Difference: UsingAFS (24 vs. 25)

Revision 252016-04-29 - GordonStewart

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
Changed:
<
<

AFS at Glasgow

>
>

AFS in PPE

PPE storage provision is currently under review, and the following is subject to change.

 
Added:
>
>

Introduction

PPE uses AFS (the Andrew File System), and specifically the OpenAFS distribution, as a way to share some home areas and data directories between different machines, both internally and externally.

This page provides specific information about the AFS infrastructure within PPE. For a general introduction to AFS and information about how to use it, please refer to the OpenAFS User Guide.

 

Directory Layout

The local AFS cell (phas.gla.ac.uk, mounted as /afs/phas.gla.ac.uk) contains the following directories:

Line: 27 to 36
 

External Kerberos Access (Linux / Mac OS X)

Changed:
<
<
You can configure Kerberos on a Linux or Mac OS X machine to enable passwordless log-in to remote machines once a Kerberos ticket has been created. To do this, open /etc/krb5.conf (/Library/Preferences/edu.mit.Kerberos under OS X) in a text editor, and add the following to the realms section:
>
>
You can configure Kerberos on a Linux or Mac OS X machine to enable password-less log-in to remote machines once a Kerberos ticket has been created. To do this, open /etc/krb5.conf (/Library/Preferences/edu.mit.Kerberos under OS X) in a text editor, and add the following to the realms section:
 
PHAS.GLA.AC.UK = {

Line: 119 to 128
 
fs setacl <PATHNAME> <USERNAME> <PERMISSIONS> Add an entry to the current directory's ACL.
Changed:
<
<

AFS ACLs (Protecting Data)

AFS file systems use directory based ACLs to determine the access permissions for a given file. The following is taken from the afs documentation (http://docs.openafs.org/AdminGuide/ch15s02.html):

  • The permissions on a directory's ACL apply to all of the files in the directory. When you move a file to a different directory, you effectively change the access permissions that apply to it to those on its new directory's ACL. Changing a directory's ACL changes the protection on all the files in it.
  • When you create a subdirectory, its initial ACL is created as a copy of its parent directory's ACL. You can then change the subdirectory's ACL independently. However, the parent directory's ACL continues to control access to the subdirectory in the following way: the parent directory's ACL must grant the l (lookup) permission to a user (or a group the user belongs to) in order for the user to access the subdirectory at all.

By default the following directories are created in a user's afs home area:

  • private - access only for the user and the system administrator, this is also the default for any new directories.
  • public - public (world wide) access for anyone.
  • public_html - public (world wide) access for anyone, user web pages belong here.
  • public_ppe - readable to the ppe group only.

To see the acl list on a directory use the command fs listacl dir .

To allow a user or group user read access to a directory dir :

fs setacl dir user read

To give write permissions:

fs setacl dir user write

And to remove all permissions for a user or group:

fs setacl dir user none

>
>

AFS Access Control Lists (ACLs)

 
Changed:
<
<
System administrator access is required to all directories to allow backups to be taken.
>
>
AFS uses directory-based ACLs to determine the permissions for the files contained within. Changing the permissions on a directory changes the permissions for all the files it contains, while moving a file from one directory to another may change its permissions. Subdirectories inherit the permissions on their parent directory when created, but may be configured independently thereafter. A detailed description of these permissions can be found in the OpenAFS User Guide.
 
Changed:
<
<
There is a limit of around 20 entries that can be added to an acl list. The exact number depends on the size (in characters) of each acl entry. To get around this user created groups can be used and then the group can be added to the acl list. The cern web page http://information-technology.web.cern.ch/services/fe/afs/howto/work-afs-groups has instructions on how to create groups and add people to them.
>
>
PPE home areas contain the following directories by default:
 
Changed:
<
<

Recursive setting of ACLs

A helper script to recursively set an ACL is available on all the scientific linux desktop machines. Usage is similar to the standard fs setacl command:

fs-recursive-setacl dir user acl

Accessing the CERN afs cell (/afs/cern.ch)

Getting a kerberos ticket for another kerberos realm using kinit will overwrite the existing kerberos tickets file destroying any local Glasgow ticket. To get around this tickets for different kerberos realms have to be written to different files. A couple of helper scripts have been written to made this straight forward: kinit-cern, klist-cern, kdestroy-cern, ssh-cern, kinit-fnal, klist-fnal, kdestroy-fnal, ssh-fnal.

They are used in the same way as the standard kinit, klist and kdestroy. For example:

$ kinit-cern <lxplus user name>@CERN.CH

and after doing the kinit:

$ ssh-cern <lxplus user name>@lxplus.cern.ch
>
>
Directory Description
private Access for the user and system administrators.
public Global access.
public_html Location for personal web pages.
public PPE access.
 
Deleted:
<
<

rsyncing files to afs

 
Changed:
<
<
rsync will copy files to an afs file system in the same way as any other file system. However if directories in the source file system have the stick bit set rsync will complain that it 'failed to set permissions'. A directory with the sticky bit set will have a 's' in the permissions bit field eg:
>
>

Accessing the CERN AFS cell

 
Changed:
<
<
drwxrwsr-x  4 ppemgr ppemgr   45 Jan 14  2009 sl44
>
>
Access to the CERN AFS cell (cern.ch, mounted as /afs/cern.ch) requires you to obtain a ticket for a different Kerberos realm. When obtaining this ticket, it is important that it be written to a different file from default, otherwise it will overwrite your PPE ticket and prevent access to your local files. To simplify this, a number of helper scripts have been provided: kinit-cern, klist-cern, kdestroy-cern, ssh-cern, kinit-fnal, klist-fnal, kdestroy-fnal, and ssh-fnal. These commands work similarly to the standard kinit, klist, kdestroy and ssh commands.
 
Deleted:
<
<
These errors can be safely ignored but they may obscure other errors when rsyncing. To remove stick bits before rsyncing use chmod:
 
Changed:
<
<
chmod a-s _dir_
>
>

Using rsync with AFS

 
Changed:
<
<
replacing _dir_ as required. To recursively remove sticky bits use the -R option.
>
>
rsync will raise a permissions error when attempting to copy files which have the sticky bit set. Such errors can be safely ignored.
 
Deleted:
<
<

Automatic Token Renewal

 
Changed:
<
<
To automatically renew an AFS token for up to 30 days after logging in requires either a small addition the shell login script for ssh logins or for desktop logins a small script to be auto run. Each login change is independent of the others and all can be safely used at the same time.
>
>

Automatic token renewal

 
Changed:
<
<

ssh login

>
>
AFS tokens can be automatically renewed for up to 30 days after log-in. This requires that a small script be configured to run automatically.
 
Changed:
<
<
For bash shell users add the following to the top of .bash_profile:
>
>
Users of the Bash shell should add the following to the start of their .bash_profile:
 
Changed:
<
<
>
>

 if [ -e /bin/ps ] && [ -e /bin/grep ] then kproc=`/bin/ps x -u ${USER} | /bin/grep krenew | /bin/grep ${KRB5CCNAME}`
Line: 211 to 166
  /usr/bin/krenew -K 60 -t -k ${KRB5CCNAME} & fi fi
Changed:
<
<

For csh/tcsh users the untested equivalent is to add the following to the top of .cshrc or .tcshrc:

if ( -e /bin/ps && -e /bin/grep ) then
    setenv kproc `/bin/ps x -u ${USER} | /bin/grep krenew | /bin/grep ${KRB5CCNAME}`
    if ( "${kproc}" == "" && -e /usr/bin/krenew ) then
        /usr/bin/krenew -K 60 -t -k ${KRB5CCNAME} &
    endif
endif

META FILEATTACHMENT attachment="krb5.conf" attr="" comment="" date="1357214218" name="krb5.conf" path="krb5.conf" size="1656" stream="krb5.conf" tmpFilename="/usr/tmp/CGItemp13840" user="AndrewPickford" version="2"
>
>
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2021 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback