AFS: Andrew File System, server side
Based upon Tracy's talk at the AFS Workshop, 2005. Heavily modified for OpenAFS coverage by BenKaduk in 2011.
Kerberos
Before getting into the AFS side, make sure you have a working Kerberos 5 setup; follow the handbook to get that working. Since I didn't set up any DNS servers (no SRV or TXT records for the realm), the KDC and the hostname-to-realm mapping have to be spelled out in /etc/krb5.conf:
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = false
    default_realm = MEILAND.NL
[realms]
    MEILAND.NL = {
        kdc = server.meiland.nl
        admin_server = server.meiland.nl
    }
[domain_realm]
    .meiland.nl = MEILAND.NL
[logging]
    kdc = FILE:/var/log/kdc.log
    default = FILE:/var/log/kdc.log
It is also most convenient to have an AFS client running on the initial server, since the fs commands used later to populate the root volumes need one. Check out the installation instructions on the afs page.
Partitions
There are a few things to keep in mind when assigning storage locations for AFS fileservers. First, the mount points must be named /vicepa, /vicepb and so on: this is a long tradition that is essentially hardcoded. Long ago one could run a fileserver with the "inode" backend, which stored metadata directly in on-disk inodes that a normal fsck would trash. Any modern OpenAFS server should use the namei backend, which keeps everything in ordinary files and requires only roughly POSIX filesystem semantics. An example fstab, with a second hard disk (ada1) reserved for AFS, looks like this:
/dev/ada1s1d /vicepa ufs rw 0 0
/dev/ada1s1e /vicepb ufs rw 0 0
/dev/ada1s1f /vicepc ufs rw 0 0
OpenAFS server
The OpenAFS client and server are currently installed in the same port, but may be enabled and disabled separately in rc.conf.
#>cd /usr/ports/net/openafs
#>make install
#>echo 'afsserver_enable="YES"' >> /etc/rc.conf
Unlike the client, the idea of default configuration values for the AFS server does not make sense, so they are not provided. The fileserver's man page lists the various configuration knobs. Note that the -L ("large") and similar options were designed several iterations of Moore's law ago: don't use them.
OpenAFS configuration
create the AFS service key
The cell authenticates with the service principal afs/<cellname>, not with a host key. Using Heimdal's local kadmin mode (-l) on the KDC:
#>mkdir -p /usr/local/etc/openafs/server
#>kadmin -l
kadmin> add --random-key afs/meiland.nl
kadmin> ext_keytab -k /usr/local/etc/openafs/server/rxkad.keytab afs/meiland.nl
The resulting rxkad.keytab is the cell's long-term key: keep it owned by root with mode 0600, and copy it only to other servers of the same cell.
create some configuration files
#>echo "meiland.nl" > /usr/local/etc/openafs/server/ThisCell
add the following to /usr/local/etc/openafs/server/CellServDB
>meiland.nl #demo cell
10.0.0.1 #server.meiland.nl
create the cell. Old instructions start bosserver with the '-noauth' argument, which turns off authorization checking entirely, so anyone who can reach the server can administer it while that flag is in effect. It is no longer needed now that '-localauth' (which authenticates with the local key file as the superuser) is available for most bos commands.
#>mkdir /var/openafs
#>chmod 700 /var/openafs
#>touch /usr/local/etc/openafs/server/KeyFile
#>chmod 600 /usr/local/etc/openafs/server/KeyFile
#>bosserver
#>bos create server.meiland.nl ptserver simple /usr/local/libexec/openafs/ptserver -localauth
#>bos create server.meiland.nl vlserver simple /usr/local/libexec/openafs/vlserver -localauth
create users:
# pts createuser -name hugo -id 1000 -localauth
User hugo has id 1000
# pts createuser -name hugo.afs -id 1001 -localauth
User hugo.afs has id 1001
# pts adduser hugo.afs system:administrators -localauth
# bos adduser server.meiland.nl hugo.afs -localauth
hugo.afs instead of hugo/afs is not a typo: the protection database uses '.' where Kerberos uses '/', so the principal hugo/afs@MEILAND.NL is mapped by aklog to the PTS user hugo.afs. Keeping a separate hugo/afs principal means the everyday identity hugo is neither in system:administrators nor in the bosserver's UserList.
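To see which PTS name a given Kerberos principal will turn into before creating it with pts createuser, here is a small helper added for this page (not aklog's own code). It applies the rule aklog uses: name components joined with '.', the realm dropped when it is the cell's own realm and otherwise appended lowercased as name@realm. It assumes, as on this page, that MEILAND.NL is the realm of the meiland.nl cell.

```shell
#!/bin/sh
# Map a Kerberos 5 principal to the PTS (protection database) name that
# aklog will present, so the pts entry is created under the right name.
# Added example for this page, not a tool shipped with OpenAFS or Heimdal.

LOCAL_REALM=MEILAND.NL   # assumed: the realm of the meiland.nl cell

pts_name_for() {
    princ=$1
    case $princ in
        *@*) name=${princ%@*}; realm=${princ##*@} ;;
        *)   name=$princ;      realm=$LOCAL_REALM ;;   # no realm given: local
    esac
    # Kerberos separates components with '/', PTS with '.'
    name=$(printf '%s\n' "$name" | tr '/' '.')
    realm_lc=$(printf '%s\n' "$realm" | tr 'A-Z' 'a-z')
    local_lc=$(printf '%s\n' "$LOCAL_REALM" | tr 'A-Z' 'a-z')
    if [ "$realm_lc" = "$local_lc" ]; then
        printf '%s\n' "$name"                     # local realm: realm dropped
    else
        printf '%s@%s\n' "$name" "$realm_lc"      # foreign realm: kept, lowercased
    fi
}

# Constructed sample principals: the two from this page plus a cross-realm one.
for p in hugo hugo/afs hugo/afs@MEILAND.NL hugo@ATHENA.MIT.EDU; do
    printf '%-24s -> %s\n' "$p" "$(pts_name_for "$p")"
done
```

A user from another realm therefore needs a PTS entry such as hugo@athena.mit.edu, and granting that cross-realm user rights implies a Kerberos cross-realm trust with ATHENA.MIT.EDU.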
now restart the bosserver and check that authentication works. The shutdown still needs -localauth, because no token exists yet at this point:
#> bos shutdown server.meiland.nl -localauth
#> pkill bosserver
#> service afsserver start
#> kinit hugo/afs
#> aklog meiland.nl
#> tokens
#> bos status -server server.meiland.nl
Instance ptserver, currently running normally.
Instance vlserver, currently running normally.
tokens should list a token for meiland.nl; if aklog fails, check that the afs/meiland.nl key in rxkad.keytab matches the KDC (kvno) before looking anywhere else.
create storage space
#> bos create server.meiland.nl dafs dafs /usr/local/libexec/openafs/dafileserver /usr/local/libexec/openafs/davolserver /usr/local/libexec/openafs/salvageserver /usr/local/libexec/openafs/dasalvager -cell meiland.nl -localauth
#> vos create server.meiland.nl /vicepa root.afs -localauth
#> vos create server.meiland.nl /vicepa root.cell -localauth
The fs commands below run through the local client and rely on it using dynroot, so that /afs/meiland.nl already resolves to root.cell even though root.afs is still empty; root.afs is mounted temporarily inside root.cell to populate it, then the temporary mount point is removed.
#> fs setacl /afs/meiland.nl system:administrators rlidwka
#> fs setacl /afs/meiland.nl system:anyuser rl
#> cd /afs/meiland.nl
#> fs mkmount root.afs root.afs
#> cd root.afs
#> fs setacl . system:administrators all
#> fs setacl . system:anyuser rl
#> fs mkmount meiland.nl root.cell
#> fs mkmount .meiland.nl root.cell -rw
mount external cells:
#> fs mkmount -dir athena.mit.edu -cell athena.mit.edu -vol root.cell
remove temporary mountpoint:
#> cd ..
#> fs rmmount root.afs
system:anyuser rl on root.afs and root.cell is the norm, since those volumes hold nothing but mount points; on volumes with real data, grant system:anyuser (which includes unauthenticated clients) only what is meant to be public.
replicate database servers
To have more than one database server, install a bosserver on dbase2.meiland.nl as described above (ThisCell, CellServDB, the empty KeyFile and the bos adduser for hugo.afs); no other services are needed yet. The key file to copy from server.meiland.nl is rxkad.keytab, the cell key: transfer it over a secure channel such as scp and keep it mode 0600 on the new host. The following bos commands run with the hugo/afs token obtained above.
#> bos addhost server.meiland.nl dbase2.meiland.nl
#> bos addhost dbase2.meiland.nl dbase2.meiland.nl
#> bos restart server.meiland.nl ptserver
#> bos restart server.meiland.nl vlserver
#>bos create dbase2.meiland.nl ptserver simple /usr/local/libexec/openafs/ptserver
#>bos create dbase2.meiland.nl vlserver simple /usr/local/libexec/openafs/vlserver
Ubik will now replicate the protection and volume location databases between the two servers automatically, provided both servers' CellServDB list exactly the same set of hosts (otherwise no sync site gets elected). Then add the second server to the CellServDB on the clients as well:
>meiland.nl #demo cell
10.0.0.1 #server.meiland.nl
10.0.0.2 #dbase2.meiland.nl
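The configuration steps above (ThisCell, CellServDB, KeyFile, rxkad.keytab) and the replication step both depend on small details that are easy to get wrong: a keytab left group- or world-readable, a CellServDB whose first line does not match ThisCell, or two database servers that disagree about the host list. The script below is an example added for this page, not part of the OpenAFS port; it checks those properties for a server configuration directory. It assumes the layout used above (/usr/local/etc/openafs/server) and, when run without arguments, builds a constructed copy of this page's cell under a temporary directory so it can be tried offline.

```shell
#!/bin/sh
# Sanity-check an OpenAFS server configuration directory before starting
# bosserver. Added example for this page, not part of OpenAFS.
# Assumed layout: ThisCell, CellServDB, KeyFile and rxkad.keytab in the
# given directory (default /usr/local/etc/openafs/server).

# Key material must be mode 0600 (ls -ld output looks the same on BSD and GNU).
check_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "FAIL: missing $f"; return 1; }
    case $(ls -ld "$f") in
        -rw-------*) echo "ok:   $f is mode 0600" ;;
        *) echo "FAIL: $f must be mode 0600"; return 1 ;;
    esac
}

# CellServDB must start with ">cell" matching ThisCell, followed by one
# "A.B.C.D #hostname" line per database server.
check_cellservdb() {
    dir=$1
    cell=$(head -n 1 "$dir/ThisCell" 2>/dev/null)
    [ -n "$cell" ] || { echo "FAIL: $dir/ThisCell is missing or empty"; return 1; }
    awk -v cell="$cell" '
        BEGIN { bad = 0; n = 0 }
        NR == 1 {
            rest = substr($0, 2 + length(cell))
            if (substr($0, 1, 1) != ">" || substr($0, 2, length(cell)) != cell ||
                rest !~ /^([ \t]*#.*)?$/) {
                print "FAIL: first CellServDB line is not >" cell ": " $0; bad = 1
            }
            next
        }
        /^[ \t]*$/ { next }
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || $2 !~ /^#./ {
            print "FAIL: bad db server line: " $0; bad = 1; next
        }
        { n++ }
        END {
            if (!n) { print "FAIL: no database servers listed"; bad = 1 }
            else if (!bad) print "ok:   CellServDB lists " n " db server(s) for " cell
            exit bad
        }' "$dir/CellServDB"
}

# Sorted database server addresses of one CellServDB (for cross-host diffs).
dbhosts() { awk 'NR > 1 && NF > 0 { print $1 }' "$1" | sort; }

# Every db server's CellServDB must name the same hosts or ubik will not
# elect a sync site; compare the copy from server with the one from dbase2.
check_same_dbhosts() {
    if [ "$(dbhosts "$1")" = "$(dbhosts "$2")" ]; then
        echo "ok:   $1 and $2 agree on database servers"
    else
        echo "FAIL: $1 and $2 list different database servers"; return 1
    fi
}

audit_server_dir() {
    dir=${1:-/usr/local/etc/openafs/server}
    rc=0
    check_cellservdb "$dir" || rc=1
    check_secret_file "$dir/rxkad.keytab" || rc=1
    check_secret_file "$dir/KeyFile" || rc=1
    return $rc
}

# Constructed copy of this page's cell, so the checks can be tried offline.
demo() {
    d=$(mktemp -d) || return 1
    printf 'meiland.nl\n' > "$d/ThisCell"
    printf '>meiland.nl #demo cell\n10.0.0.1 #server.meiland.nl\n' > "$d/CellServDB"
    : > "$d/KeyFile"; : > "$d/rxkad.keytab"
    chmod 600 "$d/KeyFile" "$d/rxkad.keytab"
    audit_server_dir "$d" || { rm -rf "$d"; return 1; }
    echo "-- same directory with a world-readable keytab (must fail):"
    chmod 644 "$d/rxkad.keytab"
    if audit_server_dir "$d"; then echo "FAIL: bad mode not caught"; rm -rf "$d"; return 1; fi
    rm -rf "$d"
}

if [ $# -gt 0 ]; then audit_server_dir "$1"; else demo; fi
```

Run it as `sh audit.sh /usr/local/etc/openafs/server` on each server, and use check_same_dbhosts on CellServDB copies fetched from both database servers before restarting ptserver and vlserver.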