[OpenAFS] Using OpenAFS with Web Servers

Jason Garman jgarman@wedgie.org
Mon, 18 Mar 2002 14:37:06 -0500

On Mon, Mar 18, 2002 at 02:13:32PM -0500, BNQ wrote:
> How suitable is OpenAFS for use as network attached storage for production
> level web servers?  The reason I want to do this is because I want all my
> clients to be in a central place.  Then I can have all my web servers access
> pages from that place.  By doing this I have increased scalability, because
> I can expand the AFS cell as my storage needs grow, and I can have multiple
> web servers serving the same website.
> Has anybody tried doing this before?  How well would OpenAFS respond to read
> requests for thousands of small files every second?

I haven't personally tried this, but I'm itching to set up a system like
this for someone.  It seems like the absolute perfect solution for large
web sites.  Scalability is not an issue; if you need more front-end
servers, add new Apache servers.  If you need more back-end I/O bandwidth,
add new read/only replica AFS servers, so on and so forth.

Another great advantage is the ability to have a read/write staging copy
of web content where web developers can actively make changes, and then
atomically roll those changes into production with one command.

Performance shouldn't be a problem because if there are any performance
problems, adding replica servers is easy...

> Is there anything that can be done to optimize such a system?  On the
> clients is the cache stored in memory or hard disk?  Is it possible to store
> it in both?  Would having a large client side cache (like 2G) solve my
> problems?

I guess I'd lean toward a hard disk cache since the OS is already
aggressively caching in memory... seems wasteful to cache twice in RAM,
I'm assuming that this is how things work?

> This system will also require me to create and maintain a large number of
> users.  I have decided that OpenLDAP is the best way to go about doing this.
> Is it possible to integrate OpenAFS with OpenLDAP so that authentication is
> done through OpenLDAP, and authorized access to files is done through OpenAFS
> ACLs?

AFS really doesn't communicate with anything like LDAP.  I'd recommend
using Kerberos V for authentication and as for authorization, the AFS
protection server is pretty much the only game in town.

Jason Garman / jgarman@wedgie.org