[OpenAFS] Potential connection loss to CERN AFS cell (retirement of old VLDB servers)

Jeffrey E Altman jaltman@auristor.com
Thu, 26 Jan 2023 12:02:52 -0500


This is a cryptographically signed message in MIME format.

--------------ms090903090504090909040106
Content-Type: multipart/alternative;
 boundary="------------xfke3r25Hp26qxXd0hlQDe8V"

--------------xfke3r25Hp26qxXd0hlQDe8V
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

On 1/26/2023 10:18 AM, Diogo Castro (diogo.castro@cern.ch) wrote:
>
> In the next week, CERN will turn off the last two original AFS CERN 
> VLDB servers (or rather, the machines using their IP addresses). For 
> reasons related to our network structure and IP allocation, we could 
> not keep the old IPs when retiring the current server generation.
>
> AFS clients still using (only) these IPs will no longer be able to 
> connect to the CERN AFS cell.
>
> We have attempted to get the central CellServDB updated ahead of this 
> change (first with new IPs, then to use (only) DNS for "cern.ch"). 
> However, CellServDB is shipped by various distributions, and anyway 
> only considered at (Linux) client start.
>
CERN sent the requests to update the GRAND.CENTRAL.ORG Public Cell 
Service Database [https://grand.central.org/csdb.html] and OpenAFS 
[https://gerrit.openafs.org/#/c/14842/] in November 2021.   I do not 
believe there is anything more that CERN could have done to prevent end 
user inconvenience.

Thank you for trying.

> How to check whether a particular AFS client is affected:
>
> $ fs getserverprefs -vlservers | grep -E 'afsdb[0-9]+.cern.ch'
>
> - if the output only mentions afsdb1{1,2,3,4}.cern.ch, the 
> configuration is DNS-based and correct - no issues expected.
>
> - if the output mentions a mix of afsdb{1,2}.cern.ch and 
> afsdb1{1,2,3}.cern.ch (the current central CellServDB config), this 
> client will switch automatically to our new servers, possibly after a 
> short hiccup - no major issues expected.
>
> - if the output only has afsdb{1,2}.cern.ch, this client will not be 
> able to connect to CERN.CH in the future.
>
> Our recommendation is to use DNS - CellServDB should have an entry for 
> the cell but no IPs:
>
> >cern.ch                #European Laboratory for Particle Physics, Geneva
>
> />(next cell info here)
>
>
For those that have AuriStorFS clients deployed, graceful transition to 
the afsdb1{1,2,3,4}.cern.ch servers occurred when the afsdb{1,2}.cern.ch 
sites were removed from the published _afs3-vlserver._udp.cern.ch DNS 
SRV record.

Jeffrey Altman


--------------xfke3r25Hp26qxXd0hlQDe8V
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <div class="moz-cite-prefix">On 1/26/2023 10:18 AM, Diogo Castro
      (<a class="moz-txt-link-abbreviated" href="mailto:diogo.castro@cern.ch">diogo.castro@cern.ch</a>) wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:GV0P278MB03379D33AD3CCE385FBF2E9199CF9@GV0P278MB0337.CHEP278.PROD.OUTLOOK.COM">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <meta name="Generator" content="Microsoft Word 15 (filtered
        medium)">
      <style>@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;
	mso-ligatures:standardcontextual;
	mso-fareast-language:EN-US;}span.EmailStyle17
	{mso-style-type:personal-compose;
	font-family:"Calibri",sans-serif;
	color:windowtext;}.MsoChpDefault
	{mso-style-type:export-only;
	mso-ligatures:standardcontextual;
	mso-fareast-language:EN-US;}div.WordSection1
	{page:WordSection1;}</style>
      <div class="WordSection1">
        <p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">In the next week</span>,
          CERN will turn off the last two original AFS CERN VLDB servers
          (or rather, the machines using their IP addresses). For
          reasons related to our network structure and IP allocation, we
          could not keep the old IPs when retiring the current server
          generation.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">AFS clients still using (only) these IPs
          will no longer be able to connect to the CERN AFS cell.<o:p></o:p></p>
        <p class="MsoNormal">We have attempted to get the central
          CellServDB updated ahead of this change (first with new IPs,
          then to use (only) DNS for "cern.ch"). However, CellServDB is
          shipped by various distributions, and anyway only considered
          at (Linux) client start.<o:p></o:p></p>
      </div>
    </blockquote>
    <p>CERN sent the requests to update the GRAND.CENTRAL.ORG Public
      Cell Service Database [<a class="moz-txt-link-freetext" href="https://grand.central.org/csdb.html">https://grand.central.org/csdb.html</a>] and
      OpenAFS [<a class="moz-txt-link-freetext" href="https://gerrit.openafs.org/#/c/14842/">https://gerrit.openafs.org/#/c/14842/</a>] in November
      2021.   I do not believe there is anything more that CERN could
      have done to prevent end user inconvenience.</p>
    <p>Thank you for trying.<br>
    </p>
    <blockquote type="cite"
cite="mid:GV0P278MB03379D33AD3CCE385FBF2E9199CF9@GV0P278MB0337.CHEP278.PROD.OUTLOOK.COM">
      <div class="WordSection1">
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">How to check whether a particular AFS
          client is affected:<o:p></o:p></p>
        <p class="MsoNormal">$ fs getserverprefs -vlservers | grep -E
          'afsdb[0-9]+.cern.ch'<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><span lang="EN-US">- </span>if the output
          only mentions afsdb1{1,2,3,4}.cern.ch, the configuration is
          DNS-based and correct - no issues expected.<o:p></o:p></p>
        <p class="MsoNormal"><span lang="EN-US">- </span>if the output
          mentions a mix of afsdb{1,2}.cern.ch and afsdb1{1,2,3}.cern.ch
          (the current central CellServDB config), this client will
          switch automatically to our new servers, possibly after a
          short hiccup - no major issues expected.<o:p></o:p></p>
        <p class="MsoNormal"><span lang="EN-US">- </span>if the output
          only has afsdb{1,2}.cern.ch, this client will not be able to
          connect to CERN.CH in the future.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Our recommendation is to use DNS -
          CellServDB should have an entry for the cell but no IPs:<o:p></o:p></p>
        <p class="MsoNormal">&gt;cern.ch                #European
          Laboratory for Particle Physics, Geneva<o:p></o:p></p>
        <p class="MsoNormal">/&gt;(next cell info here)<o:p></o:p></p>
        <br>
      </div>
    </blockquote>
    <p>For those that have AuriStorFS clients deployed, graceful
      transition to the afsdb1{1,2,3,4}.cern.ch servers occurred when
      the afsdb{1,2}.cern.ch sites were removed from the published
      _afs3-vlserver._udp.cern.ch DNS SRV record.</p>
    <p>Jeffrey Altman</p>
    <p><br>
    </p>
  </body>
</html>

--------------xfke3r25Hp26qxXd0hlQDe8V--

--------------ms090903090504090909040106
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC
DHEwggXSMIIEuqADAgECAhBAAYJpmi/rPn/F0fJyDlzMMA0GCSqGSIb3DQEBCwUAMDoxCzAJ
BgNVBAYTAlVTMRIwEAYDVQQKEwlJZGVuVHJ1c3QxFzAVBgNVBAMTDlRydXN0SUQgQ0EgQTEz
MB4XDTIyMDgwNDE2MDQ0OFoXDTI1MTAzMTE2MDM0OFowcDEvMC0GCgmSJomT8ixkAQETH0Ew
MTQxMEQwMDAwMDE4MjY5OUEyRkQyMDAwMjMzQ0QxGTAXBgNVBAMTEEplZmZyZXkgRSBBbHRt
YW4xFTATBgNVBAoTDEF1cmlTdG9yIEluYzELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCkC7PKBBZnQqDKPtZPMLAy77zo2DPvwtGnd1hNjPvbXrpGxUb3
xHZRtv179LHKAOcsY2jIctzieMxf82OMyhpBziMPsFAG/ukihBMFj3/xEeZVso3K27pSAyyN
fO/wJ0rX7G+ges22Dd7goZul8rPaTJBIxbZDuaykJMGpNq4PQ8VPcnYZx+6b+nJwJJoJ46kI
EEfNh3UKvB/vM0qtxS690iAdgmQIhTl+qfXq4IxWB6b+3NeQxgR6KLU4P7v88/tvJTpxIKkg
9xj89ruzeThyRFd2DSe3vfdnq9+g4qJSHRXyTft6W3Lkp7UWTM4kMqOcc4VSRdufVKBQNXjG
IcnhAgMBAAGjggKcMIICmDAOBgNVHQ8BAf8EBAMCBPAwgYQGCCsGAQUFBwEBBHgwdjAwBggr
BgEFBQcwAYYkaHR0cDovL2NvbW1lcmNpYWwub2NzcC5pZGVudHJ1c3QuY29tMEIGCCsGAQUF
BzAChjZodHRwOi8vdmFsaWRhdGlvbi5pZGVudHJ1c3QuY29tL2NlcnRzL3RydXN0aWRjYWEx
My5wN2MwHwYDVR0jBBgwFoAULbfeG1l+KpguzeHUG+PFEBJe6RQwCQYDVR0TBAIwADCCASsG
A1UdIASCASIwggEeMIIBGgYLYIZIAYb5LwAGAgEwggEJMEoGCCsGAQUFBwIBFj5odHRwczov
L3NlY3VyZS5pZGVudHJ1c3QuY29tL2NlcnRpZmljYXRlcy9wb2xpY3kvdHMvaW5kZXguaHRt
bDCBugYIKwYBBQUHAgIwga0MgapUaGlzIFRydXN0SUQgQ2VydGlmaWNhdGUgaGFzIGJlZW4g
aXNzdWVkIGluIGFjY29yZGFuY2Ugd2l0aCBJZGVuVHJ1c3QncyBUcnVzdElEIENlcnRpZmlj
YXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL3NlY3VyZS5pZGVudHJ1c3QuY29tL2NlcnRp
ZmljYXRlcy9wb2xpY3kvdHMvaW5kZXguaHRtbDBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8v
dmFsaWRhdGlvbi5pZGVudHJ1c3QuY29tL2NybC90cnVzdGlkY2FhMTMuY3JsMB8GA1UdEQQY
MBaBFGphbHRtYW5AYXVyaXN0b3IuY29tMB0GA1UdDgQWBBQB+nzqgljLocLTsiUn2yWqEc2s
gjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZIhvcNAQELBQADggEBAJwV
eycprp8Ox1npiTyfwc5QaVaqtoe8Dcg2JXZc0h4DmYGW2rRLHp8YL43snEV93rPJVk6B2v4c
WLeQfaMrnyNeEuvHx/2CT44cdLtaEk5zyqo3GYJYlLcRVz6EcSGHv1qPXgDT0xB/25etwGYq
utYF4Chkxu4KzIpq90eDMw5ajkexw+8ARQz4N5+d6NRbmMCovd7wTGi8th/BZvz8hgKUiUJo
Qle4wDxrdXdnIhCP7g87InXKefWgZBF4VX21t2+hkc04qrhIJlHrocPG9mRSnnk2WpsY0MXt
a8ivbVKtfpY7uSNDZSKTDi1izEFH5oeQdYRkgIGb319a7FjslV8wggaXMIIEf6ADAgECAhBA
AXA7OrqBjMk8rp4OuNQSMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNVBAYTAlVTMRIwEAYDVQQK
EwlJZGVuVHJ1c3QxJzAlBgNVBAMTHklkZW5UcnVzdCBDb21tZXJjaWFsIFJvb3QgQ0EgMTAe
Fw0yMDAyMTIyMTA3NDlaFw0zMDAyMTIyMTA3NDlaMDoxCzAJBgNVBAYTAlVTMRIwEAYDVQQK
EwlJZGVuVHJ1c3QxFzAVBgNVBAMTDlRydXN0SUQgQ0EgQTEzMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAu6sUO01SDD99PM+QdZkNxKxJNt0NgQE+Zt6ixaNP0JKSjTd+SG5L
wqxBWjnOgI/3dlwgtSNeN77AgSs+rA4bK4GJ75cUZZANUXRKw/et8pf9Qn6iqgB63OdHxBN/
15KbM3HR+PyiHXQoUVIevCKW8nnlWnnZabT1FejOhRRKVUg5HACGOTfnCOONrlxlg+m1Vjgn
o1uNqNuLM/jkD1z6phNZ/G9IfZGI0ppHX5AA/bViWceX248VmefNhSR14ADZJtlAAWOi2un0
3bqrBPHA9nDyXxI8rgWLfUP5rDy8jx2hEItg95+ORF5wfkGUq787HBjspE86CcaduLka/Bk2
VwIDAQABo4IChzCCAoMwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwgYkG
CCsGAQUFBwEBBH0wezAwBggrBgEFBQcwAYYkaHR0cDovL2NvbW1lcmNpYWwub2NzcC5pZGVu
dHJ1c3QuY29tMEcGCCsGAQUFBzAChjtodHRwOi8vdmFsaWRhdGlvbi5pZGVudHJ1c3QuY29t
L3Jvb3RzL2NvbW1lcmNpYWxyb290Y2ExLnA3YzAfBgNVHSMEGDAWgBTtRBnA0/AGi+6ke75C
5yZUyI42djCCASQGA1UdIASCARswggEXMIIBEwYEVR0gADCCAQkwSgYIKwYBBQUHAgEWPmh0
dHBzOi8vc2VjdXJlLmlkZW50cnVzdC5jb20vY2VydGlmaWNhdGVzL3BvbGljeS90cy9pbmRl
eC5odG1sMIG6BggrBgEFBQcCAjCBrQyBqlRoaXMgVHJ1c3RJRCBDZXJ0aWZpY2F0ZSBoYXMg
YmVlbiBpc3N1ZWQgaW4gYWNjb3JkYW5jZSB3aXRoIElkZW5UcnVzdCdzIFRydXN0SUQgQ2Vy
dGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vc2VjdXJlLmlkZW50cnVzdC5jb20v
Y2VydGlmaWNhdGVzL3BvbGljeS90cy9pbmRleC5odG1sMEoGA1UdHwRDMEEwP6A9oDuGOWh0
dHA6Ly92YWxpZGF0aW9uLmlkZW50cnVzdC5jb20vY3JsL2NvbW1lcmNpYWxyb290Y2ExLmNy
bDAdBgNVHQ4EFgQULbfeG1l+KpguzeHUG+PFEBJe6RQwHQYDVR0lBBYwFAYIKwYBBQUHAwIG
CCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4ICAQB/7BKcygLX6Nl4a03cDHt7TLdPxCzFvDF2
bkVYCFTRX47UfeomF1gBPFDee3H/IPlLRmuTPoNt0qjdpfQzmDWN95jUXLdLPRToNxyaoB5s
0hOhcV6H08u3FHACBif55i0DTDzVSaBv0AZ9h1XeuGx4Fih1Vm3Xxz24GBqqVudvPRLyMJ7u
6hvBqTIKJ53uCs3dyQLZT9DXnp+kJv8y7ZSAY+QVrI/dysT8avtn8d7k7azNBkfnbRq+0e88
QoBnel6u+fpwbd5NLRHywXeH+phbzULCa+bLPRMqJaW2lbhvSWrMHRDy3/d8HvgnLCBFK2s4
Spns4YCN4xVcbqlGWzgolHCKUH39vpcsDo1ymZFrJ8QR6ihIn8FmJ5oKwAnnd/G6ADXFC9bu
db9+532phSAXOZrrecIQn+vtP366PC+aClAPsIIDJDsotS5z4X2JUFsNIuEgXGqhiKE7SuZb
rFG9sdcLprSlJN7TsRDc0W2b9nqwD+rj/5MN0C+eKwha+8ydv0+qzTyxPP90KRgaegGowC4d
UsZyTk2n4Z3MuAHX5nAZL/Vh/SyDj/ajorV44yqZBzQ3ChKhXbfUSwe2xMmygA2Z5DRwMRJn
p/BscizYdNk2WXJMTnH+wVLN8sLEwEtQR4eTLoFmQvrK2AMBS9kW5sBkMzINt/ZbbcZ3F+eA
MDGCAxQwggMQAgEBME4wOjELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUlkZW5UcnVzdDEXMBUG
A1UEAxMOVHJ1c3RJRCBDQSBBMTMCEEABgmmaL+s+f8XR8nIOXMwwDQYJYIZIAWUDBAIBBQCg
ggGXMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIzMDEyNjE3
MDI1MlowLwYJKoZIhvcNAQkEMSIEIJ2RDmPh/iPds49idQao3iXyDWlfh6nDBARPGc9YKoCP
MF0GCSsGAQQBgjcQBDFQME4wOjELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUlkZW5UcnVzdDEX
MBUGA1UEAxMOVHJ1c3RJRCBDQSBBMTMCEEABgmmaL+s+f8XR8nIOXMwwXwYLKoZIhvcNAQkQ
AgsxUKBOMDoxCzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJZGVuVHJ1c3QxFzAVBgNVBAMTDlRy
dXN0SUQgQ0EgQTEzAhBAAYJpmi/rPn/F0fJyDlzMMGwGCSqGSIb3DQEJDzFfMF0wCwYJYIZI
AWUDBAEqMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZI
hvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZIhvcNAQEBBQAEggEAnOGc
MrxPdofDMLkWCW9mv0aRRpEJVmw+TaAD9QdXeoQvFROu2ts8wf+/FtUEjWsaLiKp0mtcu+0G
+CXEfu1z+HejjUL2wjhNAEu3iGpPgdG0ZDQNYfyhjPwvwJLmsaYeNclmQ1HcRuzV4jtkTxTm
2EVSjquXnReYFkyYdwm1VrPljogokfh7z/SQ4ApCT9rG3M2JTS+ltwru+BkvSkcsp9lBeG0N
iS42URA3Ha5/GqJO3361Sx04W8W33v54ApOq4hiGMg7K8yvcRTm1fNVdvqE3bBRYMSqA6LNd
6qwnKDv4EHfUGNo7qIiSSS/01rY1QPllz8foB7Ak6sfVYfh1ZwAAAAAAAA==
--------------ms090903090504090909040106--