AFS is a network-based filesystem that provides world-wide access to files. DESY uses the AFS for the home directories of all users and for the distribution of software, for example. The AFS is mounted under /afs and is structured in so-called cells, one of which is desy.de. Your home directory is located at /afs/desy.de/user/u/username (with the single letter being the first letter of your username) and is the same on every AFS host in the DESY network. Note that you can access not only files inside the DESY cell, but also in all other cells that are known to the AFS client – this happens completely transparently, even though the speed will of course depend on the network connection. You can use the AFS just like any other filesystem (such as local filesystems or the well-known NFS), but there are a few things to keep in mind.
Home directories have a quota which is set to 500 MB by default. You can use the command fs quota to view the current usage, and the command fs listquota will display more detailed information. If your quota is exceeded, you won’t be able to write data to the AFS anymore. Note that it may become impossible to use a graphical user interface such as KDE – in that case, log in to a plain terminal and free up some space first. You may want to keep temporary data, such as browser caches, out of your home directory and use /tmp instead – this will not only save valuable AFS space, it is also usually faster to retain such data on a local disk.
Access permissions in the AFS are managed with Access Control Lists, which allow a much finer adjustment of various rights than the usual Unix-style file access permissions. ACLs are set on a per-directory basis and can be displayed and modified with the commands fs listacl and fs setacl, respectively – type the command fs help for more information. It is important to keep in mind that for files, the “group” and “other” parts (i. e. the second and third “rwx” triplet) of the Unix permissions are not considered in the AFS – only the “user” part (i. e. the first “rwx” triplet) acts as a master switch for read and write permissions which are granted in the ACL of the directory which contains the file. The Unix permissions of directories in the AFS are completely ignored! AFS access permissions consist of a set of seven attributes:
“r” (read) – read files in this directory
“l” (lookup) – view the contents and the ACL of this directory
“i” (insert) – create files or subdirectories in this directory
“d” (delete) – remove files or subdirectories from this directory
“w” (write) – write to files in this directory or change their Unix access permissions
“k” (lock) – lock files in this directory
“a” (administer) – change the ACL of this directory
Note that there is no such thing as an “executable” attribute – this is taken from the Unix permissions. You can grant AFS access permissions to individual users (who will need a valid Kerberos token, including yourself), to certain predefined groups, or to DESY-specific groups:
system:anyuser – anybody with AFS access, even without a valid token
system:authuser – anybody with a valid token of the local cell, i. e. desy.de
system:administrators – the AFS administrators of the local cell
desy-hosts – all hosts in the DESY networks at Hamburg and Zeuthen
usg:flc – all users who are members of FLC (try pts membership usg:flc)
You can also define your personal AFS groups and include them in your ACLs – type the command pts help for more information. Note that the ACL for a directory is inherited from its parent directory when the directory is created, but it will not be affected anymore when you move a directory to another location in the AFS tree. When you get a new account, there are a few predefined subdirectories with special ACLs inside your home directory: ~/public is readable for system:anyuser, ~/flc is readable for usg:flc, and ~/private has no permissions for anybody but you (and the administrators). Most other directories have the “lookup” permission (but not the “read” permission) for system:anyuser by default – note that an appropriate “lookup” permission is needed for all levels of parent directories in order to access any given directory.
If a filename in the AFS directory tree contains the character sequence “@sys”, this substring will be replaced by the name of the operating system – i. e. the first matching name in the output of the command fs sysname. This mechanism is most often used in symbolic links, which can then point to different targets, depending on the current system. If no matching target for the expansion of “@sys” can be found, the filename is invalid.
Introduction to AFS at DESY – the official UCO documentation
- From the AFS Guides:
- Auxiliary Tools:
K5Cron – if your cronjobs need access to the AFS
Transarc AFS FAQ – ancient, but in most parts still valid