RE: [OpenAFS] Preferred way to do backup? [Was] Re: best way to control butc tape host process?

2010-12-17 Thread Assarsson, Emil
Hi Andrew,

Thank you for your suggestion. I actually ran into a problem pretty fast after 
setting it up via bos.

Is there a better method of doing backups nowadays than using the backup
utilities?

(It's a totally different question so I updated the subject.)
--
Emil


-Original Message-
From: openafs-info-ad...@openafs.org [mailto:openafs-info-ad...@openafs.org] On 
Behalf Of Andrew Deason
Sent: Wednesday, 15 December 2010 16:52
To: openafs-info@openafs.org
Subject: [OpenAFS] Re: best way to control butc tape host process?

On Wed, 15 Dec 2010 12:04:03 +0100
Assarsson, Emil emil.assars...@sonyericsson.com wrote:

 I currently run butc -localauth as an instance in bos. Is this the
 way to do it or should I find another way?
 I can't find any suggestions about this in the documentation :-P

The last time I used it (about 5 years ago, csl.tjhsst.edu), we just ran
it in a screen session. IIRC, butc can prompt for input if it gets
confused, which makes being able to provide input rather useful.

That's not really a recommendation as a better way to do it or anything,
as that obviously has problems, and I'm not sure which is better to do.
But it worked well enough for us, at any rate.

-- 
Andrew Deason
adea...@sinenomine.net

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Preferred way to do backup? [Was] Re: best way to control butc tape host process?

2010-12-17 Thread Derrick Brashear
On Fri, Dec 17, 2010 at 4:27 AM, Assarsson, Emil
emil.assars...@sonyericsson.com wrote:
 Hi Andrew,

 Thank you for your suggestion. I actually ran into a problem pretty fast 
 after setting it up via bos.

 Is there a better method of doing backups nowadays than using the backup
 utilities?

That's a subjective question. It really depends on what else you have
at your site, what you want to back up to, what you're comfortable
with.

TSM supports AFS. So does TiBS. Don't want a commercial product? There
are tools to allow use of Amanda or Bacula. Or perhaps you want to
have backups in the form of storage with volume dumps, in which case
scripts dumping to an HSM or something else elsewhere might be your
choice.

It also depends how you define better :)

-- 
Derrick


[OpenAFS] AFS version of sudo for admin ?

2010-12-17 Thread John Tang Boyland
Does anyone know of a sudo like command for AFS admin commands?
admindo vos release pkg.foo
It would be nice, but not essential to have the token stick around
for 5 minutes in case you need to do another admindo soon afterwards.

Regards,
John


Re: [OpenAFS] AFS version of sudo for admin ?

2010-12-17 Thread Anders Magnusson

John Tang Boyland wrote:
> Does anyone know of a sudo like command for AFS admin commands?
> admindo vos release pkg.foo
> It would be nice, but not essential to have the token stick around
> for 5 minutes in case you need to do another admindo soon afterwards.

Make a simple script (heimdal):

#!/bin/sh
# Heimdal's kinit runs the given command with the freshly obtained credentials
kinit "$USER/admin" "$@"

If you want the ccache to stay around for a while then do something more 
clever like:


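#!/bin/sh
# Keep the admin ccache in a per-user file so it can be reused
export KRB5CCNAME=/tmp/aksu.$USER
if klist -t ; then
   # ccache still valid: get a token in a fresh PAG and run the command there
   /usr/bin/pagsh -c "aklog; $*"
else
   # no valid ticket: prompt for the admin password, 300-second lifetime
   kinit -l 300 "$USER/admin" "$@"
fi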

-- Ragge



[OpenAFS] Re: AFS version of sudo for admin ?

2010-12-17 Thread Andrew Deason
On Fri, 17 Dec 2010 15:59:31 +0100
Anders Magnusson ra...@ltu.se wrote:

 John Tang Boyland wrote:
  Does anyone know of a sudo like command for AFS admin commands?
  admindo vos release pkg.foo
  It would be nice, but not essential to have the token stick around
  for 5 minutes in case you need to do another admindo soon afterwards.

 Make a simple script (heimdal):

This doesn't require you to enter a password for a release, though,
which I assumed John wanted (it might help to say which specific aspects
of 'sudo' you're looking for). That is, you can still 'kinit foo/admin'
and walk away and someone else can vos whatever.

-- 
Andrew Deason
adea...@sinenomine.net



[OpenAFS] Re: Preferred way to do backup?

2010-12-17 Thread Andrew Deason
On Fri, 17 Dec 2010 07:41:16 -0500
Derrick Brashear sha...@gmail.com wrote:

  Is there a better method of doing backups nowadays than using the
  backup utilities?
 
 That's a subjective question. It really depends on what else you have
 at your site, what you want to back up to, what you're comfortable
 with.
 
 TSM supports AFS. So does TiBS. Don't want a commercial product? There
 are tools to allow use of Amanda or Bacula. Or perhaps you want to
 have backups in the form of storage with volume dumps, in which case
 scripts dumping to an HSM or something else elsewhere might be your
 choice.

Don't forget Stephen Joyce's BackupAFS. I haven't used it, but I think
it's worth mentioning as one of the few backup systems that is actively
paying attention to AFS.

-- 
Andrew Deason
adea...@sinenomine.net



Re: [OpenAFS] Re: AFS version of sudo for admin ?

2010-12-17 Thread Anders Magnusson

Andrew Deason wrote:
> On Fri, 17 Dec 2010 15:59:31 +0100
> Anders Magnusson ra...@ltu.se wrote:
>
> > John Tang Boyland wrote:
> > > Does anyone know of a sudo like command for AFS admin commands?
> > > admindo vos release pkg.foo
> > > It would be nice, but not essential to have the token stick around
> > > for 5 minutes in case you need to do another admindo soon afterwards.
> >
> > Make a simple script (heimdal):
>
> This doesn't require you to enter a password for a release, though,
> which I assumed John wanted (it might help to say which specific aspects
> of 'sudo' you're looking for). That is, you can still 'kinit foo/admin'
> and walk away and someone else can vos whatever.

Eh, how?  You lose your pag when kinit exits, so no credentials left...?

-- Ragge


[OpenAFS] Re: AFS version of sudo for admin ?

2010-12-17 Thread Andrew Deason
On Fri, 17 Dec 2010 16:35:38 +0100
Anders Magnusson ra...@ltu.se wrote:

  This doesn't require you to enter a password for a release, though,
  which I assumed John wanted (it might help to say which specific
  aspects of 'sudo' you're looking for). That is, you can still 'kinit
  foo/admin' and walk away and someone else can vos whatever.

 Eh, how?  You lose your pag when kinit exits, so no credentials
 left...?

As long as you're using that script. Nothing prevents you from acquiring
admin credentials manually and then doing whatever you want.

I'm also assuming he wants to restrict the user to a certain subset of
operations, or to be able to release a certain subset of volumes (like
Russ' afs-backend scripts). You can't just give someone an admin
principal for that.

-- 
Andrew Deason
adea...@sinenomine.net



RE: [OpenAFS] Re: Preferred way to do backup?

2010-12-17 Thread Assarsson, Emil
Thanks all for the suggestions :-)

I found this on the internet
http://linuxbox.com/drupal/files/downloads/afs_backup_afsbp2005.pdf that seems 
to bring up some of the solutions.
Now I have something to do this weekend too :-P


--
Emil


-Original Message-
From: openafs-info-ad...@openafs.org [mailto:openafs-info-ad...@openafs.org] On 
Behalf Of Andrew Deason
Sent: Friday, 17 December 2010 16:34
To: openafs-info@openafs.org
Subject: [OpenAFS] Re: Preferred way to do backup?

On Fri, 17 Dec 2010 07:41:16 -0500
Derrick Brashear sha...@gmail.com wrote:

  Is there a better method of doing backups nowadays than using the
  backup utilities?
 
 That's a subjective question. It really depends on what else you have
 at your site, what you want to back up to, what you're comfortable
 with.
 
 TSM supports AFS. So does TiBS. Don't want a commercial product? There
 are tools to allow use of Amanda or Bacula. Or perhaps you want to
 have backups in the form of storage with volume dumps, in which case
 scripts dumping to an HSM or something else elsewhere might be your
 choice.

Don't forget Stephen Joyce's BackupAFS. I haven't used it, but I think
it's worth mentioning as one of the few backup systems that is actively
paying attention to AFS.

-- 
Andrew Deason
adea...@sinenomine.net



Re: [OpenAFS] Preferred way to do backup? [Was] Re: best way to control butc tape host process?

2010-12-17 Thread Matt W. Benjamin
Hi,

I may be misremembering here, but my recollection of the current Amanda and
Bacula solutions is that they are somewhat primitive, e.g., compared with TiBS
or TSM integrations.  (I think Russ has talked not infrequently about how further
work on Bacula integration would be desirable.)

Someone should mention that Michigan has built some kind of infrastructure
around incremental volume shadowing, which should be a pretty efficient
approach given what OpenAFS gives you to work with...  I don't know how you go
about getting/using that (if you can)...

Matt

- Derrick Brashear sha...@gmail.com wrote:

 On Fri, Dec 17, 2010 at 4:27 AM, Assarsson, Emil
 emil.assars...@sonyericsson.com wrote:
 are tools to allow use of Amanda or Bacula. Or perhaps you want to
 have backups in the form of storage with volume dumps, in which case
 scripts dumping to an HSM or something else elsewhere might be your
 choice.
 
 It also depends how you define better :)
 
 -- 
 Derrick

-- 

Matt Benjamin

The Linux Box
206 South Fifth Ave. Suite 150
Ann Arbor, MI  48104

http://linuxbox.com

tel. 734-761-4689
fax. 734-769-8938
cel. 734-216-5309


Re: [OpenAFS] Re: Preferred way to do backup?

2010-12-17 Thread Matt W. Benjamin
FYI,  I'm -actually- an AFS backup lamer and archive volume dumps in a Bacula
repo.  Sorry.

Matt

- Emil Assarsson emil.assars...@sonyericsson.com wrote:

 Thanks all for the suggestions :-)
 
 I found this on internet
 http://linuxbox.com/drupal/files/downloads/afs_backup_afsbp2005.pdf
 that seems to bring up some of the solutions.
 Now I have something to do this weekend too :-P
 
 
 --
 Emil
 
 
 -Original Message-
 From: openafs-info-ad...@openafs.org
 [mailto:openafs-info-ad...@openafs.org] On Behalf Of Andrew Deason
 Sent: Friday, 17 December 2010 16:34
 To: openafs-info@openafs.org
 Subject: [OpenAFS] Re: Preferred way to do backup?
 
 On Fri, 17 Dec 2010 07:41:16 -0500
 Derrick Brashear sha...@gmail.com wrote:
 
   Is there a better method of doing backups nowadays than using the
   backup utilities?
  
  That's a subjective question. It really depends on what else you have
  at your site, what you want to back up to, what you're comfortable
  with.
  
  TSM supports AFS. So does TiBS. Don't want a commercial product? There
  are tools to allow use of Amanda or Bacula. Or perhaps you want to
  have backups in the form of storage with volume dumps, in which case
  scripts dumping to an HSM or something else elsewhere might be your
  choice.
 
 Don't forget Stephen Joyce's BackupAFS. I haven't used it, but I think
 it's worth mentioning as one of the few backup systems that is actively
 paying attention to AFS.
 
 -- 
 Andrew Deason
 adea...@sinenomine.net
 

-- 

Matt Benjamin

The Linux Box
206 South Fifth Ave. Suite 150
Ann Arbor, MI  48104

http://linuxbox.com

tel. 734-761-4689
fax. 734-769-8938
cel. 734-216-5309


Re: [OpenAFS] AFS version of sudo for admin ?

2010-12-17 Thread John Tang Boyland
Anders Magnusson ra...@ltu.se wrote:
] John Tang Boyland wrote:
]  Does anyone know of a sudo like command for AFS admin commands?
]  admindo vos release pkg.foo
]  It would be nice, but not essential to have the token stick around
]  for 5 minutes in case you need to do another admindo soon afterwards.
]
] Make a simple script (heimdal):
] 
] #!/bin/sh
] kinit $USER/admin $*
] 
] If you want the ccache to stay around for a while then do something more 
] clever like:
] 
] #!/bin/sh
] export KRB5CCNAME=/tmp/aksu.$USER
] if klist -t ; then
] /usr/bin/pagsh -c "aklog; $*"
] else
] kinit -l 300 $USER/admin $*
] fi
] 
] -- Ragge

Thanks.  I don't have Heimdal (still using MIT) and I
have an old /bin/sh, but I was able to modify your script
as follows:

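#!/bin/sh
# Per-user ccache file for the admin principal
KRB5CCNAME=FILE:/tmp/aksu.$USER
export KRB5CCNAME
if klist -s ; then
    echo "(Reusing token)"
else
    # no valid ticket: prompt for the admin password, 300-second lifetime
    kinit -l 300 $USER/admin
fi
# Get the AFS token in a fresh PAG and run the command inside it
pagsh -c "aklog; $*"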

Here's a sample session:
pabst.cs 270 % ./admindo vos release pkg.twelf
Password for boyland/ad...@cs.uwm.edu:
Released volume pkg.twelf successfully
pabst.cs 271 % vos release pkg.twelf
Could not lock the VLDB entry for the volume 536874088.
VLDB: no permission access for call
Error in vos release command.
VLDB: no permission access for call
pabst.cs 272 % ./admindo vos release pkg.twelf
(Reusing token)
Released volume pkg.twelf successfully
pabst.cs 273 %

And yes, the token times out after five minutes.

Thanks everyone,

John


Re: [OpenAFS] AFS version of sudo for admin ?

2010-12-17 Thread Dirk Heinrichs
On Friday 17 December 2010, at 15:29:41, John Tang Boyland wrote:

 Does anyone know of a sudo like command for AFS admin commands?

Errh, what about sudo?

You could create a special kerberos principal with a random key (scripts), 
which is stored in a keytab (/etc/scripts.keytab). Also make it an afs user 
and put it into system:administrators.

Put the following commands at the beginning of your script:

export KRB5CCNAME=/tmp/krb5cc_scripts
kinit -k -t /etc/scripts.keytab scripts
aklog

and these ones at the end:

unlog
kdestroy

The rest is configuring sudo properly so that only selected users can execute 
the script.

HTH...

Dirk
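
Dirk's keytab-plus-sudo recipe above, combined with the restriction Andrew Deason raises earlier in the thread (releasing only a certain subset of volumes), could look like the wrapper below. It is an added example, not code posted by anyone in the thread; the `afsrel` account, the `afs-releasers` group, the install path and the `pkg.` prefix policy are assumptions.

```shell
#!/bin/sh
# afs-release: added example, not code posted in the thread.
# Meant to be the single command a sudoers rule grants, e.g. (hypothetical
# account, group and path):
#   %afs-releasers ALL=(afsrel) NOPASSWD: /usr/local/sbin/afs-release
# Only the "afsrel" account can read the keytab, so callers never hold the
# admin key or a reusable admin ccache.

KEYTAB=/etc/scripts.keytab     # keytab path from Dirk's message
PRINCIPAL=scripts              # principal name from Dirk's message
ALLOWED_PREFIX=pkg.            # assumed site policy: only pkg.* may be released

# Succeed only for a volume name this wrapper is willing to release.
volume_allowed() {
    case "$1" in
        ''|-*)               return 1 ;;  # empty, or would be read as an option
        *[!A-Za-z0-9._-]*)   return 1 ;;  # shell metacharacters, spaces, etc.
        *.readonly|*.backup) return 1 ;;  # vos release takes the RW volume name
    esac
    case "$1" in
        "$ALLOWED_PREFIX"?*) return 0 ;;
    esac
    return 1
}

release_volume() {
    if [ "$#" -ne 1 ]; then
        echo "usage: afs-release <volume>" >&2
        return 64
    fi
    if ! volume_allowed "$1"; then
        echo "afs-release: not permitted to release '$1'" >&2
        return 77
    fi

    # Private, per-run credential cache instead of a fixed name in /tmp.
    umask 077
    ccdir=$(mktemp -d /tmp/afs-release.XXXXXX) || return 1
    trap 'kdestroy >/dev/null 2>&1; rm -rf "$ccdir"' EXIT
    trap 'exit 130' HUP INT TERM
    KRB5CCNAME=FILE:$ccdir/cc
    AFS_VOLUME=$1
    export KRB5CCNAME AFS_VOLUME

    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1

    # The token lives only in the PAG that pagsh creates and disappears with it.
    # The volume name travels in the environment, never spliced into the -c text.
    pagsh -c 'aklog && vos release -id "$AFS_VOLUME"'
    rc=$?
    logger -t afs-release "by=${SUDO_USER:-unknown} volume=$1 rc=$rc"
    return "$rc"
}

# Run only when given arguments, so the functions can also be sourced and tested.
if [ "$#" -gt 0 ]; then
    release_volume "$@"
fi
```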



Re: [OpenAFS] Re: AFS version of sudo for admin ?

2010-12-17 Thread omalleys
We had a program we called afs-sudo. I don't know the origin, but I
don't think it was passwordless.


It appears there might be afs support in sudo already.
http://www.sfr-fresh.com/unix/misc/sudo-1.7.4p4.tar.gz:a/sudo-1.7.4p4/auth/afs.c


Quoting Andrew Deason adea...@sinenomine.net:

> On Fri, 17 Dec 2010 16:35:38 +0100
> Anders Magnusson ra...@ltu.se wrote:
>
> > > This doesn't require you to enter a password for a release, though,
> > > which I assumed John wanted (it might help to say which specific
> > > aspects of 'sudo' you're looking for). That is, you can still 'kinit
> > > foo/admin' and walk away and someone else can vos whatever.
> >
> > Eh, how?  You lose your pag when kinit exits, so no credentials
> > left...?
>
> As long as you're using that script. Nothing prevents you from acquiring
> admin credentials manually and then doing whatever you want.
>
> I'm also assuming he wants to restrict the user to a certain subset of
> operations, or to be able to release a certain subset of volumes (like
> Russ' afs-backend scripts). You can't just give someone an admin
> principal for that.
>
> --
> Andrew Deason
> adea...@sinenomine.net



[OpenAFS] Re: AFS version of sudo for admin ?

2010-12-17 Thread Andrew Deason
On Fri, 17 Dec 2010 15:35:07 -0500
omall...@msu.edu wrote:

 It appears there might be afs support in sudo already.
 http://www.sfr-fresh.com/unix/misc/sudo-1.7.4p4.tar.gz:a/sudo-1.7.4p4/auth/afs.c

That appears to be for authenticating to kaserver for 'sudo' commands
instead of PAM or whatever local databases, not for executing AFS
operations.

-- 
Andrew Deason
adea...@sinenomine.net



Re: [OpenAFS] Re: AFS version of sudo for admin ?

2010-12-17 Thread omalleys

This should be a part of the afs permissions just in general.

Ours was written in 2k and potentially updated once a long time before  
we had krb5 support and isn't passwordless. It uses an environment  
variable.  It compiled against the 1.4.2 afs source.


I can ask if I can donate it, if it is really needed.




Quoting Andrew Deason adea...@sinenomine.net:

> On Fri, 17 Dec 2010 15:35:07 -0500
> omall...@msu.edu wrote:
>
> > It appears there might be afs support in sudo already.
> > http://www.sfr-fresh.com/unix/misc/sudo-1.7.4p4.tar.gz:a/sudo-1.7.4p4/auth/afs.c
>
> That appears to be for authenticating to kaserver for 'sudo' commands
> instead of PAM or whatever local databases, not for executing AFS
> operations.
>
> --
> Andrew Deason
> adea...@sinenomine.net



Re: [OpenAFS] AFS version of sudo for admin ?

2010-12-17 Thread Chris (Ducky) Chapin


I wrote an afs sudo kind of thing around 2003 or so mainly intended to 
replace the adm stuff that ceased working after a server upgrade. It 
mostly handles  vos releases for end-users but definitely not limited to 
that.


Aside from sudo in the name and the fact that it handles elevated 
privs, it doesn't behave like sudo with configurable token time-out, 
etc. It runs as a daemon process on a host under a user that does have 
admin access. The client side then contacts this server where they do a 
challenge/response sort of thing first over the TCP port (for the 
challenge) and then through a spool dir (for the response), which proves 
through AFS who the user is. So, it just relies on the user having a token
in the first place.


The user is then permitted to run scripts from out of a controlled path 
so long as they're in a pts group named after the script, or it finds a 
script suffixed with -anyuser.


Yeah, the auth is definitely a kluge and can't do anything kas related,
but it works for the ~500 requests/day it gets. Not sure how ready the 
code is for public consumption, though. ;)


-Ducky

On 12/17/2010 06:29 AM, John Tang Boyland wrote:

> Does anyone know of a sudo like command for AFS admin commands?
> admindo vos release pkg.foo
> It would be nice, but not essential to have the token stick around
> for 5 minutes in case you need to do another admindo soon afterwards.
>
> Regards,
> John


Re: [OpenAFS] AFS version of sudo for admin ?

2010-12-17 Thread Jim Rowan


On Dec 17, 2010, at 2:24 PM, Chris (Ducky) Chapin wrote:

> Yeah, the auth is definitely a kluge and can't do anything kas
> related, but it works for the ~500 requests/day it gets. Not sure
> how ready the code is for public consumption, though. ;)


Several hundred of us think that it works pretty well... :)




Re: [OpenAFS] AFS version of sudo for admin ?

2010-12-17 Thread Derrick Brashear
On Fri, Dec 17, 2010 at 5:24 PM, Chris (Ducky) Chapin
ccha...@qualcomm.com wrote:

 I wrote an afs sudo kind of thing around 2003 or so mainly intended to
 replace the adm stuff that ceased working after a server upgrade. It mostly
 handles  vos releases for end-users but definitely not limited to that.

shoulda asked the adm maintainers about it. adm still worked when i
left CMU and was extended to
support krb5, cyrus imap and several other goodies :)


Re: [OpenAFS] Re: Redundant Internet links

2010-12-17 Thread Jaap Winius

Quoting Andrew Deason adea...@sinenomine.net:


> ... We don't provide the tools for a split-horizon vldb (yet, anyway).


Actually, if we're all going to move to IPv6 anyway, of what use would  
that be?



> To be clear, the fileserver does not become readonly; what becomes
> readonly are the databases that contain volume location information and
> authenticated user metadata. So, that means you can read and write to
> files to any fileserver you can reach, but you cannot create, remove, or
> release volumes, create, remove, or alter users/groups, or anything else
> that requires modifying those databases.


Very interesting. So, I take it a different, local database is used to  
keep track of the changes made to individual files in local R/W  
volumes, and this database stays R/W even if the server it's on gets  
cut off?



> ... You contact the vlserver at site A, and
> it will tell you that the volume is on a fileserver at site B, and it
> will also tell you all known IP addresses for the fileserver at site B.


Sounds like you're referring to the IP addresses for the servers that  
the clients are given. In that case I understand. I can do that with  
AFSDB RRs.


What I meant, though, are the IP addresses that the servers have to  
contact each other. On Debian, these are in  
/etc/openafs/server/CellServDB. I'd like to use multiple IP addresses  
for each host in there too, but that would adversely affect the voting  
algorithm.


On the other hand, what if I were to set up virtual hosts on which to  
run the file servers separately? In that case, each database server  
would still run on the bare metal OS and those CellServDB files would  
still contain only three IP addresses. Lower level routing would still  
take care of connectivity if one of the main links went down. The  
file servers, however, could each have a CellServDB file with five
addresses: a local private range address and four public addresses for  
the two remote file servers (which would be reached through  
port-forwarding).


Still, even if this would work, I no longer think I'd want to do it.  
That's because I'd rather have the AFS servers avoid the secondary  
links entirely unless the main links go down, and I can't instruct  
them to do that (yet) through prioritization. I can only do that with  
routing.


Cheers,

Jaap


Re: [OpenAFS] Re: Redundant Internet links

2010-12-17 Thread Derrick Brashear
On Fri, Dec 17, 2010 at 9:41 PM, Jaap Winius jwin...@umrk.nl wrote:
 Quoting Andrew Deason adea...@sinenomine.net:

 ... We don't provide the tools for a split-horizon vldb (yet, anyway).

 Actually, if we're all going to move to IPv6 anyway, of what use would that
 be?

ipv4 isn't going away tomorrow...

 To be clear, the fileserver does not become readonly; what becomes
 readonly are the databases that contain volume location information and
 authenticated user metadata. So, that means you can read and write to
 files to any fileserver you can reach, but you cannot create, remove, or
 release volumes, create, remove, or alter users/groups, or anything else
 that requires modifying those databases.

 Very interesting. So, I take it a different, local database is used to keep
 track of the changes made to individual files in local R/W volumes, and this
 database stays R/W even if the server it's on gets cut off?

each volume is tracked individually on the server hosting it (whether
RW or RO; RO are just published, snapshot copies, of the RW)

 ... You contact the vlserver at site A, and
 it will tell you that the volume is on a fileserver at site B, and it
 will also tell you all known IP addresses for the fileserver at site B.

 Sounds like you're referring to the IP addresses for the servers that the
 clients are given. In that case I understand. I can do that with AFSDB RRs.

 What I meant, though, are the IP addresses that the servers have to contact
 each other. On Debian, these are in /etc/openafs/server/CellServDB. I'd like
 to use multiple IP addresses for each host in there too, but that would
 adversely affect the voting algorithm.

can't do it. sorry.

 On the other hand, what if I were to set up virtual hosts on which to run
 the file servers separately? In that case, each database server would still
 run on the bare metal OS and those CellServDB files would still contain only
 three IP addresses. Lower level routing would still take care of
 connectivity if one of the main links went down. The file servers, however,
 could each have a CellServDB file with five addresses: a local private range
 address and four public addresses for the two remote file servers (which
 would be reached through port-forwarding).

doable, albeit potentially fussy if there are issues with the routing.

 Still, even if this would work, I no longer think I'd want to do it. That's
 because I'd rather have the AFS servers avoid the secondary links entirely
 unless the main links go down, and I can't instruct them to do that (yet)
 through prioritization. I can only do that with routing.