Creating AFS Group Space

There doesn't seem to be an existing document on creating AFS group space. So I thought I'd note down what I did to create some. Note at present we don't have a scheme for where to locate (ie which AFS partitions) to put group volumes and their mirrors. One thing for sure is that they shouldn't go on the recently allocated AFS user partitions.

A few basic points:

• The group areas in the afs space are mounted at /afs/inf.ed.ac.uk/group/<sub-dir>/GROUP_NAME in a similar manner to the existing /group/<sub-dir>/GROUP_NAME NFS structure that we have. See AFSGroupSpaceUpdate.
• Not all group space is mirrored and backed up to tape. All AFS RW volumes, including group volumes, should have at least a local readonly and backup volumes, but perhaps not the offsite RO copy.
• We don't (currently) have any guidance on how to actually manage group ACLs.
• PTS group entries live in the same namespace as usernames, which means in the UUN name space, so you shouldn't create a PTS group entry called ephones unless you've got it excluded from the UUN name space. Or Ms Emily Phones is going to be a bit miffed when she turns up to Informatics looking for her AFS space!

Select a server and partition

Currently this is a black art and needs to be formalised. The only thing for certain is that you should not use any of the partitions that are allocated for AFS User space (see the list of AFSPartitions). If appropriate, you will also need to identify a server and partition for the offsite RO copy.

You should probably try to pick a server that is physically near to the bulk of people in the group that will be using the space, but also bear in mind overloadings of the partitions.

Also see https://groups.inf.ed.ac.uk/cos/disk_script/servers.html probably click on the "all four" links for the Forum in most cases to see where there is space.

Creating and mounting the space

Having selected the server and partition for the area, create a group.NAME volume:

  /usr/sbin/vos create <server> <partition> group.<groupname>
eg
  /usr/sbin/vos create -verbose sphinx /vicepb group.ephones

Create the local RO volume:

  vos addsite sphinx /vicepb group.ephones
  vos release -verbose group.ephones

Where an offsite RO volume is also needed, see the "Backups and Mirrors" section.

Then mount it as a read write volume, note the leading "." before inf.ed.ac.uk, this get you to the read/write version of the /group/ directory so that you can create the mount point within it.

  fs mkmount -rw /afs/.inf.ed.ac.uk/group/<groupname> group.<groupname>
eg
  fs mkmount -rw /afs/.inf.ed.ac.uk/group/ephones group.ephones

The -rw option forces the mounting of the read/write version of the group volume, otherwise the cache manager will mount the RO copies.

Once mounted, the group-directory-containing directory should be updated, eg:

    /usr/sbin/vos release gdir

Or it may be under gdir.project, gdir.conference, gdir.cstrproj gdir.mscproj etc - use fs exam XXX to see which gdir XXX is on. e.g.

  fs ls /afs/inf.ed.ac.uk/group/teaching

This updates any read-only copies of /afs/inf.ed.ac.uk/group/. Then flushes the cached data:

    fs checkvolumes 

Set the agreed/requested quota for the volume, eg:

    fs setquota /afs/inf.ed.ac.uk/group/<groupname> -max 1000000 

Then create a backup volume:

    /usr/sbin/vos backup group.<groupname> 

and mount it as Yesterday:

    fs mkmount /afs/inf.ed.ac.uk/group/<groupname>/Yesterday group.<groupname>.backup

Apply an appropriate ACL to the group area. Probably just make it full access to the user that requested the area eg:

  fs setacl /afs/inf.ed.ac.uk/group/<groupname>  <username> all

The default unix file permissions for this new area will be drwxrwxrwx which though (nearly) irrelevant with AFS ACLs, can cause some confusion, so perhaps best to remove Group and Other write bits:

  chmod go-w /afs/inf.ed.ac.uk/group/<groupname>

At this point you might want to do another vos backup group.<groupname> so that the ACL will get copied to the .backup version of the volume, and hence Yesterday will be accessible to the user. This will happen automatically during the nightly AFS backup run.

Backups and Mirrors

Depending on what the group wants/has/hasn't paid for, you should create off site readonly (RO) copies of their group volume, and add it to the backups exclusion list. Remember, by default everything will be backed up to tape. You perhaps don't want this if they've not paid for it, and have 500GB of data!

Excluding from tape backup

To exclude the group volume group.foo from the tibs tape backups, you need to update the header live/tibsconf-server.h. The old way was to add something like:

!tibsconf.omissions mADD(foo)
tibsconf.omit_foo  |group.foo|

however, due the the wonders of a labour saving macro, you can now just put:

TIBS_OMIT_GROUP(foo)

This assumes the volume is named "group.foo", which it will be if you're following the naming convention. Also make sure you do this after the macro definition.

Create offsite ReadOnly (RO) volume - mirroring

To create offsite RO volumes use "vos addsite". You should have already created a RO volume on the same partition as the RW volume (see above). All that remains is to add the offsite RO location. Based on the location of the RW volume, from the AFSPartitions page find out what the corresponding offsite server and partition should be. Then do:

   /usr/sbin/vos addsite <readonly_server> <readonly_partition> group.<groupname>
eg
   /usr/sbin/vos addsite nuggle /vicepc group.ephones

Then update the RO copies with a vos release group.<groupname eg vos release group.ephones

Group ACL Management

[I'm kind of running out of steam here, so only the basics ...]

See the bullet points at the top of this, but essentially the PTS group names are in the same name-space as UUNs, so you need to get your group name excluded from the UUN space - or choose something that doesn't clash, eg it could contain a hyphen. It has been suggested that we simply prefix all AFS group names with afs-, but at this time this hasn't been confirmed. But it is as close to a decision as we've made, so go with it!

Note if this is space for an existing group for which a unix group already exists, then perhaps the Automatics AFS groups section below will remove the need to do any of the following.

It is probably helpful to create an AFS group that the requester can maintain, do this with: (ephones is the name of the group in this case, see the UUN name consideration above):

  pts creategroup -name afs-ephones

  pts adduser -user <requester> -group afs-ephones

  pts chown -name afs-ephones -owner afs-ephones

So now there is a new AFS pts group "afs-ephones" owned by the members of "afs-ephones" ie anyone in that group can administer that group, and it has a single member set to the person who requested the ASF group space. This means they can then add further people to the group.

You should then set the ACL of the group volume to give the appropriate access to the group you have just created.

What to tell the user

Here's an example of what I sent to the requester who asked for the group space:

There is now a 7GB group area
for you at /afs/inf.ed.ac.uk/group/ephones/

I've created an AFS "afs-ephones" group, which is managed by people in that
group, and currently you are the only member. See "man pts", or "pts
help", or http://www.inf.ed.ac.uk/systems/AFS/1/pts.html for the list of
pts commands, eg:

pts membership afs-ephones
pts adduser neilb afs-ephones

You can then give that group appropriate access to the ephones space, eg:

fs setacl /afs/inf.ed.ac.uk/group/ephones afs-ephones all
fs setacl /afs/inf.ed.ac.uk/group/ephones neilb rl

The first gives all members of "afs-ephones" full AFS access, the second
only gives the named user (me) Read and List access.

Again there are man pages and web pages for "fs",
http://www.inf.ed.ac.uk/systems/AFS/1/fs.html

Automatics AFS groups

To make AFS more friendly to users moving from the NFS world, we automatically generate afs PTS entries of the form "inf:<group-name>" that have the same membership of the unix group <group-name> and so generated from roles and capabilities, eg the unix group sysman will be equivalent to the AFS PTS group inf:sysman. The syncgroups2afs script currently runs hourly during the day on the tibs backup server, it's part of the dice-afsutils RPM.

Hey, maybe they want some group webspace too

group webspace

-- NeilBrown - 13 Mar 2007 updated -- NeilBrown - 05 Jun 2009 updated -- JenniferOxley - 11 Jan 2012 updated -- RogerBurroughes - 18 Mar 2013 updated -- RichardBell - 15 Jun 2016