Part III: AFS—A Secure Distributed Filesystem
The -noauth option is used because this command is run without any credentials for this cell.
Special administrative privileges are necessary to explore the authentication part of AFS, which is standard Kerberos, so I skip it here.
Now, find out where the current directory physically is located:
% fs whereis .
File . is on hosts andrew.e.kth.se VIRTUE.OPENAFS.ORG
This shows that two copies of this directory are available, one from andrew.e.kth.se and one from VIRTUE.OPENAFS.ORG.
% fs lsmount /afs/openafs.org/software/openafs/v1.2/1.2.10/binary/fedora-1.0
/afs/openafs.org/software/openafs/v1.2/1.2.10/binary/fedora-1.0 is a mount point for volume #openafs.1210.f10
shows that this directory actually is a mount point for an AFS volume named openafs.1210.f10.
Another AFS command allows us to inspect volumes:
% vos examine openafs.1210.f10 -cell openafs.org -noauth
This command examines the read-write version of volume openafs.1210.f10 in AFS cell openafs.org. The output should look like this:
openafs.1210.f10                  536871770 RW      25680 K  On-line
    VIRTUE.OPENAFS.ORG /vicepb
    RWrite  536871770 ROnly  536871771 Backup          0
    MaxQuota          0 K
    Creation    Fri Nov 21 17:56:28 2003
    Last Update Fri Nov 21 18:05:30 2003
    0 accesses in the past day (i.e., vnode references)

    RWrite: 536871770     ROnly: 536871771
    number of sites -> 3
       server VIRTUE.OPENAFS.ORG partition /vicepb RW Site
       server VIRTUE.OPENAFS.ORG partition /vicepb RO Site
       server andrew.e.kth.se partition /vicepb RO Site
The output shows that this volume is hosted on server VIRTUE.OPENAFS.ORG in disk partition /vicepb. The next line shows the numeric volume IDs for the read-write and the read-only volumes. It also shows some statistics. The last three lines show where the one read-write (RW Site) and the two read-only (RO Site) copies of this volume are located.
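The fields described above can be pulled out of the vos examine output by a script, for instance to inventory where each volume's replicas live. This Python is an added example, not code from the article or from OpenAFS; the function names are hypothetical, and the sample text is the article's output laid out one record per line (an assumed layout).

```python
import re

# Constructed sample: the article's `vos examine` output, one record per line.
SAMPLE = """\
openafs.1210.f10                  536871770 RW      25680 K  On-line
    VIRTUE.OPENAFS.ORG /vicepb
    RWrite  536871770 ROnly  536871771 Backup          0
    MaxQuota          0 K
    Creation    Fri Nov 21 17:56:28 2003
    Last Update Fri Nov 21 18:05:30 2003
    0 accesses in the past day (i.e., vnode references)

    RWrite: 536871770     ROnly: 536871771
    number of sites -> 3
       server VIRTUE.OPENAFS.ORG partition /vicepb RW Site
       server VIRTUE.OPENAFS.ORG partition /vicepb RO Site
       server andrew.e.kth.se partition /vicepb RO Site
"""

HEADER = re.compile(r"^(\S+)\s+(\d+)\s+(RW|RO|BK)\s+(\d+)\s+K\s+(\S+)")
IDS = re.compile(r"RWrite\s+(\d+)\s+ROnly\s+(\d+)\s+Backup\s+(\d+)")
SITE = re.compile(r"server\s+(\S+)\s+partition\s+(\S+)\s+(RW|RO)\s+Site")
COUNT = re.compile(r"number of sites -> (\d+)")

def parse_vos_examine(text):
    """Return a dict describing one volume; raise ValueError on unexpected output."""
    vol = {"sites": []}
    declared = None
    for line in text.splitlines():
        if "name" not in vol and (m := HEADER.match(line)):
            vol.update(name=m[1], id=int(m[2]), type=m[3], size_kb=int(m[4]), status=m[5])
        elif m := IDS.search(line):
            vol.update(rw_id=int(m[1]), ro_id=int(m[2]), backup_id=int(m[3]))
        elif m := COUNT.search(line):
            declared = int(m[1])
        elif m := SITE.search(line):  # host names lower-cased so they compare equal
            vol["sites"].append({"server": m[1].lower(), "partition": m[2], "type": m[3]})
    if "name" not in vol:
        raise ValueError("no volume header found")
    if declared is not None and declared != len(vol["sites"]):
        raise ValueError("site count mismatch (truncated output?)")
    return vol

def replica_report(vol):
    """Summarise replication: RO hosts, and whether a replica lives off the RW server."""
    rw = {s["server"] for s in vol["sites"] if s["type"] == "RW"}
    ro = {s["server"] for s in vol["sites"] if s["type"] == "RO"}
    return {"rw_servers": sorted(rw), "ro_servers": sorted(ro),
            "offsite_replica": bool(ro - rw), "has_backup": vol.get("backup_id", 0) != 0}
```

For the sample, replica_report(parse_vos_examine(SAMPLE)) reports one read-only copy on a second server and no backup volume (Backup ID 0).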
To find out how many other AFS disk partitions are on the server VIRTUE.OPENAFS.ORG, use the command:
% vos listpart VIRTUE.OPENAFS.ORG -noauth
We learn that the partitions on the server are:
    /vicepa     /vicepb     /vicepc
Total: 3
which shows a total of three /vicep partitions. To see what volumes are located in partition /vicepa on this server, execute:
% vos listvol VIRTUE.OPENAFS.ORG /vicepa -noauth
This command takes a while and eventually returns a list of 275 volumes. The first few lines of output look like this:
Total number of volumes on server VIRTUE.OPENAFS.ORG partition /vicepa: 275
openafs.10.src                    536870975 RW      11407 K On-line
openafs.10.src.backup             536870977 BK      11407 K On-line
openafs.10.src.readonly           536870976 RO      11407 K On-line
openafs.101.src                   536870972 RW      11442 K On-line
openafs.101.src.backup            536870974 BK      11442 K On-line
openafs.101.src.readonly          536870973 RO      11442 K On-line
Another command, bos, communicates with a cell's basic overseer server and finds out the status of that cell's AFS server processes. Many more subcommands are available for the fs, pts, vos and bos commands. All of these AFS commands understand the help option (no dash in front of help) to show all available subcommands. Use fs <subcommand> -help (with the dash) to look at the syntax for a specific subcommand.
Several enhancement projects for AFS currently are underway. The most important project right now is to make AFS work with the 2.6 Linux kernels. These kernels no longer export their syscall table. Another project is to provide a disconnected mode that allows AFS clients to go off the network and continue to use AFS. Once they reconnect, the content of files in AFS space is re-synchronized.
Although all the different aspects of AFS can be overwhelming at first and the learning curve for setting up your own AFS cell is steep, the reward for using AFS in your infrastructure can be significant. Secure, platform-independent world-wide file sharing is a concept as attractive as serving your /usr/local/ area and all your UNIX home directories. And, all this comes with only minimal long-term administrative costs.
Resources for this article: /article/8079.
Alf Wachsmann, PhD, has been at the Stanford Linear Accelerator Center (SLAC) since 1999. He is responsible for all areas of automated Linux installation, including farm nodes, servers and desktops. His work focuses on AFS support, migration to Kerberos 5, a user registry project and user consultants.