Administration

OpenAFS is an implementation of the Andrew File System. It is used to store home directories for student and staff. There are currently five active storage servers (openafs[1-5]) .

Our OpenAFS cell is called csl.tjhsst.edu, but you can just call it csl when navigating to it in the AFS tree.

Administration Concepts

As you might expect, OpenAFS is a rather complex system. It is laid out using a few main components:

• bos, the Basic Overseers, which essentially oversees every other server

• pts, the Protection Server, which keeps track of users and groups

• vos, the Volume Server, which keeps track of volumes

• fs, which, as you might expect, is the File Server.

Each of these systems has a command named after it (i.e. vos lets you interface with the volume server, fs works with the file server, and so on) to allow you to administer it.

Servers

The CSL has quite a few AFS servers:

• openafs1

• openafs2

• openafs3

• openafs4

• openafs5

Managing OpenAFS

OpenAFS has a few command-line tools that you can use in order to manage it. Before using them, gain administrative access to AFS. If you don't, you won't be able to make changes.

Once you've done this, if your /admin principal is in the AFS group system:administrators, you will have administrative access to AFS.

bos (Basic Overseer)

bos manages everything. Hopefully, you won't have to deal with it much. If something breaks, bos help is a great resource. The one common use case for bos is if a volume suddenly goes offline. If this happens, it may need to be "salvaged." This can be done with the following command:

If you have server-wide corruption (which is bad), you can attempt to salvage volumes with:

vos (Volume Server)

AFS has a concept of volumes. A volume is simply a logical container for files. It differs from a directory in that it can be mounted anywhere in the AFS tree, and can be moved from server to server as needed.

To create a new volume:

After creating a volume, you will probably want to set the quota. See the section on Quotas below. You will probably also want to mount the volume somewhere, so you can actually use it. See the section on Volume Mountpoints below.

You can examine volumes with the examine sub-command:

Another common operation is listing volumes. This can be done by referring to the VLDB (volume database)

Or, if you want to query the server directly, you can do that as well:

You can restrict listings to a specific partition as well.

When a partition on a server is running out of space, you may want to move volumes to another server or partition. This can be done with the move sub-command:

This might take a while, and progress isn't printed. Be patient! If you don't know which volumes to move, this obscure command can print out the largest ones:

You can also take volumes offline, or restore them, with the offline and online sub-commands:

If a volume can't come online, it may need to be salvaged.

fs (File Server)

Permissions

AFS completely ignores standard UNIX permissions. That means that chmod will do absolutely nothing for you. Instead, AFS uses its own permission system, which can only apply to an entire directory at a time, instead of just a single file. This means that you may have to find clever workarounds to some problems. As an AFS admin, you'll be able to modify permissions anywhere in the tree. Here's how you can do that:

Or just:

la is an abbreviation for "list access list/ACL", and sa is an abbreviation for "set access list/ACL."

The PERMISSIONS you can grant a user are as follows:

• r: read files in the directory, but not list them

• l: list files in the directory, but not read them

• i: create new files (insert) in the directory (does not imply read/write after the files are created)

• d: delete files in the directory

• k: set locks on files

• w: write to files in the directory

• a: set permissions on files in the directory

• read: an alias for rl

• write: an alias for rlidkw

• all: an alias for rlidkwa

Quotas

AFS volumes have quotas (i.e. storage limits). The two major operations involved are examining quotas and setting quotas. First, cd to the directory where the volume in question is mounted:

To show the quota, use the lq subcommand (short for "list quota"):

To set the quota, use the sq command (short for "set quota"):

You can also set the quota for a volume upon volume creation with -maxquota

fs lq will reflect this change. Note that the quota value you specify must be in kilobytes.

Volume Mount-points

Volumes can be mounted anywhere in the AFS tree. To manage volume mount-points, there are two primary commands.

In order to mount a volume at a point in the tree, use the mkmount sub-command:

To remove a mount-point:

Cache

Rarely, the AFS cache will act up on a specific machine. This problem may manifest itself in the form of an empty directory, for example. Fortunately, fixing it isn't that difficult.

If you're feeling lazy:

You can also target a specific directory:

...or a specific volume:

pts (Projection Server)

The Protection Server keeps track of users and groups. By the way, it always assigns negative IDs to groups and positive IDs to users.

Help on all pts commands can be found with the pts help sub-command.

Groups

AFS has a concept of groups. As an AFS admin, you can manage all existing groups (including system:administrators), and create new ones.

You can inspect an existing group by using the examine sub-command:

You can view the members of a group by using the membership sub-command:

You can also view which groups a user is a member of using the same command.

Adding users to groups can be done using the adduser sub-command:

For example,

The inverse action, removing users from groups, uses the removeuser sub-command:

For example,

Creating groups can be done with the creategroup sub-command:

For example,

Users

AFS users are separate from Kerberos/LDAP users, and as such, must be created separately. This can be done with the createuser sub-command:

You can examine a user with the examine sub-command: