Difference: UsingAFS (23 vs. 24)

Revision 242016-04-28 - GordonStewart

  META TOPICPARENT 
 name="WebHome"
- META TOPICPARENT
+ name="WebHome"
-<
<
+ Using AFS At Glasgow
->
>
+ AFS at Glasgow
   AFS in PPE 
  Introduction
   Directory Layout
   Cron jobs
   AFS on Mac OS X
   External Kerberos Access (Linux / Mac OS X)
   External AFS Access (Linux / Mac OS X)
   Hints, Tips and Issues 
  Common AFS commands
   AFS Access Control Lists (ACLs)
   Accessing the CERN AFS cell
   Using rsync with AFS
   Automatic token renewal
-<
<
+ Local AFS Cell (/afs/phas.gla.ac.uk)
-<
<
+ File System Layout
->
>
+ Directory Layout
-<
<
+Beneath /afs/phas.gla.ac.uk are the following directories:
->
>
+The local AFS cell (phas.gla.ac.uk, mounted as /afs/phas.gla.ac.uk) contains the following directories:
-<
<
+ backup : Snap shot backups for user home directories and other files. The snap shot is done each night at 1am.
  data : Large store area, not backed up.
  group : Group based storage area, backed up. 
  project : 
  system : Common programs installed system wide.
  user : User home directories are stored under this directory. The initial quota on home directories is 50GB. Nightly snap shot backups and long term backups.
->
>
+ Directory 
 Description 


 backup 
 Nightly back-up of user home areas. 


 data 
 Large storage areas for research data. 


 group 
 Storage for PPE data. 


 project 
   


 system 
 Common programs. 


 user 
 User home areas.
- Directory
+ Description
- backup
+ Nightly back-up of user home areas.
- data
+ Large storage areas for research data.
- group
+ Storage for PPE data.
  project
- system
+ Common programs.
- user
+ User home areas.
-<
<
+ Backups
->
>
+Refer to the section on back-ups for a list of those directories which are backed-up, and details of the retention schedule.
-<
<
+Overnight backups of user home areas are taken at 1am each night. These backups are user accessible and can be found in /afs/phas.gla.ac.uk/backup/user/_letter_/_username_. Longer term backups are also done - nightly snapshots of user home directories are retained for 7 days except that the snapshots done on a Saturday are retained for two months and the snapshots done on the first Saturday of each month are retained for six months. These longer term backups are not user accessible please contact ITManagement to request a file to be recovered.
-<
<
+ Cronjobs
->
>
+ Cron jobs
-<
<
+Normal cronjobs can not write to the afs file system and can only read the publicly accessible parts of the file system. Cronjobs which require access to the afs file system can be created using the kcrontab command.
->
>
+Normal cron jobs cannot write to the AFS file system, and will only be able to read publicly-accessible files.  You can create a cron job with full access to AFS using the kcrontab command.
-<
<
+ Batch system
-<
<
+The currrent batch system (acess from the machine ppepbs.physics.gla.ac.uk) will not be able to access the local afs cell. A new batch system has been setup which can access the afs file system and which is accessible from any linux desktop machine that has been moved onto the new system.
->
>
+ External Kerberos Access (Linux / Mac OS X)
-<
<
+To use the new system simply use the normal qsub and qstat commands from any PPE linux desktop that has been moved over the the new system.
->
>
+You can configure Kerberos on a Linux or Mac OS X machine to enable passwordless log-in to remote machines once a Kerberos ticket has been created.  To do this, open /etc/krb5.conf (/Library/Preferences/edu.mit.Kerberos under OS X) in a text editor, and add the following to the realms section:
-<
<
+ Home web pages 

User's home web pages are served from the directory public_html in their home directory. The web server will use the public_html directory in the afs file system of an account moved over to the afs in preference to the public_html directory in the old account. Until files are moved from the old public_html directory to the new directory a user's web pages will be inaccessible. It is important to move the files under the public_html directory in the old NFS file system to the new public_html directory and not to move the public_html directory itself due to afs file permissions. For example to do this use the command:

mv /home/_username_/public_html/* /afs/phas.gla.ac.uk/user/_letter_/_username_/public_html/

Substituting _letter_ and _username_ as required.

 External Kerberos access (linux/mac) 

Setting up kerberos on a linux or mac allows for password less login to machines after the initial kerberos ticket has been created.

Edit the file /etc/krb5.conf or for OS X edit /Library/Preferences/edu.mit.Kerberos and add/edit to the  realms section:
->
>
 PHAS.GLA.AC.UK = {
  default_domain = phas.gla.ac.uk
  kdc = kdc2.phas.gla.ac.uk:88
  kdc = kdc1.phas.gla.ac.uk:88
  admin_server = kdc1.phas.gla.ac.uk
 }
-<
<
->
>
+In the same file, add the following to the libdefaults section:
 Then add/edit to the libdefaults section:
-<
<
->
>
 allow_weak_crypto = true
default_realm = PHAS.GLA.AC.UK
dns_lookup_realm = false
 renew_lifetime = 672h
forwardable = true
proxiable = true
-<
<
->
>
-<
<
+For ssh access edit /etc/ssh/ssh_config on linux machines or /etc/ssh_config on macs (root access is required to edit either file) and ensure the follow are set to yes:
->
>
+To use Kerberos with SSH, open /etc/ssh/ssh_config (/etc/ssh_config on OS X) and check the following values are set:
-<
<
->
>
 GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes
-<
<
->
>
-<
<
+Then try to get an kerberos ticket and log into ppelx:
->
>
+You will need administrative rights to make any changes to these files.
-<
<
+create kerberos ticket then ssh into ppelx
$ kinit username@PHAS.GLA.AC.UK
$ ssh username@ppelx.physics.gla.ac.uk
 create kerberos ticket then ssh into ppelx
 $ kinit username@PHAS.GLA.AC.UK
 $ ssh username@ppelx.physics.gla.ac.uk
->
>
+To use a Kerberos ticket to log-in to ppelx:
-<
<
+Changing username as appropriate.
->
>
+$ kinit <USERNAME>@PHAS.GLA.AC.UK
$ ssh <USERNAME>@ppelx.physics.gla.ac.uk
-<
<
+ External afs access (linux/mac)
-<
<
+To access the phas.gla.ac.uk afs cell from an external linux machine requires first setting up kerberos access as described above and then installing the openafs client and editing a couple of config files all of which will require root access. Packages exist for all the major linux distributions just use the distributions software installer. If that fails try the openafs web site: https://www.openafs.org . For OS X the packages can be downloaded from http://www.openafs.org/macos.html
->
>
+ External AFS Access (Linux / Mac OS X)
-<
<
+After installing the openafs edit the file /etc/krb5.conf or for OS X edit /Library/Preferences/edu.mit.Kerberos and add/edit to the  realms section:
->
>
+Access to the phas.gla.ac.uk AFS cell from a non-PPE machine requires that you first configure Kerberos as described above, then install the appropriate OpenAFS client.
-<
<
+Then add/edit to the domain_realm section:
->
>
+After installing OpenAFS, open /etc/krb5.conf (/Library/Preferences/edu.mit.Kerberos under OS X) in a text editor, and add the following to the domain_realm section:
-<
<
->
>
  .phas.gla.ac.uk = PHAS.GLA.AC.UK
 .physics.gla.ac.uk = PHAS.GLA.AC.UK
 .ppe.gla.ac.uk = PHAS.GLA.AC.UK
-<
<
+Or use this example krb5.conf file which also has the kerberos setting for cern and fermi lab.
->
>
-<
<
+Then edit the CellServDB file which can usually be found on a linux machine at /usr/vice/etc/CellServDB or /etc/openafs/CellServDB and for OS X is located at /var/db/openafs/etc/CellServDB and add:
->
>
+You will then need to edit your CellServDB file, which can usually be found in either /usr/vice/etc/CellServDB or /etc/openafs/CellServDB (/var/db/openafs/etc/CellServDB under OS X), adding the following lines:
-<
<
->
>
 >phas.gla.ac.uk         #Univeristy of Glasgow Physics And Astronomy

194.36.1.27                     #afsdb3.phas.gla.ac.uk
194.36.1.19                     #afsdb1.phas.gla.ac.uk
194.36.1.33                     #afsdb2.phas.gla.ac.uk
-<
<
->
>
-<
<
+either at the top or bottom of the file.
->
>
+Finally, edit the ThisCell file which can be found in the same directory, replacing its contents with:
-<
<
+Next edit the ThisCell file (/usr/vice/etc/ThisCell or /etc/openafs/ThisCell on linux or /var/db/openafs/etc/ThisCell for OS X) replacing the contents with
->
>
 phas.gla.ac.uk
-<
<
->
>
+Restart the OpenAFS client either by restarting the service, or by rebooting the machine.
-<
<
+Restart the openafs client either by restarting the client service or rebooting the machine) and create a kerberos ticket and get an afs token:
->
>
+To create a Kerberos ticket and obtain an AFS token, use commands similar to the following:
-<
<
+create kerberos ticket then ssh into ppelx
$ kinit username@PHAS.GLA.AC.UK
$ aklog
 create kerberos ticket then ssh into ppelx
 $ kinit username@PHAS.GLA.AC.UK
 $ aklog
->
>
+$ kinit <USERNAME>@PHAS.GLA.AC.UK
$ aklog
-<
<
+Changing username as appropriate. If both commands are successful then try to access the afs cell:
-<
<
+test the afs cell
$ ls /afs/phas.gla.ac.uk/user
 test the afs cell
 $ ls /afs/phas.gla.ac.uk/user
->
>
+ Hints, Tips and Issues
-<
<
+ Hints, Tips And Issues
  Common AFS commands
-<
<
+ fs lq : List the size and amount used of the volume of the current working directory.
   fs listacl : List the acl (access control list) for the current working directory.
  fs setacl dir user/group permissions  :  Add to the acl of a directory.
->
>
+ Command 
 Description 


 fs lq 
 Display information about available and used space for the current directory. 


 fs listacl 
 Display the ACL (Access Control List) of the current directory. 


 fs setacl <PATHNAME> <USERNAME> <PERMISSIONS> 
 Add an entry to the current directory's ACL.
- Command
+ Description
- fs lq
+ Display information about available and used space for the current directory.
- fs listacl
+ Display the ACL (Access Control List) of the current directory.
- fs setacl <PATHNAME> <USERNAME> <PERMISSIONS>
+ Add an entry to the current directory's ACL.
  AFS ACLs (Protecting Data)

View topic | History: r26 < r25 < r24 < r23 | More topic actions...