Diff for "AndrewFileSystem"

Differences between revisions 6 and 36 (spanning 30 versions)
Revision 6 as of 2007-04-09 20:30:47
Size: 3359
Editor: 212
Comment:
Revision 36 as of 2008-12-16 00:34:26
Size: 4862
Editor: AdamChlipala
Comment: spam
Line 1: Line 1:
#pragma section-numbers off

This page explains some nuances of the Andrew File System (AFS), which we use to serve home directories.

<<TableOfContents>>
Line 23: Line 28:
These should be run automatically if you log in normally, but admins `sudo`ing around to different users seem to need to run `aklog` manually to access AFS. These should be run automatically if you log in normally, but admins who manually `kinit` to different users (for
the purpose of testing access permissions most often), need to of course run both `kinit; aklog` to completely
switch to a target user.
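Review bot: the added `kinit; aklog` joins the two commands with `;`, so `aklog` still runs when `kinit` fails and takes its AFS token from whatever ticket cache is already present, which means a permissions test can silently run as the previous user instead of the target one. Suggest writing it as `kinit USER && aklog` (USER being a placeholder for the target principal) and confirming the active principal with `klist` before testing. The phrase "need to of course run" also reads better without the stray comma and "of course".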
Line 40: Line 47:
a keytab, such as `kadmin -p domtool/deleuze -k -t /etc/keytabs/domtool.deleuze` . a keytab, such as `kadmin -p domtool -k -t /etc/keytabs/domtool` .
Line 61: Line 68:

In the example above, only one key (of 4 or 5 created) is exported for a user. Sometimes it might be desirable to
only export a specific key into a keytab file, but we generally just omit the `-e KEY_TYPE` parameter and export
all keys to the keytab file.

You can view keys stored in a keytab by doing `sudo klist -k /etc/keytabs/KEYTAB_FILE`.

To make daemons properly kinit/aklog as the user you created for them, use ``k5start`` command. Many examples
of how to use it are already found in our /etc/init.d/ scripts. Important options include `-U` (which kinits as
the first principal found in the keytab file, without the need to explicitly name a principal), -f (which specifies
the keytab file to kinit from), and -K MINUTES (which re-news the ticket after MINUTES, so that daemons can run
for long periods of time).

To give $DAEMON the actual permission in AFS space, for most common actions, `fs setacl DIR $DAEMON read` or `write`
are good. All subdirectories that get created within the toplevel directory for which you give permissions, will
inherit all the permissions.

= Listing and setting quotas =

To list volume quota, run{{{
fs lq DIR
}}}


To set volume quota in 1-kilobyte blocks, run{{{
fs sq DIR -max SIZE
}}}
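Review bot: in the `fs setacl` paragraph, "will inherit all the permissions" should state explicitly that only subdirectories created after the ACL is set copy it from the parent; subdirectories that already exist keep their own ACLs, so a daemon granted `write` on the top level may still be denied (or remain allowed) further down. It would also help to say that `read` is the default choice and `write` is given only where the daemon has to create or modify files. Smaller points in the `k5start` paragraph: the command is wrapped in double backticks while every other command uses single ones, `-f` and `-K MINUTES` are not marked up as code like `-U` is, "re-news" should be "renews", and "use k5start command" is missing "the".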

This page explains some nuances of the Andrew File System (AFS), which we use to serve home directories.

Basic Architecture

Using the shared filesystem involves a combination of Kerberos and OpenAFS.

File conventions

The /afs tree contains shared filesystems. /afs/hcoop.net (symlinked from /afs/hcoop as well) is our piece of the AFS-o-sphere. Subdirectories include:

  • /afs/hcoop.net/user, the home of home directories

  • /afs/hcoop.net/user/U/US/$USERNAME, $USERNAME's home directory

  • /afs/hcoop.net/common/etc, the home of non-platform-specific fun stuff like DomTool

Connecting to AFS from an HCoop server

I found this handy summary of the commands that must be run:

On our servers, it seems sufficient to run:

AndrewFileSystem (last edited 2018-11-15 03:45:21 by ClintonEbadi)