From: guest Date: Tue, 16 Mar 2004 19:37:00 +0000 (+0000) Subject: none X-Git-Url: https://git.openafs.org/?p=openafs-wiki.git;a=commitdiff_plain;h=22fa0d4bccef7a821023b4b52d1450eac1197a72 none --- diff --git a/AFSLore/AdminFAQ.mdwn b/AFSLore/AdminFAQ.mdwn index 6fbf739..d0e5e36 100644 --- a/AFSLore/AdminFAQ.mdwn +++ b/AFSLore/AdminFAQ.mdwn @@ -13,29 +13,29 @@ The Administration Section of the [[AFSFrequentlyAskedQuestions]].
  • 3.02 Is there a version of xlock available with AFS authentication?
  • 3.03 What is /afs/@cell?
  • 3.04 Given that AFS data is location independent, how does an AFS client determine which server houses the data its user is attempting to access?
  • -
  • 3.05 Which protocols does AFS use?
  • -
  • 3.06 Are setuid programs executable across AFS cell boundaries?
  • -
  • 3.07 How does AFS maintain consistency on read-write files?
  • -
  • 3.08 How can I run daemons with tokens that do not expire?
  • -
  • 3.09 Can I check my user's passwords for security purposes?
  • -
  • 3.10 Is there a way to automatically balance disk usage across fileservers?
  • -
  • 3.11 Can I shutdown an AFS fileserver without affecting users?
  • -
  • 3.12 How can I set up mail delivery to users with $HOMEs in AFS?
  • -
  • 3.13 Should I replicate a ReadOnly volume on the same partition and server as the ReadWrite volume?
  • -
  • 3.14 Should I start AFS before NFS in /etc/inittab?
  • -
  • 3.15 Will AFS run on a multi-homed fileserver?
  • -
  • 3.16 Can I replicate my user's home directory AFS volumes?
  • -
  • 3.17 Which TCP/IP ports and protocols do I need to enable in order to operate AFS through my Internet firewall?
  • +
  • 3.05 How does AFS maintain consistency on read-write files?
  • +
  • 3.06 Which protocols does AFS use?
  • +
  • 3.07 Which TCP/IP ports and protocols do I need to enable in order to operate AFS through my Internet firewall?
  • +
  • 3.08 Are setuid programs executable across AFS cell boundaries?
  • +
  • 3.09 How can I run daemons with tokens that do not expire?
  • +
  • 3.10 Can I check my user's passwords for security purposes?
  • +
  • 3.11 Is there a way to automatically balance disk usage across fileservers?
  • +
  • 3.12 Can I shutdown an AFS fileserver without affecting users?
  • +
  • 3.13 How can I set up mail delivery to users with $HOMEs in AFS?
  • +
  • 3.14 Should I replicate a ReadOnly volume on the same partition and server as the ReadWrite volume?
  • +
  • 3.15 Should I start AFS before NFS in /etc/inittab?
  • +
  • 3.16 Will AFS run on a multi-homed fileserver?
  • +
  • 3.17 Can I replicate my user's home directory AFS volumes?
  • 3.18 What is the Andrew Benchmark?
  • -
  • 3.19 Is there a version of HP VUE login with AFS authentication?
  • -
  • 3.20 How can I list which clients have cached files from a server?
  • -
  • 3.21 Do Backup volumes require as much space as ReadWrite volumes?
  • -
  • 3.22 Should I run timed on my AFS client?
  • -
  • 3.23 Why should I keep /usr/vice/etc/CellServDB current?
  • -
  • 3.24 How can I keep /usr/vice/etc/CellServDB current?
  • -
  • 3.25 How can I compute a list of AFS fileservers?
  • -
  • 3.26 How can I set up anonymous FTP login to access /afs?
  • -
  • 3.27 Where can I find the Andrew Benchmark?
  • +
  • 3.19 Where can I find the Andrew Benchmark?
  • +
  • 3.20 Is there a version of HP VUE login with AFS authentication?
  • +
  • 3.21 How can I list which clients have cached files from a server?
  • +
  • 3.22 Do Backup volumes require as much space as ReadWrite volumes?
  • +
  • 3.23 Should I run timed on my AFS client?
  • +
  • 3.24 Why should I keep /usr/vice/etc/CellServDB current?
  • +
  • 3.25 How can I keep /usr/vice/etc/CellServDB current?
  • +
  • 3.26 How can I compute a list of AFS fileservers?
  • +
  • 3.27 How can I set up anonymous FTP login to access /afs?
  • 3.28 Is the data sent over the network encrypted in AFS ?
  • 3.29 What underlying filesystems can I use for AFS ?
  • 3.30 Compiling OpenAFS
  • 
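Review bot: renumbering 3.05 through 3.17 and 3.19 through 3.27 in this table of contents also changes the numbers other pages may cite; the old firewall text linked to "question [[3.22|Main/WebHome#NTP]]", and this patch fixes that single occurrence, so the remaining wiki pages should be searched for other numeric references before merging (the timed question, for example, moves from 3.22 to 3.23). The entries 3.01 to 3.04, 3.18 and 3.28 to 3.30 keep their numbers, so after the move the list here should be compared once more against the body headings to confirm that both sequences agree.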
@@ -107,7 +107,35 @@ A list of a cell's Database Servers is stored on the local disk of each AFS Clie The Database Servers also house the Kerberos Authentication Database (encrypted user and server passwords), the Protection Database (user UID and protection group information) and the Backup Database (used by System Administrators to backup AFS file data to tape). -### 3.05 Which protocols does AFS use? +### 3.05 How does AFS maintain consistency on read-write files? + +AFS uses a mechanism called "callback". + +Callback is a promise from the fileserver that the cache version of a file/directory is up-to-date. It is established by the fileserver with the caching of a file. + +When a file is modified the fileserver breaks the callback. When the user accesses the file again the Cache Manager fetches a new copy if the callback has been broken. + +The following paragraphs describe AFS callback mechanism in more detail: + +If I open() fileA and start reading, and you then open() fileA, write() a change **\*\*and close() or fsync()\*\*** the file to get your changes back to the server - at the time the server accepts and writes your changes to the appropriate location on the server disk, the server also breaks callbacks to all clients to which it issued a copy of fileA. + +So my client receives a message to break the callback on fileA, which it dutifully does. But my application (editor, spreadsheet, whatever I'm using to read fileA) is still running, and doesn't really care that the callback has been broken. + +When something causes the application to read() more of the file the read() system call executes AFS cache manager code via the VFS switch, which does check the callback and therefore gets new copies of the data. + +Of course, the application may not re-read data that it has already read, but that would also be the case if you were both using the same host. So, for both AFS and local files, I may not see your changes. 
+ +Now if I exit the application and start it again, or if the application does another open() on the file, then I will see the changes you've made. + +This information tends to cause tremendous heartache and discontent - but unnecessarily so. People imagine rampant synchronization problems. In practice this rarely happens and in those rare instances, the data in question is typically not critical enough to cause real problems or crashing and burning of applications. Since 1985, we've found that the synchronization algorithm has been more than adequate in practice - but people still like to worry! + +The source of worry is that, if I make changes to a file from my workstation, your workstation is not guaranteed to be notified until I close or fsync the file, at which point AFS guarantees that your workstation will be notified. This is a significant departure from NFS, in which no guarantees are provided. + +Partially because of the worry factor and largely because of Posix, this will change in DFS. DFS synchronization semantics are identical to local file system synchronization. + +[ DFS is the Distributed File System which is part of the Distributed ] [ Computing Environment (DCE). ] + +### 3.06 Which protocols does AFS use? AFS may be thought of as a collection of protocols and software processes, nested one on top of the other. The constant interaction between and within these levels makes AFS a very sophisticated software system. 
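Review bot: the callback text moved into the new 3.05 keeps the markup `**\*\*and close() or fsync()\*\***`, which renders as a bold phrase wrapped in literal asterisks; since the paragraph is being re-inserted anyway, `**and close() or fsync()**` is the intended emphasis. The same hunk keeps the DFS footnote split into two bracket groups, `[ DFS is the Distributed File System which is part of the Distributed ] [ Computing Environment (DCE). ]`, which reads as two separate notes; joining it into one bracketed sentence would be cleaner.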
@@ -125,47 +153,49 @@ For additional information, Section 1.5 of the AFS System Administrator's Guide [ source: ] [ Copyright 1991 Transarc Corporation ] -### 3.06 Are setuid programs executable across AFS cell boundaries? +### 3.07 Which TCP/IP ports and protocols do I need to enable in order to operate AFS through my Internet firewall? -By default, the setuid bit is ignored but the program may be run (without setuid privilege). - -It is possible to configure an AFS client to honour the setuid bit. This is achieved by root running: - - root@toontown # fs setcell -cell $cellname -suid - -(where $cellname is the name of the foreign cell. Use with care!). +Assuming you have already taken care of nameserving, you may wish to use an Internet timeserver for Network Time Protocol [[[NTP|Main/FurtherReading#NTP]]] and the question about [[timed|Main/WebHome#NTP]]: -NB: making a program setuid (or setgid) in AFS does **not** mean that the program will get AFS permissions of a user or group. To become AFS authenticated, you have to klog. If you are not authenticated, AFS treats you as "system:anyuser". +ntp 123/udp -### 3.07 How does AFS maintain consistency on read-write files? +A list of NTP servers is available via anonymous FTP from: -AFS uses a mechanism called "callback". +- -Callback is a promise from the fileserver that the cache version of a file/directory is up-to-date. It is established by the fileserver with the caching of a file. +For further details on NTP see: -When a file is modified the fileserver breaks the callback. When the user accesses the file again the Cache Manager fetches a new copy if the callback has been broken. 
+For a "minimal" AFS service which does not allow inbound or outbound klog: -The following paragraphs describe AFS callback mechanism in more detail: + cachemanager 4711/udp (only if you use the arla-client instead of OpenAFS) + fileserver 7000/udp + cachemanager 7001/udp + ptserver 7002/udp + vlserver 7003/udp + kaserver 7004/udp + volserver 7005/udp + reserved 7006/udp + bosserver 7007/udp -If I open() fileA and start reading, and you then open() fileA, write() a change **\*\*and close() or fsync()\*\*** the file to get your changes back to the server - at the time the server accepts and writes your changes to the appropriate location on the server disk, the server also breaks callbacks to all clients to which it issued a copy of fileA. +(Ports in the 7020-7029 range are used by the AFS backup system, and won't be needed by external clients performing simple file accesses.) -So my client receives a message to break the callback on fileA, which it dutifully does. But my application (editor, spreadsheet, whatever I'm using to read fileA) is still running, and doesn't really care that the callback has been broken. +Additionally, for "klog" to work through the firewall you need to allow inbound and outbound UDP on ports >1024 (probably 1024<port<2048 would suffice depending on the number of simultaneous klogs). -When something causes the application to read() more of the file the read() system call executes AFS cache manager code via the VFS switch, which does check the callback and therefore gets new copies of the data. +See also: -Of course, the application may not re-read data that it has already read, but that would also be the case if you were both using the same host. So, for both AFS and local files, I may not see your changes. +### 3.08 Are setuid programs executable across AFS cell boundaries? -Now if I exit the application and start it again, or if the application does another open() on the file, then I will see the changes you've made. 
+By default, the setuid bit is ignored but the program may be run (without setuid privilege). -This information tends to cause tremendous heartache and discontent - but unnecessarily so. People imagine rampant synchronization problems. In practice this rarely happens and in those rare instances, the data in question is typically not critical enough to cause real problems or crashing and burning of applications. Since 1985, we've found that the synchronization algorithm has been more than adequate in practice - but people still like to worry! +It is possible to configure an AFS client to honour the setuid bit. This is achieved by root running: -The source of worry is that, if I make changes to a file from my workstation, your workstation is not guaranteed to be notified until I close or fsync the file, at which point AFS guarantees that your workstation will be notified. This is a significant departure from NFS, in which no guarantees are provided. + root@toontown # fs setcell -cell $cellname -suid -Partially because of the worry factor and largely because of Posix, this will change in DFS. DFS synchronization semantics are identical to local file system synchronization. +(where $cellname is the name of the foreign cell. Use with care!). -[ DFS is the Distributed File System which is part of the Distributed ] [ Computing Environment (DCE). ] +NB: making a program setuid (or setgid) in AFS does **not** mean that the program will get AFS permissions of a user or group. To become AFS authenticated, you have to klog. If you are not authenticated, AFS treats you as "system:anyuser". -### 3.08 How can I run daemons with tokens that do not expire? +### 3.09 How can I run daemons with tokens that do not expire? It is not a good idea to run with tokens that do not expire because this would weaken one of the security features of Kerberos. 
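Review bot: the firewall section moved into 3.07 carries three empty references: the list under "A list of NTP servers is available via anonymous FTP from:" is a lone `-` with no target, and both "For further details on NTP see:" and the closing "See also:" have nothing after them. Either the URLs were lost before this patch or the lines should be dropped; as written they leave the reader with no pointer. On the rule itself, "allow inbound and outbound UDP on ports >1024" for klog is broader than the parenthetical that follows it; the text already says 1024<port<2048 would probably suffice, so the narrower range is the better thing to state as the recommendation, with the wider rule kept for sites where the number of simultaneous klogs requires it. The 7000-7007/udp list is the minimal set as the page describes it, and the remark that 7020-7029 belong to the backup system and are not needed by external clients is useful and should stay beside the list.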
@@ -185,7 +215,7 @@ Another collection of tools was [mentioned](https://lists.openafs.org/pipermail/ Another option is [OpenPBS](http://www.openpbs.org/) and [Password Storage and Retrieval](http://www.lam-mpi.org/software/psr/) (PSR), where you encrypt your AFS password with a public key and put it in your home directory, and trusted machine(s) which have the private key on local disk then decrypt your password and run your job. MIT uses a variant of this (e.g. [a](http://web.mit.edu/longjobs/www/) & [b](http://mit.edu/longjobs-dev/notebook/)) that uses their own code (see [longjobs documentation](http://web.mit.edu/longjobs-dev/doc/netsec.txt) sections III and IV) instead of PSR. -### 3.09 Can I check my user's passwords for security purposes? +### 3.10 Can I check my user's passwords for security purposes? Yes. Alec Muffett's Crack tool (at version 4.1f) has been converted to work on the Transarc kaserver database. This modified Crack (AFS Crack) is available via anonymous ftp from: @@ -207,7 +237,7 @@ Author: Dan Lovinger Contact: Derrick J. Brashear <shadow+@andrew.cmu.edu> -### 3.10 Is there a way to automatically balance disk usage across fileservers? +### 3.11 Is there a way to automatically balance disk usage across fileservers? Yes. There is a tool, balance, which does exactly this. It can be retrieved via anonymous ftp from: @@ -217,7 +247,7 @@ Actually, it is possible to write arbitrary balancing algorithms for this tool. Author: Dan Lovinger Contact: Derrick Brashear <shadow+@andrew.cmu.edu> -### 3.11 Can I shutdown an AFS fileserver without affecting users? +### 3.12 Can I shutdown an AFS fileserver without affecting users? Yes, this is an example of the flexibility you have in managing AFS. 
@@ -246,7 +276,7 @@ Other points to bear in mind: - If the system to be shutdown has the lowest IP address there may be a brief delay in authenticating because of timeout experienced before contacting a second kaserver. -### 3.12 How can I set up mail delivery to users with $HOMEs in AFS? +### 3.13 How can I set up mail delivery to users with $HOMEs in AFS? There are many ways to do this. Here, only two methods are considered: @@ -293,7 +323,7 @@ An example of how to do this for IBM RISC System/6000 is auth-sendmail. A beta t -### 3.13 Should I replicate a [[ReadOnly]] volume on the same partition and server as the [[ReadWrite]] volume? +### 3.14 Should I replicate a [[ReadOnly]] volume on the same partition and server as the [[ReadWrite]] volume? Yes, Absolutely! It improves the robustness of your served volumes. @@ -308,7 +338,7 @@ However, you are **very** strongly encouraged to keep one RO copy of a volume on If you keep a "cheap replica", then by definition, if the RW is available, one of the RO's is also available, and clients will utilize that site. -### 3.14 Should I start AFS before NFS in /etc/inittab? +### 3.15 Should I start AFS before NFS in /etc/inittab? Yes, it is possible to run both AFS and NFS on the same system but you should start AFS first. @@ -330,7 +360,7 @@ With AIX, you need to load NFS kernel extensions before the AFS KEs in /etc/rc.a ${D}/cfgafs -a ${D}/afs.ext /usr/afs/bin/bosserver & -### 3.15 Will AFS run on a multi-homed fileserver? +### 3.16 Will AFS run on a multi-homed fileserver? (multi-homed = host has more than one network interface.) @@ -346,7 +376,7 @@ The simplest way of dealing with this is to make your AFS fileservers single-hom At release 3.4 of AFS, it is possible to have multi-homed fileservers (but _not_ multi-homed database servers). -### 3.16 Can I replicate my user's home directory AFS volumes? +### 3.17 Can I replicate my user's home directory AFS volumes? No. 
@@ -390,36 +420,6 @@ In theory, you could have RO copies of a user's RW volume on a second server but The bottom line is: you cannot replicate $HOMEs across servers. -### 3.17 Which TCP/IP ports and protocols do I need to enable in order to operate AFS through my Internet firewall? - -Assuming you have already taken care of nameserving, you may wish to use an Internet timeserver for Network Time Protocol [[[NTP|Main/FurtherReading#NTP]]] and question [[3.22|Main/WebHome#NTP]]: - -ntp 123/udp - -A list of NTP servers is available via anonymous FTP from: - -- - -For further details on NTP see: - -For a "minimal" AFS service which does not allow inbound or outbound klog: - - cachemanager 4711/udp (only if you use the arla-client instead of OpenAFS) - fileserver 7000/udp - cachemanager 7001/udp - ptserver 7002/udp - vlserver 7003/udp - kaserver 7004/udp - volserver 7005/udp - reserved 7006/udp - bosserver 7007/udp - -(Ports in the 7020-7029 range are used by the AFS backup system, and won't be needed by external clients performing simple file accesses.) - -Additionally, for "klog" to work through the firewall you need to allow inbound and outbound UDP on ports >1024 (probably 1024<port<2048 would suffice depending on the number of simultaneous klogs). - -See also: - ### 3.18 What is the Andrew Benchmark? "It is a script that operates on a collection of files constituting an application program. The operations are intended to represent typical actions of an average user. The input to the benchmark is a source tree of about 70 files. The files total about 200 KB in size. The benchmark consists of five distinct phases: 
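Review bot: the block removed here as the old 3.17 matches the block inserted as 3.07 except for the updated cross-reference ("question [[3.22|Main/WebHome#NTP]]" becoming "the question about [[timed|Main/WebHome#NTP]]"), so nothing is lost in the move; that is worth saying in the commit message, which is currently "none", so the next reader does not have to diff the two blocks by hand to confirm it.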
@@ -434,13 +434,19 @@ See also: Source: -### 3.19 Is there a version of HP VUE login with AFS authentication? +### 3.19 Where can I find the Andrew Benchmark? + + [156k] [156k] + +This is a tar archive of + +### 3.20 Is there a version of HP VUE login with AFS authentication? Yes, the availability of this is described in: If you don't have access to the above, please contact Rajeev Pandey of Hewlett Packard whose email address is <rpandey@cv.hp.com>. -### 3.20 How can I list which clients have cached files from a server? +### 3.21 How can I list which clients have cached files from a server? By using the following script: @@ -469,7 +475,7 @@ By using the following script: echo "$n ($ipaddr)" done -### 3.21 Do Backup volumes require as much space as [[ReadWrite]] volumes? +### 3.22 Do Backup volumes require as much space as [[ReadWrite]] volumes? No. @@ -483,7 +489,7 @@ The BK volume is re-synchronised with the RW next time a "vos backupsys" is run. The space needed for the BK volume is directly related to the size of all files changed in the RW between runs of "vos backupsys". -### 3.22 Should I run timed on my AFS client? +### 3.23 Should I run timed on my AFS client? No. @@ -497,7 +503,7 @@ A list of NTP servers is available via anonymous FTP from: The default time setting behavior of the AFS client can be disabled by specifying the `-nosettime` argument to [afsd](http://www.transarc.ibm.com/Library/documentation/afs/3.5/unix/cmd/cmd53.htm). This is recommended for AFS servers which are also configured as clients (because servers normally run NTP daemons) and for clients that run NTP. -### 3.23 Why should I keep /usr/vice/etc/CellServDB current? +### 3.24 Why should I keep /usr/vice/etc/CellServDB current? On AFS clients, /usr/vice/etc/CellservDB, defines the cells and (their servers) that can be accessed via /afs. 
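Review bot: the body of the new 3.19 "Where can I find the Andrew Benchmark?" is incomplete as shown: `[156k] [156k]` gives a size twice with no link target, and "This is a tar archive of" ends mid-sentence. The identical text is deleted unchanged from the old 3.27 later in the patch, so this change only relocates the defect, but placing the section directly after 3.18 is the natural moment to restore the download location and finish the sentence. The other hunks in this region (3.20 through 3.24) only renumber headings and leave the bodies untouched, which is correct for a reorder.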
@@ -509,7 +515,7 @@ As well as updating [[CellservDB]], your AFS administrator should ensure that ne If a cell is added to [[CellServDB]] then the **client** must either be restared or you must the AFS command "fs newcell -cell .. -servers ... ...". -### 3.24 How can I keep /usr/vice/etc/CellServDB current? +### 3.25 How can I keep /usr/vice/etc/CellServDB current? Do a daily copy from a master source and update the AFS kernel sitelist. @@ -551,14 +557,14 @@ Example: echo "zero length file: ${src}" >&2 fi -### 3.25 How can I compute a list of AFS fileservers? +### 3.26 How can I compute a list of AFS fileservers? -Here is a Korn shell command to do it: +Here is a Bourne shell command to do it (it will work in GNU bash and the Korn shell, too): - stimpy@nick $ vos listvldb -cell $(cat /usr/vice/etc/ThisCell) \ + stimpy@nick $ vos listvldb -cell `cat /usr/vice/etc/ThisCell` \\ | awk '(/server/) {print $2}' | sort -u -### 3.26 How can I set up anonymous FTP login to access /afs? +### 3.27 How can I set up anonymous FTP login to access /afs? The easiest way on a primarily "normal" machine (where you don't want to have everything in AFS) is to actually mount root.cell under ~ftp, and then symlink /afs to ~ftp/afs or whatever. It's as simple as changing the mountpoint in /usr/vice/etc/cacheinfo and restarting afsd. @@ -568,12 +574,6 @@ Alternatively, you can make ~ftp an AFS volume and just mount whatever you need Unless you need to do authenticating ftp, you are _strongly_ recommended using wu-ftpdv2.4 (or better). -### 3.27 Where can I find the Andrew Benchmark? - - [156k] [156k] - -This is a tar archive of - ### 3.28 Is the data sent over the network encrypted in AFS ? There is still no easy way to do this in Transarc AFS, but [[OpenAFS]] now has a "fs" subcommand to turn on encryption of regular file data sent and received by a client. This is a per client setting that persist until reboot. No server actions are needed to support this change. The syntax is:
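Review bot: the rewritten `vos listvldb` command in the new 3.26 ends its first line with `\\` instead of `\`. Inside an indented code block the backslashes are literal, so a reader who copies the command gets an escaped backslash followed by an unescaped newline: the shell runs `vos listvldb ... \` on its own and then fails on the orphaned `| awk '(/server/) {print $2}' | sort -u` line. The line should end with a single backslash, `` stimpy@nick $ vos listvldb -cell `cat /usr/vice/etc/ThisCell` \ ``, as the original `$(...)` form did. The switch from `$(...)` to backticks for portability is reasonable, and the new sentence correctly notes that the command works in bash and the Korn shell as well.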