Contents
- 1 Introduction
- 2 Preparation
- 3 Installing OpenAFS software
- 4 Installing OpenAFS documentation
- 5 Configuring OpenAFS
- 6 Starting AFS
- 7 Install Kerberos5 client
- 8 Configure Kerberos client
- 9 Check Kerberos and AFS authentication
- 10 Access Internet AFS filespace
- 11 Decision: automatic start of OpenAFS or not?
- 12 Change history
Introduction
This document describes how to install and configure the OpenAFS client on Mageia Linux.
AFS is a distributed filesystem originally developed at Carnegie-Mellon University in Pittsburgh, Pennsylvania, USA.
The public CellServDB, a list of AFS sites reachable over the public Internet, is available via this link: http://www.central.org/csdb.html
For more details about OpenAFS, please see http://openafs.org
Preparation
Install kernel-devel rpm
OpenAFS uses kernel modules, therefore we need to have the matching "kernel-devel" rpm installed.
When new versions of the kernel are made available via system updates, the OpenAFS kernel modules will automatically be built using DKMS (Dynamic Kernel Module Support).
Check what kernel you have with the following command:
$ uname -r
3.8.11-desktop-1.mga3
So, we have a "desktop" kernel. You might also see "server". We open a root shell and set a shell variable for the kernel type:
# Define shell variable "kernel_type"
# (copy & paste, run as root):
kernel_type=$(uname -r | awk -F- '{print$2}')
# (end copy & paste)
Now, check that we have kernel-desktop-latest installed (NB if it is "server" then we would check for kernel-server-latest):
# rpm -qa | grep "^kernel-${kernel_type}-latest"
kernel-desktop-latest-3.8.11-1.mga3
We do have kernel-desktop-latest installed. That is good. If you don't see that installed, you can install it:
# Install kernel "latest" meta rpm
# (copy & paste, run as root)
/usr/sbin/urpmi kernel-${kernel_type}-latest
# (end copy & paste)
Next, we need to check we have the matching devel kernel rpm installed:
# rpm -qa | grep "^kernel-${kernel_type}-devel-latest"
kernel-desktop-devel-latest-3.8.11-1.mga3
We see kernel-desktop-devel-latest and that is good. If kernel-desktop-devel-latest was not installed, we need to install it with:
# Install kernel "devel" latest meta rpm
# (copy & paste, run as root)
/usr/sbin/urpmi kernel-${kernel_type}-devel-latest
# (end copy & paste)
Configure the firewall to allow 7001/udp inbound
AFS fileservers need to be able to communicate with AFS client machines on UDP port 7001 in order for callbacks to work.
AFS callback is the mechanism that ensures consistency of file contents for multiple clients. Basically, if a file is changed by one client, the AFS fileserver issues a callback to other clients accessing that file.
The AFS Cache Manager on those other clients then does a re-read of the file from the server on the next file read access. This ensures all clients maintain a consistent view of a particular file.
Normally, Mageia runs the shorewall firewall, which blocks all inbound connections unless you specify otherwise.
Configure shorewall to allow 7001/UDP inbound connections:
# Use the drakfirewall command to manage shorewall configuration
# (copy & paste, run as root)
/sbin/drakfirewall
# (end copy & paste)
[Screenshot: Starting drakfirewall via Mageia Control Center]
[Screenshot: Allowing inbound port 7001 UDP for AFS callback]
[Screenshot: Configure connection monitoring]
[Screenshot: Complete the changes to firewall]
Installing OpenAFS software
Now we can start installing OpenAFS rpms.
This takes a few minutes, as it runs DKMS to build the needed OpenAFS kernel modules. The command is:
# Install OpenAFS client software
# (copy & paste, run as root)
/usr/sbin/urpmi dkms-libafs openafs openafs-client
# (end copy & paste)
Example:
# /usr/sbin/urpmi dkms-libafs openafs openafs-client # Install OpenAFS client software
    rsync://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/cauldron/x86_64/media/core/release/openafs-client-1.6.2.1-1.mga3.x86_64.rpm
    rsync://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/cauldron/x86_64/media/core/release/dkms-libafs-1.6.2.1-1.mga3.noarch.rpm
    rsync://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/cauldron/x86_64/media/core/release/openafs-1.6.2.1-1.mga3.x86_64.rpm
installing openafs-client-1.6.2.1-1.mga3.x86_64.rpm dkms-libafs-1.6.2.1-1.mga3.noarch.rpm openafs-1.6.2.1-1.mga3.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     #################################################################################################################################
      1/3: dkms-libafs           #################################################################################################################################

Creating symlink /var/lib/dkms/libafs/1.6.2.1-1.mga3/source -> /usr/src/libafs-1.6.2.1-1.mga3

DKMS: add Completed.

Preparing kernel 3.8.11-desktop-1.mga3 for module build:
(This is not compiling a kernel, just preparing kernel symbols)
Storing current .config to be restored when complete
Running Generic preparation routine
make mrproper....... using /proc/config.gz
make oldconfig....
make prepare....

Building module:
cleaning build area....(bad exit status: 2)
SMP=SP; eval `grep CONFIG_SMP /boot/config-3.8.11-desktop-1.mga3`; [ -n "$CONFIG_SMP" ] && SMP=MP; ./configure --with-linux-kernel-headers=/lib/modules/3.8.11-desktop-1.mga3/build; make MPS=$SMP; mv src/libafs/MODLOAD-*/libafs.ko..................................................................
cleaning build area....
cleaning kernel tree (make mrproper).....

DKMS: build Completed.

libafs.ko.xz:
 - Installation
   - Installing to /lib/modules/3.8.11-desktop-1.mga3/dkms/3rdparty/libafs//
depmod.....

DKMS: install Completed.
      2/3: openafs               #################################################################################################################################
      3/3: openafs-client        #################################################################################################################################
Installing OpenAFS documentation
This will provide "man" pages for both user and administrator commands and configuration files.
# Install OpenAFS documentation
# (copy & paste, run as root)
/usr/sbin/urpmi openafs-doc
# (end copy & paste)
Example:
# /usr/sbin/urpmi openafs-doc
    ftp.belnet.be::mageia/distrib/3/i586/media/core/release/openafs-doc-1.6.2.1-1.mga3.noarch.rpm
installing openafs-doc-1.6.2.1-1.mga3.noarch.rpm from /var/cache/urpmi/rpms
Preparing...                     ####################################################################################################################
      1/1: openafs-doc           ####################################################################################################################
Configuring OpenAFS
Defining time synchronization method
It is possible to let the AFS Cache Manager synchronize the system time. However, it is more common to let NTP do this task.
The AFS configuration file /etc/sysconfig/openafs is where this is defined.
Setting -nosettime as one of the parameters for afsd stops afsd from doing time synchronization, leaving that task to NTP.
Note that as of Mageia 5, chronyd is used in place of ntpd. Check if we already have the "chronyd" NTP service running:
[root@localhost ~]# systemctl status chronyd.service
● chronyd.service - NTP client/server
   Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled)
   Active: active (running) since Mon 2015-11-02 14:48:11 GMT; 36min ago
 Main PID: 646 (chronyd)
   CGroup: /system.slice/chronyd.service
           └─646 /usr/sbin/chronyd -u chrony

Nov 02 14:48:11 localhost chronyd[646]: chronyd version 1.31.1 starting
Nov 02 14:48:11 localhost chronyd[646]: Frequency 3.838 +/- 12.600 ppm read from /var/lib/chrony/drift
Nov 02 14:48:45 localhost chronyd[646]: Selected source 5.9.110.236
Nov 02 14:52:00 localhost chronyd[646]: Selected source 95.81.173.74
Nov 02 14:53:19 localhost chronyd[646]: Forward time jump detected!
Nov 02 14:53:19 localhost chronyd[646]: Can't synchronise: no reachable sources
Nov 02 14:55:29 localhost chronyd[646]: Selected source 95.81.173.74
If you don't see that chronyd is enabled and running (as above), you may need (as root) to install and start the chronyd NTP daemon:
# Install and start NTP
# (copy & paste, run as root)
/usr/sbin/urpmi chrony
systemctl start chronyd.service
# (end copy & paste)
Configure your CellServDB file
The CellServDB file defines a list of AFS cells and their AFS database servers. On OpenAFS client machines it is found here: /etc/openafs/CellServDB.
Internet example
There is a public Internet AFS filetree. Please be aware that for AFS callback to be functional, AFS fileservers must be able to connect to AFS clients on UDP port 7001. So, it is unlikely that callback will be functional for external AFS cells when the AFS clients sit on a typical organization intranet, because Internet gateways do not normally allow 7001/udp inbound from the Internet.
If you use the Internet public list of cells and their servers, http://dl.central.org/dl/cellservdb/CellServDB, you may want to get an up-to-date copy:
# Obtain the current CellServDB for public Internet AFS cells
# (copy & paste, run as root)
cd /etc/openafs/
mv CellServDB CellServDB-
wget http://dl.central.org/dl/cellservdb/CellServDB
# (end copy & paste)
NB, some organizations have their own private CellServDB.
If this applies to you, you will have to find the correct CellServDB for your organization.
Define your AFS cell membership
Internet example
For example:
# Define AFS cell membership
# (copy & paste, run as root)
echo grand.central.org > /etc/openafs/ThisCell
# (end copy & paste)
NB, some organisations have their own private AFS cells.
If this applies to you, you will have to find the correct cellname for your organisation.
Note also that in the case of a private cell there must also be an entry for your organization's private AFS cell in the CellServDB file.
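The two checks above (ThisCell must name a cell, and that cell must have an entry with database servers in CellServDB) can be automated. This is an added example, not code from the page or from OpenAFS; the CellServDB text it parses is a constructed sample built from the public grand.central.org entries quoted later on this page.

```python
"""Parse a CellServDB file and check that ThisCell names a cell it lists.

Added example, not part of the page or of OpenAFS. The sample text below
is constructed from the public grand.central.org entries quoted on this
page and is only illustrative input for the parser.
"""
import ipaddress

# CellServDB format: ">cell #description" starts a cell; each following
# "ip #hostname" line is one of that cell's database servers.
SAMPLE_CELLSERVDB = """\
>grand.central.org      #GCO Public CellServDB 28 Jan 2013
18.9.48.14              #grand.mit.edu
128.2.203.61            #penn.central.org
>cern.ch                #European Laboratory for Particle Physics, Geneva
137.138.128.148         #afsdb1.cern.ch
137.138.246.50          #afsdb3.cern.ch
137.138.246.51          #afsdb2.cern.ch
"""


def parse_cellservdb(text):
    """Return {cell: [(ip, hostname), ...]}; raise ValueError on a server
    line before any ">cell" header or on a non-address server field, since
    a malformed file silently leaves the client unable to find its servers."""
    cells, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        body = body.strip()
        if not body:
            continue  # blank or comment-only line
        if body.startswith(">"):
            current = body[1:].strip().lower()
            cells.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line {lineno}: server before any >cell header")
        try:
            ip = str(ipaddress.ip_address(body))
        except ValueError:
            raise ValueError(f"line {lineno}: not an IP address: {body!r}")
        cells[current].append((ip, comment.strip()))
    return cells


def check_thiscell(thiscell, cells):
    """Return (ok, message) for the cell name read from /etc/openafs/ThisCell."""
    name = thiscell.strip().lower()
    servers = cells.get(name)
    if servers is None:
        return False, f"cell {name!r} has no entry in CellServDB"
    if not servers:
        return False, f"cell {name!r} lists no database servers"
    return True, f"cell {name!r} has {len(servers)} database server(s)"


if __name__ == "__main__":
    db = parse_cellservdb(SAMPLE_CELLSERVDB)
    print(check_thiscell("grand.central.org\n", db))  # (True, ...)
    print(check_thiscell("example.private", db))      # (False, ...)
```

On a real client, read the two inputs with open("/etc/openafs/CellServDB").read() and open("/etc/openafs/ThisCell").read() instead of the sample.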
Create the AFS mountpoint: /afs/
If it does not already exist, create the AFS mountpoint:
# Create the AFS mountpoint
# (copy & paste, run as root)
if [ ! -d /afs/ ]; then mkdir /afs/; else echo "/afs/ already exists"; fi
# (end copy & paste)
Check correct cache size is defined
Skip this step if you do not wish to define a separate local filesystem for your AFS disk cache.
It is recommended to have a separate local filesystem for your AFS disk cache because this reserves free space exclusively for the OpenAFS cache manager and ensures more reliable operation.
This disk cache is best defined as an ext2 filesystem (but ext3 will also work).
Choose a cache size to suit your work. I typically use a 128 MB cache but you can define a larger one.
If you are using a separate local filesystem for your AFS disk cache, then you need to calculate the free disk space available for OpenAFS to use.
This is typically 84% of the *unused* space of the local filesystem when you first created it.
For example:
Create a local ext2 partition and mount it at /var/cache/openafs/. On Mageia, you will find the "diskdrake" tool is very useful for this.
Use the "df" command to see how much free space is available:
$ df /var/cache/openafs
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda7       122M  4.5M  111M   4% /var/cache/openafs
Look for the "Avail" size, in this case 111M, and calculate 84% of this expressed in kilobytes.
For example:
$ bc <<< "k=1024; m=k*k; x=111*m/k; s=0.84*x; s"
95477.76
This gives us a (rounded) figure of 95478 kilobytes for the usable space in the local disk cache.
Update /etc/sysconfig/openafs and define:
CACHESIZE=95478
Create the cacheinfo file
Now we can create the cacheinfo file:
# Create the cacheinfo file
# (copy & paste, run as root)
echo "/afs:/var/cache/openafs:95478" > /etc/openafs/cacheinfo
# (end copy & paste)
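The cache sizing steps above (read "Avail" from df, take 84% in kilobytes, write mountpoint:cachedir:size to cacheinfo) as an added example that is not code from the page or from OpenAFS. It also checks an existing cacheinfo line against the limit; the df output it reads is a constructed sample copied from the figures above.

```python
"""Size the OpenAFS disk cache from df output and build the cacheinfo line.

Added example, not part of the page or of OpenAFS. It applies the page's
rule (84% of the cache partition's "Avail" space, in kilobytes) and can
check an existing cacheinfo line against that limit. The df output is
constructed sample input copied from the figures on this page.
"""

SAMPLE_DF = """\
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda7       122M  4.5M  111M   4% /var/cache/openafs
"""

_UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def to_bytes(size):
    """Convert a df -h style size such as '111M' or '4.5M' to bytes."""
    size = size.strip().upper()
    if size[-1] in _UNITS:
        return int(float(size[:-1]) * _UNITS[size[-1]])
    return int(size)  # plain byte count


def avail_bytes(df_output, mountpoint):
    """Return the Avail column (bytes) for the filesystem at mountpoint."""
    for line in df_output.splitlines()[1:]:  # skip the header
        fields = line.split()
        if fields and fields[-1] == mountpoint:
            return to_bytes(fields[3])
    raise ValueError(f"{mountpoint} not found in df output")


def cache_size_kb(avail, fraction=0.84):
    """Usable cache size: 84% of the available space, rounded to whole KB."""
    return round(avail * fraction / 1024)


def cacheinfo_line(cache_dir, size_kb, mountpoint="/afs"):
    """Format for /etc/openafs/cacheinfo: mountpoint:cachedir:sizeKB."""
    return f"{mountpoint}:{cache_dir}:{size_kb}"


def check_cacheinfo(line, avail):
    """Return (ok, message); ok is False when the size exceeds the limit.
    A cache larger than the space really available lets the Cache Manager
    fill the partition and fail in confusing ways later."""
    _mountpoint, cache_dir, size = line.strip().split(":")
    limit = cache_size_kb(avail)
    return int(size) <= limit, f"{cache_dir}: {size} KB, limit {limit} KB"


if __name__ == "__main__":
    avail = avail_bytes(SAMPLE_DF, "/var/cache/openafs")
    size = cache_size_kb(avail)  # 95478 for 111M available
    print(cacheinfo_line("/var/cache/openafs", size))
    print(check_cacheinfo("/afs:/var/cache/openafs:200000", avail))
```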
Configure Cache Manager (afsd)
For an explanation of the parameters for the OpenAFS Cache Manager (afsd) please see the man page for afsd:
man afsd
We need to add "-nosettime" to the default afsd parameters. The original AFSD_ARGS line is commented out (a copy of the file is kept in /tmp/) and a replacement line is appended:
# Configure OpenAFS Cache Manager (afsd)
# (copy & paste, run as root)
f=/etc/sysconfig/openafs
cp -p "${f}" /tmp/                              # keep a copy of the original
sed -i -e 's/^AFSD_ARGS=/#AFSD_ARGS=/' "${f}"   # comment out the default line
echo 'AFSD_ARGS="-dynroot -fakestat -afsdb -stat 2000 -dcache 800 -daemons 3 -volumes 70 -nosettime"' >> "${f}"
# (end copy & paste)
Starting AFS
Load AFS kernel module
# Load AFS kernel module
# (copy & paste, run as root)
modprobe libafs && echo AFS kernel module loaded || echo Failed to load libafs
# (end copy & paste)
Start the AFS Cache Manager
# Start AFS client Cache Manager
# (copy & paste, run as root)
systemctl start openafs-client.service   # start OpenAFS Cache Manager - afsd
systemctl status openafs-client.service  # display status of the Cache Manager
# (end copy & paste)
Example:
[root@localhost openafs]# # Start AFS client Cache Manager
[root@localhost openafs]# # (copy & paste, run as root)
[root@localhost openafs]#
[root@localhost openafs]# systemctl start openafs-client.service # start OpenAFS Cache Manager - afsd
[root@localhost openafs]#
[root@localhost openafs]# systemctl status openafs-client.service # display status of the Cache Manager
● openafs-client.service - OpenAFS Client Service
   Loaded: loaded (/usr/lib/systemd/system/openafs-client.service; enabled)
   Active: active (running) since Mon 2015-11-02 17:43:49 GMT; 63ms ago
  Process: 54900 ExecStart=/sbin/afsd $AFSD_ARGS (code=exited, status=0/SUCCESS)
  Process: 54895 ExecStartPre=/sbin/modprobe libafs (code=exited, status=0/SUCCESS)
  Process: 54893 ExecStartPre=/bin/chmod 0644 /etc/openafs/CellServDB (code=exited, status=0/SUCCESS)
  Process: 54890 ExecStartPre=/bin/sed -n w/etc/openafs/CellServDB /etc/openafs/CellServDB.local /etc/openafs/CellServDB.dist (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/openafs-client.service
           └─54906 /sbin/afsd -dynroot -fakestat -afsdb -stat 2000 -dcache 800 -daemons 3 -volumes 70 -nosettime

Nov 02 17:43:49 localhost afsd[54900]: afsd: All AFS daemons started.
Nov 02 17:43:49 localhost afsd[54900]: afsd: All AFS daemons started.
[root@localhost openafs]#
[root@localhost openafs]# # (end copy & paste)
Check AFS is mounted
# df /afs/
Filesystem      Size  Used Avail Use% Mounted on
AFS             8.6G     0  8.6G   0% /afs
Install Kerberos5 client
# Install Kerberos 5 client
# (copy & paste, run as root)
/usr/sbin/urpmi krb5-workstation
# (end copy & paste)
Example:
# /usr/sbin/urpmi krb5-workstation
    www.mirrorservice.org::mageia.org/pub/mageia/distrib/3/i586/media/core/release/krb5-workstation-1.11.1-1.mga3.i586.rpm
installing krb5-workstation-1.11.1-1.mga3.i586.rpm from /var/cache/urpmi/rpms
Preparing...                     #################################################################################################################
      1/1: krb5-workstation      #################################################################################################################
Configure Kerberos client
Edit /etc/krb5.conf and define the settings for your Kerberos realm.
Check Kerberos and AFS authentication
Authenticate in your Kerberos realm:
$ kinit
Password for mpb@HOME:
Display the Kerberos ticket summary:
$ klist
Ticket cache: DIR::/run/user/10001/krb5cc_4cbaef078fdb89b1b351b706519f267d/tktFBvEaA
Default principal: mpb@HOME

Valid starting     Expires            Service principal
24/05/13 22:48:52  25/05/13 08:48:52  krbtgt/HOME@HOME
	renew until 31/05/13 22:48:52
Obtain tokens for authentication to AFS:
$ aklog
List AFS tokens:
$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 1001) tokens for afs@home [Expires May 25 08:48]
   --End of list--
Access Internet AFS filespace
First, let's check we can read the public list of AFS cells on the Internet at the grand.central.org site:
$ wc -l /afs/grand.central.org/service/CellServDB  # count lines in CellServDB file
665 /afs/grand.central.org/service/CellServDB
First 30 lines of the grand.central.org CellServDB file:
$ nl /afs/grand.central.org/service/CellServDB | head -30
     1	>grand.central.org      #GCO Public CellServDB 28 Jan 2013
     2	18.9.48.14              #grand.mit.edu
     3	128.2.203.61            #penn.central.org
     4	>wu-wien.ac.at          #University of Economics, Vienna, Austria
     5	137.208.3.33            #goya.wu-wien.ac.at
     6	137.208.7.57            #caravaggio.wu-wien.ac.at
     7	137.208.8.14            #vermeer.wu-wien.ac.at
     8	>hephy.at               #hephy-vienna
     9	193.170.243.10          #mowgli.oeaw.ac.at
    10	193.170.243.12          #baloo.oeaw.ac.at
    11	193.170.243.14          #akela.oeaw.ac.at
    12	>cgv.tugraz.at          #CGV cell
    13	129.27.218.30           #phobos.cgv.tugraz.at
    14	129.27.218.31           #deimos.cgv.tugraz.at
    15	129.27.218.32           #trinculo.cgv.tugraz.at
    16	>itp.tugraz.at          #Institute of Theoretical and Computational Physics, TU Graz, Aus
    17	129.27.161.7            #faepafs1.tu-graz.ac.at
    18	129.27.161.15           #faepafs2.tu-graz.ac.at
    19	129.27.161.114          #faepafs3.tu-graz.ac.at
    20	>sums.math.mcgill.ca    #Society of Undergraduate Mathematics Students of McGill Universi
    21	132.216.24.122          #germain.sums.math.mcgill.ca
    22	132.216.24.125          #turing.sums.math.mcgill.ca
    23	>ualberta.ca            #University of Alberta
    24	129.128.1.131           #file13.ucs.ualberta.ca
    25	129.128.98.17           #mystery.ucs.ualberta.ca
    26	129.128.125.40          #drake.ucs.ualberta.ca
    27	>cern.ch                #European Laboratory for Particle Physics, Geneva
    28	137.138.128.148         #afsdb1.cern.ch
    29	137.138.246.50          #afsdb3.cern.ch
    30	137.138.246.51          #afsdb2.cern.ch
The following example shows using the cd command to change directory to the remote grand.central.org AFS cell:
$ cd /afs/grand.central.org/
$ ls -l
total 18
drwxrwxrwx 3 root root 2048 Jun  2  2009 archive/
drwxrwxrwx 2 root root 2048 May  6  2006 cvs/
drwxrwxrwx 3 root root 2048 Mar 21  2003 doc/
drwxrwxrwx 7 root root 2048 May  7  2006 local/
drwxrwxrwx 2 root root 2048 May  7  2006 project/
drwxrwxrwx 5 root root 2048 Jan 30  2007 service/
drwxrwxrwx 2 root root 2048 Dec 31  2008 software/
drwxrwxrwx 2 root root 2048 Aug 24  2007 user/
drwxrwxrwx 2 root root 2048 Oct  5  2012 www/
In the output from "ls -l" (shown above) we see permissions drwxrwxrwx on the directories. Normally, seeing this might be a cause for concern on local (non-AFS) filespace.
However, AFS uses Access Control Lists (ACLs) to manage access permissions on directories. The following example uses the "fs" command to list the ACL for the directory "service":
$ fs listacl service
Access list for service is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
The ACL on the service directory has full access "rlidwka" for members of the AFS group: "system:administrators" and only "rl" (or Read and Lookup) access for "system:anyuser" (or any other user that is not authenticated).
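The rights letters explained above can be decoded and audited mechanically. This is an added example, not code from the page or from OpenAFS: it parses "fs listacl" output, expands the rlidwka letters, and flags any directory where system:anyuser (unauthenticated users) or system:authuser (all authenticated users) holds more than read and lookup. The listacl text is a constructed sample made of the page's "service" output plus one deliberately over-permissive directory.

```python
"""Decode an AFS directory ACL from "fs listacl" output and audit it.

Added example, not from the page or OpenAFS. It expands the rights letters
the page explains (rlidwka) and flags entries that give the "everyone"
groups more than read and lookup. The listacl text is constructed sample
input: the page's "service" example plus one over-permissive directory.
"""

RIGHTS = {"r": "read", "l": "lookup", "i": "insert", "d": "delete",
          "w": "write", "k": "lock", "a": "administer"}
# system:anyuser is the unauthenticated world, system:authuser every
# authenticated AFS user; anything beyond "rl" for them is a finding.
BROAD_GROUPS = {"system:anyuser", "system:authuser"}

SAMPLE_LISTACL = """\
Access list for service is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
Access list for project is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwk
"""


def parse_listacl(text):
    """Return {dir: {"normal": {user: rights}, "negative": {...}}}."""
    acls, current, section = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Access list for "):
            current = s[len("Access list for "):].rsplit(" is", 1)[0]
            acls[current] = {"normal": {}, "negative": {}}
        elif s == "Normal rights:":
            section = "normal"
        elif s == "Negative rights:":
            section = "negative"
        elif s and current:
            user, rights = s.split()
            acls[current][section][user] = rights
    return acls


def expand(rights):
    """'rlidwka' -> ['read', 'lookup', ...]; an unknown letter raises."""
    return [RIGHTS[c] for c in rights]


def audit(acls):
    """Return (dir, group, extra letters) where a broad group exceeds 'rl'."""
    findings = []
    for d, sections in acls.items():
        for user, rights in sections["normal"].items():
            extra = set(rights) - {"r", "l"}
            if user in BROAD_GROUPS and extra:
                findings.append((d, user, "".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    acls = parse_listacl(SAMPLE_LISTACL)
    print(expand(acls["service"]["normal"]["system:anyuser"]))  # read, lookup
    print(audit(acls))  # [('project', 'system:anyuser', 'dikw')]
```

Against a live cell, feed it the output of "fs listacl" run over the directories you want to review.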
Important - Many new users of AFS try this first:
$ cd /afs; ls -l    # do not do this unless you want a long wait
This is not a good idea unless your AFS cell administrators have taken special steps to reduce the time needed for your client machine to contact each and every remote AFS cell that has been mounted in your cell's root.cell volume.
If you do this "by mistake" and tire of waiting for it to complete contacting every other cell around the planet then it is best just to leave it and open a new terminal.
Decision: automatic start of OpenAFS or not?
If you have installed and configured OpenAFS on a machine that remains connected most of the time (for example, a workstation on LAN) then it may be more convenient to have OpenAFS start automatically on reboot.
Alternatively, if you are using a mobile computer (eg laptop) which you move between home and work networks then it will be better to disable automatic starting of OpenAFS at reboot time.
This then gives you the choice of starting or not starting AFS manually.
If your computer is not able to connect to your AFS cell's servers (as defined in /etc/openafs/CellServDB and /etc/openafs/ThisCell), then you should not start AFS.
Change history
date | editor | change details |
2013_05_03 | Paul Blackburn | created page |
2013_05_21 | Paul Blackburn | added more detail on client configuration |
2013_06_29 | Paul Blackburn | added screenshots for configuring firewall with drakfirewall |