Re: [OpenAFS] Limiting mount point to known cells
I would look for the AFSDB RR DNS lookup in the code and somehow prevent names without a dot in the middle from being looked up - just fail it. But there are folks who are much more familiar with the code than me.

Harald.

___
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Limiting mount point to known cells
On 8/28/22 09:54, Dirk Heinrichs wrote:
> Yes, systemd-resolved provides a local caching DNS server on that address and configures /etc/resolv.conf (by symlinking it to its own file in /run) to use it.

Yep, that's it. Still not sure where the delay comes from, though. With tcpdump I see that most requests are immediately answered with "no such domain". The only exceptions are AFSDB? requests for top-level domains -- those seem to take up to four seconds:

    10:45:43.637524 IP localhost.58442 > localhost.domain: 57292+ [1au] AFSDB? git. (32)
    10:45:47.131635 IP localhost.domain > localhost.58442: 57292 NXDomain* 0/0/1 (32)

Multiply that with retries and other VCS and the whole delay blows up to a minute.

Regards,
Ingo
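For anyone who wants to measure this rather than eyeball the capture: the following is an added example (not code from the thread or from OpenAFS) that pairs tcpdump DNS query and reply lines by transaction id and reports AFSDB lookups for dotless names that took longer than a threshold. The sample lines are constructed from the two lines above plus an invented fast lookup of a cell named my.cell; the regexes assume tcpdump's default DNS line layout.

```python
import re
from datetime import datetime

# Added example: pair tcpdump DNS queries with their replies and compute the
# answer latency, to spot the slow AFSDB lookups for dotless names seen above.
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \S+ > \S+: (?P<txid>\d+)\+ "
    r"(?:\[\w+\] )?(?P<qtype>\w+)\? (?P<name>\S+) \(\d+\)$")
REPLY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \S+ > \S+: (?P<txid>\d+)"
    r"(?: (?P<rcode>[A-Za-z]+))?[*$|-]* \d+/\d+/\d+ .*$")

def _ts(text):
    return datetime.strptime(text, "%H:%M:%S.%f")

def pair_dns(lines):
    """Match replies to queries by transaction id; return one record per pair."""
    pending, records = {}, []
    for line in lines:
        q = QUERY_RE.match(line)
        if q:
            pending[q["txid"]] = q
            continue
        r = REPLY_RE.match(line)
        if r and r["txid"] in pending:
            q = pending.pop(r["txid"])
            records.append({
                "name": q["name"].rstrip("."),
                "qtype": q["qtype"],
                "rcode": r["rcode"] or "NOERROR",   # tcpdump prints no rcode on NOERROR
                "latency": (_ts(r["ts"]) - _ts(q["ts"])).total_seconds(),
            })
    return records

def slow_dotless_afsdb(records, threshold=1.0):
    """AFSDB lookups for names without a dot (TLD-style) slower than threshold seconds."""
    return [r for r in records
            if r["qtype"] == "AFSDB" and "." not in r["name"] and r["latency"] > threshold]

# Constructed sample: the two lines from the thread plus a fast lookup of a made-up cell.
SAMPLE = [
    "10:45:43.637524 IP localhost.58442 > localhost.domain: 57292+ [1au] AFSDB? git. (32)",
    "10:45:43.640011 IP localhost.58443 > localhost.domain: 57293+ [1au] AFSDB? my.cell. (36)",
    "10:45:43.641302 IP localhost.domain > localhost.58443: 57293* 1/0/1 AFSDB 1 db1.my.cell. (80)",
    "10:45:47.131635 IP localhost.domain > localhost.58442: 57292 NXDomain* 0/0/1 (32)",
]

if __name__ == "__main__":
    for rec in slow_dotless_afsdb(pair_dns(SAMPLE)):
        print(f"{rec['name']}: {rec['rcode']} after {rec['latency']:.3f}s")
```

Feed it `tcpdump -l -n -i lo port 53` output line by line to see which probes are eating the retry budget.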
Re: [OpenAFS] Limiting mount point to known cells
On 8/27/22 17:46, Ed Rude wrote:
> I have faced similar issues at times. If you like everything about the current behavior of AFS aside from the impact it can have on git you might attack it from the git side. Maybe there is a way to stop git from recursing all the way to /afs/ ?

As Kostas suggested (thanks!), setting GIT_CEILING_DIRECTORIES=/afs will stop git from trying to access /afs/.git. That clearly seems like a good idea. But then I'd need to find similar solutions for Mercurial (looking for /afs/.hg), Bazaar (/afs/.bzr) and Subversion (/afs/.svn). I'm using one of those fancy shell prompts that tries to display VCS information whenever I'm inside a working copy.

Regards,
Ingo
Re: [OpenAFS] Limiting mount point to known cells
> I seem to remember seeing many paths of the form /afs/cs/ or /afs/ece/
> where the full cell names were cs.cmu.edu or ece.cmu.edu.

But probably "ece" was entered into CellServDB and not into DNS.

Harald.
Re: [OpenAFS] Limiting mount point to known cells
Ingo van Lil:
> git tries to access the directory /afs/.git, and I see that afsd sends multiple DNS requests to the loopback address 127.0.0.53. Not sure why it does that, it seems to be somehow related to systemd-resolved in Fedora Linux.

Yes, systemd-resolved provides a local caching DNS server on that address and configures /etc/resolv.conf (by symlinking it to its own file in /run) to use it.

HTH...

Dirk

--
Dirk Heinrichs
Matrix address: @heini:chat.altum.de
GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
Privacy Handbuch: https://www.privacy-handbuch.de
Re: [OpenAFS] Limiting mount point to known cells
On 8/27/2022 4:34 AM, Harald Barth ([email protected]) wrote:
> But wait a moment... Can't we assume that all cell names that we ask in DNS contain at least one dot "." in the middle? I doubt that there are AFS cells named without dot that we need to resolve with DNS. What do you think about that?

Please keep in mind that /afs/.git might be a cell whose alias is "git" or that "git" is to be combined with a domain in the DNS search list.

I seem to remember seeing many paths of the form /afs/cs/ or /afs/ece/ where the full cell names were cs.cmu.edu or ece.cmu.edu.

A question for the original poster is "what are the DNS queries that are being issued to the DNS resolver at 127.0.0.53?"

Jeffrey Altman
Re: [OpenAFS] Limiting mount point to known cells
I have faced similar issues at times. If you like everything about the current behavior of AFS aside from the impact it can have on git you might attack it from the git side. Maybe there is a way to stop git from recursing all the way to /afs/ ?

Similar solutions have worked for me with things other than git. You probably don't want git to check that directory anyway, even if you can make it happen much faster.

Ed

On Fri, Aug 26, 2022 at 22:14 Jeffrey E Altman wrote:
> On 8/26/2022 5:13 PM, Ingo van Lil ([email protected]) wrote:
> > Hello OpenAFS experts,
> >
> > is there any way to run an AFS client with both the -dynroot and -afsdb
> > options, but still limit the /afs mount point to known cells
> > (specifically: only my home cell)?
>
> There is no explicit support for this behavior in OpenAFS but you might be
> able to approximate it by
>
> - enabling -dynroot
> - disabling -afsdb
> - removing the OpenAFS distributed CellServDB file
> - creating a CellServDB file containing only one line for the cell and no
>   servers
>
> >my.cell # My personal cell
>
> A cell entry with no servers is an implicit request to lookup the servers
> via DNS.
> I do not remember if this works with -afsdb disabled but it might.
>
> > Longer explanation of my problem:
> >
> > When I run "git status" somewhere inside the AFS hierarchy it freezes
> > for a minute or two. git tries to access the directory /afs/.git, and I
> > see that afsd sends multiple DNS requests to the loopback address
> > 127.0.0.53. Not sure why it does that, it seems to be somehow related to
> > systemd-resolved in Fedora Linux.
> >
> > Running without -dynroot solves the issue, but according to the manual
> > it will keep my machine from booting in case my home cell can't be
> > contacted. Not very attractive.
> >
> > Running without -afsdb solves the issue. That's what I do now, but it
> > requires manually specifying the servers for my home cell in CellServDB.
> > Ideally I'd like to get that info from DNS.
> >
> > Thanks in advance for any advice you can give!
> >
> > Regards,
> > Ingo

--
Edward A. Rude
Systems Administrator - Unix Systems
Division of Information Technology
Re: [OpenAFS] Limiting mount point to known cells
> In the same thread, a blacklist (or whitelist) of cell names was
> suggested to prevent afsdb queries for troublesome domains but it
> seems it never got implemented.

If the blacklist specification is visible and not hidden in some new magic file, I think that would be good. My suggestion would be to add the possibility to specify this in CellServDB:

    >git BLACKLIST

or something like that. Because then anyone who wants a cell named "git" (you never know the users' wishes) would see this when looking through CellServDB to determine why it does not work as expected. I am normally not for blacklists, but what can you do?

But wait a moment... Can't we assume that all cell names that we ask in DNS contain at least one dot "." in the middle? I doubt that there are AFS cells named without dot that we need to resolve with DNS. What do you think about that?

Harald.
Re: [OpenAFS] Limiting mount point to known cells
Hi,

There was a thread about /afs/.git hanging back in 2014 which ended up with a workaround from Jonathan Billings: https://lists.openafs.org/pipermail/openafs-info/2014-August/040888.html

Basically, he suggested setting the GIT_CEILING_DIRECTORIES environment variable (https://git-scm.com/docs/git/2.35.2#Documentation/git.txt-codeGITCEILINGDIRECTORIEScode) to limit git's search.

In the same thread, a blacklist (or whitelist) of cell names was suggested to prevent afsdb queries for troublesome domains but it seems it never got implemented.

-K.

On 27/08/2022 00.13, Ingo van Lil wrote:
> Hello OpenAFS experts,
>
> is there any way to run an AFS client with both the -dynroot and -afsdb options, but still limit the /afs mount point to known cells (specifically: only my home cell)?
>
> Longer explanation of my problem:
>
> When I run "git status" somewhere inside the AFS hierarchy it freezes for a minute or two. git tries to access the directory /afs/.git, and I see that afsd sends multiple DNS requests to the loopback address 127.0.0.53. Not sure why it does that, it seems to be somehow related to systemd-resolved in Fedora Linux.
>
> Running without -dynroot solves the issue, but according to the manual it will keep my machine from booting in case my home cell can't be contacted. Not very attractive.
>
> Running without -afsdb solves the issue. That's what I do now, but it requires manually specifying the servers for my home cell in CellServDB. Ideally I'd like to get that info from DNS.
>
> Thanks in advance for any advice you can give!
>
> Regards,
> Ingo
Re: [OpenAFS] Limiting mount point to known cells
On 8/26/2022 5:13 PM, Ingo van Lil ([email protected]) wrote:
> Hello OpenAFS experts,
>
> is there any way to run an AFS client with both the -dynroot and -afsdb options, but still limit the /afs mount point to known cells (specifically: only my home cell)?

There is no explicit support for this behavior in OpenAFS but you might be able to approximate it by

* enabling -dynroot
* disabling -afsdb
* removing the OpenAFS distributed CellServDB file
* creating a CellServDB file containing only one line for the cell and no servers

    >my.cell # My personal cell

A cell entry with no servers is an implicit request to lookup the servers via DNS. I do not remember if this works with -afsdb disabled but it might.

> Longer explanation of my problem:
>
> When I run "git status" somewhere inside the AFS hierarchy it freezes for a minute or two. git tries to access the directory /afs/.git, and I see that afsd sends multiple DNS requests to the loopback address 127.0.0.53. Not sure why it does that, it seems to be somehow related to systemd-resolved in Fedora Linux.
>
> Running without -dynroot solves the issue, but according to the manual it will keep my machine from booting in case my home cell can't be contacted. Not very attractive.
>
> Running without -afsdb solves the issue. That's what I do now, but it requires manually specifying the servers for my home cell in CellServDB. Ideally I'd like to get that info from DNS.
>
> Thanks in advance for any advice you can give!
>
> Regards,
> Ingo
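To make the trade-offs in this thread concrete, here is an added example (my own illustration, not afsd's real lookup code) that models the three policies discussed: Jeffrey's CellServDB with a server-less entry meaning "ask DNS", Harald's proposed ">git BLACKLIST" line, and his dot heuristic for unknown names. The BLACKLIST marker word, the sample CellServDB and the 192.0.2.10 dbserver address are all assumptions; real CellServDB syntax has no such flag.

```python
# Added example: decision model of the cell lookup policies discussed in the
# thread. Not OpenAFS code; the BLACKLIST marker is a hypothetical extension.
BLACKLIST = "BLACKLIST"

def parse_cellservdb(text):
    """Map cell name -> list of dbserver IPs, or BLACKLIST for a blocked entry."""
    db, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):                 # ">cell.name #description"
            fields = line[1:].split()
            current = fields[0]
            flagged = len(fields) > 1 and fields[1] == BLACKLIST
            db[current] = BLACKLIST if flagged else []
        elif current is not None and db[current] != BLACKLIST:
            db[current].append(line.split()[0])  # "ip #hostname" server line
    return db

def lookup_policy(cell, db, afsdb=True, require_dot=True):
    """Return 'cellservdb', 'dns' or 'deny' for a name probed as /afs/<cell>."""
    entry = db.get(cell)
    if entry == BLACKLIST:
        return "deny"                 # explicit, visible in CellServDB
    if entry:
        return "cellservdb"           # servers listed: no DNS needed
    if entry is not None:
        return "dns"                  # present but server-less: implicit AFSDB request
    if not afsdb:
        return "deny"                 # unknown cell and -afsdb off: nothing to ask
    if require_dot and "." not in cell:
        # Harald's heuristic: never send AFSDB queries for dotless names.
        # Caveat raised by Jeffrey: this also blocks aliases such as /afs/cs
        # that rely on the resolver's search list, so keep it tunable.
        return "deny"
    return "dns"

# Constructed sample: the one-line home cell from above, a blacklist entry and a
# cell with an explicit dbserver (documentation address, not a real host).
SAMPLE_CELLSERVDB = """\
>my.cell # My personal cell
>git BLACKLIST
>other.cell # constructed cell with an explicit dbserver
192.0.2.10 #db1.other.cell
"""

# /afs/.git, /afs/.hg, ... are dynroot read-write paths for cells named git, hg, ...
VCS_PROBE_NAMES = ["git", "hg", "bzr", "svn"]

def dns_queries_for_probes(db, **opts):
    """Probe names that would still reach the resolver under the given policy."""
    return [n for n in VCS_PROBE_NAMES if lookup_policy(n, db, **opts) == "dns"]
```

With the dot rule on, none of the four VCS probes generate DNS traffic; with it off, only the explicitly blacklisted "git" is stopped and hg, bzr and svn still go to the resolver.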
