another solution to this problem is to give the external user an
"authentication-only" account in your AFS cell. This means that
(s)he can klog (but has no home directory) in your cell.
# Example: AFS administrator creates an authentication-only user
$ uss add daffy "Daffy Duck" -t /dev/null
$ kas setpassword daffy -admin admin
Cross-realm authentication (where co-operating cells are able to
specify remore users as "user@remote.cell" on an ACL) is an *unsupported*
feature of AFS 3.3a. That means that Transarc doesn't promise
to make it work for you, nor keep it running in future releases.
Subject: 2.12 Are there any problems printing files in /afs?
The issue of printing in AFS is almost always the same: what do you
send to the printing daemon? Do you send it the bytes you want to
print or do you just send the file name containing those bytes? If
you send it a file name, you have to be sure that the printing daemon
can read it. Most daemons run with no AFS tokens, so can't access
directories unless they are open for system:anyuser read access.
Often, printing commands (lpr, lp, enq) have an option that allows
for both modes of operation, though the default behavior varies from
system to system. If you're interested in making your daemons
authenticate to AFS, check out the example scripts in AFS-Contrib:
file:///afs/transarc.com/public/afs-contrib/tools/reauth-example
ftp://ftp.transarc.com/pub/afs-contrib/tools/reauth-example/
Another common problem is setuid printing commands. For instance, the
"enq" command runs as root, daemon, or some such user. If you aren't
using the AFS login and simply issue "klog" to get tokens, those
tokens are associated with your uid. When setuid programs run, they
lose access to your token and often can't read the file name given as
an argument. The solution in this case is to use "pagsh" before
"klog" so that your tokens are transferred to subprocesses
automatically by group membership. This works even if the uid
changes, as for setuid programs.
Subject: 2.13 Can I create a fifo (aka named pipe) in /afs?
No. AFS does not support "mknod fifofile p".
Subject: 2.14 If an AFS server crashes, do I have to reboot my AFS client?
No.
Typically, if an AFS server becomes unavailable, the AFS Cache Manager on
your AFS client will see you through the outage until the server returns.
This robustness is dependent on the way your AFS cell has been configured
including the following factors:
+ On the client side:
+ How big is the cache?
+ Are the files you need already in the cache?
+ On the server side:
+ How many servers? It's best to have a minimum of three.
+ Is the data you are accessing replicated? In AFS, replicas
are ReadOnly copies.
With replicated volumes, the AFS Cache Manager knows about all of the
servers on which the replicas are located. Therefore, when the Cache
Manager accesses a replicated volume, if the RPC times out, the
Cache Manager automatically retrys the RPC, using a different file server.
If necessary, the Cache Manager will attempt to contact all file servers
on which a replica of the volume resides.
If you are accessing ReadWrite volumes on a crashed server then you
will not be able to save changes back to the server until it returns.
You don't need to reboot, and the Cache Manager activity is "invisible"
to the user.
Subject: 2.15 Can I use AFS on my diskless workstation?
Yes. The AFS Cache Manager can be configured to work with either
a disk based cache or a memory (RAM) based cache. With the latter,
you can expect file access from the cache with a whizz!
U http://www.uni-hohenheim.de/~schaefer/afs/info-afs/1306.html
Subject: 2.16 Can I test for AFS tokens from within my program?
Yes. Some sample code showing how to do this can be found in:
file:///afs/transarc.com/public/afs-contrib/tools/auth-samples/listtokens.c
ftp://ftp.transarc.com/pub/afs-contrib/tools/auth-samples/listtokens.c
Subject: 2.17 What's the difference between /afs/cellname and /afs/.cellname?
AFS has ReadOnly (RO) and ReadWrite (RW) volumes.
The convention in AFS is to mount the RW volume "root.cell" as
/afs/.cellname and the RO volume "root.cell.readonly" as /afs/cellname.
This is so that when you travel down the /afs/.cellname link, AFS will
always use the RW site of any volumes that have RO clones.
This allows your administrator to update the RW copy of a volume and
"vos release $volname" so that it will appear in /afs/cellname.
Subject: 2.18 Can I klog as two users on a machine in the same cell?
Yes, if you use two different PAGs.
It's: "One token per PAG per client system."
From one shell you can only authenticate as a single user of a cell.
If you open another shell (with another PAG) you can klog as a different
user of the same cell from the same client.
You can authenticate into many cells from one client shell.
Subject: 2.19 What are the ~/.__afsXXXX files?
They are temporary reference files used by the AFS Cache Manager.
In UNIX filesystems, when you a remove a file that is kept open
by a process, the file stays around physically while it is no longer
referenced in any directory (which you will see as a mismatch between
disk space usage according to df and du).
Some applications rely on that feature, e.g. they create a temporary file
and remove it immediatley while keeping the file descriptor open.
The file then disappears from the filesystem automagically
when the process terminates or the file descriptor gets closed otherwise.
Such applications could get into trouble with older versions of AFS,
where the file could really disappear while it was held open.
Newer versions of AFS rename such files to .__afsXXXX, thus making sure
that the data stays around as expected by the application. As soon as
the file gets closed, the associated .__afsXXXX should disappear.
Subject: 3 AFS administration
Subject: 3.01 Is there a version of xdm available with AFS authentication?
Yes, xdm can be found in:
file:///afs/transarc.com/public/afs-contrib/tools/xdm
ftp://ftp.transarc.com/pub/afs-contrib/tools/xdm/
Subject: 3.02 Is there a version of xlock available with AFS authentication?
Yes, xlock can be found in:
file:///afs/transarc.com/public/afs-contrib/tools/xlock
ftp://ftp.transarc.com/pub/afs-contrib/tools/xlock/
Subject: 3.03 What is /afs/@cell?
It is a symbolic link pointing at /afs/$your_cell_name.
NB, @cell is not something that is provided by AFS. You may decide
it is useful in your cell and wish to create it yourself.
/afs/@cell is useful because:
+ If you look after more than one AFS cell, you could create
the link in each cell then set your PATH as:
PATH=$PATH:/afs/@cell/@sys/local/bin
+ For most cells, it shortens the path names to be typed in
thus reducing typos and saving time.
A disadvantage of using this convention is that when you cd into
/afs/@cell then type "pwd" you see "/afs/@cell" instead of the full name
of your cell. This may appear confusing if a user wants to tell a user
in another cell the pathname to a file.
You could create your own /afs/@cell with the following:
#/bin/ksh -
# author: mpb
[ -L /afs/@cell ] && echo We already have @cell! && exit
cell=$(cat /usr/vice/etc/ThisCell)
cd /afs/.${cell} && fs mkm temp root.afs
cd temp
ln -s /afs/${cell} @cell
ln -s /afs/.${cell} .@cell # .@cell for RW path
cd /afs/.${cell} && fs rmm temp
vos release root.afs; fs checkv
U http://www-archive.stanford.edu/lists/info-afs/hyper95/0298.html
Subject: 3.04 Given that AFS data is location independent, how does
an AFS client determine which server houses the data
its user is attempting to access?
The Volume Location Database (VLDB) is stored on AFS Database
Servers and is ideally replicated across 3 or more Database Server
machines. Replication of the Database ensures high availability
and load balances the requests for the data. The VLDB maintains
information regarding the current physical location of all volume
data (files and directories) in the cell, including the IP address
of the FileServer, and the name of the disk partition the data is
stored on.
A list of a cell's Database Servers is stored on the local disk of
each AFS Client machine as: /usr/vice/etc/CellServDB
The Database Servers also house the Kerberos Authentication
Database (encrypted user and server passwords), the Protection
Database (user UID and protection group information) and the
Backup Database (used by System Administrators to backup AFS file
data to tape).
Subject: 3.05 Which protocols does AFS use?
AFS may be thought of as a collection of protocols and software
processes, nested one on top of the other. The constant interaction
between and within these levels makes AFS a very sophisticated software
Section 2 of 4 - Prev - Next
All sections - 1 - 2 - 3 - 4
| Back to category FAQ on different themes - Use Smart Search |
| Home - Smart Search - About the project - Feedback |
© allanswers.org | Terms of use