1 This is a step-by-step guide to installing OpenAFS and setting up an AFS cell
2 on CentOS 7, and presumably RedHat Enterprise Linux 7, and anything from that
3 same family. It is current as of OpenAFS version 1.8.3 on CentOS 7.
5 This document is based on [[InstallingOpenAFSonRHEL]] and includes information from
6 the [Unix Quick Start Guide](http://docs.openafs.org/QuickStartUnix/).
12 When setting up an AFS cell on the internet, the convention is to user your
13 internet domain name for your Kerberos realm and AFS cell name. The Kerberos
14 realm name should be uppercase and the AFS cell name should be lowercase.
16 Note, it is possible to create a AFS cell with a different name than the
17 Kerberos realm (or even use a single Kerberos realm in multiple cells). See
18 the documentation for the OpenAFS `krb.conf` server configuration file for
19 details on mapping realms to cell names.
23 A minimal OS install is sufficient.
25 For a simple installation, you may use a single server to host the Kerberos
26 KDC, OpenAFS database server, and OpenAFS fileserver. For a production
27 environment, it is recommended that the Kerberos KDC be deployed on a
28 dedicated, secure server, the OpenAFS database servers be deployed on three
29 separate machines, and multiple file servers deployed as needed.
33 An important thing to keep in mind is that you'll need at least one partition
34 on the file server to store volumes for AFS. This will be mounted at
35 `/vicepa`. If you have multiple partitions they can be mounted at `/vicepb`,
36 `/vicepc`, etc. The file server uses file-based storage (not block based).
37 `ext3`, `ext4`, and `xfs` are commonly used filesystems on the vicep
40 Clients should have a dedicated partition for the file cache. The cache
41 partition is traditionally mounted at `/usr/vice/cache`.
45 DNS should be working correctly for forward and reverse name lookups before you
46 begin the Kerberos and OpenAFS installation. `bind` can be installed if you
47 need a local DNS server. Use `system-config-bind` to add a zone and entries.
49 Servers need at least one IPv4 interface that is accessible by the AFS clients.
50 IPv6 interfaces are not yet supported.
54 Kerberos, and therefore OpenAFS, requires good clock synchronization between
55 clients and servers. As CentOS 7 enables `chronyd` for time synchronization
56 out of the box, it is unlikely you will need to make a change.
60 The default firewall settings on RHEL will block the network ports used by
61 Kerberos and OpenAFS. You will need to adjust the firewall rules on the
62 servers to allow traffic on these ports.
64 On the Kerberos server, open udp ports 88 and 646:
66 # firewall-cmd --zone=public --add-port=88/udp
67 # firewall-cmd --zone=public --add-port=646/udp
68 # firewall-cmd --runtime-to-permanent
70 On the OpenAFS database servers, open the udp ports 7002, 7003, and 7007:
72 # firewall-cmd --zone=public --add-port=7002/udp
73 # firewall-cmd --zone=public --add-port=7003/udp
74 # firewall-cmd --zone=public --add-port=7007/udp
75 # firewall-cmd --runtime-to-permanent
77 On the OpenAFS file servers, open the udp ports 7000, 7005, and 7007:
79 # firewall-cmd --zone=public --add-port=7000/udp
80 # firewall-cmd --zone=public --add-port=7005/udp
81 # firewall-cmd --zone=public --add-port=7007/udp
82 # firewall-cmd --runtime-to-permanent
84 OpenAFS clients use udp port 7001. Open udp port 7001 on any system that will
85 have the OpenAFS client installed.
87 # firewall-cmd --zone=public --add-port=7001/udp
88 # firewall-cmd --runtime-to-permanent
90 ## Installing Kerberos
92 Install the Kerberos server and client packages with the command:
94 # yum install -y krb5-server krb5-workstation krb5-libs
96 Replace every instance of `EXAMPLE.COM` with your realm name in the following
100 * `/var/kerberos/krb5kdc/kdc.conf`
101 * `/var/kerberos/krb5kdc/kadm5.acl`
103 Replace every instance of the example hostname `kerberos.example.com` with
104 the actual hostname of your Kerberos server in the file `/etc/krb5.conf`.
106 Create the Kerberos database using the `krb5_util` command. You will be
107 prompted for a master principal password. Choose a password, keep it secret,
110 # /usr/sbin/kdb5_util create -s
112 Start the Kerberos servers.
114 # systemctl start krb5kdc
115 # systemctl start kadmin
116 # systemctl enable krb5kdc
117 # systemctl enable kadmin
119 ## Installing OpenAFS servers
121 ### Installing servers
123 The OpenAFS source tarballs are available on the OpenAFS website. You will
124 need to build the source RPM with a script provided in the source tarball, and
125 then build the RPMs using the `rpmbuild` command. There are third party
126 sources for pre-built packages, in particular the CentOS Storage SIG, but note
127 that at least with the Storage SIG's packages, configuration files are located
128 in `/etc/openafs` and servers `/usr/libexec/openafs` instead of the traditional
131 $ sudo yum install rpm-build yum-utils make perl libtool bzip2 wget
133 $ wget https://www.openafs.org/dl/openafs/<version>/openafs-<version>-src.tar.bz2
134 $ wget https://www.openafs.org/dl/openafs/<version>/openafs-<version>-doc.tar.bz2
135 $ wget https://www.openafs.org/dl/openafs/<version>/RELNOTES-<version>
136 $ wget https://www.openafs.org/dl/openafs/<version>/ChangeLog
138 $ tar xf openafs-<version>-src.tar.bz2 --strip-components=4 '*/makesrpm.pl'
139 $ perl makesrpm.pl openafs-<version>-src.tar.bz2 openafs-<version>-doc.tar.bz2 RELNOTES-<version> ChangeLog
141 $ rpm -iv openafs-<version>-1.src.rpm
142 $ sudo yum-builddep ~/rpmbuild/SPECS/openafs.spec
144 $ rpmbuild -bb --define "build_modules 0" ~/rpmbuild/SPECS/openafs.spec
146 where `<version>` is the OpenAFS version you wish to install, e.g. "1.8.5".
148 Use `yum` to install the OpenAFS server packages from your your rpmbuild RPMS directory:
150 # yum install -y openafs-<version>-1.el7.x86_64.rpm openafs-server-<version>-1.el7.x86_64.rpm openafs-docs-<version>-1.el7.x86_64.rpm openafs-krb5-<version>-1.el7.x86_64.rpm
152 Create the Kerberos AFS service key and export it to a keytab file:
154 # cellname=<cellname>
155 # kadmin.local -q "addprinc -randkey -e aes256-cts-hmac-sha1-96:normal,aes128-cts-hmac-sha1-96:normal afs/${cellname}"
156 # kadmin.local -q "ktadd -k /usr/afs/etc/rxkad.keytab -e aes256-cts-hmac-sha1-96:normal,aes128-cts-hmac-sha1-96:normal afs/${cellname}"
158 where `<cellname>` is the name of your cell. Make note of the key version number (kvno) as it is needed for the next step where it shows `<kvno>`.
160 # asetkey add rxkad_krb5 <kvno> 18 /usr/afs/etc/rxkad.keytab afs/${cellname}
161 # asetkey add rxkad_krb5 <kvno> 17 /usr/afs/etc/rxkad.keytab afs/${cellname}
164 If your Kerberos REALM name is different from your cell name add your upper case
165 REALM name in /usr/afs/etc/krb.conf, else you will not know why your cell does not work!
167 Start the OpenAFS servers:
169 # systemctl start openafs-server
170 # systemctl enable openafs-server
172 Check the server log `/usr/afs/logs/BosLog` to verify the OpenAFS `bosserver`
173 process started. Set the cell name with the command:
175 # bos setcellname localhost ${cellname} -localauth
177 ### Starting the database services
179 The `ptserver` process stores the AFS users and group names in your cell. The
180 `vlserver` process stores the file server locations of the AFS volumes in your
181 cell. Start the OpenAFS database processes with the commands:
183 # bos create localhost ptserver simple -cmd /usr/afs/bin/ptserver -localauth
184 # bos create localhost vlserver simple -cmd /usr/afs/bin/vlserver -localauth
186 Check the log files `BosLog`, `PTLog`, `VLLog` in the `/usr/afs/logs`
187 directory to verify the `ptserver` and `vlserver` started.
189 ### Starting the file server
191 Start the file server. This is a rather long command line.
193 # bos create localhost \
195 "/usr/afs/bin/dafileserver -L" \
196 "/usr/afs/bin/davolserver -p 64 -log" \
197 "/usr/afs/bin/salvageserver" \
198 "/usr/afs/bin/dasalvager -parallel all32" \
201 Check the servers logs `BosLog`, `FileLog`, `VolserLog`, and `SalsrvLog`, in
202 `/usr/afs/logs' to verify the file server started. At this point the OpenAFS
203 server processes should be running.
205 ### Creating the admin account
207 Create a user account for Kerberos and AFS administration.
210 # kadmin.local -q "addprinc ${myname}/admin"
211 Enter password: <password>
212 Re-enter password: <password>
213 # pts createuser ${myname}.admin -localauth
214 # pts adduser ${myname}.admin system:administrators -localauth
215 # bos adduser localhost ${myname}.admin -localauth
217 where `<myname>` is your user name and `<password>` is your chosen password.
219 The admin principal can be any name you want. The recommended practice is to
220 create two principals for admins: one for your normal user, and an additional
221 admin account. For example, I may have `steve` and `steve/admin`. Note that for
222 Kerberos 5, the name is `steve/admin@REALM`, whereas in AFS, the name is
223 `steve.admin`. Use `steve.admin` for all AFS commands. Since this is to be an
224 administrator we will also register it as such with the `bos` server. We can give
225 it administrator rights by adding it to the group `system:administrators`. This
226 is an AFS default group. The `pts membership` command will list all the groups
227 that your user is a member of. Verify that it lists `system:administrators`.
229 ### Create the root volumes
231 At this point we need our `/vicepa` partition. You should have done this when
232 installing the operating system. If you have not, do it now, then restart the
233 fileserver with `systemctl restart openafs-server`. (If this is only a test
234 system you may create a pseudo partition without needing to create an actual
235 separate filesystem. To do this, create an empty directory called `/vicepa` and
236 then create an empty file called `/vicepa/AlwaysAttach`, then restart the file
237 server with `systemctl restart openafs-server`.)
239 Create the root volumes with the commands:
241 # vos create localhost a root.afs -localauth
242 # vos create localhost a root.cell -localauth
244 Check the volume location database to verify the two volumes are listed.
248 Finally, now that the server configuration is done, put the `bosserver` into
249 the more secure restricted mode, which disables several bos commands which are
250 strictly not needed for normal operation.
252 # bos setrestricted localhost -mode 1 -localauth
254 This completes the server side setup. At this point will need to install the
255 OpenAFS cache manager (client), setup the top level directories, and then start
256 adding files to your new cell. The cache manager may be installed on a
257 separate machine (for example, your laptop.) Also, you will no longer be using
258 the `root` user to run OpenAFS commands, but instead from this point forward
259 you should use your Kerberos credentials.
261 ## Installing OpenAFS Client
265 If installing the cache manager on an OpenAFS server, first remove the symlinks
266 created by `bosserver`. These will be in the way if the client is installed.
268 # test -h /usr/vice/etc/ThisCell && rm /usr/vice/etc/ThisCell
269 # test -h /usr/vice/etc/CellServDB && rm /usr/vice/etc/CellServDB
271 The OpenAFS kernel module must match your kernel version. Unless you are maintaining
272 a local `yum` repository that tracks every single kernel release and updates its kmod builds,
273 you will want to use the DKMS mechanism for installing the the kernel module. If
274 you are installing on a freshly patched machine, be sure to reboot before installing
275 the OpenAFS kernel module. Assuming you are using the same set of packages built earlier:
277 # yum install -y dkms gcc kernel-devel kernel-headers
278 # yum install -y openafs-<version>-1.el7.x86_64.rpm openafs-client-<version>-1.el7.x86_64.rpm openafs-krb5-<version>-1.el7.x86_64.rpm dkms-openafs-<version>-1.el7.x86_64.rpm
280 ### Client side configuration
282 `/usr/afs/etc` is the location for the server files. We also need to configure
283 the client. The client files are located in `/usr/vice/etc`. RPM based OpenAFS
284 packages are set up in such a way that there are two `CellServDB` client
285 files in `/usr/vice/etc`: `CellServDB.dist` and `CellServDB.local`. We will
286 copy ours to the local list.
288 # cp /usr/afs/etc/CellServDB /usr/vice/etc/CellServDB.local
289 # cp /usr/afs/etc/ThisCell /usr/vice/etc/ThisCell
291 The RPM based `openafs-client` init script will combine the `CellServDB.dist`
292 and `CellServDB.local` files into the `CellServDB` file, which the cache
293 manager reads on startup.
295 ### Start the cache manager
297 Start the cache manager with the command:
299 # systemctl start openafs-client
300 # systemctl enable openafs-client
302 Run the `mount` command to verify the AFS filesystem is mounted at `/afs`.
304 Try logging in to AFS. `kinit` logs you into Kerberos (this is the normal
305 Kerberos utility). `aklog` gets you an AFS token. The `tokens` command lists
306 the tokens you have. You should see `afs@<cellname>`. If you run into problems, you
307 can use `klist` to list your Kerberos tickets, or `aklog` with the `-d` flag.
309 $ kinit <username>/admin
314 ## Setting up the cell root directory
316 Now we will set up the root directories. The root directory for the AFS
317 namespace is in the volume called `root.afs`. The root directory of your cell
318 should be in a volume called `root.cell`. You will need to set the ACLs for
319 these directories. AFS access rights are rather different from those in UNIX.
320 I suggest reading the IBM documentation for this; it still applies.
322 The cache manager is started in `-dynroot` mode on RPM-based installations.
323 This allows the cache manager to mount the AFS filesystem without the need to
324 contact the OpenAFS servers. The side-effect of `-dynroot` is the `root.afs`
325 volume cannot be accessed directly. Fortunately, we can use "magic" `.:mount`
326 directory to access the `root.afs` volume.
328 Set up the top level directories.
330 $ cellname=$(cat /usr/vice/etc/ThisCell)
332 $ cd /afs/.:mount/${cellname}:root.afs/
333 $ fs mkmount ${cellname} root.cell -cell ${cellname}
334 $ fs mkmount .${cellname} root.cell -cell ${cellname} -rw
335 $ fs setacl . system:anyuser read
337 $ cd /afs/.:mount/${cellname}:root.cell/
338 $ fs setacl . system:anyuser read
340 Replicate the root volumes so that you have read only copies. Later, if more
341 file servers are added to the cell, additional read-only copies should be made.
343 $ server=<hostname of the fileserver>
344 $ vos addsite ${server} a root.afs
345 $ vos release root.afs
346 $ vos addsite ${server} a root.cell
347 $ vos release root.cell
349 ## Adding users and volumes
351 Now that OpenAFS is installed, the site specific AFS volumes and directory
352 structure can be set up. Users should be made, along with their home
353 volumes. ACLs for the volume directories should be established.
355 This section provides an example setup. The names of the volumes and
356 directories can be specific to your needs.
358 You must first authenticate as a Kerberos/AFS admin to run the commands
359 shown in this section.
361 $ kadmin <username>/admin
364 ### Creating user accounts
366 We can create a user by registering it to Kerberos and the `ptserver` database.
367 If you use integrated login, make sure that the users' UNIX uids and pts ids
370 $ kadmin -q "addprinc <username>"
371 <enter password for username>
372 $ pts createuser <username> -id <numeric uid>
374 If you use integrated login, make sure that you add an entry to /etc/passwd or
375 whatever means you use of distributing user information.
377 ### Setting up volumes for users
379 First, we can make a top level volume to contain the mount points to volumes
380 for individuals. The IBM documentation suggests making a directory
381 `/afs/<cellname>/user` with volume name user for all of your AFS users. Some
382 sites have adopted the directory `home` instead of `user`. If you use `home`,
383 your users may feel more comfortable, as this is the convention in Linux and
386 The following commands create the `home` volume and make a read-only replica:
388 $ vos create <fileserver> a home
389 $ cd /afs/.<cellname>
390 $ fs mkmount home home
391 $ vos addsite <fileserver> a home
392 $ vos release root.cell
395 Now you can create directories for any of your users. We will not replicate
396 these volumes. By not replicating them, we force the cache manager to access a
397 read/write volume. This means that even if we access the cell through the
398 read-only volume we can still access our read/write user directories (this is
399 what you want). Maxquota 0 means that there is no size restriction to the
400 volume. You can give it a restriction if you like (the default is 5mb). Do
401 these commands for every directory you like.
403 $ vos create <fileserver> a home.<uid> -maxquota 0
404 $ cd /afs/.<cellname>/home
405 $ fs mkmount <user> home.<uid>
408 The home volume is released to make the new directories are visible from the
409 read only mount point.
413 Now that we have volumes, we should set some restrictions on those volumes.
414 If you trust the users not to make directories *world writable*, you
415 can give the user of the directory full rights.
417 $ cd /afs/.<cellname>/home
418 $ fs setacl -dir <user> -acl <user> all
420 To give the users read and write access, but not rights to change ACLs,
422 $ cd /afs/.<cellname>/home
423 $ fs setacl -dir <user> -acl <user> write