AFS Data Repository

From NAMIC Wiki

Overview

BIRN is continually evaluating and implementing new ways to make it easier for the BIRN testbeds and collaborators to integrate high-performance distributed data resources into their scientific analyses.

AFS provides a number of very nice features:

  • Security hooks including GSI authentication compatibility with BIRN standards
  • User-controlled Access Control Lists (ACLs)
  • Nice Windows integration (directly mountable for access by any program)
  • Cross-platform, open source

Configuration Notes

Notes on how AFS does replication:

AFS allows administrators to define volumes. A volume may be located at any fileserver (all BIRN gcomps can act as file servers for AFS).

Volumes are either RW (read-write) or RO (read only).

AFS clients prefer an RO replica, if one exists. Some things of note:

  • For any volume, there is one and only one RW version. You cannot replicate and get another RW version.
  • RO versions are created with a specific command, "vos release". That is, data written to the RW master volume is not automatically pushed out to an RO replica.
  • Local client caches register with their file server, so that if a new release of a volume is created, the client cache is invalidated.
  • You cannot replicate an RO volume; you must replicate the RW master.

Conventions

  • A pathname preceded by a "." is considered an RW name.
  • Once you take an RW "branch" when traversing a filesystem tree, everything below it is an RW branch. This means that common directory paths should be RO. This is not a convention, but the way AFS works.
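
The replication notes and path conventions above can be made concrete with a small model. This is an added example, not OpenAFS code or anything from BIRN: the volume names (root.cell, projects, proj.mouse), the file atlas.txt and the helper names are assumptions chosen for illustration.

```python
# Toy model of AFS path resolution, constructed for illustration (not OpenAFS code).
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Mount:
    volume: str  # volume mounted at this directory entry

@dataclass
class Volume:
    rw: dict = field(default_factory=dict)  # the one and only RW master
    ro: Optional[dict] = None               # RO replica; None until released

    def release(self):
        """Stand-in for 'vos release': copy the RW master to the RO replica."""
        self.ro = dict(self.rw)

def resolve(volumes, path, root="root.cell"):
    """Walk path; return (volume name, 'RW' or 'RO', file contents or None)."""
    def enter(name, in_rw):
        vol = volumes[name]
        # An RW branch stays RW below it; a volume with no RO replica forces RW.
        in_rw = in_rw or vol.ro is None
        return (vol.rw if in_rw else vol.ro), in_rw

    cell, *parts = path.split("/")
    name = root
    tree, in_rw = enter(name, cell.startswith("."))  # leading "." = RW name
    for part in parts:
        entry = tree[part]
        if not isinstance(entry, Mount):
            return name, "RW" if in_rw else "RO", entry
        name = entry.volume
        tree, in_rw = enter(name, in_rw)
    return name, "RW" if in_rw else "RO", None

def build_cell():
    """Constructed sample cell following the nbirn.net/projects/mouse layout."""
    vols = {
        "root.cell": Volume({"projects": Mount("projects")}),
        "projects": Volume({"mouse": Mount("proj.mouse")}),
        "proj.mouse": Volume({"atlas.txt": "v1"}),
    }
    for vol in vols.values():
        vol.release()  # every volume starts with an up-to-date RO replica
    return vols

if __name__ == "__main__":
    cell = build_cell()
    cell["proj.mouse"].rw["atlas.txt"] = "v2"  # written to RW, not yet released
    print(resolve(cell, "nbirn.net/projects/mouse/atlas.txt"))
    print(resolve(cell, ".nbirn.net/projects/mouse/atlas.txt"))
```

The model also shows why common directory paths should be RO: if the projects volume has no RO replica, every path below it resolves to RW masters even when the client started from the RO name.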


Suggested High Level Directory Structure

nbirn.net is our cell name. Suggested high-level directories are:

  • nbirn.net/projects
  • nbirn.net/sites
  • nbirn.net/users

Under projects you might have

  • nbirn.net/projects/birncc
  • nbirn.net/projects/function
  • nbirn.net/projects/mouse
  • nbirn.net/projects/morph


Software Versions

Initial BIRN testing on version 1.3.8201.

Getting Access

Contact Vicky Rowley (vrowley at nbirn.net)

Firewall Issues

Are being worked on...

AFS Port Information

For everything in AFS: tcp/udp 7000-7009.

Authentication (DB Servers): incoming Kerberos and Kerberos4 ports must be open.

Clients need to be able to connect to the Authentication DB Server on the above ports.

NAT based Firewalls

The timeout on UDP ports 7000-7009 must be set to greater than 15 minutes. This is the time allowed for the Cache Manager on the client to communicate with the file server to make sure the data is still fresh. This is not configurable on all firewalls (e.g. some Linksys and Microsoft branded firewalls do not support it). With the default configuration, 5 minutes has reportedly been all that's needed to keep the AFS Cache Manager happy.

SSH and stunnel

Apparently these solutions only work for tcp ports (not udp as needed by AFS).

Zebedee is a possible substitute that could be used: http://www.winton.org.uk/zebedee/

An overlay network to the birn racks may facilitate setting up the routing.

VPN

Could be hosted by the birn racks.

Server side

The server side needs to be able to scale to handle many users, which is a bandwidth issue. It may need a proprietary or hardware-accelerated solution. A Cisco VPN server is currently used on the BIRN racks and could perhaps be used for making extra connections. Extra hardware could also be bought to beef up the capability of particular racks (say, one East Coast, one West Coast).

Client Side

Microsoft and Mac OS X 10.4 should work with most VPN clients.

Links

http://www.openacs.org