linux/Documentation/filesystems/afs.txt
<<
>>
Prefs
   1                             ====================
   2                             kAFS: AFS FILESYSTEM
   3                             ====================
   4
   5Contents:
   6
   7 - Overview.
   8 - Usage.
   9 - Mountpoints.
  10 - Proc filesystem.
  11 - The cell database.
  12 - Security.
  13 - Examples.
  14
  15
  16========
  17OVERVIEW
  18========
  19
  20This filesystem provides a fairly simple secure AFS filesystem driver. It is
  21under development and does not yet provide the full feature set.  The features
  22it does support include:
  23
  24 (*) Security (currently only AFS kaserver and KerberosIV tickets).
  25
  26 (*) File reading and writing.
  27
  28 (*) Automounting.
  29
  30 (*) Local caching (via fscache).
  31
  32It does not yet support the following AFS features:
  33
  34 (*) pioctl() system call.
  35
  36
  37===========
  38COMPILATION
  39===========
  40
  41The filesystem should be enabled by turning on the kernel configuration
  42options:
  43
  44        CONFIG_AF_RXRPC         - The RxRPC protocol transport
  45        CONFIG_RXKAD            - The RxRPC Kerberos security handler
  46        CONFIG_AFS              - The AFS filesystem
  47
  48Additionally, the following can be turned on to aid debugging:
  49
  50        CONFIG_AF_RXRPC_DEBUG   - Permit AF_RXRPC debugging to be enabled
  51        CONFIG_AFS_DEBUG        - Permit AFS debugging to be enabled
  52
  53They permit the debugging messages to be turned on dynamically by manipulating
  54the masks in the following files:
  55
  56        /sys/module/af_rxrpc/parameters/debug
  57        /sys/module/kafs/parameters/debug
  58
  59
  60=====
  61USAGE
  62=====
  63
  64When inserting the driver modules the root cell must be specified along with a
  65list of volume location server IP addresses:
  66
  67        modprobe rxrpc
  68        modprobe kafs rootcell=cambridge.redhat.com:172.16.18.73:172.16.18.91
  69
  70The first module is the AF_RXRPC network protocol driver.  This provides the
  71RxRPC remote operation protocol and may also be accessed from userspace.  See:
  72
  73        Documentation/networking/rxrpc.txt
  74
  75The second module is the kerberos RxRPC security driver, and the third module
  76is the actual filesystem driver for the AFS filesystem.
  77
  78Once the module has been loaded, more modules can be added by the following
  79procedure:
  80
  81        echo add grand.central.org 18.9.48.14:128.2.203.61:130.237.48.87 >/proc/fs/afs/cells
  82
  83Where the parameters to the "add" command are the name of a cell and a list of
  84volume location servers within that cell, with the latter separated by colons.
  85
  86Filesystems can be mounted anywhere by commands similar to the following:
  87
  88        mount -t afs "%cambridge.redhat.com:root.afs." /afs
  89        mount -t afs "#cambridge.redhat.com:root.cell." /afs/cambridge
  90        mount -t afs "#root.afs." /afs
  91        mount -t afs "#root.cell." /afs/cambridge
  92
  93Where the initial character is either a hash or a percent symbol depending on
  94whether you definitely want a R/W volume (percent) or whether you'd prefer a
  95R/O volume, but are willing to use a R/W volume instead (hash).
  96
  97The name of the volume can be suffixes with ".backup" or ".readonly" to
  98specify connection to only volumes of those types.
  99
 100The name of the cell is optional, and if not given during a mount, then the
 101named volume will be looked up in the cell specified during modprobe.
 102
 103Additional cells can be added through /proc (see later section).
 104
 105
 106===========
 107MOUNTPOINTS
 108===========
 109
 110AFS has a concept of mountpoints. In AFS terms, these are specially formatted
 111symbolic links (of the same form as the "device name" passed to mount).  kAFS
 112presents these to the user as directories that have a follow-link capability
 113(ie: symbolic link semantics).  If anyone attempts to access them, they will
 114automatically cause the target volume to be mounted (if possible) on that site.
 115
 116Automatically mounted filesystems will be automatically unmounted approximately
 117twenty minutes after they were last used.  Alternatively they can be unmounted
 118directly with the umount() system call.
 119
 120Manually unmounting an AFS volume will cause any idle submounts upon it to be
 121culled first.  If all are culled, then the requested volume will also be
 122unmounted, otherwise error EBUSY will be returned.
 123
 124This can be used by the administrator to attempt to unmount the whole AFS tree
 125mounted on /afs in one go by doing:
 126
 127        umount /afs
 128
 129
 130===============
 131PROC FILESYSTEM
 132===============
 133
 134The AFS modules creates a "/proc/fs/afs/" directory and populates it:
 135
 136  (*) A "cells" file that lists cells currently known to the afs module and
 137      their usage counts:
 138
 139        [root@andromeda ~]# cat /proc/fs/afs/cells
 140        USE NAME
 141          3 cambridge.redhat.com
 142
 143  (*) A directory per cell that contains files that list volume location
 144      servers, volumes, and active servers known within that cell.
 145
 146        [root@andromeda ~]# cat /proc/fs/afs/cambridge.redhat.com/servers
 147        USE ADDR            STATE
 148          4 172.16.18.91        0
 149        [root@andromeda ~]# cat /proc/fs/afs/cambridge.redhat.com/vlservers
 150        ADDRESS
 151        172.16.18.91
 152        [root@andromeda ~]# cat /proc/fs/afs/cambridge.redhat.com/volumes
 153        USE STT VLID[0]  VLID[1]  VLID[2]  NAME
 154          1 Val 20000000 20000001 20000002 root.afs
 155
 156
 157=================
 158THE CELL DATABASE
 159=================
 160
 161The filesystem maintains an internal database of all the cells it knows and the
 162IP addresses of the volume location servers for those cells.  The cell to which
 163the system belongs is added to the database when modprobe is performed by the
 164"rootcell=" argument or, if compiled in, using a "kafs.rootcell=" argument on
 165the kernel command line.
 166
 167Further cells can be added by commands similar to the following:
 168
 169        echo add CELLNAME VLADDR[:VLADDR][:VLADDR]... >/proc/fs/afs/cells
 170        echo add grand.central.org 18.9.48.14:128.2.203.61:130.237.48.87 >/proc/fs/afs/cells
 171
 172No other cell database operations are available at this time.
 173
 174
 175========
 176SECURITY
 177========
 178
 179Secure operations are initiated by acquiring a key using the klog program.  A
 180very primitive klog program is available at:
 181
 182        http://people.redhat.com/~dhowells/rxrpc/klog.c
 183
 184This should be compiled by:
 185
 186        make klog LDLIBS="-lcrypto -lcrypt -lkrb4 -lkeyutils"
 187
 188And then run as:
 189
 190        ./klog
 191
 192Assuming it's successful, this adds a key of type RxRPC, named for the service
 193and cell, eg: "afs@<cellname>".  This can be viewed with the keyctl program or
 194by cat'ing /proc/keys:
 195
 196        [root@andromeda ~]# keyctl show
 197        Session Keyring
 198               -3 --alswrv      0     0  keyring: _ses.3268
 199                2 --alswrv      0     0   \_ keyring: _uid.0
 200        111416553 --als--v      0     0   \_ rxrpc: afs@CAMBRIDGE.REDHAT.COM
 201
 202Currently the username, realm, password and proposed ticket lifetime are
 203compiled in to the program.
 204
 205It is not required to acquire a key before using AFS facilities, but if one is
 206not acquired then all operations will be governed by the anonymous user parts
 207of the ACLs.
 208
 209If a key is acquired, then all AFS operations, including mounts and automounts,
 210made by a possessor of that key will be secured with that key.
 211
 212If a file is opened with a particular key and then the file descriptor is
 213passed to a process that doesn't have that key (perhaps over an AF_UNIX
 214socket), then the operations on the file will be made with key that was used to
 215open the file.
 216
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.