## 1 General

The General Section of the [[AFSFrequentlyAskedQuestions]].

- [[PreambleFAQ]]
- [[UsageFAQ]]
- [[AdminFAQ]]
- [[ResourcesFAQ]]
- [[AboutTheFAQ]]
- [[FurtherReading]]

### 1.01 What is AFS?

AFS is a distributed filesystem that enables co-operating hosts (clients and servers) to efficiently share filesystem resources across both local area and wide area networks.

The commercial version of AFS is marketed, maintained, and extended by Transarc Corporation.

AFS is based on a distributed file system originally developed at the Information Technology Center at Carnegie-Mellon University that was called the "Andrew File System".

"Andrew" was the name of the research project at CMU - honouring the founders of the University. Once Transarc was formed and AFS became a product, the "Andrew" was dropped to indicate that AFS had gone beyond the Andrew research project and had become a supported, product-quality filesystem. However, there were a number of existing cells that rooted their filesystem as /afs. At the time, changing the root of the filesystem was a non-trivial undertaking. So, to save the early AFS sites from having to rename their filesystem, AFS remained as the name and filesystem root.

### 1.02 Who supplies AFS?

There are currently three sources for AFS: the commercial version from Transarc (now part of IBM), the open-sourced version of the former Transarc AFS called [[OpenAFS]], and the independent open source project [[Arla]].
1. IBM Pittsburgh Lab, 11 Stanwix Street, Pittsburgh, PA 15222, United States of America
   - phone: +1 (412) 667-4400
   - fax: +1 (412) 667-6977
   - email: information@transarc.com, afs-sales@transarc.com
   - WWW: http://www.transarc.com
2. [[Main/OpenAFS]] WWW: http://www.openafs.org/
3. [[Main/Arla]] WWW: http://www.stacken.kth.se/projekt/arla/
### 1.03 What is /afs?

The root of the AFS filetree is /afs. If you execute "ls /afs" you will see directories that correspond to AFS cells (see below). These cells may be local (on same LAN) or remote (eg halfway around the world).

With AFS you can access all the filesystem space under /afs with commands you already use (eg: cd, cp, rm, and so on) provided you have been granted permission (see AFS ACL below).

### 1.04 What is an AFS cell?

An AFS cell is a collection of servers grouped together administratively and presenting a single, cohesive filesystem. Typically, an AFS cell is a set of hosts that use the same Internet domain name.

Normally, a variation of the domain name is used as the AFS cell name.

Users log into AFS client workstations which request information and files from the cell's servers on behalf of the users.

### 1.05 What are the benefits of using AFS?

The main strengths of AFS are its:

- caching facility
- security features
- simplicity of addressing
- scalability
- communications protocol

Here are some of the advantages of using AFS in more detail:

#### 1.05.a Cache Manager

AFS client machines run a Cache Manager process. The Cache Manager maintains information about the identities of the users logged into the machine, finds and requests data on their behalf, and keeps chunks of retrieved files on local disk.

The effect of this is that as soon as a remote file is accessed a chunk of that file gets copied to local disk and so subsequent accesses (warm reads) are almost as fast as to local disk and considerably faster than a cold read (across the network).

Local caching also significantly reduces the amount of network traffic, improving performance when a cold read is necessary.

#### 1.05.b Location independence

Unlike NFS, which makes use of /etc/filesystems (on a client) to map (mount) between a local directory name and a remote filesystem, AFS does its mapping (filename to location) at the server.
This has the tremendous advantage of making the served filespace location independent.

Location independence means that a user does not need to know which fileserver holds the file; the user only needs to know the pathname of a file. Of course, the user does need to know the name of the AFS cell to which the file belongs. Use of the AFS cellname as the second part of the pathname (eg: /afs/$AFSCELL/somefile) is helpful to distinguish between file namespaces of the local and non-local AFS cells.

To understand why such location independence is useful, consider having 20 clients and two servers. Let's say you had to move a filesystem "/home" from server a to server b.

Using NFS, you would have to change the /etc/filesystems file on 20 clients and take "/home" off-line while you moved it between servers.

With AFS, you simply move the AFS volume(s) which constitute "/home" between the servers. You do this "on-line" while users are actively using files in "/home" with no disruption to their work.

(Actually, the AFS equivalent of "/home" would be /afs/$AFSCELL/home where $AFSCELL is the AFS cellname.)

#### 1.05.c Scalability

With location independence comes scalability. An architectural goal of the AFS designers was client/server ratios of 200:1, which has been successfully exceeded at some sites.

Transarc do not recommend customers use the 200:1 ratio. A more cautious value of 50:1 is expected to be practical in most cases. It is certainly possible to work with a ratio somewhere between these two values. Exactly what value depends on many factors including: number of AFS files, size of AFS files, rate at which changes are made, rate at which files are being accessed, speed of the servers' processors, I/O rates, and network bandwidth.

AFS cells can range from the small (1 server/client) to the massive (with tens of servers and thousands of clients).

Cells can be dynamic: it is simple to add new fileservers or clients and grow the computing resources to meet new user requirements.
#### 1.05.d Improved security

Firstly, AFS makes use of Kerberos to authenticate users. This improves security for several reasons:

- passwords do not pass across the network in plaintext
- encrypted passwords no longer need to be visible
  - You don't have to use NIS, aka yellow pages, to distribute /etc/passwd - thus "ypcat passwd" can be eliminated.
  - If you do choose to use NIS, you can replace the password field with "X" so the encrypted password is not visible. (These issues are discussed in detail in [25]).
- AFS uses mutual authentication - both the service provider and service requester prove their identities

Secondly, AFS uses access control lists (ACLs) to enable users to restrict access to their own directories.

#### 1.05.e Single systems image (SSI)

Establishing the same view of filestore from each client and server in a network of systems (that comprise an AFS cell) is an order of magnitude simpler with AFS than it is with, say, NFS.

This is useful to do because it enables users to move from workstation to workstation and still have the same view of filestore. It also simplifies part of the systems management workload.

In addition, because AFS works well over wide area networks the SSI is also accessible remotely.

As an example, consider a company with two widespread divisions (and two AFS cells): ny.acme.com and sf.acme.com. Mr. Fudd, based in the New York office, is visiting the San Francisco office.

Mr. Fudd can then use any AFS client workstation in the San Francisco office that he can log into (an unprivileged guest account would suffice). He could authenticate himself to the ny.acme.com cell and securely access his New York filespace.

For example, the following shows a guest in the sf.acme.com AFS cell:

1. adding the AFS executables directory to PATH
2. obtaining a PAG with the pagsh command (see 2.06)
3. using the klog command to authenticate into the ny.acme.com AFS cell
4. making a HOME away from home
5. invoking a homely .profile

```
guest@toontown.sf.acme.com $ PATH=/usr/afsws/bin:$PATH      # {1}
guest@toontown.sf.acme.com $ pagsh                          # {2}
$ klog -cell ny.acme.com -principal elmer                   # {3}
Password:
$ HOME=/afs/ny.acme.com/user/elmer; export HOME             # {4}
$ cd
$ . .profile                                                # {5}
you have new mail
guest@toontown $
```

It is not necessary for the San Francisco sys admin to give Mr. Fudd an AFS account in the sf.acme.com cell. Mr. Fudd only needs to be able to log into an AFS client where:

1. the client is on the same network as his cell, and
2. his ny.acme.com cell is mounted in the sf.acme.com cell (as would certainly be the case in a company with two cells).

#### 1.05.f Replicated AFS volumes

AFS files are stored in structures called Volumes. These volumes reside on the disks of the AFS file server machines. Volumes containing frequently accessed data can be read-only replicated on several servers.

Cache managers (on users' client workstations) will make use of replicate volumes to load balance. If a client is accessing data from one replicate copy, and that copy becomes unavailable due to server or network problems, AFS will automatically start accessing the same data from a different replicate copy.

An AFS client workstation will access the closest volume copy. By placing replicate volumes on servers closer to clients (eg on same physical LAN) access to those resources is improved and network traffic reduced.

#### 1.05.g Improved robustness to server crash

The Cache Manager maintains local copies of remotely accessed files. This is accomplished in the cache by breaking files into chunks of up to 64k (default chunk size). So, for a large file, there may be several chunks in the cache but a small file will occupy a single chunk (which will be only as big as is needed).

A "working set" of files that have been accessed on the client is established locally in the client's cache (copied from fileserver(s)).
If a fileserver crashes, the client's locally cached file copies remain readable but updates to cached files fail while the server is down.

Also, if the AFS configuration has included replicated read-only volumes then alternate fileservers can satisfy requests for files from those volumes.

#### 1.05.h "Easy to use" networking

Accessing remote file resources via the network becomes much simpler when using AFS. Users have much less to worry about: want to move a file from a remote site? Just copy it to a different part of /afs.

Once you have wide-area AFS in place, you don't have to keep local copies of files. Let AFS fetch and cache those files when you need them.

#### 1.05.i Communications protocol

The AFS communications protocol is optimized for Wide Area Networks: it retransmits only the single bad packet in a batch of packets and allows the number of unacknowledged packets to be higher than in other protocols (see [4]).

#### 1.05.j Improved system management capability

Systems administrators are able to make configuration changes from any client in the AFS cell (it is not necessary to log in to a fileserver).

With AFS it is simple to effect changes without having to take systems off-line.

Example: A department (with its own AFS cell) was relocated to another office. The cell had several fileservers and many clients. How could they move their systems without causing disruption?

First, the network infrastructure was established to the new location. The AFS volumes on one fileserver were migrated to the other fileservers. The "freed up" fileserver was moved to the new office and connected to the network.

A second fileserver was "freed up" by moving its AFS volumes across the network to the first fileserver at the new office. The second fileserver was then moved.

This process was repeated until all the fileservers were moved.

All this happened with users on client workstations continuing to use the cell's filespace.
Unless a user saw a fileserver being physically moved (s)he would have no way to tell the change had taken place.

Finally, the AFS clients were moved - this was noticed!

### 1.06 Which systems is AFS available for?

AFS runs on systems from: HP, Compaq, IBM, SUN, SGI, Apple ([[MacOSX]]) and PCs with flavours of Unix.

AFS has been available for Next and DEC (Ultrix).

Transarc customers have done ports to Crays, and the 3090, but all are based on some flavour of Unix. Some customers have done work to make AFS data available to PCs and Macs, although they are using something similar to the AFS/NFS translator (a system that enables "NFS only" clients to NFS mount the AFS filetree /afs).

There is a client-only implementation, "AFS Client for Windows/NT".

A page describing the current systems for which AFS is supported may be found at:

There are also ports of AFS done by customers available from Transarc on an "as is" unsupported basis. More information on this can be found at:

These ports of AFS client code include:

- HP (Apollo) Domain OS - by Jim Rees at the University of Michigan.
- sun386i - by Derek Atkins and Chris Provenzano at MIT.
- Linux - by Derek Atkins, mailing list: <linux-afs-request@mit.edu>
- [[NetBSD]] - by John Kohl, mailing list: <netbsd-afs@mit.edu>

There is some information about AFS on OS/2 at:

The AFS on Linux FAQ may be found at:

Check out the [[OpenAFS]] and [[Arla]] pages for port availability.

### 1.07 What does "ls /afs" display in the Internet AFS filetree?

Essentially this displays the AFS cells that co-operate in the Internet AFS filetree.

Note that the output of this will depend on the cell you do it from; a given cell may not have all the publicly advertised cells available, and it may have some cells that aren't advertised outside of the given site.
The definitive source for this information is:

I've included the list of cell names included in it below:

```
asu.edu #ASU
uni-freiburg.de #Albert-Ludwigs-Universitat Freiburg
anl.gov #Argonne National Laboratory
fl.mcs.anl.gov # Argonne National Laboratory MCS Division FL
dapnia.saclay.cea.fr #Axlan-CEA
bcc.ac.uk #Bloomsbury Computing Consortium
bu.edu #Boston University
cs.brown.edu #Brown University Department of Computer Science
caspur.it #CASPUR Inter-University Computing Consortium,Rome
ciesin.org #CIESIN
mathematik-cip.uni-stuttgart.de #CIP-Pool of Math. Dept, Univ. Stuttgart
gg.caltech.edu #Caltech Computer Graphics Group
cards.com #Cards - Electronic Warfare Associates
cheme.cmu.edu #Carnegie Mellon Univ. Chemical Engineering Dept.
cmu.edu #Carnegie Mellon University
andrew.cmu.edu #Carnegie Mellon University - Campus
ce.cmu.edu #Carnegie Mellon University - Civil Eng. Dept.
ece.cmu.edu #Carnegie Mellon University - Elec. Comp. Eng. Dept.
me.cmu.edu #Carnegie Mellon University - Mechanical Engineering
cs.cmu.edu #Carnegie Mellon University - School of Comp. Sci.
club.cc.cmu.edu #Carnegie Mellon University Computer Club
cert.org #CERT/Coordination Center
others.chalmers.se #Chalmers University of Technology - General users
cipool.uni-stuttgart.de #CIP Pool, Rechenzentrum University of Stuttgart
clarkson.edu #Clarkson University, Potsdam, USA
msc.cornell.edu #Cornell University Materials Science Center
graphics.cornell.edu #Cornell University Program of Computer Graphics
theory.cornell.edu #Cornell University Theory Center
ifh.de #DESY-IfH Zeuthen
northstar.dartmouth.edu #Dartmouth College, Project Northstar
desy.de #Deutsches Elektronen-Synchrotron
dkrz.de #Deutsches Klimarechenzentrum Hamburg
dis.uniroma1.it #DIS, Univ. "La Sapienza", Rome, area Buonarotti
msrc.pnl.gov #EMSL's AFS Cell
zdvpool.uni-tuebingen.de#Eberhard-Karls-Universitaet Tuebingen, WS-Pools
enea.it #enea.it
es.net #Energy Sciences Net
research.ec.org #Esprit Research Network of Excellence
dce.emsl.pnl.gov #EMSL's DCE Cell
cern.ch #European Laboratory for Particle Physics, Geneva
fnal.gov #Fermi National Acclerator Laboratory
fh-heilbronn.de #Fachhochschule Heilbronn
hephy.at #hephy-vienna
sleeper.nsa.hp.com #HP Cupertino
palo_alto.hpl.hp.com #HP Palo Alto
afs.hursley.ibm.com #IBM Hursley Laboratories (UK), external cell
ibm.uk #IBM UK, AIX Systems Support Centre
zurich.ibm.ch #IBM Zurich Internet Cell
ctp.se.ibm.com #IBM/4C, Chalmers, Sweden
ipp-hgw.mpg.de #IPP site at Greifswald
in2p3.fr #IN2P3 production cell
lngs.infn.it #INFN Laboratori Nazionali di Gran Sasso, Italia
le.infn.it #INFN Sezione di Lecce, Italia
pi.infn.it #INFN Sezione di Pisa
ike.uni-stuttgart.de #Institut fuer Kernenergetik, Universitaet Stuttgart
ipp-garching.mpg.de #Institut fuer Plasmaphysik
csv.ica.uni-stuttgart.de #Institut fuer Computeranwendungen, Uni. Stuttgart
iastate.edu #Iowa State University
infn.it #Istituto Nazionale di Fisica Nucleare, Italia
jpl.nasa.gov #Jet Propulsion Laboratory
zdv.uni-mainz.de #Johannes-Gutenberg-Universitaet Mainz
isk.kth.se #KTH College of Engineering
cc.keio.ac.jp #Keio University, Fac. of Sci. & Tech. Computing Ctr
sfc.keio.ac.jp #Keio University, Japan
afs-math.zib-berlin.de #Konrad-Zuse-Zentrum fuer Informationstechnik Berlin
thermo-a.mw.tu-muenchen.de #Lehrstuhl A fuer Thermodynamik,TUM
lrz-muenchen.de #Leibniz-Rechenzentrum Muenchen Germany
athena.mit.edu #MIT/Athena cell
net.mit.edu #MIT/Network Group cell
sipb.mit.edu #MIT/SIPB cell
msu.edu #Michigan State University home cell
mpa-garching.mpg.de #Max-Planck-Institut fuer Astrophysik
federation.atd.net #Multi Resident AFS at Naval Research Lab - CCS
isl.ntt.jp #NTT Information and Communication
nersc.gov #National Energy Research Supercomputer Center
alw.nih.gov #National Institutes of Health
nrel.gov #National Renewable Energy Laboratory
cmf.nrl.navy.mil #Naval Research Lab
lcp.nrl.navy.mil #Naval Research Lab - Lab for Computational Physics
nrlfs1.nrl.navy.mil #Naval Research Laboratory
eos.ncsu.edu #NCSU - College of Engineering
unity.ncsu.edu #NCSU Campus
ncat.edu #North Carolina Agricultural and Technical State U.
bp.ncsu.edu #North Carolina State University - Backbone Prototype
ri.osf.org #OSF Research Institute
gr.osf.org #OSF Research Institute, Grenoble
urz.uni-magdeburg.de #Otto-von-Guericke-Universitaet, Magdeburg
ovpit.indiana.edu #OVPIT at Indiana University
psc.edu #PSC (Pittsburgh Supercomputing Center)
psu.edu #Penn State
phy.bnl.gov #Physics Deptpartment, Brookhaven National Lab
postech.ac.kr #Pohang University of Science
pppl.gov #Princeton Plasma Physics Laboratory
rwcp.or.jp #Real World Computer Partnership(rwcp)
rz.uni-jena.de #Rechenzentrum University of Jena, Germany
rhrk.uni-kl.de #Rechenzentrum University of Kaiserslautern
rus.uni-stuttgart.de #Rechenzentrum University of Stuttgart
rhic #Relativistic Heavy Ion Collider
rpi.edu #Rensselaer Polytechnic Institute
uni-bonn.de #Rheinische Friedrich Wilhelm Univesitaet Bonn
rose-hulman.edu #Rose-Hulman Institute of Technology
cs.rose-hulman.edu # Rose-Hulman Inst. of Tech., CS Department
nada.kth.se #Royal Institute of Technology, NADA
rl.ac.uk #Rutherford Appleton Lab, England
slac.stanford.edu #Stanford Linear Accelerator Center
dsg.stanford.edu #Stanford Univ. - Comp. Sci. - Distributed Systems
ir.stanford.edu #Stanford University
afs1.scri.fsu.edu #Supercomputer Computations Research Instit
ethz.ch #Swiss Federal Inst. of Tech. - Zurich, Switzerland
hrzone.th-darmstadt.de #TH-Darmstadt
tu-bs.de #Technical University of Braunschweig, Germany
tu-chemnitz.de #Technische Universitaet Chemnitz-Zwickau, Germany
telos.com #Telos Systems Group - Chantilly, Va.
transarc.com #Transarc Corporation
cats.ucsc.edu #UC Santa Cruz, Comp and Tech Services, California
umr.edu #UMR - Missouri's Technological University
hep.net #US High Energy Physics Information cell
uni-mannheim.de #Uni Mannheim (Rechenzentrum)
ece.ucdavis.edu #Univ California - Davis campus
geo.uni-koeln.de #Univ. of Cologne Inst. for Geophysics & Meteorology
meteo.uni-koeln.de #Univ. of Cologne Inst. for Geophysics & Meteorology
dsi.uniroma1.it #Univ. Rome-1, Dept. of Computer Science
spv.uniroma1.it #Univ. Rome-1, Area San Pietro in Vincoli
vn.uniroma3.it #Univ. Rome-3, Area Vasca Navale
urz.uni-heidelberg.de #Universitaet Heidelberg
spc.uchicago.edu #University of Chicago - Social Sciences
rrz.uni-koeln.de #University of Cologne - Reg Comp Center
wu-wien.ac.at #University of Economics, Vienna, Austria
uni-hohenheim.de #University of Hohenheim
ncsa.uiuc.edu #University of Illinois
wam.umd.edu #University of Maryland Network WAM Project
glue.umd.edu #University of Maryland - Project Glue
engin.umich.edu #University of Michigan - CAEN
umich.edu #University of Michigan - Campus
dmsv.med.umich.edu #University of Michigan - DMSV
citi.umich.edu #University of Michigan - IFS Development
lsa.umich.edu #University of Michigan - LSA College
math.lsa.umich.edu #University of Michigan - Math Cell
sph.umich.edu #University of Michigan -- School of Public
cs.unc.edu #University of North Carolina at Chapel Hill
nd.edu #University of Notre Dame
pitt.edu #University of Pittsburgh
vn.uniroma3.it #University of Rome 3, Area Vasca Navale, Italy
isi.edu #University of Southern California/ISI
dce.uni-stuttgart.de #University of Stuttgart - DCE/DFS Cell
ihf.uni-stuttgart.de #University of Stuttgart, Ins. fuer Hochfrequenz-Tec
mathematik.uni-stuttgart.de #University of Stuttgart, Math Dept.
cs.utah.edu #University of Utah Computer Science Dept
utah.edu #University of Utah Information Tech. Service
cs.washington.edu #University of Washington Comp Sci Department
wisc.edu #University of Wisconsin-Madison, Campus
cs.wisc.edu #University of Wisconsin-Madison, Comp Sci Dept
belwue.uni-tuebingen.de #ZDV Universitaet Tuebingen
```

This shows different and widespread organizations making use of the Internet AFS filetree.

Note that it is also possible to use AFS "behind the firewall" within the confines of your organization's network - you don't have to participate in the Internet AFS filetree.

Indeed, there are lots of benefits of using AFS on a local area network without using the WAN capabilities.

### 1.08 Why does AFS use Kerberos authentication?
It improves security.

Kerberos uses the idea of a trusted third party to prove identification. This is a bit like using a letter of introduction or quoting a referee who will vouch for you.

When a user authenticates using the klog command (s)he is prompted for a password. If the password is accepted the Kerberos Authentication Server (KAS) provides the user with an encrypted token (containing a "ticket granting ticket").

From that point on, it is the encrypted token that is used to prove the user's identity. These tokens have a limited lifetime (typically a day) and are useless when expired.

In AFS, it is possible to authenticate into multiple AFS cells. A summary of the current set of tokens held can be displayed by using the "tokens" command. For example:

```
elmer@toontown $ tokens

Tokens held by the Cache Manager:

User's (AFS ID 9997) tokens for afs@ny.acme.com [Expires Sep 15 06:50]
User's (AFS ID 5391) tokens for afs@sf.acme.com [Expires Sep 15 06:48]
   --End of list--
```

Kerberos improves security because a user's password need only be entered once (at klog time).

AFS uses Kerberos to do complex mutual authentication which means that both the service requester and the service provider have to prove their identities before a service is granted.

Transarc's implementation of Kerberos is slightly different from MIT Kerberos V4 but AFS can work with either version.

Joe Jackson wrote about this in:

For more detail on this and other Kerberos issues see the FAQ for Kerberos (posted to news.answers and comp.protocols.kerberos) [28]. (Also, see [15], [16], [26], [27])

### 1.09 Does AFS work over protocols other than TCP/IP?

No. AFS was designed to work over TCP/IP.

### 1.10 How can I access AFS from my PC?

You can use PC-Interface which is available from Transarc and Locus Computing Corporations.

For more information on PC-Interface see the PC-Interface Frequently Asked Questions file in:

There is also SAMBA (an SMB/netbios server for UNIX).
The current version will authenticate the connecting process with AFS as well.

The SAMBA FAQ is in:

The SAMBA mailing list can be joined via:

### 1.11 How does AFS compare with NFS?
| | AFS | NFS |
|---|---|---|
| File Access | Common name space from all workstations | Different file names from different workstations |
| File Location Tracking | Automatic tracking by file system processes and databases | Mountpoints to files set by administrators and users |
| Performance | Client caching to reduce network load; callbacks to maintain cache consistency | No local disk caching; limited cache consistency |
| Andrew Benchmark (5 phases, 8 clients) | Average time of 210 seconds/client | Average time of 280 seconds/client |
| Scaling capabilities | Maintains performance in small and very large installations | Best in small to mid-size installations |
| | Excellent performance on wide-area configuration | Best in local-area configurations |
| Security | Kerberos mutual authentication | Security based on unencrypted user ID's |
| | Access control lists on directories for user and group access | No access control lists |
| Availability | Replicates read-mostly data and AFS system information | No replication |
| Backup Operation | No system downtime with specially developed AFS Backup System | Standard UNIX backup system |
| Reconfiguration | By volumes (groups of files) | Per-file movement |
| | No user impact; files remain accessible during moves, and file names do not change | Users lose access to files and filenames change (mountpoints need to be reset) |
| System Management | Most tasks performed from any workstation | Frequently involves telnet to other workstations |
| Autonomous Architecture | Autonomous administrative units called cells, in addition to file servers and clients | File servers and clients |
| | No trust required between cells | No security distinctions between sites |

[ source: ftp://ftp.transarc.com/pub/afsps/doc/afs-nfs.comparison ]
Other points:

- Some vendors offer more secure versions of NFS but implementations vary. Many NFS ports have no extra security features (such as Kerberos).
- The AFS Cache Manager can be configured to work with a RAM (memory) based cache. This offers significant performance benefits over a disk based cache. NFS has no such feature. Imagine how much faster it is to access files cached into RAM!
- The Andrew benchmark demonstrates that AFS has better performance than NFS as the number of clients increases. A graph of this (taken from the Andrew benchmark report) is available in:

![andrew1.jpg](http://www.angelfire.com/hi/plutonic/images/andrew1.jpg)
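Returning to the token lifetimes described in 1.08: each cell's token carries its own expiry, so it is worth checking them before starting long-running work. The following Python code is an added example, not part of the original FAQ or of any AFS distribution; it parses a listing in the layout of the `tokens` output shown in 1.08 and reports the cells whose token has expired or is about to. The function names, the one-hour warning window, the reference times and the sample text are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the `tokens` listing from 1.08.
SAMPLE = """\
Tokens held by the Cache Manager:

User's (AFS ID 9997) tokens for afs@ny.acme.com [Expires Sep 15 06:50]
User's (AFS ID 5391) tokens for afs@sf.acme.com [Expires Sep 15 06:48]
   --End of list--
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

TOKEN_RE = re.compile(
    r"\(AFS ID (?P<afs_id>\d+)\) tokens for (?P<principal>[^@\s]+)@(?P<cell>\S+)"
    r" \[(?P<status>[^\]]*)\]")
EXPIRES_RE = re.compile(r"Expires (\w{3}) +(\d{1,2}) +(\d{1,2}):(\d{2})$")


def resolve_expiry(status, now):
    """Turn 'Expires Sep 15 06:50' into a datetime, or None if unreadable.

    The listing carries no year, so pick the year that puts the stamp
    closest to `now`; with lifetimes of about a day this keeps a token
    issued on Dec 31 and expiring on Jan 1 from looking a year old.
    """
    m = EXPIRES_RE.match(status.strip())
    if not m or m.group(1) not in MONTHS:
        return None
    month, day = MONTHS[m.group(1)], int(m.group(2))
    hour, minute = int(m.group(3)), int(m.group(4))
    candidates = []
    for year in (now.year - 1, now.year, now.year + 1):
        try:
            candidates.append(datetime(year, month, day, hour, minute))
        except ValueError:          # e.g. Feb 29 in a non-leap year
            continue
    return min(candidates, key=lambda c: abs(c - now)) if candidates else None


def audit_tokens(text, now, warn=timedelta(hours=1)):
    """Return one record per token line with state ok/expiring/expired."""
    records = []
    for line in text.splitlines():
        m = TOKEN_RE.search(line)
        if not m:
            continue                # header, blank line, end-of-list marker
        expires = resolve_expiry(m["status"], now)
        if expires is None or expires <= now:
            state = "expired"       # fail closed on anything unreadable
        elif expires - now <= warn:
            state = "expiring"
        else:
            state = "ok"
        records.append({"cell": m["cell"], "afs_id": int(m["afs_id"]),
                        "expires": expires, "state": state})
    return records


def cells_needing_klog(text, now, warn=timedelta(hours=1)):
    """Cells where the user should run klog again before long work."""
    return sorted(r["cell"] for r in audit_tokens(text, now, warn)
                  if r["state"] != "ok")


if __name__ == "__main__":
    now = datetime(2024, 9, 15, 6, 0)   # constructed reference time
    for rec in audit_tokens(SAMPLE, now):
        print(f'{rec["cell"]:<14} AFS ID {rec["afs_id"]:<5} {rec["state"]}')
```

In practice the text would come from running `tokens` and the reference time from `datetime.now()`.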