Transcript AFS -- Andrew File System 中科院高能物理研究所计算中心 范 勇

AFS
-- Andrew File System
中科院高能物理研究所计算中心
2002.11.11
范 勇
内容安排

AFS概述
 AFS的组成与功能
 AFS管理
 AFS应用
===================
AFS概述

AFS is an enterprise file system designed
for use in a distributed environment on
multiple computing platforms.
AFS的发展历史
AFS分布式文件系统计算环境
AFS分布式文件系统计算环境
AFS的特性





A single, shared name space for all users, from all
machines.
Location-independent file sharing.
Client caching and efficient wide-area protocols for
excellent performance
Extended security through Kerberos authentication
and Access Control Lists
Replication techniques for file system reliability
AFS中的几个基本概念







Cell
Volumes
Mount Points
Replication
Caching and Callbacks
Tokens
Access Control List
Cell





A cell is an independently administered site
running AFS.
A machine can only belong to one cell at a
time.
Users also belong to a cell in the sense of
having an account in it, but unlike machines
can belong to (have an account in) multiple
cells.
/usr/vice/etc/CellDB
/usr/afs/etc/CellDB
Volumes

An AFS volume is a logical unit of disk space that
functions like a container for the files in an AFS directory,
keeping them all together on one partition of a file server
machine.
 Make administrative tasks easier and help improve
overall system performance.
 Three types of volumes in AFS:
– single read/write version
– read-only volume
– backup volume
Mount Points

Mechanism that associates the directory and
volume is called a mount point.
 Mount Points < ========== > Volumes
Replication

Replication refers to making a copy, or clone,
of a source read/write volume and then
placing the copy on one or more additional
file server machines in a cell.
 Increases the availability of the contents.
 Most appropriate for volumes that contain
popular files that do not change very often.
Caching& Callbacks

The problem of maintaining consistency among the
many cached copies of a file and the source version
of a file.
 A callback is a promise by a File Server to a Cache
Manager to inform the latter when a change is made
to any of the data delivered by the File Server.
 Two types of Callbacks:
– a callback with a writable copy of file.
– a callback associated with the entire read-only volume
Tokens





The token is a small collection of data that certifies
that the user has correctly provided the password
associated with a particular AFS identity.
When a user successfully authenticates, the AFS
authentication service passes a token to the user’s
Cache Manager.
The Cache Manager presents the token to AFS
server processes along with service requests, as
proof that the user is genuine.
The Cache Manager stores tokens in the user’s
credential structure in kernel memory.
A user can have only one token per cell
ACL (Access Control List)



AFS ACLs provide more refined access control on a
directory and all of the files in it.
seven access permissions:
– a (administer)
– d (delete)
– i (insert)
– k (lock)
– l (lookup)
– r (read)
– w (write)
Three system groups:
– system: anyuser
– system: authuser
– system:administrators
AFS Vs UFS
AFS
UFS
Protection at directory level
Protection at file level
Only user with right ACL permission can set Normal mode bits set.
mode bits
Seven access permissions:
Three access permissions:
a (administer) d (delete) i (insert) k r (read), w(write), and x (execute).
(lock)
l (lookup) r (read) w (write)
Different set of access permissions to
each users and groups with ACL
Three defined users and groups
AFS vs. NFS (I)
NFS
AFS
Installed Base
very large
small, growing somewhat
Acces Transparency (i.e., no
special commands to get to files.
They look like they are "local")
Yes
Yes
Caching
Minimal
Full
Authorization
Global GID/UID
Kerberos
Security
Standard Unix (3 rights ACL's granting individual
to files and/or
or groups any combination
directories)
of seven rights to entire
directories
•AFS,Andrew File System; Fermilab Final Evaluation Report and Implementation
Recommendations, Farhad Abar, Gary Roedigers, Joseph Stith2, Matt Wicks. May 12,
1992.
AFS vs. NFS (II)
Location transparency (i.e. will the
client machine continue to work if the
files are moved from one location to
another?)
NFS
AFS
No
Yes
Access to local disk which is also served Better
to the network
Worse
LAN and WAN performance
Worse
Better
dedicated Servers
Sometimes
Usually
Scalability of management demands
Worse
Better
Common name space
Sometimes
Yes
Online backup
No
Yes
Online volume move
No
Yes
AFS vs. NFS: Architecture
Architecture
AFS 3
NFS 3
File servers and clients form a logical
administrative unit called a cell.
File servers and clients. Each file
server is managed independently.
Administration by collections of files Administration by individual files.
called volumes.
Automatic file location tracking by
system processes and Volume
Location Database.
Mountpoints for tracking file's physical
location set by administrators and
users.
Stateful servers.
Nearly stateless servers.
•Transarc Corporation, The AFS File System in Distributed Computing Environment,
1996
AFS vs. NFS: Performance
Performance
AFS 3
NFS 3
Robust disk caching reduces file server
and network load.
Memory caching with small buffers.
Server callbacks guarantee cache Time-based cache consistency may
consistency. Open-to-close semantics. cause inconsistencies to occur. Attributes
Attributes cached several hours.
cached 3-30 seconds.
Replicas spread the load among
preferred servers. No replication to
reduce load.
No replication to reduce load.
Excellent performance in wide-area
configurations.
Inefficient in wide-area configurations.
Scaleable; maintains performance in any
size installation.
Best in small- to medium-size
installations.
AFS vs. NFS: Availability
Availability
AFS 3
NFS 3
No standard data replication.
Read-only replication by volume.
Automatic switchover to available replica.
Files remain available to users during Users lose access to files during
reconfiguration. File names remain the reconfiguration. File moves require
same.
mountpoint changes to adjust file names.
AFS vs. NFS: Management
Management
AFS 3
NFS 3
Management tasks executed from any
machine.
Management tasks frequently require
telnet to designated machines.
Disk quotas based on volumes; easy for Disk quotas based on user ID; difficult for
user to check status. .
user to check status.
No system downtime with AFS Backup Standard UNIX backup requires system
downtime.
System.
Backup clones often used for user- All
restores
assistance.
controlled restores.
require
administrator
AFS vs. NFS: Security
Security
AFS 3
NFS 3
Kerberos version 4 authentication.
Unencrypted user IDs, trusted users and
hosts. Can be kerberized.
Access control lists for fine tuning Access control with standard UNIX mode
directory access. UNIX mode bits for the bits on files and directories.
owner.
User-definable groups.
Groups defined by system administrator.
Mutual
authentication
by
system Can use secure RPC .
processes and databases. Always uses
secure RPC.
===================
AFS的体系结构
AFS的组成

File Server
 BOS Server
 Protection Server
 Volume Server
 Volume Location Server
 Update Server
 Backup Server
 Salvager
 Cache Manager
 NTPD
File Server

Provides the same services across the network that the UNIX
file system provides on the local disk.
 Delivering programs and data files to client workstations as
requested and storing them again when the client workstation
finishes with them.
 Maintaining the hierarchical directory structure that users
create to organize their files.
 Handling requests for copying, moving, creating, and deleting
files and directories.
 Keeping track of status information about each file and
directory
 Making sure that users are authorized to perform the actions
they request on particular files or directories.
 Creating symbolic links between files.
Bos (Basic OverSeer Server)

Constantly monitors the other server processes
(local) to make sure they are running correctly.
 Automatically restarts failed processes.
 Accepts requests from the system administrator.
 Helps system administrators to manage system
configuration information.
BOS Server和其他进程的关系
Authentication Server

Verifying the identity of users as they log into
the system by requiring that they provide a
password.
 Providing the means through which server
and client processes prove their identities to
each other.
 Maintains the Authentication Database,
stores user passwords converted into
encryption key form as well as the AFS
server encryption key.
Authentication Server和其他Server的关系
Protection Server
The Protection Server’s main duty is to help the File Server
determine if a user is authorized to access a file in the
requested manner.
 Defining seven access permissions with access control list
(ACL) for each directory.
 Enabling users to grant permissions to numerous individual
users.
 Enabling users to define their own groups of users,
recorded in the Protection Database maintained by the
Protection Server.
 Enabling system administrators to create groups containing
client machine IP addresses to permit access.

File Server和Protection Server的关系
Volume Server

The Volume Server provides the interface
through which you create, delete, move, and
replicate volumes, as well as prepare them
for archiving to tape or other media (backing
up).
Volume Location Server

The VL Server maintains a complete list of
volume locations in the Volume Location
Database (VLDB).
 The VLDB and VL Server make it possible for
AFS to take advantage of the increased
system availability gained by using multiple
file server machines, because the Cache
Manager knows where to find a particular file.
Volume Server和Volume Location Server的关系
Update Server

The Update Server helps guarantee that all
file server machines are running the same
version of a server process.
 In cells that run the United States edition of
AFS, the Update Server also distributes
configuration files that all file server machines
need to store on their local disks.
Backup Server

The Backup Server maintains the information
in the Backup Database.
 Enable administrators to back up data from
AFS volumes to tape and restore it from tape
to the file system if necessary.
Salvager

The Salvager attempts to repair disk
corruption that can result from a failure.
 The BOS Server invokes the Salvager when
the File Server, Volume Server, or both fail.
Cache Manager

A set of extensions or modifications in the
client machine’s kernel that enable
communication with the server processes
running on server machines.
 Translate file requests into remote procedure
calls (RPCs) to the File Server.
 Tracks the state of files in its cache.
File Server、Cache Manager和Volume Location
Server之间的关系
Network Time Protocol Daemon

It helps guarantee that all of the file server
machines agree on the time.
 Keeping clocks synchronized coordinates the
copies of the Authentication, Backup,
Protection, and Volume Location Databases.
AFS 布署的实例
=====================
AFS的管理

Monitoring and Controlling Server Processes
 Managing Volumes
 Administering User Accounts
– uss Command Suite
 AFS Security Management
– Managing Server Encryption Keys
– Managing Access Control Lists
– Managing Administrative Privilege
 AFS Backup System
– Configuring the AFS Backup System
– Backing Up and Restoring AFS Data
 Administering Client Machines and the Cache
Manager
 Monitoring and Auditing AFS Performance
常用的AFS系统管理命令
Bos
The administrative interface to the Basic OverSeer (BOS) Server
Vos
Interface to the Volume Server and Volume Location (VL) Server.
Used to create, move, delete, replicate, back up and examine
Volumes.
Uss
Command suite help administrators to create AFS user accounts
more easily and efficiently.
Pts
Interface to the Protection Server.
Kas
Interface to the Authentication Server
Backup
The administrative interface to the AFS Backup System.
Fs
Interface to the Cache Manager on an AFS client machine.
Salvager
Initializes the Salvager component of the fs process.
常用的AFS监控命令
Scout
Monitors the File Server process
Kdb
Displays log or privileged actions performed by the Authentication
Server
Afsmonitor
Monitors File Servers and Cache Managers
Fstrace
traces Cache Manager operations in Detail.
AFS服务器管理: BOS Command Suits
BOS Command Suits
administer server process binary
files
bos getdate, Bos install, bos prune, bos uninstall
maintain system configuration files
bos addhost, bos addkey, bos adduser, bos
listhosts, bos listkeys, bos listusers, bos
removehost, bos removekey, bos removeuser,
bos setcellname
start and stop processes
bos create, bos delete, bos restart, bos
shutdown, bos start, bos startup, bos stop
set and verify server process and Bos getlog, bos getrestart, bos setauth, bos
server machine status
setrestart, bos status
restore file system consistency
bos salvage
obtain help
bos apropos, bos help
AFS卷管理: VOS Command Suits
VOS Command Suits
Create, move, and rename volumes:
vos backup, vos backupsys, vos create,
vos move, and vos rename
Remove VLDB volume records or
volumes or both:
Vos delentry, vos remove, and vos zap
Edit or display VLDB server entries:
vos changeaddr and vos listaddrs
Create and restore dump files:
vos dump and vos restore
Administer replicated volumes:
vos addsite, vos release, and vos remsite
Display
VLDB
headers:
records,
volume Vos examine, vos listvldb, and vos listvol
Display information about partitions Vos listpart and vos partinfo
that house volumes:
Restore consistency between
VLDB and volume headers:
the vos syncserv and vos syncvldb
Lock and unlock VLDB entries:
vos lock, vos unlock, and vos
Unlockvldb
Report Volume Server status:
vos status
AFS用户管理：Three types of user account

An authentication-only account.
– This type of account consists only of entries in
the Authentication Database and Protection
Database.

A basic account
– In addition to Authentication Database and
Protection Database entries, this type of account
includes a volume mounted at the home
directory with owner and ACL set appropriately.

A full account
– This type of account includes configuration files
for basic functions such as logging in, printing,
and mail delivery, making it more convenient and
useful.
AFS用户管理：用户账号的组成
AFS user account components
Protection Database entry
defines the username (the name provided
when authenticating with AFS), and maps
it to an AFS user ID
Authentication Database entry
records the user’s AFS password
home volume
Stores all the files in the user’s home
directory together on a single partition of a
file server machine. Has an associated
quota
mount point
Makes the contents of the user’s volume
visible and accessible in the AFS
filespace.
Full access permissions on the home enable the user to manage his or her files.
directory’s access control list(ACL)
local password file entry
enables the user to log in and access AFS
files through the Cache Manager.
Other optional configuration files
help the user log in and log out more
easily, receive electronic mail, print, and
AFS文件管理: FS Command Suits
FS Command Suits
set and report how the Cache
Manager interacts with server
machines:
fs checkservers, fs getcellstatus, fs
getserverprefs, fs listcells, fs newcell, fs
setcell, fs setserverprefs, fs sysname, fs
wscell
administer access control lists
(ACLs):
fs cleanacl, fs copyacl, fs listacl, fs setacl
administer server machines,
volumes or partitions :
fs diskfree, fs examine, fs listquota, fs quota,
fs
setquota, fs setvol,fs whereis, fs whichcell
administer the local client cache and Fs checkvolumes, fs flush, fs flushvolume, fs
related information:
getcacheparms, fs Setcachesize
administer volume mount points:
fs lsmount, fs mkmount, fs rmmount
control monitoring and tracing:
fs debug, fs messages
administer the Cache Manager’s
interaction with other file Systems:
fs exportafs
to obtain help:
fs apropos, fs help
AFS 安全管理：KAS Command Suits
KAS Command Suits
create, modify, examine and delete
entries in the Authentication
Database, including passwords:
kas create, kas delete, kas examine, kas
list, kas setfields, kas setkey, kas
setpassword, and kas
Unlock
create, delete, and examine tokens
and server tickets:
Kas forgetticket, kas listtickets, kas
noauthentication, and kas stringtokey
enter interactive mode:
kas interactive
trace Authentication Server
operations:
kas statistics
obtain help:
kas apropos and kas help
AFS 安全管理: PTS Command Suits
PTS Command Suits:
create and remove Protection
Database entries:
Pts creategroup, pts createuser, pts delete
administer and display group
membership:
pts adduser, pts listowned, pts membership,
pts removeuser
administer and display properties
of user and group entries other
than membership:
pts chown, pts examine, pts listentries, pts
rename, pts setfields
set and examine the counters used
when assigning IDs to users and
groups:
pts listmax, pts setmax
obtain help:
pts apropos, pts help
AFS备份管理：Backup Command Suits
Backup Command Suits:
copy data from AFS volumes to tape
or a backup data file, restore to file
system:
backup diskrestore, backup dump,
backup volrestore, and backup
volsetrestore
administer the records in the
Backup Database:
Backup adddump, backup addhost, backup
addvolentry, backup addvolset, backup
deldump, backup deletedump, backup
delhost, backup delvolentry, backup
delvolset, backup dumpinfo, backup
listdumps, backup listhosts, backup
listvolsets, backup scantape, backup
setexp, and backup volinfo
write and read tape labels:
backup labeltape and backup readlabel
list and change the status of backup
operations and the machines :
(backup) jobs, (backup) kill, and backup
status
enter and leave interactive mode:
backup (interactive) and
(backup) quit
check for and repair corruption in
the Backup Database:
backup dbverify, backup restoredb, and
backup savedb
===================
AFS的使用

Login
 Quota
 Access Control
 Groups
常用的AFS用户命令(I)
klog
authenticate with AFS.
tokens
display user tokens.
kas examine
Display authentication information
Unlog
discard user tokens
Kpasswd
change the password.
fs quota
displays the percentage of quota used for the volumes
fs listquota
Display information about a volume
fs examine
displays quota and other information about the volume that
houses the current working directory.
fs whereis
Display File Directory’s Location
fs
checkservers
check the status of file server machines.
fs listcells
Display foreign Cells
fs
Display the file server machine preference ranks used by the
常用的AFS用户命令(II)
fs listacl
Display ACL of a directory
Fs setacl
edit entries in the normal permissions section of the ACL.
fs copyacl
copy a source ACL to the ACL on one or more destination
directories.
pts
membership
Display the members of a group, or the groups to which a
user belongs.
pts listowned
display the groups that a user or group Owns.
pts examine
display general information about a user or group, including
its name, AFS ID, creator, and owner.
pts
creategroup
to create a group
pts adduser
add members to a group
pts members
list membership of a user or group
fs cleanacl
remove obsolete entries from ACLs after the corresponding
user or group has been deleted.
pts delete
delete a group.
常用的AFS用户命令(III)
pts chown
change a group’s name.
pts rename
change a group’s name.
pts setfields
set the privacy flags on one or more groups.
The End