Difference: UsingAFS (24 vs. 25)

Revision 252016-04-29 - GordonStewart

  META TOPICPARENT 
 name="WebHome"
- META TOPICPARENT
+ name="WebHome"
-<
<
+ AFS at Glasgow
->
>
+ AFS in PPE 

PPE storage provision is currently under review, and the following is subject to change.
   AFS in PPE 
  Introduction
   Directory Layout
   Cron jobs
   AFS on Mac OS X
   External Kerberos Access (Linux / Mac OS X)
   External AFS Access (Linux / Mac OS X)
   Hints, Tips and Issues 
  Common AFS commands
   AFS Access Control Lists (ACLs)
   Accessing the CERN AFS cell
   Using rsync with AFS
   Automatic token renewal
->
>
+ Introduction 

PPE uses AFS (the Andrew File System), and specifically the OpenAFS distribution, as a way to share some home areas and data directories between different machines, both internally and externally.

This page provides specific information about the AFS infrastructure within PPE.  For a general introduction to AFS and information about how to use it, please refer to the OpenAFS User Guide.
  Directory Layout 

The local AFS cell (phas.gla.ac.uk, mounted as /afs/phas.gla.ac.uk) contains the following directories:
  External Kerberos Access (Linux / Mac OS X)
-<
<
+You can configure Kerberos on a Linux or Mac OS X machine to enable passwordless log-in to remote machines once a Kerberos ticket has been created.  To do this, open /etc/krb5.conf (/Library/Preferences/edu.mit.Kerberos under OS X) in a text editor, and add the following to the realms section:
->
>
+You can configure Kerberos on a Linux or Mac OS X machine to enable password-less log-in to remote machines once a Kerberos ticket has been created.  To do this, open /etc/krb5.conf (/Library/Preferences/edu.mit.Kerberos under OS X) in a text editor, and add the following to the realms section:
 PHAS.GLA.AC.UK = {
  fs setacl <PATHNAME> <USERNAME> <PERMISSIONS> 
 Add an entry to the current directory's ACL.
- fs setacl <PATHNAME> <USERNAME> <PERMISSIONS>
+ Add an entry to the current directory's ACL.
-<
<
+ AFS ACLs (Protecting Data) 

AFS file systems use directory based ACLs to determine the access permissions for a given file. The following is taken from the afs documentation (http://docs.openafs.org/AdminGuide/ch15s02.html):
 

 The permissions on a directory's ACL apply to all of the files in the directory. When you move a file to a different directory, you effectively change the access permissions that apply to it to those on its new directory's ACL. Changing a directory's ACL changes the protection on all the files in it.
  When you create a subdirectory, its initial ACL is created as a copy of its parent directory's ACL. You can then change the subdirectory's ACL independently. However, the parent directory's ACL continues to control access to the subdirectory in the following way: the parent directory's ACL must grant the l (lookup) permission to a user (or a group the user belongs to) in order for the user to access the subdirectory at all.
 

By default the following directories are created in a user's afs home area:
 

 private - access only for the user and the system administrator, this is also the default for any new directories.
  public - public (world wide) access for anyone.
  public_html - public (world wide) access for anyone, user web pages belong here.
  public_ppe - readable to the ppe group only.
 

To see the acl list on a directory use the command fs listacl dir .

To allow a user or group  user  read access to a directory  dir :

 fs setacl dir user read

To give write permissions:

fs setacl dir user write

And to remove all permissions for a user or group:

fs setacl dir user none
->
>
+ AFS Access Control Lists (ACLs)
-<
<
+System administrator access is required to all directories to allow backups to be taken.
->
>
+AFS uses directory-based ACLs to determine the permissions for the files contained within.  Changing the permissions on a directory changes the permissions for all the files it contains, while moving a file from one directory to another may change its permissions.  Subdirectories inherit the permissions on their parent directory when created, but may be configured independently thereafter.  A detailed description of these permissions can be found in the OpenAFS User Guide.
-<
<
+There is a limit of around 20 entries that can be added to an acl list. The exact number  depends on the size (in characters) of each acl entry. To get around this user created groups can be used
and then the group can be added to the acl list. The cern web page http://information-technology.web.cern.ch/services/fe/afs/howto/work-afs-groups has instructions on how to create groups and add people to them.
->
>
+PPE home areas contain the following directories by default:
-<
<
+ Recursive setting of ACLs 

A helper script to recursively set an ACL is available on all the scientific linux desktop machines. Usage is similar to the standard fs setacl command:

fs-recursive-setacl dir user acl 

 Accessing the CERN afs cell (/afs/cern.ch) 

Getting a kerberos ticket for another kerberos realm using kinit will overwrite the existing kerberos tickets file destroying any local Glasgow
ticket. To get around this tickets for different kerberos realms have to be written to different files. A couple of helper scripts have been written to
made this straight forward: kinit-cern, klist-cern, kdestroy-cern, ssh-cern, kinit-fnal, klist-fnal,
kdestroy-fnal, ssh-fnal.

They are used in the same way as the standard kinit, klist and kdestroy. For example:

$ kinit-cern <lxplus user name>@CERN.CH


and after doing the kinit:

$ ssh-cern <lxplus user name>@lxplus.cern.ch
->
>
+ Directory 
 Description 


 private 
 Access for the user and system administrators. 


 public 
 Global access. 


 public_html 
 Location for personal web pages. 


 public 
 PPE access.
- Directory
+ Description
- private
+ Access for the user and system administrators.
- public
+ Global access.
- public_html
+ Location for personal web pages.
- public
+ PPE access.
-<
<
+ rsyncing files to afs
-<
<
+rsync will copy files to an afs file system in the same way as any other file system. However if directories in the source file system have the stick bit set rsync will complain that it 'failed to set permissions'. A directory with the sticky bit set will have a 's' in the permissions bit field eg:
->
>
+ Accessing the CERN AFS cell
-<
<
+drwxrwsr-x  4 ppemgr ppemgr   45 Jan 14  2009 sl44
->
>
+Access to the CERN AFS cell (cern.ch, mounted as /afs/cern.ch) requires you to obtain a ticket for a different Kerberos realm.  When obtaining this ticket, it is important that it be written to a different file from default, otherwise it will overwrite your PPE ticket and prevent access to your local files.  To simplify this, a number of helper scripts have been provided: kinit-cern, klist-cern, kdestroy-cern, ssh-cern, kinit-fnal, klist-fnal, kdestroy-fnal, and ssh-fnal.  These commands work similarly to the standard kinit, klist, kdestroy and ssh commands.
-<
<
+These errors can be safely ignored but they may obscure other errors when rsyncing.  To remove stick bits before rsyncing use chmod:
-<
<
+chmod a-s _dir_
->
>
+ Using rsync with AFS
-<
<
+replacing _dir_ as required. To recursively remove sticky bits use the -R option.
->
>
+rsync will raise a permissions error when attempting to copy files which have the sticky bit set.  Such errors can be safely ignored.
-<
<
+ Automatic Token Renewal
-<
<
+To automatically renew an AFS token for up to 30 days after logging in requires either a small addition the shell login script for ssh logins or for
desktop logins a small script to be auto run. Each login change is independent of the others and all can be safely used at the same time.
->
>
+ Automatic token renewal
-<
<
+ ssh login
->
>
+AFS tokens can be automatically renewed for up to 30 days after log-in.  This requires that a small script be configured to run automatically.
-<
<
+For bash shell users add the following to the top of .bash_profile:
->
>
+Users of the Bash shell should add the following to the start of their .bash_profile:
-<
<
->
>
 if [ -e /bin/ps ] && [ -e /bin/grep ]
then
    kproc=`/bin/ps x -u ${USER} | /bin/grep krenew | /bin/grep ${KRB5CCNAME}`
         /usr/bin/krenew -K 60 -t -k ${KRB5CCNAME} &
    fi
fi
-<
<
+For csh/tcsh users the untested equivalent is to add the following to the top of .cshrc or .tcshrc:

if ( -e /bin/ps && -e /bin/grep ) then
    setenv kproc `/bin/ps x -u ${USER} | /bin/grep krenew | /bin/grep ${KRB5CCNAME}`
    if ( "${kproc}" == "" && -e /usr/bin/krenew ) then
        /usr/bin/krenew -K 60 -t -k ${KRB5CCNAME} &
    endif
endif





 META FILEATTACHMENT 
 attachment="krb5.conf" attr="" comment="" date="1357214218" name="krb5.conf" path="krb5.conf" size="1656" stream="krb5.conf" tmpFilename="/usr/tmp/CGItemp13840" user="AndrewPickford" version="2"
- META FILEATTACHMENT
+ attachment="krb5.conf" attr="" comment="" date="1357214218" name="krb5.conf" path="krb5.conf" size="1656" stream="krb5.conf" tmpFilename="/usr/tmp/CGItemp13840" user="AndrewPickford" version="2"
->
>

View topic | History: r26 < r25 < r24 < r23 | More topic actions...