Migration to AFS environment:


Created on: 21-Sep-2000
Last update: 15-Jan-2001



What is AFS?
AFS (Andrew File System) is a distributed file system that allows files to be shared across the network. AFS is similar to NFS but has better authentication, access control lists and a cache system that avoids transferring from the servers files that are already present on the client.
Some AFS advantages:

Structure of the AFS tree
On a Unix client the AFS filespace is found under the path /afs. The /afs directory contains the names of the AFS cells known to the system, like cern.ch, lnf.infn.it, transarc.com, etc.
Please NEVER issue the command 'ls -lsa' (or similar) in /afs, because the system must contact every cell and this operation takes a very long time. To see the known cells use 'ls /afs'.

Using AFS

Authentication and AFS tokens
AFS identifies users using tokens. A token can be obtained at login time or with the klog command; it is also possible to pass tokens from one client to another using ssh (note that both the ssh client and the ssh server must have the AFS token passing facility enabled). You can hold only one token per cell, so you cannot have, for example, paperino@lnf.infn.it and pluto@lnf.infn.it tokens at the same time, but you can hold tokens for different cells (e.g. paperino@lnf.infn.it, pluto@cern.ch, userthree@kloe.infn.it).
NOTE: Tokens have a limited lifetime; you can check the status of your tokens with the command "tokens".

Access Control Lists
In AFS access to files is managed by ACLs. Only directories have an ACL; you cannot set an ACL for a specific file in a directory, so every file in a directory has the same ACL.
AFS defines the following access rights:

Note that a new directory created in AFS inherits the ACL of its parent directory, but if you later modify the parent directory's ACL no change is propagated to the child directory.
The access rights for a directory can be examined with the "fs listacl <directory>" command. To set an ACL use the "fs setacl <directory> <acl>" command, where <acl> is two space-separated parameters: the former is a userid or a protection group, the latter is one or more access rights.
	% fs listacl /afs/lnf.infn.it/user/u/userone/project2
	Access list for /afs/lnf.infn.it/user/u/userone/project2 is
	Normal rights:
	  lnf:backup rl
	  system:anyuser l
	  userone rlidwka
	  usertwo rl
To remove all permissions from usertwo:
	% fs setacl /afs/lnf.infn.it/user/u/userone/project2 usertwo none

Access Control Lists vs Unix Permissions
As described above, AFS uses ACLs to control file access.
The standard Unix mode bits for group and world are ignored. Instead, the owner set of bits is examined after a positive evaluation of the ACL and is used to give the final permission (read/write/execute) for the file involved.
For example, if you clear the r flag of a file (with chmod -r) and try to read it you will get a "Permission denied" error even if you have read permission in the ACL of the directory where the file is located.
There is no ACL permission directly corresponding to the x (execute) mode bit, but to execute a file stored in AFS the user must also have the r (read) and l (lookup) permissions in the ACL of the file's directory.
Note that some programs (like ssh, sendmail, etc.) check for specific standard Unix mode bit settings, so you need to set the required Unix permissions for those applications to run without errors.

Creating Protection Groups
With AFS every user can create up to 20 protection groups. A protection group is a collection of userids and/or groupids that can be used in ACLs to share directories with other AFS users. Examples: to create a protection group:

	% pts creategroup usertwo:mygroup
To add users:
	% pts adduser -user tizio caio sempronio -group usertwo:mygroup
To list membership:
	% pts membership usertwo:mygroup
To list owned groups:
	% pts listowned usertwo

Checking Volume Quotas
AFS filespace is made of volumes. Each volume is a certain amount of space allocated on a physical disk on some AFS server, mounted as a directory in the AFS file system. Every user has an associated volume with a fixed quota; to see the current space usage and the quota use the fs listquota command, for example:

	% fs listquota $HOME
For more information about a volume use the vos examine command:
	% vos examine user.usertwo

LNF AFS Cell environment

LNF AFS cell tree structure
The lnf.infn.it AFS cell has the following main directories under the /afs/lnf.infn.it path:

	asis        Software ASIS and CERN Library (mirror from cern.ch)
	backup      Users' snapshots
	group       Users' home directories by group
	project     Group and special purpose areas
	service     lnf.infn.it cell servers
	system      AFS software, management and documentation
	user        Users' home directories

Home directory structure
On user creation the home directory has 4 subdirectories:

  • private     (access is restricted to the user)
  • public      (world readable)
  • www         (readable by the central www servers)
  • .dotfiles   (readable by the central hosts)
The home directory gives the l (lookup) permission to any user. The public directory must be used only for data/software with no distribution restriction, because it can be read by every user on the Internet with an AFS client. Put your private data in the private directory. To share data with your workgroup, create a new directory under your home and set its ACL to give read and lookup permission to your workgroup. Every file in the www directory will be accessible by every browser on the Internet, so be aware of this.

The .dotfiles directory
The .dotfiles directory is a special purpose directory; its ACL gives read and lookup permission to the Central Computing Service hosts for special applications like the sendmail and ssh daemons.
Note that every user on those systems can read the files in the .dotfiles directory.

Migration related info

The .cshrc and .login files
The migration script replaces the user's .cshrc and .login files with newer ones. The old files are saved as .cshrc.preafs.<TIMESTAMP> and .login.preafs.<TIMESTAMP>. The user can check what she/he needs from the old .cshrc and .login files and copy it into the new ones. If .cshrc and .login are modified, some Unix environment settings may fail.

The www directory
During migration, if a public_html directory is present it will be renamed www. If the user already has a file or a directory named www, it will be renamed www.preafs.<TIMESTAMP>.

Who is affected by the migration?
Every Computing Service Unix user. When? See the schedule here!
VMS users are not affected.
kloe.infn.it AFS cell users are not affected.
infn.it AFS cell users using the LNF infn.it server are not affected in this phase. Note: the default AFS cell for Computing Service systems is lnf.infn.it, so if you need to access the infn.it cell you must use "klog username@cellname" or equivalent syntax.

Backup and Restore

Snapshot volumes
Every night snapshots of the users' volumes are created. The backup (snapshot) volume is a read-only volume, so you can read files from it but you cannot write anything to it.

Recover a file from snapshot
The snapshot volume lets the user recover online files deleted or modified accidentally after the last night, as they were at the time of the last snapshot. For example, we want to recover a file called main.c (located in private), created 2 days ago and deleted accidentally this morning:

	% cp $BACKUPVOL/private/main.c $HOME/private
where $BACKUPVOL is an environment variable containing the mount point of the user's backup volume.

The lnf:backup ACL entry
Every directory of the user's file space has a special ACL entry, lnf:backup, with read and lookup permissions. This is needed to permit the backup server to back up the user's files. If this entry is removed no backup will be possible, unless a system:anyuser or system:authuser entry exists with read and lookup permissions.
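The following script is an added example (not part of the original page or of the AFS distribution) that ties the "fs listacl" output format shown in the Access Control Lists section to the backup rule above: it reads one or more captured listings and reports directories the backup server could not read (no lnf:backup, system:anyuser or system:authuser entry carrying both r and l) and directories where system:anyuser or system:authuser hold more than lookup. The function name audit_acl and the sample listings are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of "fs listacl" output for two directories (not real data)
SAMPLE_LISTACL='Access list for /afs/lnf.infn.it/user/u/userone/public is
Normal rights:
  lnf:backup rl
  system:anyuser rl
  userone rlidwka
Access list for /afs/lnf.infn.it/user/u/userone/project2 is
Normal rights:
  system:anyuser l
  userone rlidwka
  usertwo rlw
Negative rights:
  lnf:backup rl'

# audit_acl (hypothetical helper): read "fs listacl" listings on stdin, print
# one finding per line and return 1 if any WARN was produced.
audit_acl() {
  awk '
    function flush(    who, ok) {
      if (dir == "") return
      ok = 0
      for (who in rights) {
        # the backup server (or anyone) can read a directory only with r AND l
        if (who ~ /^(lnf:backup|system:anyuser|system:authuser)$/ &&
            rights[who] ~ /r/ && rights[who] ~ /l/) ok = 1
        if (who ~ /^system:(anyuser|authuser)$/) {
          if (rights[who] ~ /[widka]/) {
            printf "WARN %s: %s may modify (%s)\n", dir, who, rights[who]; found++
          } else if (rights[who] ~ /r/)
            printf "NOTE %s: readable by %s\n", dir, who
        }
      }
      if (!ok) { printf "WARN %s: nightly backup impossible (no rl entry)\n", dir; found++ }
      for (who in rights) delete rights[who]
    }
    /^Access list for / { flush(); dir = $4; section = ""; next }
    /^Normal rights:/   { section = "normal";   next }
    /^Negative rights:/ { section = "negative"; next }   # negative entries grant nothing
    section == "normal" && NF == 2 { rights[$1] = $2 }
    END { flush(); exit (found > 0) }
  '
}

# On a live cell you would feed real listings, for example:
#   fs listacl "$HOME" "$HOME/private" "$HOME/www" | audit_acl
```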

Files without backup
Some types of files are excluded from backup. Currently, files named core and files under the directory .netscape/cache are excluded from backup.


Using a .forward file
To permit sendmail to read your .forward file it is necessary to put it in the .dotfiles directory and create a link named .forward in the home directory pointing to the new file. Example:
	% cd
	% mv .forward .dotfiles/forward
	% ln -s .dotfiles/forward .forward

Using the ssh authorized_keys file
In order to use ssh RSA remote authentication, the ssh daemon needs to read the user file $HOME/.ssh/authorized_keys without any AFS token; to do that follow this example:

	% cd
	% mkdir .dotfiles/ssh
	% mv .ssh/authorized_keys .dotfiles/ssh
	% ln -s ../.dotfiles/ssh/authorized_keys .ssh/authorized_keys
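The two relocations above (.forward and .ssh/authorized_keys) follow the same pattern, so here is an added example (not part of the original page) of a small helper that performs it with the checks a migration would want: it refuses to clobber a file already kept in .dotfiles, is a no-op when the link already exists, and computes the relative link target from the depth of the original path. The helper name dotfiles_relocate is an assumption of this example.

```shell
#!/bin/sh
# dotfiles_relocate (hypothetical helper): move a file that a daemon must read
# without an AFS token into $HOME/.dotfiles and leave a relative symlink at the
# original path.  Generalises the .forward and .ssh/authorized_keys steps above:
#   dotfiles_relocate .forward forward
#   dotfiles_relocate .ssh/authorized_keys ssh/authorized_keys
# Remember: anything in .dotfiles is readable by every user of the central hosts.
dotfiles_relocate() {
  src="$HOME/$1"
  dst="$HOME/.dotfiles/$2"

  # Already relocated: the original path is a symlink, nothing to do.
  if [ -L "$src" ]; then
    echo "skip: $src is already a symlink" >&2
    return 0
  fi
  [ -f "$src" ] || { echo "error: $src is not a regular file" >&2; return 1; }
  # Never overwrite something already kept in .dotfiles.
  [ ! -e "$dst" ] || { echo "error: $dst already exists" >&2; return 1; }

  # Build the "../" prefix: one level per directory component of the original
  # path, so .forward -> .dotfiles/forward and .ssh/authorized_keys -> ../.dotfiles/...
  up=""; rest="$1"
  while [ "${rest%/*}" != "$rest" ]; do
    up="../$up"
    rest="${rest#*/}"
  done

  mkdir -p "$(dirname "$dst")" || return 1
  mv "$src" "$dst" || return 1
  ln -s "${up}.dotfiles/$2" "$src"
}
```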

Passing tokens
Using ssh it is possible to pass AFS tokens from one client to another, so it is not necessary to run klog to get tokens. To do that, both the ssh client and the ssh server must have the AFS token passing feature present and enabled. On the Unix Central Computing Service systems this feature is present; for other Unix systems please ask the system administrator of the machine. When ssh is started in debug mode (-v flag) the output must contain a line like this:

 debug: Remote: AFS token accepted (afs@lnf.infn.it, AFS ID 5201@lnf.infn.it)
otherwise the ssh client and/or server do not have the AFS token passing feature.

Use of @sys
@sys is a special name, valid under the AFS file system, that can be used to have the same links on machines of different system types and still have each machine access the files appropriate to its system type. The value of @sys can be checked by issuing the "fs sysname" command. An example of using @sys is the following:

	% mkdir rs_aix43 alpha_dux40
	... put in rs_aix43 and alpha_dux40 some architecture-dependent
	    executable code ...
	% ln -s @sys mybin
Now, when commands in mybin are referenced, the AFS cache manager translates the @sys symbol, giving access to the correct file for the specific architecture.

Reporting troubles on using AFS

Please report troubles using AFS via email to the following address: AFSUsers.Support@lnf.infn.it


Sandro Angius/ mail to: Sandro.Angius@lnf.infn.it
