1ca6e9049SMauro Carvalho Chehab.. SPDX-License-Identifier: GPL-2.0 2ca6e9049SMauro Carvalho Chehab 3ca6e9049SMauro Carvalho Chehab==================== 4ca6e9049SMauro Carvalho ChehabkAFS: AFS FILESYSTEM 5ca6e9049SMauro Carvalho Chehab==================== 6ca6e9049SMauro Carvalho Chehab 7ca6e9049SMauro Carvalho Chehab.. Contents: 8ca6e9049SMauro Carvalho Chehab 9ca6e9049SMauro Carvalho Chehab - Overview. 10ca6e9049SMauro Carvalho Chehab - Usage. 11ca6e9049SMauro Carvalho Chehab - Mountpoints. 12ca6e9049SMauro Carvalho Chehab - Dynamic root. 13ca6e9049SMauro Carvalho Chehab - Proc filesystem. 14ca6e9049SMauro Carvalho Chehab - The cell database. 15ca6e9049SMauro Carvalho Chehab - Security. 16ca6e9049SMauro Carvalho Chehab - The @sys substitution. 17ca6e9049SMauro Carvalho Chehab 18ca6e9049SMauro Carvalho Chehab 19ca6e9049SMauro Carvalho ChehabOverview 20ca6e9049SMauro Carvalho Chehab======== 21ca6e9049SMauro Carvalho Chehab 22ca6e9049SMauro Carvalho ChehabThis filesystem provides a fairly simple secure AFS filesystem driver. It is 23ca6e9049SMauro Carvalho Chehabunder development and does not yet provide the full feature set. The features 24ca6e9049SMauro Carvalho Chehabit does support include: 25ca6e9049SMauro Carvalho Chehab 26ca6e9049SMauro Carvalho Chehab (*) Security (currently only AFS kaserver and KerberosIV tickets). 27ca6e9049SMauro Carvalho Chehab 28ca6e9049SMauro Carvalho Chehab (*) File reading and writing. 29ca6e9049SMauro Carvalho Chehab 30ca6e9049SMauro Carvalho Chehab (*) Automounting. 31ca6e9049SMauro Carvalho Chehab 32ca6e9049SMauro Carvalho Chehab (*) Local caching (via fscache). 33ca6e9049SMauro Carvalho Chehab 34ca6e9049SMauro Carvalho ChehabIt does not yet support the following AFS features: 35ca6e9049SMauro Carvalho Chehab 36ca6e9049SMauro Carvalho Chehab (*) pioctl() system call. 37ca6e9049SMauro Carvalho Chehab 38ca6e9049SMauro Carvalho Chehab 39ca6e9049SMauro Carvalho ChehabCompilation 40ca6e9049SMauro Carvalho Chehab=========== 41ca6e9049SMauro Carvalho Chehab 42ca6e9049SMauro Carvalho ChehabThe filesystem should be enabled by turning on the kernel configuration 43ca6e9049SMauro Carvalho Chehaboptions:: 44ca6e9049SMauro Carvalho Chehab 45ca6e9049SMauro Carvalho Chehab CONFIG_AF_RXRPC - The RxRPC protocol transport 46ca6e9049SMauro Carvalho Chehab CONFIG_RXKAD - The RxRPC Kerberos security handler 47*626c8205SLukas Bulwahn CONFIG_AFS_FS - The AFS filesystem 48ca6e9049SMauro Carvalho Chehab 49ca6e9049SMauro Carvalho ChehabAdditionally, the following can be turned on to aid debugging:: 50ca6e9049SMauro Carvalho Chehab 51ca6e9049SMauro Carvalho Chehab CONFIG_AF_RXRPC_DEBUG - Permit AF_RXRPC debugging to be enabled 52ca6e9049SMauro Carvalho Chehab CONFIG_AFS_DEBUG - Permit AFS debugging to be enabled 53ca6e9049SMauro Carvalho Chehab 54ca6e9049SMauro Carvalho ChehabThey permit the debugging messages to be turned on dynamically by manipulating 55ca6e9049SMauro Carvalho Chehabthe masks in the following files:: 56ca6e9049SMauro Carvalho Chehab 57ca6e9049SMauro Carvalho Chehab /sys/module/af_rxrpc/parameters/debug 58ca6e9049SMauro Carvalho Chehab /sys/module/kafs/parameters/debug 59ca6e9049SMauro Carvalho Chehab 60ca6e9049SMauro Carvalho Chehab 61ca6e9049SMauro Carvalho ChehabUsage 62ca6e9049SMauro Carvalho Chehab===== 63ca6e9049SMauro Carvalho Chehab 64ca6e9049SMauro Carvalho ChehabWhen inserting the driver modules the root cell must be specified along with a 65ca6e9049SMauro Carvalho Chehablist of volume location server IP addresses:: 66ca6e9049SMauro Carvalho Chehab 67ca6e9049SMauro Carvalho Chehab modprobe rxrpc 68ca6e9049SMauro Carvalho Chehab modprobe kafs rootcell=cambridge.redhat.com:172.16.18.73:172.16.18.91 69ca6e9049SMauro Carvalho Chehab 70ca6e9049SMauro Carvalho ChehabThe first module is the AF_RXRPC network protocol driver. This provides the 71ca6e9049SMauro Carvalho ChehabRxRPC remote operation protocol and may also be accessed from userspace. See: 72ca6e9049SMauro Carvalho Chehab 739f72374cSMauro Carvalho Chehab Documentation/networking/rxrpc.rst 74ca6e9049SMauro Carvalho Chehab 75ca6e9049SMauro Carvalho ChehabThe second module is the kerberos RxRPC security driver, and the third module 76ca6e9049SMauro Carvalho Chehabis the actual filesystem driver for the AFS filesystem. 77ca6e9049SMauro Carvalho Chehab 78ca6e9049SMauro Carvalho ChehabOnce the module has been loaded, more modules can be added by the following 79ca6e9049SMauro Carvalho Chehabprocedure:: 80ca6e9049SMauro Carvalho Chehab 81ca6e9049SMauro Carvalho Chehab echo add grand.central.org 18.9.48.14:128.2.203.61:130.237.48.87 >/proc/fs/afs/cells 82ca6e9049SMauro Carvalho Chehab 83ca6e9049SMauro Carvalho ChehabWhere the parameters to the "add" command are the name of a cell and a list of 84ca6e9049SMauro Carvalho Chehabvolume location servers within that cell, with the latter separated by colons. 85ca6e9049SMauro Carvalho Chehab 86ca6e9049SMauro Carvalho ChehabFilesystems can be mounted anywhere by commands similar to the following:: 87ca6e9049SMauro Carvalho Chehab 88ca6e9049SMauro Carvalho Chehab mount -t afs "%cambridge.redhat.com:root.afs." /afs 89ca6e9049SMauro Carvalho Chehab mount -t afs "#cambridge.redhat.com:root.cell." /afs/cambridge 90ca6e9049SMauro Carvalho Chehab mount -t afs "#root.afs." /afs 91ca6e9049SMauro Carvalho Chehab mount -t afs "#root.cell." /afs/cambridge 92ca6e9049SMauro Carvalho Chehab 93ca6e9049SMauro Carvalho ChehabWhere the initial character is either a hash or a percent symbol depending on 94ca6e9049SMauro Carvalho Chehabwhether you definitely want a R/W volume (percent) or whether you'd prefer a 95ca6e9049SMauro Carvalho ChehabR/O volume, but are willing to use a R/W volume instead (hash). 96ca6e9049SMauro Carvalho Chehab 97ca6e9049SMauro Carvalho ChehabThe name of the volume can be suffixes with ".backup" or ".readonly" to 98ca6e9049SMauro Carvalho Chehabspecify connection to only volumes of those types. 99ca6e9049SMauro Carvalho Chehab 100ca6e9049SMauro Carvalho ChehabThe name of the cell is optional, and if not given during a mount, then the 101ca6e9049SMauro Carvalho Chehabnamed volume will be looked up in the cell specified during modprobe. 102ca6e9049SMauro Carvalho Chehab 103ca6e9049SMauro Carvalho ChehabAdditional cells can be added through /proc (see later section). 104ca6e9049SMauro Carvalho Chehab 105ca6e9049SMauro Carvalho Chehab 106ca6e9049SMauro Carvalho ChehabMountpoints 107ca6e9049SMauro Carvalho Chehab=========== 108ca6e9049SMauro Carvalho Chehab 109ca6e9049SMauro Carvalho ChehabAFS has a concept of mountpoints. In AFS terms, these are specially formatted 110ca6e9049SMauro Carvalho Chehabsymbolic links (of the same form as the "device name" passed to mount). kAFS 111ca6e9049SMauro Carvalho Chehabpresents these to the user as directories that have a follow-link capability 112f7775c20SRandy Dunlap(i.e.: symbolic link semantics). If anyone attempts to access them, they will 113ca6e9049SMauro Carvalho Chehabautomatically cause the target volume to be mounted (if possible) on that site. 114ca6e9049SMauro Carvalho Chehab 115ca6e9049SMauro Carvalho ChehabAutomatically mounted filesystems will be automatically unmounted approximately 116ca6e9049SMauro Carvalho Chehabtwenty minutes after they were last used. Alternatively they can be unmounted 117ca6e9049SMauro Carvalho Chehabdirectly with the umount() system call. 118ca6e9049SMauro Carvalho Chehab 119ca6e9049SMauro Carvalho ChehabManually unmounting an AFS volume will cause any idle submounts upon it to be 120ca6e9049SMauro Carvalho Chehabculled first. If all are culled, then the requested volume will also be 121ca6e9049SMauro Carvalho Chehabunmounted, otherwise error EBUSY will be returned. 122ca6e9049SMauro Carvalho Chehab 123ca6e9049SMauro Carvalho ChehabThis can be used by the administrator to attempt to unmount the whole AFS tree 124ca6e9049SMauro Carvalho Chehabmounted on /afs in one go by doing:: 125ca6e9049SMauro Carvalho Chehab 126ca6e9049SMauro Carvalho Chehab umount /afs 127ca6e9049SMauro Carvalho Chehab 128ca6e9049SMauro Carvalho Chehab 129ca6e9049SMauro Carvalho ChehabDynamic Root 130ca6e9049SMauro Carvalho Chehab============ 131ca6e9049SMauro Carvalho Chehab 132ca6e9049SMauro Carvalho ChehabA mount option is available to create a serverless mount that is only usable 133ca6e9049SMauro Carvalho Chehabfor dynamic lookup. Creating such a mount can be done by, for example:: 134ca6e9049SMauro Carvalho Chehab 135ca6e9049SMauro Carvalho Chehab mount -t afs none /afs -o dyn 136ca6e9049SMauro Carvalho Chehab 137ca6e9049SMauro Carvalho ChehabThis creates a mount that just has an empty directory at the root. Attempting 138ca6e9049SMauro Carvalho Chehabto look up a name in this directory will cause a mountpoint to be created that 139ca6e9049SMauro Carvalho Chehablooks up a cell of the same name, for example:: 140ca6e9049SMauro Carvalho Chehab 141ca6e9049SMauro Carvalho Chehab ls /afs/grand.central.org/ 142ca6e9049SMauro Carvalho Chehab 143ca6e9049SMauro Carvalho Chehab 144ca6e9049SMauro Carvalho ChehabProc Filesystem 145ca6e9049SMauro Carvalho Chehab=============== 146ca6e9049SMauro Carvalho Chehab 147f7775c20SRandy DunlapThe AFS module creates a "/proc/fs/afs/" directory and populates it: 148ca6e9049SMauro Carvalho Chehab 149ca6e9049SMauro Carvalho Chehab (*) A "cells" file that lists cells currently known to the afs module and 150ca6e9049SMauro Carvalho Chehab their usage counts:: 151ca6e9049SMauro Carvalho Chehab 152ca6e9049SMauro Carvalho Chehab [root@andromeda ~]# cat /proc/fs/afs/cells 153ca6e9049SMauro Carvalho Chehab USE NAME 154ca6e9049SMauro Carvalho Chehab 3 cambridge.redhat.com 155ca6e9049SMauro Carvalho Chehab 156ca6e9049SMauro Carvalho Chehab (*) A directory per cell that contains files that list volume location 157ca6e9049SMauro Carvalho Chehab servers, volumes, and active servers known within that cell:: 158ca6e9049SMauro Carvalho Chehab 159ca6e9049SMauro Carvalho Chehab [root@andromeda ~]# cat /proc/fs/afs/cambridge.redhat.com/servers 160ca6e9049SMauro Carvalho Chehab USE ADDR STATE 161ca6e9049SMauro Carvalho Chehab 4 172.16.18.91 0 162ca6e9049SMauro Carvalho Chehab [root@andromeda ~]# cat /proc/fs/afs/cambridge.redhat.com/vlservers 163ca6e9049SMauro Carvalho Chehab ADDRESS 164ca6e9049SMauro Carvalho Chehab 172.16.18.91 165ca6e9049SMauro Carvalho Chehab [root@andromeda ~]# cat /proc/fs/afs/cambridge.redhat.com/volumes 166ca6e9049SMauro Carvalho Chehab USE STT VLID[0] VLID[1] VLID[2] NAME 167ca6e9049SMauro Carvalho Chehab 1 Val 20000000 20000001 20000002 root.afs 168ca6e9049SMauro Carvalho Chehab 169ca6e9049SMauro Carvalho Chehab 170ca6e9049SMauro Carvalho ChehabThe Cell Database 171ca6e9049SMauro Carvalho Chehab================= 172ca6e9049SMauro Carvalho Chehab 173ca6e9049SMauro Carvalho ChehabThe filesystem maintains an internal database of all the cells it knows and the 174ca6e9049SMauro Carvalho ChehabIP addresses of the volume location servers for those cells. The cell to which 175ca6e9049SMauro Carvalho Chehabthe system belongs is added to the database when modprobe is performed by the 176ca6e9049SMauro Carvalho Chehab"rootcell=" argument or, if compiled in, using a "kafs.rootcell=" argument on 177ca6e9049SMauro Carvalho Chehabthe kernel command line. 178ca6e9049SMauro Carvalho Chehab 179ca6e9049SMauro Carvalho ChehabFurther cells can be added by commands similar to the following:: 180ca6e9049SMauro Carvalho Chehab 181ca6e9049SMauro Carvalho Chehab echo add CELLNAME VLADDR[:VLADDR][:VLADDR]... >/proc/fs/afs/cells 182ca6e9049SMauro Carvalho Chehab echo add grand.central.org 18.9.48.14:128.2.203.61:130.237.48.87 >/proc/fs/afs/cells 183ca6e9049SMauro Carvalho Chehab 184ca6e9049SMauro Carvalho ChehabNo other cell database operations are available at this time. 185ca6e9049SMauro Carvalho Chehab 186ca6e9049SMauro Carvalho Chehab 187ca6e9049SMauro Carvalho ChehabSecurity 188ca6e9049SMauro Carvalho Chehab======== 189ca6e9049SMauro Carvalho Chehab 190ca6e9049SMauro Carvalho ChehabSecure operations are initiated by acquiring a key using the klog program. A 191ca6e9049SMauro Carvalho Chehabvery primitive klog program is available at: 192ca6e9049SMauro Carvalho Chehab 193011c9ec3SAlexander A. Klimov https://people.redhat.com/~dhowells/rxrpc/klog.c 194ca6e9049SMauro Carvalho Chehab 195ca6e9049SMauro Carvalho ChehabThis should be compiled by:: 196ca6e9049SMauro Carvalho Chehab 197ca6e9049SMauro Carvalho Chehab make klog LDLIBS="-lcrypto -lcrypt -lkrb4 -lkeyutils" 198ca6e9049SMauro Carvalho Chehab 199ca6e9049SMauro Carvalho ChehabAnd then run as:: 200ca6e9049SMauro Carvalho Chehab 201ca6e9049SMauro Carvalho Chehab ./klog 202ca6e9049SMauro Carvalho Chehab 203ca6e9049SMauro Carvalho ChehabAssuming it's successful, this adds a key of type RxRPC, named for the service 204f7775c20SRandy Dunlapand cell, e.g.: "afs@<cellname>". This can be viewed with the keyctl program or 205ca6e9049SMauro Carvalho Chehabby cat'ing /proc/keys:: 206ca6e9049SMauro Carvalho Chehab 207ca6e9049SMauro Carvalho Chehab [root@andromeda ~]# keyctl show 208ca6e9049SMauro Carvalho Chehab Session Keyring 209ca6e9049SMauro Carvalho Chehab -3 --alswrv 0 0 keyring: _ses.3268 210ca6e9049SMauro Carvalho Chehab 2 --alswrv 0 0 \_ keyring: _uid.0 211ca6e9049SMauro Carvalho Chehab 111416553 --als--v 0 0 \_ rxrpc: afs@CAMBRIDGE.REDHAT.COM 212ca6e9049SMauro Carvalho Chehab 213ca6e9049SMauro Carvalho ChehabCurrently the username, realm, password and proposed ticket lifetime are 214ca6e9049SMauro Carvalho Chehabcompiled into the program. 215ca6e9049SMauro Carvalho Chehab 216ca6e9049SMauro Carvalho ChehabIt is not required to acquire a key before using AFS facilities, but if one is 217ca6e9049SMauro Carvalho Chehabnot acquired then all operations will be governed by the anonymous user parts 218ca6e9049SMauro Carvalho Chehabof the ACLs. 219ca6e9049SMauro Carvalho Chehab 220ca6e9049SMauro Carvalho ChehabIf a key is acquired, then all AFS operations, including mounts and automounts, 221ca6e9049SMauro Carvalho Chehabmade by a possessor of that key will be secured with that key. 222ca6e9049SMauro Carvalho Chehab 223ca6e9049SMauro Carvalho ChehabIf a file is opened with a particular key and then the file descriptor is 224ca6e9049SMauro Carvalho Chehabpassed to a process that doesn't have that key (perhaps over an AF_UNIX 225ca6e9049SMauro Carvalho Chehabsocket), then the operations on the file will be made with key that was used to 226ca6e9049SMauro Carvalho Chehabopen the file. 227ca6e9049SMauro Carvalho Chehab 228ca6e9049SMauro Carvalho Chehab 229ca6e9049SMauro Carvalho ChehabThe @sys Substitution 230ca6e9049SMauro Carvalho Chehab===================== 231ca6e9049SMauro Carvalho Chehab 232ca6e9049SMauro Carvalho ChehabThe list of up to 16 @sys substitutions for the current network namespace can 233ca6e9049SMauro Carvalho Chehabbe configured by writing a list to /proc/fs/afs/sysname:: 234ca6e9049SMauro Carvalho Chehab 235ca6e9049SMauro Carvalho Chehab [root@andromeda ~]# echo foo amd64_linux_26 >/proc/fs/afs/sysname 236ca6e9049SMauro Carvalho Chehab 237ca6e9049SMauro Carvalho Chehabor cleared entirely by writing an empty list:: 238ca6e9049SMauro Carvalho Chehab 239ca6e9049SMauro Carvalho Chehab [root@andromeda ~]# echo >/proc/fs/afs/sysname 240ca6e9049SMauro Carvalho Chehab 241ca6e9049SMauro Carvalho ChehabThe current list for current network namespace can be retrieved by:: 242ca6e9049SMauro Carvalho Chehab 243ca6e9049SMauro Carvalho Chehab [root@andromeda ~]# cat /proc/fs/afs/sysname 244ca6e9049SMauro Carvalho Chehab foo 245ca6e9049SMauro Carvalho Chehab amd64_linux_26 246ca6e9049SMauro Carvalho Chehab 247ca6e9049SMauro Carvalho ChehabWhen @sys is being substituted for, each element of the list is tried in the 248ca6e9049SMauro Carvalho Chehaborder given. 249ca6e9049SMauro Carvalho Chehab 250ca6e9049SMauro Carvalho ChehabBy default, the list will contain one item that conforms to the pattern 251ca6e9049SMauro Carvalho Chehab"<arch>_linux_26", amd64 being the name for x86_64. 252