Difference: UsingAFS (23 vs. 24)

Revision 24 - 2016-04-28 - GordonStewart

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
Changed:
<
<

Using AFS At Glasgow

>
>

AFS at Glasgow

 
Deleted:
<
<

Local AFS Cell (/afs/phas.gla.ac.uk)

 
Changed:
<
<

File System Layout

>
>

Directory Layout

 
Changed:
<
<
Beneath /afs/phas.gla.ac.uk are the following directories:
>
>
The local AFS cell (phas.gla.ac.uk, mounted as /afs/phas.gla.ac.uk) contains the following directories:
 
Changed:
<
<
  • backup : Snap shot backups for user home directories and other files. The snap shot is done each night at 1am.
  • data : Large store area, not backed up.
  • group : Group based storage area, backed up.
  • project :
  • system : Common programs installed system wide.
  • user : User home directories are stored under this directory. The initial quota on home directories is 50GB. Nightly snap shot backups and long term backups.
>
>
Directory Description
backup Nightly back-up of user home areas.
data Large storage areas for research data.
group Storage for PPE data.
project  
system Common programs.
user User home areas.
 
Changed:
<
<

Backups

>
>
Refer to the section on back-ups for a list of those directories which are backed-up, and details of the retention schedule.
 
Deleted:
<
<
Overnight backups of user home areas are taken at 1am each night. These backups are user accessible and can be found in /afs/phas.gla.ac.uk/backup/user/_letter_/_username_. Longer term backups are also done - nightly snapshots of user home directories are retained for 7 days except that the snapshots done on a Saturday are retained for two months and the snapshots done on the first Saturday of each month are retained for six months. These longer term backups are not user accessible please contact ITManagement to request a file to be recovered.
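Review bot: The deleted paragraph was the only place on this page that gave the user-accessible snapshot path (/afs/phas.gla.ac.uk/backup/user/_letter_/_username_) and the retention schedule, and the replacement sentence "Refer to the section on back-ups" names no target. Make that reference a link, and confirm the linked section still says which snapshots users can reach themselves and which need a request to ITManagement.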
 
Changed:
<
<

Cronjobs

>
>

Cron jobs

 
Changed:
<
<
Normal cronjobs can not write to the afs file system and can only read the publicly accessible parts of the file system. Cronjobs which require access to the afs file system can be created using the kcrontab command.
>
>
Normal cron jobs cannot write to the AFS file system, and will only be able to read publicly-accessible files. You can create a cron job with full access to AFS using the kcrontab command.
 
Deleted:
<
<

Batch system

 
Changed:
<
<
The currrent batch system (acess from the machine ppepbs.physics.gla.ac.uk) will not be able to access the local afs cell. A new batch system has been setup which can access the afs file system and which is accessible from any linux desktop machine that has been moved onto the new system.
>
>

External Kerberos Access (Linux / Mac OS X)

 
Changed:
<
<
To use the new system simply use the normal qsub and qstat commands from any PPE linux desktop that has been moved over the the new system.
>
>
You can configure Kerberos on a Linux or Mac OS X machine to enable passwordless log-in to remote machines once a Kerberos ticket has been created. To do this, open /etc/krb5.conf (/Library/Preferences/edu.mit.Kerberos under OS X) in a text editor, and add the following to the realms section:
 
Changed:
<
<

Home web pages

User's home web pages are served from the directory public_html in their home directory. The web server will use the public_html directory in the afs file system of an account moved over to the afs in preference to the public_html directory in the old account. Until files are moved from the old public_html directory to the new directory a user's web pages will be inaccessible. It is important to move the files under the public_html directory in the old NFS file system to the new public_html directory and not to move the public_html directory itself due to afs file permissions. For example to do this use the command:

mv /home/_username_/public_html/* /afs/phas.gla.ac.uk/user/_letter_/_username_/public_html/

Substituting _letter_ and _username_ as required.

External Kerberos access (linux/mac)

Setting up kerberos on a linux or mac allows for password less login to machines after the initial kerberos ticket has been created.

Edit the file /etc/krb5.conf or for OS X edit /Library/Preferences/edu.mit.Kerberos and add/edit to the realms section:

>
>

 PHAS.GLA.AC.UK = { default_domain = phas.gla.ac.uk kdc = kdc2.phas.gla.ac.uk:88 kdc = kdc1.phas.gla.ac.uk:88 admin_server = kdc1.phas.gla.ac.uk }
Changed:
<
<
>
>

In the same file, add the following to the libdefaults section:

  Then add/edit to the libdefaults section:
Changed:
<
<
>
>

 allow_weak_crypto = true default_realm = PHAS.GLA.AC.UK dns_lookup_realm = false
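Review bot: The new lead-in "add the following to the libdefaults section" asks readers to copy allow_weak_crypto = true without saying why. In libdefaults that setting permits weak encryption types such as single DES for every realm the machine talks to, not only PHAS.GLA.AC.UK. State the reason this cell needs it (for example an AFS service key that is still DES, if that is the case), or drop the line if it is no longer required.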
Line: 65 to 51
 renew_lifetime = 672h forwardable = true proxiable = true
Changed:
<
<
>
>
 
Changed:
<
<
For ssh access edit /etc/ssh/ssh_config on linux machines or /etc/ssh_config on macs (root access is required to edit either file) and ensure the follow are set to yes:
>
>
To use Kerberos with SSH, open /etc/ssh/ssh_config (/etc/ssh_config on OS X) and check the following values are set:
 
Changed:
<
<
>
>

 GSSAPIAuthentication yes GSSAPIDelegateCredentials yes GSSAPIKeyExchange yes
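Review bot: The rewritten instruction puts GSSAPIDelegateCredentials yes at the top level of the system-wide ssh_config, which forwards the user's Kerberos ticket to every GSSAPI-capable host they connect to, not just PPE machines. Suggest showing the three options inside a Host block limited to the Glasgow hosts (for example Host *.physics.gla.ac.uk) and leaving the global default alone. Also note that GSSAPIKeyExchange is not an upstream OpenSSH option; it comes from a GSSAPI key-exchange patch that some distributions carry, and an ssh built without it stops with a bad-configuration-option error, so the text should say the line is optional or to omit it where unsupported.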
Changed:
<
<
>
>
 
Changed:
<
<
Then try to get an kerberos ticket and log into ppelx:
>
>
You will need administrative rights to make any changes to these files.
 
Changed:
<
<
create kerberos ticket then ssh into ppelx
$ kinit username@PHAS.GLA.AC.UK
$ ssh username@ppelx.physics.gla.ac.uk
>
>
To use a Kerberos ticket to log-in to ppelx:
 
Changed:
<
<
Changing username as appropriate.
>
>
$ kinit <USERNAME>@PHAS.GLA.AC.UK
$ ssh <USERNAME>@ppelx.physics.gla.ac.uk
 
Deleted:
<
<

External afs access (linux/mac)

 
Changed:
<
<
To access the phas.gla.ac.uk afs cell from an external linux machine requires first setting up kerberos access as described above and then installing the openafs client and editing a couple of config files all of which will require root access. Packages exist for all the major linux distributions just use the distributions software installer. If that fails try the openafs web site: https://www.openafs.org . For OS X the packages can be downloaded from http://www.openafs.org/macos.html
>
>

External AFS Access (Linux / Mac OS X)

 
Changed:
<
<
After installing the openafs edit the file /etc/krb5.conf or for OS X edit /Library/Preferences/edu.mit.Kerberos and add/edit to the realms section:
>
>
Access to the phas.gla.ac.uk AFS cell from a non-PPE machine requires that you first configure Kerberos as described above, then install the appropriate OpenAFS client.
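Review bot: "install the appropriate OpenAFS client" no longer says where the client comes from; the old text pointed to the distribution's package manager and to openafs.org. Keep one sentence naming those sources so readers do not go looking for the package elsewhere.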
 
Changed:
<
<
Then add/edit to the domain_realm section:
>
>
After installing OpenAFS, open /etc/krb5.conf (/Library/Preferences/edu.mit.Kerberos under OS X) in a text editor, and add the following to the domain_realm section:
 
Changed:
<
<
>
>

  .phas.gla.ac.uk = PHAS.GLA.AC.UK .physics.gla.ac.uk = PHAS.GLA.AC.UK .ppe.gla.ac.uk = PHAS.GLA.AC.UK
Changed:
<
<

Or use this example krb5.conf file which also has the kerberos setting for cern and fermi lab.

>
>
 
Changed:
<
<
Then edit the CellServDB file which can usually be found on a linux machine at /usr/vice/etc/CellServDB or /etc/openafs/CellServDB and for OS X is located at /var/db/openafs/etc/CellServDB and add:
>
>
You will then need to edit your CellServDB file, which can usually be found in either /usr/vice/etc/CellServDB or /etc/openafs/CellServDB (/var/db/openafs/etc/CellServDB under OS X), adding the following lines:
 
Changed:
<
<
>
>

 >phas.gla.ac.uk #Univeristy of Glasgow Physics And Astronomy
194.36.1.27 #afsdb3.phas.gla.ac.uk 194.36.1.19 #afsdb1.phas.gla.ac.uk 194.36.1.33 #afsdb2.phas.gla.ac.uk
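Review bot: The cell description in the CellServDB block still reads "Univeristy of Glasgow"; since the surrounding text was being reworded anyway and readers paste this block verbatim, correct it to "University" in the same revision.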
Changed:
<
<
>
>
 
Changed:
<
<
either at the top or bottom of the file.
>
>
Finally, edit the ThisCell file which can be found in the same directory, replacing its contents with:
 
Changed:
<
<
Next edit the ThisCell file (/usr/vice/etc/ThisCell or /etc/openafs/ThisCell on linux or /var/db/openafs/etc/ThisCell for OS X) replacing the contents with
>
>

 phas.gla.ac.uk
Changed:
<
<
>
>

Restart the OpenAFS client either by restarting the service, or by rebooting the machine.

 
Changed:
<
<
Restart the openafs client either by restarting the client service or rebooting the machine) and create a kerberos ticket and get an afs token:
>
>
To create a Kerberos ticket and obtain an AFS token, use commands similar to the following:
 
Changed:
<
<
create kerberos ticket then ssh into ppelx
$ kinit username@PHAS.GLA.AC.UK
$ aklog
>
>
$ kinit <USERNAME>@PHAS.GLA.AC.UK
$ aklog
 
Deleted:
<
<
Changing username as appropriate. If both commands are successful then try to access the afs cell:
 
Changed:
<
<
test the afs cell
$ ls /afs/phas.gla.ac.uk/user
>
>

Hints, Tips and Issues
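Review bot: The old closing check, ls /afs/phas.gla.ac.uk/user, is removed here and nothing replaces it, so the procedure now ends at aklog with no way for the reader to confirm that the token was issued and the cell is reachable. Keep a one-line check after aklog, either the ls above or the tokens command.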

 
Deleted:
<
<

Hints, Tips And Issues

 

Common AFS commands

Changed:
<
<
  • fs lq : List the size and amount used of the volume of the current working directory.
  • fs listacl : List the acl (access control list) for the current working directory.
  • fs setacl dir user/group permissions : Add to the acl of a directory.
>
>
Command Description
fs lq Display information about available and used space for the current directory.
fs listacl Display the ACL (Access Control List) of the current directory.
fs setacl <PATHNAME> <USERNAME> <PERMISSIONS> Add an entry to the current directory's ACL.
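Review bot: In the fs setacl row the description says "the current directory's ACL" while the command takes a <PATHNAME> argument, so the two disagree; reword it to "Add an entry to the ACL of the given directory". The old bullet also allowed "user/group" as the second argument, and the new <USERNAME> placeholder drops the group case, which matters for anyone granting access to a whole group rather than to individuals.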
 

AFS ACLs (Protecting Data)

 