UNC OpenAFS Client Installation Guide for Linux Systems

Introduction

This document provides instructions for installing and configuring the UNC OpenAFS client on the following operating systems:

Red Hat Enterprise Linux 3.0.

Red Hat Enterprise Linux 4.0.

Red Hat Enterprise Linux 5.0.

Create a partition to house the AFS cache

Every OpenAFS client must have a cache in which to store local copies of files brought over from AFS file servers. The AFS Cache Manager can cache either on disk or in machine memory. It is strongly recommended that you create a separate partition to house the AFS cache, so that a full cache can never exhaust the root filesystem. The size of the AFS cache depends on the needs of the client. The maximum AFS cache size that can be specified in the /usr/vice/etc/cacheinfo file is 1024000 KB (1 GB). A good size is around 512000 KB (500 MB).

Do not specify an AFS cache size larger than 95% of the space available on the partition housing the AFS cache.

To determine the size of the partition, use this formula:

            Partition-size (MB) = AFS-cache-size (MB) x 100 / 95 + 10 (MB)

The filesystem type of the partition that houses the AFS cache must be ext2; no other filesystem type is supported at this time.

Once the size of the partition that houses the AFS cache has been determined, create the partition and make an ext2 filesystem on it. Then make the mount point at /usr/vice/cache using the following command:

            # mkdir -p /usr/vice/cache

Add an entry for the partition in the /etc/fstab file, with filesystem type ext2. Finally, to mount the partition, use the mount command:

            # mount /usr/vice/cache

Install the OpenAFS client

From the ftp.unc.edu anonymous FTP server, download the OpenAFS UNC client tar file for your version of Red Hat (it should be in the pub/openafs/current directory). The UNC OpenAFS client provides the basic client binaries and configuration files needed to mount and manipulate AFS and has been customized for use at UNC Chapel Hill. Once you have the tar file on the local machine, move it to the root directory and untar it. Because the archive is unpacked as root directly into /, list its contents first and confirm that it only writes the paths you expect before extracting:

                # cd /
                # tar -xvf <full path of tar file>
                

If you can't find the OpenAFS client for your version of Red Hat, visit the openafs.org download site and install the following RPMs. The kernel-module package must be built for the exact kernel you are running; compare its version with the output of uname -r before installing it:

openafs

openafs-kernel

openafs-client

openafs-compat

Configure the OpenAFS client

In order to customize the OpenAFS client to your particular machine and to the UNC environment, the following modifications must be made:

1. The OpenAFS client must be informed of UNC's AFS database servers. The /usr/vice/etc/CellServDB file contains the locations of the AFS database servers of AFS cells. For the UNC ITS AFS cell, they are:

>isis.unc.edu                # University of North Carolina at Chapel Hill
152.2.1.5                    #db0.isis.unc.edu
152.2.1.6                    #db1.isis.unc.edu
152.2.1.7                    #db2.isis.unc.edu

2. The OpenAFS client must be told it is a member of the UNC ITS AFS cell. The /usr/vice/etc/ThisCell file contains the name of the OpenAFS client's home AFS cell (or domain). The file needs to change to read: "isis.unc.edu".

3. The OpenAFS client must be informed of its local cache parameters. See the "Create a partition to house the AFS cache" section above for details. For both types of caching, afsd consults the /usr/vice/etc/cacheinfo file as it initializes the Cache Manager and cache to learn the cache size and where to mount AFS locally.

The file has three colon-delimited fields and looks like the following:

/afs:/usr/vice/cache:512000

a) The first field specifies where to mount AFS on the local disk. This value needs to be /afs.

b) The second field defines the local disk directory to be used for caching, in the case of disk cache. The standard choice is /usr/vice/cache. Something must appear in this field even if the machine uses memory caching.

c) The third field defines the AFS cache size as a number of 1-kilobyte (1024-byte) blocks. A good size is around 500 MB (a value of 512000 in the cacheinfo file). By default, the RPM installs a cacheinfo file that tells the OpenAFS client to use 500 MB. If a separate cache partition has been created, or if a different size of AFS cache is desired, edit this last field of the cacheinfo file to reflect the desired cache size, keeping it within the limits given in the cache partition section above.
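The following shell script is an added example and is not part of the UNC guide or of OpenAFS. It applies the sizing rules from the "Create a partition to house the AFS cache" section to a cacheinfo line: the partition-size formula, the 1024000 KB ceiling, the 95% rule and the ext2 requirement. The function names, and the partition figures passed to them, are this example's own; on a live machine the figures would come from df -kP /usr/vice/cache and /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the UNC guide): check a cacheinfo line against the
# cache partition. Limits and formula are those stated in the guide; the
# function names and sample figures are this example's own assumptions.

# afs_partition_mb CACHE_KB: minimum partition size in MB for a cache of
# CACHE_KB 1-kilobyte blocks, per the guide's formula
#   partition_mb = cache_mb * 100 / 95 + 10   (rounded up to a whole MB)
afs_partition_mb() {
    awk -v kb="$1" 'BEGIN {
        mb = kb / 1024 * 100 / 95 + 10
        printf "%d\n", (mb == int(mb)) ? mb : int(mb) + 1
    }'
}

# check_cacheinfo LINE PARTITION_KB FSTYPE
#   LINE          the cacheinfo line, e.g. /afs:/usr/vice/cache:512000
#   PARTITION_KB  size of the cache partition in KB (df -kP, second column)
#   FSTYPE        its filesystem type (third column of /proc/mounts)
# Prints every problem found and returns 1 if there were any, 0 otherwise.
check_cacheinfo() {
    line=$1; part_kb=$2; fstype=$3; rc=0
    nfields=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
    mnt=$(printf '%s\n' "$line" | cut -d: -f1)
    dir=$(printf '%s\n' "$line" | cut -d: -f2)
    size=$(printf '%s\n' "$line" | cut -d: -f3)

    [ "$nfields" -eq 3 ] || { echo "expected 3 colon-separated fields, got $nfields"; rc=1; }
    [ "$mnt" = /afs ]    || { echo "mount point must be /afs, got '$mnt'"; rc=1; }
    [ -n "$dir" ]        || { echo "cache directory field must not be empty"; rc=1; }
    case $size in
        ''|*[!0-9]*) echo "cache size '$size' is not a number of 1K blocks"; return 1 ;;
    esac
    # the guide's hard ceiling on the third field
    [ "$size" -le 1024000 ] || { echo "cache size $size exceeds the 1024000 KB maximum"; rc=1; }
    # the guide's 95% rule, measured against the real partition
    max_kb=$((part_kb * 95 / 100))
    [ "$size" -le "$max_kb" ] || { echo "cache size $size exceeds 95% of the partition ($max_kb KB)"; rc=1; }
    # only ext2 is supported for the cache partition
    [ "$fstype" = ext2 ] || { echo "cache partition is $fstype, must be ext2"; rc=1; }
    return $rc
}

# Constructed usage (no real partition is inspected here):
afs_partition_mb 512000                                   # prints 537
check_cacheinfo /afs:/usr/vice/cache:512000 560000 ext2   # silent, returns 0
```

On a real client, pass the output of df -kP /usr/vice/cache (second field of the second line) and the filesystem type recorded for /usr/vice/cache in /proc/mounts; a non-zero return means afsd would be started with a cache larger than the partition can safely hold.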

4. Copy the default afs configuration file into place:

                # cp /usr/vice/etc/afs.conf /etc/sysconfig/afs

By default, the variables CACHESIZE and OPTIONS are set to "AUTOMATIC". If you leave these as-is, the init script will choose a set of options based on the cache size. Otherwise the values specified in this file will be used. For more information to help determine what these values should be, please refer to the cache sizing section of the AFS Administrator's Guide.

By default, the variables ENABLE_AFSDB and ENABLE_DYNROOT are turned on. With AFSDB off, the client locates a cell's database servers only through the CellServDB entries from step 1 rather than through DNS AFSDB records; with DYNROOT off, the contents of /afs come from the home cell's root.afs volume rather than being synthesized from CellServDB. These two variables need to change to read:

ENABLE_AFSDB=off
ENABLE_DYNROOT=off

5. If /usr/afsws does not exist, then make a link from your local space to AFS space to gain easier access to the AFS binaries:

                # ln -s /afs/isis/@sys/usr/afsws /usr/afsws
                

6. Red Hat Enterprise Linux systems use iptables for firewalling. While ITS doesn't officially support any firewall products or configurations, doing the following should allow the AFS client's cache manager to communicate with the AFS file servers:

1. Save the current iptables configuration:

# service iptables save

The service iptables save command saves the iptables configuration in the /etc/sysconfig/iptables file. When the system reboots, the iptables-restore program reads the configuration and makes it the active configuration.

2. Create a new rules file containing the current values:

# iptables-save > /etc/sysconfig/iptables.new

3. Here is a sample configuration that allows AFS and iptables to coexist. Use this example to update the /etc/sysconfig/iptables.new file.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45:6530]
:AFS-INPUT - [0:0]
:KERBEROS-INPUT - [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j KERBEROS-INPUT
-A INPUT -j AFS-INPUT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A AFS-INPUT -p udp -m udp --sport 7000 --dport 7001 -j ACCEPT
-A AFS-INPUT -p udp -m state --state ESTABLISHED -m udp --sport 7002:7005 --dport 1025:65535 -j ACCEPT
-A KERBEROS-INPUT -p udp -m state --state ESTABLISHED -m udp --sport 88 --dport 1025:65535 -j ACCEPT
-A KERBEROS-INPUT -p udp -m state --state ESTABLISHED -m udp --sport 750 --dport 1025:65535 -j ACCEPT
-A KERBEROS-INPUT -p udp -m state --state ESTABLISHED -m udp --sport 4444 --dport 1025:65535 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -s 152.2.0.26 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s 152.2.21.1 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s 152.2.253.100 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 7001 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

This configuration introduces two new input chains (every rule in a saved ruleset must end in a -j target; a line without one makes iptables-restore reject the whole file):

KERBEROS-INPUT: tells iptables to allow replies from the Kerberos services (kerberos, kerberos5, and krb524) through to the Kerberos client on ports above 1024 if and only if the Kerberos client sent out the request from that port (the ESTABLISHED state match for UDP).

AFS-INPUT: does the same for replies from the AFS database server ports 7002 through 7005. This chain also accepts UDP datagrams sent from port 7000 to port 7001, because AFS file servers (port 7000) send unsolicited callback messages to the Cache Manager, which listens on port 7001. The RH-Firewall-1-INPUT chain contains a broader rule accepting UDP to port 7001 from any source port; the AFS-INPUT rule, consulted first, is the narrower of the two.

4. Reload it into the active firewall rule set with the iptables-restore command:

# iptables-restore < /etc/sysconfig/iptables.new

5. Finally, you should permanently save the active configuration so that it will be loaded automatically when the system reboots:

# service iptables save

If a firewall product other than iptables is in use on the client machine, then these ports must be opened to allow the OpenAFS client to function properly. Apart from 7001/udp, which the client must be able to receive on, these are server-side ports the client sends to, and the replies come back to the client's ephemeral port:
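The script below is an added example, not part of the UNC guide: a pre-flight check to run on /etc/sysconfig/iptables.new before step 4, since iptables-restore rejects the entire file if a single rule line lacks its -j target. It also confirms that the two rules the OpenAFS client depends on (file-server callbacks to 7001/udp and established replies from 7002:7005/udp) are present. The function names and the abridged sample ruleset written by sample_rules are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the UNC guide): sanity-check a saved iptables ruleset
# (iptables-save format) before handing it to iptables-restore.

# lint_iptables_file FILE: returns 0 if every -A rule line carries a -j target,
# otherwise prints each offending line and returns 1.
lint_iptables_file() {
    awk '
        /^-A / && !/ -j / { printf "line %d: rule has no -j target: %s\n", NR, $0; bad++ }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# afs_rules_present FILE: returns 0 if the ruleset contains
#   (1) an ACCEPT for UDP to port 7001 (file-server callbacks to the Cache Manager)
#   (2) an ESTABLISHED ACCEPT for UDP replies from the database ports 7002:7005
afs_rules_present() {
    grep -q -- '-p udp .*--dport 7001 .*-j ACCEPT' "$1" \
        || { echo "no ACCEPT for udp dport 7001 (file-server callbacks)"; return 1; }
    grep -q -- '--state ESTABLISHED .*--sport 7002:7005 .*-j ACCEPT' "$1" \
        || { echo "no ESTABLISHED ACCEPT for udp sport 7002:7005 (db server replies)"; return 1; }
}

# check_ruleset FILE: both checks; 0 only if the file is safe to restore.
check_ruleset() {
    lint_iptables_file "$1" && afs_rules_present "$1"
}

# sample_rules: a constructed, abridged ruleset in iptables-save format that
# reproduces the one defect such files commonly carry: a rule missing "-j".
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:AFS-INPUT - [0:0]
:KERBEROS-INPUT - [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j KERBEROS-INPUT
-A INPUT -j AFS-INPUT
-A INPUT -j RH-Firewall-1-INPUT
-A AFS-INPUT -p udp -m udp --sport 7000 --dport 7001 -j ACCEPT
-A AFS-INPUT -p udp -m state --state ESTABLISHED -m udp --sport 7002:7005 --dport 1025:65535 -j ACCEPT
-A KERBEROS-INPUT -p udp -m state --state ESTABLISHED -m udp --sport 88 --dport 1025:65535 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -s 152.2.253.100 -p udp -m udp --sport 53 ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 7001 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Intended use on a client (not executed here):
#   check_ruleset /etc/sysconfig/iptables.new && iptables-restore < /etc/sysconfig/iptables.new
```

Run check_ruleset against the edited file; only when it returns 0 should the file be loaded with iptables-restore and saved with service iptables save.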

7001/udp, the port on which the AFS client's Cache Manager listens; AFS file servers (7000/udp) send callbacks to it unsolicited, so it must accept inbound traffic.

7002/udp, the Protection Server (ptserver), used by the 'pts' command.

7003/udp, the Volume Location Server (vlserver), consulted by the Cache Manager and by the 'vos' command.

7004/udp, the Authentication Server (kaserver), used by AFS authentication.

7005/udp, the Volume Server (volserver), used by the 'vos' command.

750/udp for Kerberos 4 authentication.

88/udp for Kerberos 5 authentication.

4444/udp for Kerberos 5 to Kerberos 4 ticket translation (krb524).

Start OpenAFS client

Copy the initialization script into place:

            # cp /usr/vice/etc/afs.rc /etc/init.d/afs
            

Complete this step only if you are installing the OpenAFS client on a RHEL 4 or RHEL 5 64-bit operating system (x86_64); it sets the @sys name the client uses to resolve the /afs/isis/@sys path from step 5.

Edit the /etc/init.d/afs file and locate the block of commands that starts with the following:

            # Start AFS client
            if is_on $AFS_CLIENT && test -x $AFSD ; then
                        generate_cacheinfo
                        choose_afsdoptions
                        $AFSD ${AFSD_OPTIONS}
                        test "$afs_rh" && touch /var/lock/subsys/afs
                        $AFS_POST_INIT
            fi

Add the following line to the block of commands, immediately before $AFS_POST_INIT:

For RHEL 4.0 64-bit O/S (x86_64):

/usr/bin/fs sysname amd64_linux26_rh4

For RHEL 5.0 64-bit O/S (x86_64):

/usr/bin/fs sysname amd64_linux26_rh5
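The following is an added example, not part of the UNC guide or of the OpenAFS init script: it performs the edit described above from the shell, inserting the fs sysname line immediately before the first $AFS_POST_INIT line with the same indentation, and does nothing if the line is already there, so it is safe to re-run. The sysname values are the guide's; the function names, the detection of the RHEL release from /etc/redhat-release, and the sample init-script fragment used for the check are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the UNC guide): add "fs sysname <name>" to
# /etc/init.d/afs idempotently. Function names are this example's own.

# afs_sysname RELEASE ARCH: the guide's sysname for x86_64 RHEL 4 or 5;
# returns 1 (prints nothing) for other combinations, which need no edit.
afs_sysname() {
    case "$2:$1" in
        x86_64:4) echo amd64_linux26_rh4 ;;
        x86_64:5) echo amd64_linux26_rh5 ;;
        *)        return 1 ;;
    esac
}

# detect_rhel_release: major release number from /etc/redhat-release
# (assumed format "... release N ..."), e.g. 5.
detect_rhel_release() {
    sed -n 's/.*release \([0-9][0-9]*\).*/\1/p' /etc/redhat-release 2>/dev/null | head -1
}

# add_sysname_to_init FILE SYSNAME: insert "/usr/bin/fs sysname SYSNAME"
# before the first line containing $AFS_POST_INIT, copying that line's
# indentation. No-op if the line is already present; fails if no anchor.
add_sysname_to_init() {
    file=$1; name=$2
    if grep -q "fs sysname $name" "$file"; then
        return 0                          # already done on an earlier run
    fi
    grep -q '\$AFS_POST_INIT' "$file" \
        || { echo "no \$AFS_POST_INIT line in $file" >&2; return 1; }
    awk -v name="$name" '
        /\$AFS_POST_INIT/ && !done {
            match($0, /^[ \t]*/)         # indentation of the anchor line
            printf "%s/usr/bin/fs sysname %s\n", substr($0, 1, RLENGTH), name
            done = 1
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Intended use on a client (not executed here):
#   name=$(afs_sysname "$(detect_rhel_release)" "$(uname -m)") \
#       && add_sysname_to_init /etc/init.d/afs "$name"
```

After the edit, "fs sysname" run as root should print the chosen value once the client has started, and a second run of the script leaves /etc/init.d/afs unchanged.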

Start OpenAFS client:

            # /etc/init.d/afs start
            

Onyen Authentication

To make the system authenticate Onyens, follow the OpenSSH Installation Instructions to install the ITS-supported version of OpenSSH.

Now that an OpenAFS client has been installed, Onyens can be added to the system. There exists a mechanism that pulls information about selected Onyens from a central database and makes entries in the system files. This mechanism is called prop, and it needs to be configured and run to add Onyens to the system.

Some users have their default shell running from AFS package space. To let these users log in, the /etc/shells file needs to be updated. Add the following lines to this file, exactly as shown and without a leading "#", since /etc/shells treats lines beginning with "#" as comments:

            /afs/isis/pkg/tcsh/bin/tcsh
            /afs/isis/pkg/bash/bin/bash
            

OpenAFS Client Install Verification

If the OpenAFS client installation was successful, it should be configured to start upon reboot. To verify this, invoke the chkconfig command. The output should look like the following:

            # chkconfig --list afs
            afs 0:off 1:off 2:off 3:on 4:off 5:on 6:off

If this is not the output that is generated by the command, check to make sure that /etc/init.d/afs exists. If the file does exist, try issuing a chkconfig --add afs command.

Once other configurations have been completed, try to login from another machine. Check that you can access AFS space and that you have been given your correct AFS tokens.

To check whether you have tokens, use the /usr/afsws/bin/tokens command; the output should list a token for afs@isis.unc.edu with a future expiry time:

Tokens held by the Cache Manager:

User's (AFS ID 62083) tokens for afs@isis.unc.edu [Expires Aug  3 09:05]
User hpham's tokens for krbtgt.ISIS.UNC.EDU@isis.unc.edu [Expires Aug  3 09:18]
   --End of list--

University of North Carolina - Chapel Hill