AFS: Andrew File System, server side
Based upon Tracy's talk at the AFS Workshop, 2005.
Kerberos
Before getting into the AFS side, make sure you have a working Kerberos 5 setup; follow the handbook to get it started. Since I didn't set up any DNS servers (so there are no SRV or TXT records the library could use to find the realm and the KDC), I needed some extra information in /etc/krb5.conf to name the KDC and map hostnames to the realm explicitly:
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
default_realm = MEILAND.NL
[realms]
MEILAND.NL = {
kdc = server.meiland.nl
admin_server = server.meiland.nl
}
[domain_realm]
.meiland.nl = MEILAND.NL
[logging]
kdc = FILE:/var/log/kdc.log
default = FILE:/var/log/kdc.log

It is also most convenient to have an AFS client running on the initial server. Check out the installation instructions on the AFS page.
Partitions
There are two things to keep in mind when assigning storage locations for AFS fileservers. First, the mount points must be named /vicepa, /vicepb and so on: the fileserver finds its partitions by scanning for /vicep* at startup. Second, never let a file system check tool look at those partitions; non-AFS implementations of fsck and the like have no clue what AFS is doing to files while adding blocks to store ACL information, and AFS has its own tool (the salvager) for low-level file system maintenance. In the fstab below the last field, the fsck pass number, is therefore 0 for every vice partition, which keeps the system's fsck away from them at boot. An example fstab would look like this, with a second hard disk reserved for AFS:
/dev/ad1s1d /vicepa ufs rw 0 0
/dev/ad1s1e /vicepb ufs rw 0 0
/dev/ad1s1f /vicepc ufs rw 0 0
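The two rules above are easy to get wrong by hand, so here is an added example (not from the original page) that checks an fstab for them: every entry mounted under /vicep must have a name the fileserver recognises (/vicepa to /vicepz, then /vicepaa to /vicepiv) and a fsck pass number of 0. The fstab it writes is a constructed sample; point it at /etc/fstab on the server.

```shell
#!/bin/sh
# Added example, not part of the original page: check an fstab for AFS vice
# partitions. Each entry mounted under /vicep must use a legal partition
# name (/vicepa .. /vicepz, /vicepaa .. /vicepiv) and have its fsck pass
# number (the sixth field) set to 0, so the system's fsck never runs on it.
# The fstab written below is a constructed sample; use /etc/fstab for real.

check_vice_fstab() {
    # $1: path to an fstab file. Prints one line per problem found and
    # returns 1 if any /vicep entry is misconfigured, 0 otherwise.
    awk '
        /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
        $2 ~ /^\/vicep/ {
            if ($2 !~ /^\/vicep[a-z][a-z]?$/) {
                printf "%s: illegal vice partition name %s\n", FILENAME, $2
                bad = 1
            }
            if (NF < 6 || $6 != 0) {
                printf "%s: fsck pass must be 0 for %s (got %s)\n", FILENAME, $2, (NF < 6 ? "nothing" : $6)
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Demo on a constructed fstab: one correct entry, one that fsck would visit
# on pass 2, and one with a name the fileserver would not recognise.
TMPF=$(mktemp "${TMPDIR:-/tmp}/vicefstab.XXXXXX") || exit 1
cat > "$TMPF" <<'EOF'
/dev/ad0s1a /        ufs rw 1 1
/dev/ad1s1d /vicepa  ufs rw 0 0
/dev/ad1s1e /vicepb  ufs rw 0 2
/dev/ad1s1f /vicep-c ufs rw 0 0
EOF
if check_vice_fstab "$TMPF"; then
    echo "all vice partitions are safe from fsck"
else
    echo "fix the entries above before starting the fileserver"
fi
rm -f "$TMPF"
```

Run it once after editing fstab and again after every disk change; a pass number that is not 0 is the one mistake here that silently corrupts volumes at the next reboot.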
OpenAFS server
The port tarball is fetched over plain HTTP from a third-party site, so verify it against a checksum or signature obtained out of band before building it.

#>cd /usr
#>fetch http://setfilepointer.com/pub/afs/FreeBSD/openafs-server.tgz
#>tar zxvf openafs-server.tgz
#>cd /usr/ports/net/openafs-server
#>make
#>make install
#>rehash
OpenAFS configuration
create the AFS service principal and its key
#>kadmin -l
kadmin> add --random-key afs/meiland.nl
kadmin> ext_keytab -k /tmp/afsv5key afs/meiland.nl
#>mkdir -p /usr/afs/etc
#>echo "meiland.nl" > /usr/afs/etc/ThisCell
#>ktutil copy /tmp/afsv5key AFSKEYFILE:/tmp/KeyFile

The AFSKEYFILE format only holds DES keys, so the afs/meiland.nl principal needs a single-DES enctype for the ktutil conversion to work. The resulting KeyFile is the cell key: whoever can read it can mint tokens for any user, so keep the copies in /tmp only as long as needed, remove them once they have been installed, and make sure the installed KeyFile is owned by root with mode 600.
create the server configuration and start without authentication
#>echo "meiland.nl" > /usr/local/etc/openafs/ThisCell
#>cp /tmp/KeyFile /usr/local/etc/openafs/KeyFile
add the following to /usr/local/etc/openafs/CellServDB (the line starting with > names the cell, each line after it is one database server address with the hostname as a comment):
>meiland.nl #demo cell
10.0.0.1 #server.meiland.nl
create the cell
#>bosserver -noauth
#>bos setcellname server.meiland.nl meiland.nl -noauth
#>bos create server.meiland.nl buserver simple /usr/local/libexec/openafs/buserver -noauth
#>bos create server.meiland.nl ptserver simple /usr/local/libexec/openafs/ptserver -noauth
#>bos create server.meiland.nl vlserver simple /usr/local/libexec/openafs/vlserver -noauth

While bosserver runs with -noauth, anyone who can reach its port (7007/udp) can reconfigure the cell, so keep this window short and do it before the host is reachable from untrusted networks.
create users:
# pts createuser -name hugo -cell meiland.nl -id 1000 -noauth
User hugo has id 1000
# pts createuser -name hugo.afs -cell meiland.nl -id 1001 -noauth
User hugo.afs has id 1001
# pts adduser hugo.afs system:administrators -cell meiland.nl -noauth
# bos adduser server.meiland.nl hugo.afs -cell meiland.nl -noauth

hugo.afs instead of hugo/afs is not a typo: the Kerberos principal hugo/afs@MEILAND.NL maps to the AFS name hugo.afs, with a dot where Kerberos uses a slash. That is the name to put in system:administrators and in the bos superuser list.
now restart the bosserver, this time without -noauth, and see if authentication works:
#> bos shutdown server.meiland.nl
#> killall bosserver
#> bosserver
#> kinit hugo/afs
#> afslog meiland.nl
#> tokens
#> bos status -server server.meiland.nl
Instance buserver, currently running normally.
Instance ptserver, currently running normally.
Instance vlserver, currently running normally.
create storage space
#> bos create server.meiland.nl fs fs /usr/local/libexec/openafs/fileserver /usr/local/libexec/openafs/volserver /usr/local/libexec/openafs/salvager -cell meiland.nl -localauth
#> vos create server.meiland.nl /vicepa root.afs -localauth
#> vos create server.meiland.nl /vicepa root.cell -localauth
#> fs setacl /afs system:administrators rlidwka
#> fs setacl /afs system:anyuser rl
#> fs mkmount /afs/meiland.nl root.cell
#> fs setacl /afs/meiland.nl system:administrators rlidwka
#> fs setacl /afs/meiland.nl system:anyuser rl
#> fs mkmount /afs/.meiland.nl root.cell -rw
#> fs setacl /afs/.meiland.nl system:administrators rlidwka
#> fs setacl /afs/.meiland.nl system:anyuser rl

The -localauth commands authenticate with the server's own KeyFile and therefore have to run as root on the server itself. system:anyuser rl makes the top-level directories readable by everyone who can reach the fileserver, authenticated or not; that is the usual convention for root.afs and root.cell, but do not copy it onto directories holding anything private.

mount external cells:
#> fs mkmount -dir /afs/stacken.kth.se -cell stacken.kth.se -vol root.cell
replicate database servers
To make sure multiple database servers are available, the following actions are required. Install a bosserver on dbase2.meiland.nl as described above; no other services are needed on it yet. Copy the KeyFile from server.meiland.nl over an encrypted channel (scp or similar), since it is the cell key, and keep it root-only with mode 600 on dbase2 as well.
#> bos addhost server.meiland.nl dbase2.meiland.nl
#> bos addhost dbase2.meiland.nl dbase2.meiland.nl
#> bos restart server.meiland.nl ptserver
#> bos restart server.meiland.nl vlserver
#>bos create dbase2.meiland.nl ptserver simple /usr/local/libexec/openafs/ptserver
#>bos create dbase2.meiland.nl vlserver simple /usr/local/libexec/openafs/vlserver
The servers will now sync automatically. The database servers run Ubik, which only accepts writes while a majority of the listed servers can reach each other (with two servers, the one with the lowest IP address holds the tie-breaking vote), and the server-side CellServDB must list the same hosts on every database server. Then modify your CellServDB on the client to point to the second server as well:
>meiland.nl #demo cell
10.0.0.1 #server.meiland.nl
10.0.0.2 #dbase2.meiland.nl
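Because every server and client has to carry the same list, it is worth being able to read CellServDB mechanically rather than by eye. The following is an added example, not code from the original page or from OpenAFS: a small parser for the format used above (a > line naming the cell, then one dotted-quad address per line, comments after #) plus a sanity check for the mistakes that actually bite (a server line before any cell header, an address that is not a dotted quad, an address listed twice for the same cell, a cell with no servers). The file it writes is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original page: a parser and sanity check
# for the CellServDB format used by the OpenAFS servers and clients. A line
# starting with ">" names a cell (text after "#" is a comment), and every
# following line gives one database server as a dotted-quad address, again
# with an optional "#hostname" comment. The file written below is a
# constructed sample.

# cellservdb_servers FILE CELL: print the server addresses listed for CELL.
cellservdb_servers() {
    awk -v cell="$2" '
        /^>/ { cur = substr($1, 2); next }        # ">meiland.nl #demo" -> meiland.nl
        /^[[:space:]]*(#|$)/ { next }             # comments and blank lines
        cur == cell { print $1 }
    ' "$1"
}

# cellservdb_check FILE: report structural problems, return 1 if any found.
# A mistake here is not cosmetic: a host with a wrong or missing address
# talks to the wrong database servers, or to none at all.
cellservdb_check() {
    awk '
        function is_ipv4(a,   n, p, i) {
            n = split(a, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            return 1
        }
        /^>/ {
            if (cur != "" && count[cur] == 0) { printf "cell %s has no servers\n", cur; bad = 1 }
            cur = substr($1, 2)
            if (cur == "") { printf "line %d: empty cell name\n", NR; bad = 1 }
            next
        }
        /^[[:space:]]*(#|$)/ { next }
        cur == "" { printf "line %d: server before any >cell header\n", NR; bad = 1; next }
        !is_ipv4($1) { printf "line %d: %s is not a dotted-quad address\n", NR, $1; bad = 1; next }
        seen[cur, $1]++ { printf "line %d: %s listed twice for %s\n", NR, $1, cur; bad = 1; next }
        { count[cur]++ }
        END {
            if (cur != "" && count[cur] == 0) { printf "cell %s has no servers\n", cur; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Demo on a constructed CellServDB matching the two-server cell above.
TMPF=$(mktemp "${TMPDIR:-/tmp}/cellservdb.XXXXXX") || exit 1
cat > "$TMPF" <<'EOF'
>meiland.nl #demo cell
10.0.0.1 #server.meiland.nl
10.0.0.2 #dbase2.meiland.nl
EOF
echo "database servers for meiland.nl:"
cellservdb_servers "$TMPF" meiland.nl
if cellservdb_check "$TMPF"; then echo "CellServDB looks sane"; fi
rm -f "$TMPF"
```

Compare the addresses it prints with what `bos listhosts server.meiland.nl` reports, and check that the server-side CellServDB is byte-identical on every database server before restarting ptserver and vlserver.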