|
| ProjectNorton/AfsOnNetBSDTest |
UserPreferences |
| The Project List | FrontPage | RecentChanges | TitleIndex | WordIndex | SiteNavigation | HelpContents | moin.sf.net |
This is the test version of this page --- where I munge with stuff as I am playing with it. If you want the regular, stable version of this page, see ![[WWW]](/wiki/img/moin-www.gif "[WWW]"){kind=small}
ProjectNorton/AfsOnNetBSD
Use OpenAFS for the server side, and for the various afs commands: fs, vos, bos, etc. The OpenAFS client stuff (afsd), however, does not (currently) work, so use Arla for afsd and friends.
While I use afs heavily at work, I do little of what you would consider administrative stuff. At best, I'm a talented amateur, at worse, several terabytes of data go wondering off into the aether. Some of the stuff here may seem goofy to seasoned AFS administrators. In particular, I've done no work on making the Arla and OpenAFS trees of installed programs be in some sane merged binary --- things are all off in completely separate trees here (no --with-transarc-paths here ....)
You have been warned....
Download openafs-1.3.82 (later versions will probably work, but this is what I used). These are the compile options I used:
./configure --enable-largefile-fileserver --enable-fast-restart --enable-bitmap-later \ --disable-kernel-module --enable-debug --enable-bos-new-config --enable-namei-fileserver \ --prefix=/local/pkgs/openafs/openafs-1.3.82
XXX Put explanations of config flags here.
Do the make and make install dance.
Download arla-0.39 (again, later versions will probably work, but this is what I used). Here are the compile options I used:
./configure --with-krb4-lib=/usr/lib --with-krb4-include=/usr/include/kerberosIV \ --with-sys=/usr/src/sys --with-krb5-lib=/usr/lib --with-krb5-include=/usr/include/krb5 \ --prefix=/local/pkgs/arla/arla-0.39
XXX Put explanations of config flags here
Note: You will need to have the NetBSD system src wherever --with-sys points to.
Essentially, you will be following the "Unix Quickstart Guide" available on the OpenAFS web site, with some changes: skip over the kaserver stuff, since you will be using the heimdal kdc to get kerberos tickets and various other things to munge those into AFS tokens.
I don't use AFS' built in ntp stuff, so I've set up my machines to all sync to a common time source. You will want to do this, or use the AFS ntp stuff, because kerberos requires times on machines to be within a certain range to work (typically 5 minutes). -- XXX actually startup afsd without ntp service
This assumes that you have the heimdal kdc (or some other kdc, your choice) up and running and get use it to create principals.
You will need to create two principals: one for the AFS server itself, and at least one for someone who will have administrative rights in AFS.
My kerberos realm is TPROA.NET. Replace accordingly.
You will need to pick at least one principal in kerberos to have administrative rights in AFS. Typically, you would use some instance of your normal principal, i.e. user/admin or user/afs. I'm using kula/afs@TPROA.NET since I'm using kula/admin@TPROA.NET for kerberos stuff only (and this is what we do at work). You can do as you like. Remember that AFS is still based on v4 kerberos, so to it, your instance will look like kula.afs to AFS stuff (i.e. replace the / with a . -- XXX Is this still true?).
Creating my /afs instance. The -p kula/admin flag to kadmin tells it to use that principal to do stuff in kadmin.
afs-1# kadmin -p kula/admin kadmin> add kula/afs Max ticket life [1 day]: Max renewable life [1 week]: Principal expiration time [never]: Password expiration time [never]: Attributes []: kula/afs@TPROA.NET's Password: Verifying - kula/afs@TPROA.NET's Password:
Current best practice is to create an AFS kerberos principal with the form afs/<cell name>@TPROA.NET, i.e. afs/tproa.net@TPROA.NET for the cell tproa.net. This way you can have multiple cells use the same kerberos realm (i.e. you could create a afs/test.tproa.net@TPROA.NET for the cell test.tproa.net).
See http://grand.central.org/twiki/bin/view/AFSLore?topic=KerberosAFSInstall for details:
service-3# ktutil -k /tmp/afskeytabfile.krb5 get afs/tproa.net
Note that I did not delete any of the keytypes --- it seems to work fine.
service-3# ktutil -k /tmp/afskeytabfile.krb5 list /tmp/afskeytabfile.krb5: Vno Type Principal 1 des-cbc-crc afs/tproa.net@TPROA.NET 1 des-cbc-md4 afs/tproa.net@TPROA.NET 1 des-cbc-md5 afs/tproa.net@TPROA.NET 1 des3-cbc-sha1 afs/tproa.net@TPROA.NET
Convert the key:
service-3# ktutil -v copy FILE:/tmp/afskeytabfile.krb5 AFSKEYFILE:/tmp/KeyFile copying FILE:/tmp/afskeytabfile.krb5 to AFSKEYFILE:/tmp/KeyFile copying afs/tproa.net@TPROA.NET, keytype des-cbc-crc, kvno 1 copying afs/tproa.net@TPROA.NET, keytype des-cbc-md4, kvno 1 copying afs/tproa.net@TPROA.NET, keytype des-cbc-md5, kvno 1 copying afs/tproa.net@TPROA.NET, keytype des3-cbc-sha1, kvno 1
Now, I had to make the file /usr/afs/etc/ThisCell contain my cell name. Someone else I know doesn't have to do this, so I suspect that some knob in krb5.conf configures this (or it looks for some other file location I have yet to find) but I am not sure which one.
Actually, this is defined in Heimdal's lib/krb5/keytab_keyfile.c
#define AFS_SERVERTHISCELL "/usr/afs/etc/ThisCell"
Make the directory /local/pkgs/openafs/openafs-1.3.82/etc/openafs/server and drop /tmp/KeyFile there, chmod it to 700.
bos manages all other AFS processes. Start it:
cd /local/pkgs/openafs/openafs-1.3.82 mkdir -p var/openafs/logs chmod 700 var/openafs sbin/bosserver &
The bosserver will background and start up some other process to actually run, so you will see something like:
afs-1# sbin/bosserver & [1] 5040 afs-1# [1] Done sbin/bosserver
but if you ps and look for the bosserver it will be running.
bin/bos setcellname service-3.tproa.net tproa.net -localauth
The -localauth flag bypasses the normal bos authentication stuff, and says "just read from KeyFile and use it", so as long as you are logged in as root on that machine and can read KeyFile, you should be able to run commands.
service-3# bin/bos create service-3.tproa.net buserver simple /local/pkgs/openafs/openafs-1.3.82/libexec/openafs/buserver -cell tproa.net -localauth service-3# bin/bos create service-3.tproa.net ptserver simple /local/pkgs/openafs/openafs-1.3.82/libexec/openafs/ptserver -cell tproa.net -localauth service-3# bin/bos create service-3.tproa.net vlserver simple /local/pkgs/openafs/openafs-1.3.82/libexec/openafs/vlserver -cell tproa.net -localauth
This creates the backup, protection and volume location servers on our first machine.
Here we skip the steps in the IBM Quick Start guide that creates the afs key, and admin entries, since we did that above and are not using the kaserver in AFS. You can verify that bos can list the keys, however:
service-3# bin/bos listkeys service-3.tproa.net -cell tproa.net -localauth key 1 has cksum 2449704641 Keys last changed on Wed May 18 21:57:29 2005. All done.
This is where you tell the pt server about your administrative account. The pts command, however, does not have a -localauth flag, and while you could use pt_util to munch the prdb file manually, I couldn't get pt_util to work, nor could I find any real explanation of what I shove to it. So, stop everything, kill bosserver, and restart it, temporarily, with -noauth:
service-3# bin/bos shutdown service-3.tproa.net -localauth service-3# bin/bos status service-3.tproa.net -localauth Instance buserver, temporarily disabled, currently shutdown. Instance ptserver, temporarily disabled, currently shutdown. Instance vlserver, temporarily disabled, currently shutdown. service-3# ps ax | grep bosserver 5183 ?? Is 0:00.05 sbin/bosserver service-3# kill -HUP 5183 service-3# ps ax | grep bosserver service-3# sbin/bosserver -noauth & [1] 7247 service-3# [1] Done sbin/bosserver -noauth service-3# ps ax | grep bosserver 6689 ?? Ss 0:00.02 sbin/bosserver -noauth
Create the pts entries:
service-3# bin/pts createuser -name kula.afs -cell tproa.net -id 10137 -noauth User kula.afs has id 10137 service-3# bin/pts adduser kula.afs system:administrators -cell tproa.net -noauth service-3# bin/pts membership kula.afs -cell tproa.net -noauth Groups kula.afs (id: 10137) is a member of: system:administrators
Note that I used kula.afs, not kula/afs
Shutdown everything again, and restart bos to have localauth:
service-3# bin/bos shutdown service-3.tproa.net -localauth service-3# bin/bos status service-3.tproa.net -localauth Instance buserver, temporarily disabled, currently shutdown. Instance ptserver, temporarily disabled, currently shutdown. Instance vlserver, temporarily disabled, currently shutdown. service-3# ps ax | grep bosserver 6689 ?? Ss 0:00.03 sbin/bosserver -noauth service-3# kill -HUP 6689 service-3# sbin/bosserver & [1] 25575 service-3# [1] Done sbin/bosserver service-3# ps ax | grep bosserver 27744 ?? Ss 0:00.02 sbin/bosserver
service-3# bin/bos adduser service-3.tproa.net kula.afs -cell tproa.net -localauth service-3# bin/bos listusers service-3.tproa.net -cell tproa.net -localauth SUsers are: kula.afs
XXX
From Tracy: You need to install the LWP threaded versions of the fileserver instead of the pthread version. The fileserver.LWP version is what you find in <openafs>/src/viced/fileserver, the pthread version is from <openafs>/src/tviced/fileserver. You have to do this because currently the pthread version of the fileserver doesn't quit properly, which makes bos kinda a pain to use to shutdown the fileserver.
service-3# cp <openafs>/src/viced/fileserver /local/pkgs/openafs/openafs-1.3.82/libexec/openafs/fileserver
service-3# bin/bos create service-3.tproa.net fs fs \
? /local/pkgs/openafs/openafs-1.3.82/libexec/openafs/fileserver \
? /local/pkgs/openafs/openafs-1.3.82/libexec/openafs/volserver \
? /local/pkgs/openafs/openafs-1.3.82/libexec/openafs/salvager \
? -cell tproa.net -localauth
service-3# bin/bos status service-3.tproa.net fs -long -localauth
Bosserver reports inappropriate access on server directories
Instance fs, (type is fs) currently running normally.
Auxiliary status is: file server running.
Process last started at Wed May 18 22:19:44 2005 (2 proc starts)
Command 1 is '/local/pkgs/openafs/openafs-1.3.82/libexec/openafs/fileserver'
Command 2 is '/local/pkgs/openafs/openafs-1.3.82/libexec/openafs/volserver'
Command 3 is '/local/pkgs/openafs/openafs-1.3.82/libexec/openafs/salvager'
Make sure the fileserver process can see your /vicep partitions:
service-3# sbin/vos listpart service-3.tproa.net -localauth
The partitions on the server are:
/vicepa /vicepb
Total: 2
service-3# sbin/vos create service-3.tproa.net /vicepa root.afs -cell tproa.net -localauth Volume 536870912 created on partition /vicepa of service-3.tproa.net
Create the following script as /etc/rc.d/arlad (provided by Tracy Di Marco White):
#!/bin/sh
#
# PROVIDE: arlad
# REQUIRE: beforemountlkm
. /etc/rc.subr
name="arlad"
rcvar=$name
command="/usr/arla/libexec/${name}"
command_args="-z /dev/nnpfs0"
start_precmd="/usr/arla/sbin/mount_nnpfs /dev/nnpfs0 /afs"
stop_postcmd="/sbin/umount /afs"
required_files="/dev/nnpfs0"
required_dirs="/afs"
load_rc_config $name
run_rc_command "$1"
Make this executable. You will also need to modify the paths to point to the proper location. Since eventually I'll get around to putting everything in some sane location, I've left it as is.
Edit /local/pkgs/arla/arla-0.39/etc/CellServDB to add your cell. You can just glom on the bit in the server's version /local/pkgs/openafs/openafs-1.3.82/etc/openafs/CellServDB to the end:
>tproa.net # The People's Republic of Ames 209.234.76.70 #service-3.tproa.net
In fact, it is best to do this, since the format of this file is a bit particular
Edit /local/pkgs/arla/arla-0.39/etc/ThisCell to make your cell the default cell.
/local/pkgs/arla/arla-0.39/bin/nnpfs_mod.o - nnpfs_mod /local/pkgs/arla/arla-0.39/sbin/nnpfs_makedev /var/db/nnpfs_sym BEFOREMOUNT
(all on one line)
mknod /dev/nnpfs0 c 165 0
mkdir /afs
Change:
lkm=YES
in /etc/rc.conf, and add
arlad=YES
in the same file.
Restart.
/local/pkgs/openafs/openafs-1.3.82/sbin/bosserver &
If your afs database servers (the ones listed in CellServDB) are also slave kdc (or a master one, for that matter), and you are running a heimdal kdc, you can get tokens directly by setting enable-kaserver in the [kdc] section of /etc/krb5.conf file. I think there is also a kaforwarder, which you run on your db servers to forward requests to your kdc -- XXX look for this
Once again, kinit looks in a particular spot to find ThisCell. I put mine in /usr/arla/etc/ThisCell.
XXX Really, find a krb5.conf configuration for this nonsense. Or merge the trees together so that stuff looks in sane places for stuff for both server and client.
cd /local/pkgs/openafs/openafs-1.3.82/
service-3# kinit kula/afs
kula/afs@TPROA.NET's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
service-3# klist -T
Credentials cache: FILE:/tmp/krb5cc_0
Principal: kula/afs@TPROA.NET
Issued Expires Principal
May 18 23:22:39 May 19 09:22:39 krbtgt/TPROA.NET@TPROA.NET
May 18 23:22:39 May 19 09:22:39 krbtgt/TPROA.NET@TPROA.NET
May 18 23:22:39 May 19 09:22:39 afs/tproa.net@TPROA.NET
V4-ticket file: /tmp/tkt0
Principal: kula.afs@TPROA.NET
Issued Expires Principal
May 18 23:22:39 May 19 09:22:39 krbtgt.TPROA.NET@TPROA.NET
May 18 23:22:39 May 19 09:22:39 Tokens for tproa.net
bin/fs setacl /afs system:anyuser rl
service-3# sbin/vos create service-3.tproa.net /vicepa root.cell Volume 536870915 created on partition /vicepa of service-3.tproa.net service-3# bin/fs mkmount /afs/tproa.net root.cell service-3# bin/fs setacl /afs/tproa.net system:anyuser rl
bin/fs mkmount /afs/.tproa.net root.cell -rw
service-3# sbin/vos addsite service-3.tproa.net /vicepa root.afs Added replication site service-3.tproa.net /vicepa for volume root.afs service-3# sbin/vos addsite service-3.tproa.net /vicepa root.cell Added replication site service-3.tproa.net /vicepa for volume root.cell service-3# bin/fs examine /afs File /afs (536870912.1.1) contained in volume 536870912 Volume status for vid = 536870912 named root.afs Current disk quota is 5000 Current blocks used are 4 The partition has 9430319 blocks available out of 9430365 service-3# bin/fs examine /afs/tproa.net/ File /afs/tproa.net/ (536870915.1.1) contained in volume 536870915 Volume status for vid = 536870915 named root.cell Current disk quota is 5000 Current blocks used are 2 The partition has 9430319 blocks available out of 9430365 afs-1# sbin/vos release root.afs Released volume root.afs successfully afs-1# sbin/vos release root.cell Released volume root.cell successfully
Now you can add other stuff, see the AFS documentation on suggestions for that
http://www.openafs.org/pages/doc/QuickStartUnix/auqbg002.htm#ToC_91
2004 AFS Best Prac. Conf : Lots of good stuff there Russ Allbery's Software 