|
AFS Beginner's Guide - May 1996 - Warren Jessop (revised January 2001) |
|
 CSE Support |
Printer Friendly Version (PDF) |
CSE Home |
About Us |
Search |
Contact Info |
AFS Beginner's Guide:
We interrupt this AFS web page for a special bulletin....
For the latest news on the AFS to NFS migration and the demise of AFS,
see Support FAQ #19:
rtfm.cs.washington.edu/cgi-bin/wreq/req2?showfaq-faq-1-19
Two new Linux (UNIX/NFS) research servers, administered by the systems group, have been installed to replace the current AFS servers and to serve files that are currently being served by AFS. Directory names will correspond as follows:
Old AFS Directory New NFS Directory
----------------- -----------------
/afs/cs/homes /homes/sys
/afs/cs/projects /projects/sys
/afs/cs/sources /sources/sys
|
On Sunday, February 4, 2001, all AFS volumes (Servers and Volumes) will be copied from the AFS servers to the NFS servers by the support group, as detailed below. Naturally, if the AFS volumes are subsequently updated with new/edited files after the initial copy, they may need to be copied again. We (support) will be glad to provide procedures for doing copies of AFS volumes.
On Sunday February 18, 2001 the LAST BACKUP of the departmental AFS filesystems will be taken; if you have an AFS account you may continue to use those servers, but after that date anything you store there may be lost permanently if there is some type of system failure.
On Sunday April 1, 2001 the AFS servers will be powered down for good. After that date restores from AFS backup tapes will not be possible.
AFS provides much richer file access control mechanisms than UNIX (File and Directory Access Controls), hence there cannot be a perfect mapping from permissions in an AFS directory to those in its UNIX copy. The support group will make an initial, but necessarily imperfect, effort to map AFS permissions to the UNIX world when AFS volumes are copied to UNIX directories the first time. Subsequent fine tuning, however, will be up to the owners of the data. Migration details are given below.
If you currently log into an AFS client and your home directory is on an AFS server, you will need to take action as described below under Details.
AFS "mount points" (Backup Volumes and Mount Points) will be handled by replacing them with symbolic links on the NFS servers. The exact method of dealing with AFS mount points is given below.
If the the home directory you have when you log into a UNIX system is on an AFS server, you will at some point need to change your home directory to one on an NFS server. Everyone already has an NFS home directory. You just need to send a message to support@cs to effect the change.
The sooner you do this, the better. Obviously it makes no sense to wait until after the AFS servers have been shut down; on the other hand, experience tells us that some users will do exactly that.
All afs volumes will be copied to the new NFS servers as follows:
user.jouser) will
be copied and made available on all research UNIX systems under
`/homes/sys' and on NT/W2000 systems under
`\\ntdfs\cs\unix\homes\sys' (e.g. `/homes/sys/jouser' and
`\\ntdfs\cs\unix\homes\sys\jouser'). The owner and group of
`/homes/sys/jouser' will be set appropriately; mode will be
read/write by owner only.
proj.spin).
These include:
directory AFS volume (mount pt.) ----------- ---------- contrib proj.contrib course proj.course dyncomp proj.dyncomp kimera proj.kimera lis proj.lis luxor proj.luxor metacrawler proj.metacrawler mojava proj.mojava opal proj.opal porc proj.porc porcupine proj.porc prism proj.prism sio proj.sio spin proj.spin visual proj.visual webos proj.webos syn/amit proj.syn.amit syn/cardwell proj.syn.cardwell syn/savage proj.syn.savage trace/bchen proj.trace.bchen trace/jlo proj.trace.jlo trace/romer proj.trace.romer |
Each of these will appear under `/projects/sys' (`\\ntdfs\cs\unix\projects\sys') with the directory names listed above (e.g. `/projects/sys/spin' and `/projects/sys/trace/jlo').
proj.spin.www will be copied to
`/projects/sys/.proj1/spin.www'), as shown here:
AFS volume copied to proj.meta.c /projects/sys/.proj1/meta.c proj.meta.d /projects/sys/.proj1/meta.d proj.meta.f /projects/sys/.proj1/meta.f proj.meta.g /projects/sys/.proj1/meta.g proj.meta.h /projects/sys/.proj1/meta.h proj.meta.i /projects/sys/.proj1/meta.i proj.opal.chase /projects/sys/.proj1/opal.chase proj.opal.jamrozik /projects/sys/.proj1/opal.jamrozik proj.opal.nara /projects/sys/.proj1/opal.nara proj.spin.hoffman /projects/sys/.proj1/spin.hoffman proj.spin.m3 /projects/sys/.proj1/spin.m3 proj.spin.mef /projects/sys/.proj1/spin.mef proj.spin.merge /projects/sys/.proj1/spin.merge proj.spin.myrinet /projects/sys/.proj1/spin.myrinet proj.spin.owa /projects/sys/.proj1/spin.owa proj.spin.test /projects/sys/.proj1/spin.test proj.spin.www /projects/sys/.proj1/spin.www proj.opal.tiwary /projects/sys/.proj2/opal.tiwary proj.opal.voelker /projects/sys/.proj2/opal.voelker proj.spin.archive /projects/sys/.proj2/spin.archive proj.spin.artjg /projects/sys/.proj2/spin.artjg proj.spin.becker /projects/sys/.proj2/spin.becker proj.spin.bershad /projects/sys/.proj2/spin.bershad proj.spin.bin /projects/sys/.proj2/spin.bin proj.spin.build /projects/sys/.proj2/spin.build proj.spin.chase /projects/sys/.proj2/spin.chase proj.spin.cvsroot /projects/sys/.proj2/spin.cvsroot proj.spin.ddion /projects/sys/.proj2/spin.ddion proj.spin.dist /projects/sys/.proj2/spin.dist proj.spin.eaberg /projects/sys/.proj2/spin.eaberg proj.spin.pardy /projects/sys/.proj2/spin.pardy proj.meta.e /projects/sys/.proj3/meta.e proj.porc.manu /projects/sys/.proj3/porc.manu proj.porc.maureen /projects/sys/.proj3/porc.maureen proj.porc.nspring /projects/sys/.proj3/porc.nspring proj.spin.egs /projects/sys/.proj3/spin.egs proj.spin.egs.jdk /projects/sys/.proj3/spin.egs.jdk proj.spin.ericc /projects/sys/.proj3/spin.ericc proj.spin.fgray /projects/sys/.proj3/spin.fgray proj.spin.imenn /projects/sys/.proj3/spin.imenn proj.spin.matthai /projects/sys/.proj3/spin.matthai proj.spin.oystr /projects/sys/.proj3/spin.oystr proj.spin.rgrimm /projects/sys/.proj3/spin.rgrimm proj.spin.robs /projects/sys/.proj3/spin.robs proj.spin.savage /projects/sys/.proj3/spin.savage proj.spin.tian /projects/sys/.proj3/spin.tian proj.spin.whsieh /projects/sys/.proj3/spin.whsieh proj.spin.yasushi /projects/sys/.proj3/spin.yasushi |
src.yyy) will be copied to
`/sources/sys' (e.g. as `/sources/sys/yyy').
local, root and system;
these will be copied to one of three directories,
`/projects/sys/.afs/local',
`/projects/sys/.afs/root', or
`/projects/sys/.afs/system'.
If an AFS mount point is encountered when copying directory hierarchies from AFS servers to NFS servers, it will be handled as described in this example:
Let the directory name of the mount point be `xxx' and the AFS volume
it points to be called proj.xxx. The directory (mount point) that
appears in AFS will be replaced with a symlink on the destination NFS
filesystem. The name of the symlink will be `xxx-DEAD-AFS-MTPT' and
its contents will be `#proj.xxx'.
For example, ls -ld xxx; fs lsmount xxx on AFS would put out
something like this (see man fs_lsmount on an AFS client for more
info on listing mount points):
drwxrwxrwx 4 root spin 2048 Oct 30 1998 xxx/ 'xxx' is a mount point for volume '#proj.xxx' |
while ls -l xxx on NFS would put out something like this:
lrwxrwxrwx 1 jouser grad_cs 13 Jan 3 12:22 xxx-DEAD-AFS-MTPT -> #proj.xxx |
It is up to the owner of each directory to create a correct link (and
delete the "DEAD" link if desired). E.g. if the root of volume
proj.xxx winds up in `/projects/sys/.proj1/xxx' on the NFS
server,
ln -s /projects/sys/.proj1/xxx |
We now return you to your regularly scheduled web page...
If you don't have time to read the first two parts of this guide (Introduction and File and Directory Access Controls), at least read this first page. This is what you need to know if you have an AFS home directory or if you must access some other protected AFS directory. AFS is a type of file system enabled on most UNIX workstations in the department. You can work with AFS files the same as you would with "normal" UNIX files, using the same editors, compilers, and other tools. However, there are some significant differences you need to be aware of.
rsh, rcp, or rlogin (or a command that
uses any of them, such as xrsh), you may need to know that there
are AFS versions of these commands (The UNIX R-Commands).
The following questions assume that your user name is `joeuser' and that your home directory, called `/afs/cs/homes/joeuser', is kept on an AFS file server. Answers are in AFS Driver License Quiz Answers
ls command to look at the characteristics of file
`.secret' in your home directory:
|
|
The file access permissions do not allow the specified action. |
AFS (the AFS File System, a product of Transarc Corporation) is a distributed file sytem that operates on a worldwide network of client hosts and server hosts. An AFS client host can access files residing on an AFS server transparently, as if they resided on a local disk. This is similar to how NFS is set up locally in the CSE department. However, unlike NFS, AFS mandates the use of a truly global hierarchical naming scheme in which a file has the same path name on any AFS client anywhere in the world.
This document briefly presents information you will need to get started with AFS and notes some of the principal differences between AFS and the usual UNIX file systems such as NFS. A familiarity with UNIX filesystems and file structure is assumed.
You can read publicly accessible AFS files even if you do not have an AFS account, so not everyone will need an account.
If you already have a CSE research account you may also get an AFS
account and directory. This will be referred to as your AFS home
directory, although it need not be your login directory. Send
mail to afs@cs to request an account. Your home directory will
be assigned a space quota, usually 20 megabytes or less.
Until AFS becomes ubiquitous throughout the department, your AFS home
directory will not be your login directory for every host in the
department. If you want your login directory to be your AFS home
directory for a particular group of AFS client hosts, send mail to
afs@cs. If your AFS home and login directories are one and the
same, your quota can be set according the kind of account you have or
the project you are working on.
In order to access AFS commands you should make sure your PATH environment variable has a `/usr/afsws/bin' component. Likewise, to access man pages, MANPATH should have a `/usr/afsws/man' component. If you are using the current departmental standard `.cshrc' file(1), PATH and MANPATH will have these components; see The UNIX R-Commands for more information.
If `/usr/afsws' does not exist on the host you are logged into (e.g. `cd /usr/afsws' fails), the host does not have the ability to be an AFS client, or for some reason it has not been configured as an AFS client
Of the current CSE research hosts, all are or will eventually be configured as AFS clients except: DECstations running Ultrix, some Alphas, and some of the older Suns.
The root of the AFS file tree is `/afs'. The second component of the path is a cell name---usually a DNS dotted name. Thus,
/afs/cs.washington.edu |
Locally, a symbolic link under `/afs', `cs -> cs.washington.edu', allows path names to be abbreviated, e.g.
/afs/cs/homes/joeuser |
/afs/cs.washington.edu/homes/joeuser. |
The following directories are below `/afs/cs':
homes
projects
sources
local
uns
admin
system
cse
Some AFS commands are organized into "suites", for example the fs
suite. The first parameter of such a command is an opcode
for the suite. All suite commands have an opcode `help',
which will list all the other opcodes, e.g. for fs:
|
An opcode can be abbreviated by entering a prefix string long enough to make it unique, e.g. `fs exa .' is the same as `fs examine .'. In addition, opcode aliases may be accepted. Adding an opcode after `help' causes the aliases and command usage to be displayed for that opcode, e.g:
|
Most commands, whether part of a suite or not, also have a `-help' parameter that will display usage.
In addition to the built-in command help, a set of man pages for AFS
commands is kept in `/usr/afsws/man'. The man pages are organized
in an unobvious way for the command suites. For example, instead of
`man fs' yielding a complete man page for fs and all its
opcodes, it yields only an introduction to the fs suite. In
order to know in detail what a particular opcode of fs does, you
need to enter `man fs_opcode' (note the `_'),
e.g. `man fs_examine'. Note that the full opcode must be
specified, and no aliases are allowed, e.g. `man fs_exa' or
`man fs_listvol' will not work. To see a "whatis" list of all
AFS man pages, enter `man -k AFS:'.
The unit of storage on an AFS server is called a volume---a named subsection of a disk partition. Volumes consist of natural "chunks" of data; for example, each home directory is contained in a single volume. In using AFS you will almost never need to know which servers(2) contain particular volumes, and you will rarely need to be aware of the names of volumes.
A space quota may be assigned to an AFS volume. At this time, home directories have been assigned a range of quotas from 20MB to unlimited. To find the volume name, quota, and space usage corresponding to any AFS path, use the `fs listquota path' command, e.g.
|
To have a better "feel" for what AFS does, it may help to know that in addition to containing AFS volumes, the servers also maintain several databases:
Servers also ensure that AFS system configuration and binary files are replicated among themselves, and a designated server maintains a master clock that other servers and clients set their clocks by.
AFS does not use UNIX UIDs for authentication. To access any but public
AFS files you need to have an AFS token. Almost all AFS client hosts
have AFS-aware versions of login and xdm(3), so a token is automatically issued when
you log in.(4) To see what tokens you have use
the tokens command, for example:
|
If you do not have a token, you can get one by using the klog
command, e.g.:
|
Tokens do not last forever; by default they expire 25 hours after the
time issued. Use klog, if necessary, to renew an expired token
or to replace one about to expire with a fresh one.
To change your AFS password, use kpasswd:(5)
|
Each AFS directory (not each file) has an associated Access Control List (ACL), a list of users and groups granted or denied access to the directory's contents. Associated with each user or group on an ACL is a set of rights granted or denied.
AFS rights are shown in the following table. There are seven basic rights, each with a single-letter abbreviation. A set of rights is displayed as (or can be expressed as) a concatentation of the basic right abbreviations. In addition, there are some shorthand abbreviations that can be used for common combinations of rights when setting a directory's ACL:
abbrev
l
i
d
a
r
w
k
flock files in a directory.
all
read
write
none
The UNIX mode bits of a directory have no effect in AFS, nor do the group and other mode bits of a regular file.
Only the user mode bits of regular files retain their function and can be used to further restrict access to a file that a directory's ACL allows access to. However,
chmod.
Warning: when you create a tar file from an AFS directory,
be sure the mode bits are set correctly. In AFS the directory mode bits
rwxrwxrwx mean nothing, but when untarred to a UNIX file system
you will want the mode bits to be correct.
The UNIX group of an AFS file or directory is not used. Instead, ACLs may assign (or negate) rights to AFS groups as well as individual users.
AFS provides a few predefined groups:
system:anyuser
system:authuser
system:administrators
One group local to UW CSE is also worth mentioning:
cs-hosts
Group IDs in AFS are negative numbers, to distinguish them from UIDs.
You can create and manage your own protection groups. See man pages
pts, pts_creategroup, and pts_adduser for more
details.
To look at an ACL that applies to a path, use `fs listacl path', e.g.:
|
cs-hosts has read rights and user
joeuser has all rights.
To change an ACL use `fs setacl path [id rights]...', e.g. to remove `cs-hosts' from an ACL and allow `read' rights to `system:anyuser', enter:
fs setacl /afs/cs/homes/joeuser/public cs-hosts none system:anyuser read |
fs_setacl for details.
If you have an account in a foreign AFS cell, you can get a token for that account and keep it in the local host, e.g.:
|
tokens output shows tokens held for both foreign and local
cells, hence files for which rights are granted may be accessed in both
cells.
Each night the system takes a "snapshot" of all volumes and for each one creates a read-only backup volume that reflects conditions at the time of the snapshot. The system does not actually copy files, only pointers to files, so taking the snapshots is very efficient. After the backup volumes are generated, a backup process is run that copies them to tape, similar to the nightly backup process run on regular UNIX file systems.
A backup volume's name is that of the original with `.backup' appended, e.g. joeuser's home directory backup volume is called `user.joeuser.backup'.
To make a volume visible in the file hierarchy, an AFS mount point for the volume must be created via `fs mkmount directory volume'. For example, in the course of setting up joeuser's home directory, the following command was executed:
fs mkmount /afs/cs/homes/joeuser/oldfiles user.joeuser.backup |
|
fs_lsmount for more information on mount
points.
Having an `oldfiles' mountpoint available means you can retrieve accidentally deleted or hosed files yourself, if you discover they are gone before the next nightly backup snapshot. For example, to replace today's `public/reallyimportant' file with yesterday's:
cd /afs/cs/homes/joeuser cp oldfiles/public/reallyimportant public/reallyimportant |
When your AFS home directory is first created its contents and characteristics are as follows:
All of this is illustrated by the following example:
|
A PAG (Process Authentication Group) is a number that identifies you to the Cache Manager, an AFS process running on your local client host. One of the Cache Manager's jobs is to hold tokens for all authenticated users and to identify the issuers of commands that require AFS authentication. There are two ways the Cache Manager can identify you:
login and xdm programs have been modified to
accept your AFS password and set up a PAG and token for you
automatically.
If you need a new PAG, use the pagsh command, which
starts a Bourne shell with PAG established, e.g.:
|
groups command includes two
adjacent numbers, there is a PAG. All child processes inherit their
parent's PAG.
There can be only one token at a time per cell per host per PAG. As a consequence, when you modify tokens, the modification applies to all processes with the same PAG, or, if tokens are associated with your UID instead of a PAG, to all processes on the host under your UID that have no PAG. One of the advantages of running with a PAG is that a process running as root will not be able to use your tokens, even if it has assumed your UID.
The one token per cell per host per PAG property can lead to surprising
results, say if your friend drops by to show you something and uses a
shell in one of your 23 windows to run a klog command without
issuing a pagsh command first!
When pagsh creates a new PAG your existing token(s), if any, remain
associated with the old PAG or UID, and you must issue klog
to get a new token.
The best way to ensure a long-running background job is properly authenticated and not disturbed is to start it in a new PAG with a fresh token, e.g. in a wrapper script:
|
Another function of the Cache Manager is to request files from servers and store them temporarily in the disk cache, a reserved area of your local host's disk. You work on the copy, which is written back to the server when the file is closed.
The size of the cache varies according to the disk capacity of individual hosts, but it generally is on the order of 50MB. If the system finds it needs more cache than the amount provided, performance will suffer. To find out how much cache is in use, enter `fs getcacheparms', e.g.:
|
Each AFS user or group has a set of five privacy flags to indicate who has permission to view information about it and, for groups, who can make changes to the group. Only group privacy flags are discussed here.
The privacy flags are listed by `pts examine group', e.g.:
|
The flags are "positional" in nature, and values for all 5 are always listed, e.g. `S-M--' in the above example.
The following table shows the possible single-character values for all five group privacy flags:
s
S
-
pts_creategroup for details.)
O
-
m
M
-
a
A
-
r
R
See man page pts_setfields for details.
Several types of AFS client hosts are used in the department:
type
alpha_osf32
i386_linux1
i386_linux2
rs_aix32
sgi_53
sun4c_411
sun4m_412
If the string `@sys' appears in an AFS path name, it will automatically be replaced by the AFS type of the local host. For example, one way to create `/afs/cs/projects/ai/bin' directories for SunOS and IRIX platforms is as follows:
cd /afs/cs/projects/ai mkdir .bin mkdir .bin/sun4m_412 .bin/sgi_53 (cd .bin; ln -s sun4m_412 sun4c_411) ln -s .bin/@sys bin |
You can find out the system name of the current host with the `fs sysname' command.
A non-AFS client host may NFS-mount `/afs' from an NFS/AFS
Translator host. A translator host is both an AFS client and an NFS
server. You can tell a "real" AFS client if the filesystem of
`/afs' as reported by df is "AFS":
|
|
To access protected files, you must do two things:
knfs command on the translator host to tell its
Cache Manager two things: the name of the NFS client machine you
want to use and your UNIX uid.
This lets the translator host associate the NFS client with your tokens.
|
knfs kludge only when really necessary.
The UNIX "r-commands"---rsh, rcp, and
rlogin---are used to execute commands on a remote host, copy
files to/from a remote host, and login to a remote host without
re-entering your UNIX password, provided a `.rhosts' file in your
remote home directory allows it. AFS-aware versions of these commands
are available which, in addition to these functions, set up a PAG and
enable AFS authentication on a remote host, either by passing your
existing AFS tokens or by establishing new tokens. To get around bugs
in the r-commands provided by Transarc, we support the AFS-aware
versions of the "secure shell" r-commands. See
http://www.cs.hut.fi/ssh
for more information on the Secure Shell
Remote Login Program.
In the departmental standard `.cshrc' file, PATH is currently set
such that the secure shell r-commands directory appears after the
usual default location of rsh, rcp, and rlogin
(`/usr/ucb'). The default path hides the secure shell r-commands
because they are are not transparently interchangeable with the UNIX
versions; for example, if the remote host cannot handle the secure shell
protocol, the AFS-aware secure shell versions revert to the standard
r-commands and write the following to standard error: "Secure
connection to host refused; reverting to insecure method. ...WARNING:
Connection will not be encrypted."
If you want to use the AFS-aware secure shell versions of these programs, edit your `.cshrc' to put `/afs/cs/local/bin' early in your PATH and `/afs/cs/local/man' early in your MANPATH.
An AFS-aware version of xlock, known as xlock.afs, is available
in `/afs/cs/local/bin'. Xlock.afs will get a new local token
for the PAG (Process Authentication Group) in which it was called when you unlock the
screen by typing your AFS password. Thus, if you use xlock.afs
to lock your workstation every day, you will not have to issue
klog (Authentication, Passwords, and Tokens) explictly to keep your token from expiring.
However, xlock.afs does not renew tokens on remote systems, so if
you have used xrsh to open xterms or editors on remote systems,
you must renew these tokens explicitly with klog.
Here are some common things that can go wrong or that can cause confusion. As always, send mail to `afs@cs' if you think there is a problem that requires staff assistance.
If `/afs/cs' is present and your environment is correct, but AFS commands are still not available, either
klog, as described
in Authentication, Passwords, and Tokens.
/afs/transarc.com/public/www/Product/AFS/FAQ/faq.html
.
There are also hard copy manuals---AFS User's Guide and AFS
Command Reference Manual---that you can look at, located in Sieg 117.
ls command to look at the characteristics of file
`.secret' in your home directory:
% ls -l /afs/cs/homes/joeuser/.secret -rw------- 1 joeuser joegroup 4698 May 1 11:25 .secret |
ANSWER: Maybe true, maybe false: it depends on the Access Control List of your home directory, not on the UNIX protection modes. See File and Directory Access Controls and in particular UNIX Mode Bits.
ANSWER: Your AFS token has probably timed out. See Authentication, Passwords, and Tokens.
ANSWER: See Servers and Volumes.
% klog mikey Password: mikey's_AFS_password % view /afs/cs/homes/mikey/coolfile |
The file access permissions do not allow the specified action. |
ANSWER: Your friend has replaced your token with his, not only in one window but very likely in all of them. See Process Authentication Group.
| Jump to: | .
@
A B C D E F G H I K L M N O P Q R S T U V W X |
|---|
| Jump to: | .
@
A B C D E F G H I K L M N O P Q R S T U V W X |
|---|
This is the `.cshrc' that new home directories get a copy of. If your home directory was set up some time ago, you may want to compare your `.cshrc' to the copy of the standard file kept in `/cse/lab/dotfiles/dept.cshrc' on all research hosts
There are 5 servers in the CSE department: 3 Alphas running OSF/1 3.2, and two IBM PowerPCs running AIX 3.2.5
"AFS-aware" password handling means that you only need to provide your AFS password to be logged in
If a token is automatically issued, a PAG is established as well. See Process Authentication Group.
Kpasswd may
not be available on some platforms, e.g. Linux. In that case use
`kas setpasswd username'.
This means that if your version of UNIX allows you to be in a maximum of 16 groups and you wish to establish a PAG, the maximum number of UNIX groups is reduced to 14.