AFS

From FarmShare

(Difference between revisions)
(one user's experience)
(Removed legacy FarmShare information)
 
(17 intermediate revisions not shown)
Line 1: Line 1:
-
==Links==
+
FarmShare no longer uses AFS for users' home directories, but AFS is still accessible on <code>rice</code> systems (and on <code>rice</code> systems ''only''). A link to users’ AFS home directories, <code>~/afs-home</code>, is provided as a convenience, but locations in AFS should not be used as working directories for batch jobs.
-
*https://itservices.stanford.edu/service/afs/intro
+
-
*https://itservices.stanford.edu/service/kerberos/user_guide/how
+
-
*http://fnal.gov/docs/strongauth/user.html
+
-
==automated status==
+
== Authentication ==
-
You may want to add something like these lines to your .login (or the equivalent for your preferred shell)
+
-
  echo " === === === Your Kerberos ticket and AFS token status: === === ==="
+
Access to AFS requires valid Kerberos credentials and an AFS token. You can examine your current authentication status using the <code>klist</code> and <code>tokens</code> commands, and re-authenticate when necessary using the <code>kinit</code> and <code>aklog</code> commands. If you have trouble accessing files in AFS, try re-authenticating.
-
  klist -5 -f | grep -2 krbtgt | grep Flags | xargs echo 'Kerberos:'
+
-
  tokens | grep AFS | xargs -0 echo 'AFS: '
+
-
You'll get output like this is you don't have the right ticket/token:
+
  kinit && aklog
-
<pre>
+
-
  === === === Your Kerberos ticket and AFS token status: === === ===
+
-
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_45787_8xDfEP)
+
-
Kerberos:
+
-
AFS:
+
-
</pre>
+
-
You'll get output like this if you do have the right credentials:
+
Tokens expire after 25 hours (the maximum Kerberos ticket lifetime in the <code>stanford.edu</code> realm). You can renew your Kerberos credentials without having to re-authenticate if you do so before they expire, and then run <code>aklog</code> to get a new token. Kerberos tickets are renewable daily, for up to 7 days.
-
<pre>
+
-
=== === === Your Kerberos ticket and AFS token status: === === ===
+
-
Kerberos: renew until 01/27/12 15:11:17, Flags: FRIA
+
-
AFS:  User's (AFS ID 45787) tokens for afs@ir.stanford.edu [Expires Jan 21 16:11]
+
-
</pre>
+
-
==commands==
+
kinit -R && aklog
-
To obtain and cache Kerberos ticket-granting ticket:
+
-
<pre style="margin-left: 40px;">kinit</pre>
+
-
To&nbsp;list cached Kerberos tickets:
+
-
<pre style="margin-left: 40px;">klist</pre>
+
-
Next, you'll want to ensure you have a valid AFS token.
+
-
To obtain tokens for authentication to AFS:
+
[[Advanced Connection Options]] includes instructions for making sure you have an AFS token at login when using GSSAPI for authentication. See the <code>man</code> pages for the <code>klist</code>, <code>tokens</code>, <code>kinit</code>, and <code>aklog</code> commands, as well as the [https://itservices.stanford.edu/service/kerberos Kerberos] and [https://itservices.stanford.edu/service/afs AFS] service documentation, for more information.
-
<pre style="margin-left: 40px;">aklog</pre>  
+
-
To display the issuer's tokens:
+
-
<pre style="margin-left: 40px;">tokens</pre>  
+
-
Then you can just submit jobs to the resource manager, and the jobs will be able to read/write to/from your AFS directories, assuming your kerberos ticket is renewable and forwardable.
+
-
To submit a batch job to Grid Engine:
+
== Quota and Backup ==
-
<pre style="margin-left: 40px;">echo "sleep 3600" | qsub</pre>
+
-
A simple, complete example:
+
-
<pre style="margin-left: 40px;">ssh corn
+
-
kinit
+
-
aklog
+
-
echo "sleep 3600" | qsub</pre>
+
-
Use "klist -f" and "tokens" for any troubleshooting.
+
The default, per-user quota for AFS home directories is 5 GB, but you may have additional quota due to your enrollment in certain courses, and you can [https://tools.stanford.edu/cgi-bin/afs-request request] additional quota (up to 20 GB total) with faculty sponsorship. You can use the <code>fs</code> command to examine your quota and usage.
-
== grid engine integration ==
+
fs listquota ~/afs-home
-
We use AUKS and if you have your renewable TGT and AFS tokens, they will get saved and applied to your job when it runs.
+
-
== keeping your tokens for more than 24hrs ==
+
AFS is backed up every night, and backups are kept for 30 days. The most recent snapshot of your AFS home directory is available in the <code>.backup</code> subdirectory, and you can request recovery from older backups by submitting a [https://helpsu.stanford.edu HelpSU] ticket.
-
 
+
-
If you're using cardinal/corn, you should use "keeptoken" per https://itservices.stanford.edu/service/afs/learningmore/tokens
+
-
 
+
-
'keeptoken' uses the 'krenew' command, you can read the script directly, it's /usr/local/bin/keeptoken on any corn
+
-
 
+
-
If you're submitting a job to the barleys (from the corns) you should _not_ use keeptoken. The AUKS/SGE integration will handle the krenew/aklog process for you, but you should verify that you have renewable tickets and re-authenticate, if necessary, before submitting.
+
-
 
+
-
If you have have Kerberos credentials when you submit your job, the queuing system should:
+
-
 
+
-
    - Store your credentials on a remote server at submission time
+
-
    - Renew those stored credentials while your job is waiting to run
+
-
    - Retrieve your credentials on the execution host before your job starts there
+
-
    - Renew your credentials on the execution host while the job is running
+
-
 
+
-
==checking your quota==
+
-
To check your AFS space quota, try
+
-
  fs quota
+
-
or
+
-
  /usr/bin/check-stanford-afs-quota
+
-
 
+
-
They output different formats.  If you want to check your e-mail quota, you can log in to webmail and mouseover your name in the upper right corner.  You can also look in the "Account status & storage quota" section of stanfordyou.stanford.edu
+
-
 
+
-
==one user's experience==
+
-
To keep your afs permissions for more than a day you need to do the following
+
-
 
+
-
# pagsh
+
-
# kinit;aklog
+
-
# screen
+
-
# keeptoken
+
-
# paste whatever prints out. This will keep afs permissions for up to 7 days (the maximum renewable lifetime of a Kerberos ticket in the Stanford realm)
+
-
 
+
-
This is also written here:
+
-
https://itservices.stanford.edu/?q=service/afs/learningmore/tokens
+
-
 
+
-
==keeptoken==
+
-
 
+
-
Keeptoken is an old wrapper script around krenew.  My understanding it that it was more useful before we moved to Kerberos5 many years ago.
+
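Review bot: the new Authentication text recommends "kinit -R && aklog" but drops the removed troubleshooting line 'Use "klist -f" and "tokens" for any troubleshooting', so a reader has no way left on the page to confirm a ticket is actually renewable before relying on renewal. Suggest keeping one sentence next to the renew command that points at "klist -f" for checking the renewable flag. The removed sample output ("Flags: FRIA", "tokens for afs@ir.stanford.edu [Expires ...]") was also the only illustration of what a good state looks like, so a short example of healthy klist and tokens output would be worth carrying over.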

Latest revision as of 10:04, 25 January 2018

FarmShare no longer uses AFS for users' home directories, but AFS is still accessible on rice systems (and on rice systems only). A link to users’ AFS home directories, ~/afs-home, is provided as a convenience, but locations in AFS should not be used as working directories for batch jobs.

Authentication

Access to AFS requires valid Kerberos credentials and an AFS token. You can examine your current authentication status using the klist and tokens commands, and re-authenticate when necessary using the kinit and aklog commands. If you have trouble accessing files in AFS, try re-authenticating.

kinit && aklog

Tokens expire after 25 hours (the maximum Kerberos ticket lifetime in the stanford.edu realm). You can renew your Kerberos credentials without having to re-authenticate if you do so before they expire, and then run aklog to get a new token. Kerberos tickets are renewable daily, for up to 7 days.

kinit -R && aklog
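
The renew-or-re-authenticate decision described above, as an added shell example (not part of the FarmShare page). It assumes MIT Kerberos `klist -s` and the `tokens` output format shown in the older revision of this page; the function names `afs_refresh` and `has_afs_token` are hypothetical.

```shell
#!/bin/sh
# Added example: non-interactive Kerberos/AFS credential refresh.
# Assumes MIT Kerberos `klist -s` (exit 0 only if the cache holds an
# unexpired ticket) and OpenAFS `tokens`; function names are hypothetical.

# has_afs_token: succeed if `tokens` lists a token for an AFS cell,
# matching lines such as "... tokens for afs@ir.stanford.edu [Expires ...]".
has_afs_token() {
    tokens 2>/dev/null | grep -q 'tokens for afs@'
}

# afs_refresh: print one status word; return 0 only when a ticket and a
# token are both in place afterwards. It never prompts for a password.
#   renewed  - ticket renewed with kinit -R, new token from aklog
#   valid    - renewal refused (not renewable, or past the renewable
#              lifetime) but ticket unexpired; token refreshed from it
#   reauth   - no usable ticket; run `kinit && aklog` interactively
#   notoken  - ticket is fine but aklog did not yield an AFS token
afs_refresh() {
    if ! klist -s; then
        echo reauth
        return 1
    fi
    if kinit -R 2>/dev/null; then
        status=renewed
    else
        status=valid
    fi
    if aklog 2>/dev/null && has_afs_token; then
        echo "$status"
        return 0
    fi
    echo notoken
    return 2
}

# Run only when asked, so the file can also be sourced from a shell rc file.
if [ "${1:-}" = "--run" ]; then
    afs_refresh
fi
```

A `valid` result means the ticket will lapse at its current expiry time, so a full `kinit && aklog` is needed before then.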

Advanced Connection Options includes instructions for making sure you have an AFS token at login when using GSSAPI for authentication. See the man pages for the klist, tokens, kinit, and aklog commands, as well as the Kerberos and AFS service documentation, for more information.

Quota and Backup

The default, per-user quota for AFS home directories is 5 GB, but you may have additional quota due to your enrollment in certain courses, and you can request additional quota (up to 20 GB total) with faculty sponsorship. You can use the fs command to examine your quota and usage.

fs listquota ~/afs-home

AFS is backed up every night, and backups are kept for 30 days. The most recent snapshot of your AFS home directory is available in the .backup subdirectory, and you can request recovery from older backups by submitting a HelpSU ticket.
