You are here

AFS top tips

Printer-friendly versionPrinter-friendly version

This page is for those in a hurry to use AFS. For documentation and explanations see AFS and filesystems.

  1. How do I see what access permissions a directory has?
  2. How do I change access permissions on a file?
  3. How do I change access permissions on a directory?
  4. How do I interpret ACL permissions?
  5. Can I still use Unix file permissions?
  6. How do I create a local group?
  7. How do I set up a long-running job?
  8. Serving web pages from AFS
  9. How to run a cron job
  10. Why can't I see Chinese properly?
  11. Using Unison with an AFS home directory
  12. How many files can I have in an AFS directory?
  13. Why can't I copy a file larger than 8.6GB to a location in AFS space using Nautilus?


  1. How do I see a directory's access permissions?
        % fs listacl -path <directory> 

    See the fs listacl manual page for more info.


  2. How do I change access permissions on a file?

    You can't - access permissions (ACLs) are per-directory. All files within a particular directory have the same access constraints. (These are inherited at directory creation time, but can be changed subsequently.) Note that access permission to a file will change if it is moved to another directory with a different ACL.

    See the chapter on "Protecting your Directories and Files" in the AFS User Guide for more info.


  3. How do I change access permissions on a directory?

    Use fs setacl. For example:

        % fs setacl -dir <directory> -acl <username>:<groupname> rl 

    This gives (read & list) permissions for the specified <groupname> to <directory> (or "." for current working directory).

    Note this command is NOT recursive and only sets permissions for the directory specified. To set the permissions recursively so that subdirectories will also inherit the ACL use the fsr command.

        % fsr setacl -dir <directory> -acl <username>:<groupname> rl 

    A user needs the l (lookup) permission on a parent directory to reach its subdirectories.

    See the fs setacl manual page for more info.


  4. How do I interpret ACL permissions?


    Directory permissions are:

    • l (lookup):
      Permission to search or list directories, and access sub-directories
    • i (insert):
      Permission to create files and immediate sub-directories
    • d (delete):
      Permission to remove files and subdirectories
    • a (administer):
      Permission to change the ACL

    File permissions are:

    • r (read):
      Permission to read the contents of files in the directory, and to get file details (long listing)
    • w (write):
      Permission to modify the contents of files in the directory and to use the 'chmod' command.
    • k (lock):
      Permission to run programs that issue system calls to lock files in the directory.

    See section "AFS ACL Permissions" in chapter "Protecting your Directories and Files" of the AFS User Guide for more info.


  5. Can I still use Unix file permissions?

    Yes, but in AFS they don't behave in quite the same way. Mode bits on directories are ignored, and only the user set of mode bits is used for files. These can be used to grant or deny read and/or write access to everyone. Note that this only applies to files in AFS filespace.

    See section "How AFS uses the Unix mode bits" in chapter "Protecting your Directories and Files" of the AFS User Guide for more info.


  6. How do I create a local AFS group?


    AFS groups can be used in AFS ACLs (see above).

        % pts creategroup -name <myusername>:<groupname>
        % pts adduser -user <username(s)> -group <groupname> 

    This creates a group <groupname>, and adds <username(s)> to it. Note that a group can contain users and/or machines. Also note that we synchronise our existing Unix groups in to AFS but with a "inf:" prefix, so for example the Unix group staff becomes the AFS group inf:staff.

    After being added as a group member, a user must reauthenticate (for example with "aklog") to gain the permissions granted by an ACL.

    See the pts creategroup and pts adduser manual pages for more info.


  7. How do I set up a long-running job?

    If a computing job is still running after your AFS credentials expire, it will no longer be able to write files to AFS.

    AFS credentials have a lifetime of 18 hours, so short term jobs should just work. Before starting a job, renew your credentials with renc to ensure that the job gets the full 18 hours access to AFS.

    For medium term jobs (more than 18 hours, but less than 28 days), use krenew. See man krenew for more info. Some user accounts do not have permission to run medium term jobs, so if you find that krenew does not work, please contact us via the Support Form.

    Set up a medium term job as follows:

    1. Get credentials into a separate credentials cache:

        export KRB5CCNAME=/tmp/mykerbcred 

    Use a different filename in /tmp if you wish!

    2. Run kinit:

        kinit -r28day 

    3. Run the job with krenew. See man krenew for more details.

        krenew -k /tmp/mykerbcred -t <jobname> 

    On DICE machines longjob simplifies the above commands.

        longjob -28day -c <jobname> 

    The job will run in the background, leaving you free to log out. Read man longjob for more details.

    Long term jobs (greater than 28 days) need extra setup. Ask for this via the Support Form.


  8. Serving web pages from AFS

    sweb.inf.ed.ac.uk can serve pages straight from AFS. See the sweb service for details.


  9. How to run a cron job

    (cron can run commands at a specified time or date. Read man crontab and man 5 crontab for details.)

    You MUST add "HOME=/tmp" as the first part of your cron job to stop the local cron daemon trying to access your AFS home directory (which will fail if your AFS tokens have expired, or cron is not running as you). This can be added to the cron entry (as listed by "crontab -l"), and appear something like:

        HOME=/tmp
        2 10 12 * * <cron command>
    

    Note also that you shouldn't need to add "HOME=/tmp" to your script, since it is only cron that's affected - by default, our version of cron tries to look for configuration settings in your home directory - more accurately, the value of $HOME - and if it can't read that location (which it won't be able to if it's on AFS and restricted by ACLs) it will fail. Setting "HOME=/tmp" for the environment in which cron runs should prevent it trying to look in your AFS home directory. Setting this in/for any scripts is a separate issue, which may or may not be appropriate.

    Note that this will only work for non-AFS filespace. Any cron jobs that access AFS filespace will need an alternative mechanism.


  10. Why can't I see Chinese properly?

    Your X11 fonts directory has to be read-accessible to system:anyuser, since the X server is running as root, not as you.


  11. Using Unison with an AFS home directory

    Unison is a tool used to keep a local and remote file area in synchronisation. Normally people will use ssh to access the remote file system - for example their Informatics home directory - so that files can be compared and transferred as necessary. This will just continue to work if you are providing your DICE password when connecting via ssh.


    However some people use unison with ssh public keys to remove the need to enter a password when synchronising. As stated here, this will not work, as without a password the ssh daemon will not obtain the kerberos and AFS tokens needed to access the AFS home directory. If this is how you use Unison, there are three solutions:

    • Stop using ssh public keys, and just enter your DICE password as required.
    • (Better, more secure) Use kerberos and a kerberos-aware ssh client on your machine. You will then only need to kinit uun@INF.ED.AC.UK once a day on your local machine, after which ssh to DICE machines will work without a password.
    • (Even better) Install kerberos and AFS on your local machine. Once you are authenticated and able to access your AFS home directory, you can then configure unison to synchronise between the AFS path and your local files, without any need to use ssh.

    For details about setting up kerberos and AFS on your machine, see:


  12. How many files can I have in an AFS directory?

    You can have around 64,000 files (directory entries) in an AFS directory if the filenames are all less than 16 characters long. If there are filenames with 16 characters or more, the maximum number of files decreases.

    There are 64,000 filename "slots" per directory. Each file of less than 16 characters takes 1 slot, and additional slots are required to store entries with names that are longer than 15 characters. The longer a filename is, the more slots it needs, and hence the number of files the directory can hold is reduced.

    Once a filename reaches 16 characters, another slot is required - and each such slot allows an additional 32 characters of filename, so two slots allow filenames of up to 48 characters. If all filenames in a directory were 16-48 characters long, the maximum number of files that the directory could contain would be halved.


  13. Why can't I copy a file larger than 8.6GB to a location in AFS space using Nautilus?

    The AFS client has no way of knowing exactly how much can be written to the /afs filesystem, since this depends on the permissions of the individual user. It would also take a long time to search the whole of the AFS file space on start up. To get around this, the AFS client arbitrarily claims 8.6GB as the size of the /afs filesystem. This cannot easily be changed. Most utilities cheerfully ignore this figure, but Nautilus takes the AFS client at its word and will not allow files larger than 8.6GB to be copied to the /afs/ filesystem, since Nautilus believes that doing so would completely fill the partition. Unfortunately, the only way around this is to use some other means (cp comes to mind) to copy the file across.


Last reviewed: 
23/02/2016

System Status

Home dirs (AFS)
Network
Mail
Other services
Scheduled downtime

Choose a topic