[OpenAFS] Re: openafs versus systemd

Jan Henrik Sylvester me@janh.de
Fri, 9 Jun 2023 13:38:30 +0200


On 6/9/23 12:00, Harald Barth wrote:
> I think a step-by-step guide how to run an Ubuntu 22.04LTS and 23.04
> desktop along with OpenAFS would be very much appreciated because I
> hear that folks are struggling with this and as it "is not possible"
> do use that argument to "then we can not run AFS - period".

At the math department of the University of Hamburg, we do use home 
directories in the AFS on Ubuntu 22.04 desktop machines.

The main configuration:
- Use ppa:openafs/stable
- AppArmor must ignore /afs and /var/cache/openafs
- pam_afs_session must use the nopag option (we used to have scripts to 
copy credentials between contexts, but they did not always work)
- you cannot use snap packages with a home directory outside /home: use 
ppa:mozillateam/ppa for Firefox and Google Chrome instead of Chromium

We have fairly large scripts to set up an Ubuntu desktop. I have tried to 
extract the relevant lines for AFS (which are not all needed):

TAB=$(printf '\t')
debconf-set-selections <<EOF
openafs-client${TAB}openafs-client/run-client${TAB}boolean${TAB}true
openafs-client${TAB}openafs-client/afsdb${TAB}boolean${TAB}true
openafs-client${TAB}openafs-client/dynroot${TAB}boolean${TAB}true
openafs-client${TAB}openafs-client/fakestat${TAB}boolean${TAB}true
openafs-client${TAB}openafs-client/crypt${TAB}boolean${TAB}true
openafs-client${TAB}openafs-client/cachesize${TAB}string${TAB}262144
openafs-client${TAB}openafs-client/thiscell${TAB}string${TAB}math.uni-hamburg.de
openafs-client${TAB}openafs-client/cell-info${TAB}string${TAB}afs-core.math.uni-hamburg.de afs-core2.math.uni-hamburg.de afs-core3.math.uni-hamburg.de
apparmor${TAB}apparmor/homedirs${TAB}string${TAB}/afs/math.uni-hamburg.de/users/*/ /afs/physnet.uni-hamburg.de/users/*/
EOF

add-apt-repository -y ppa:openafs/stable

# Make AppArmor treat the AFS user directories as home directories
grep -q '^@{HOMEDIRS}+=' /etc/apparmor.d/tunables/home.d/ubuntu && sed -i '/^@{HOMEDIRS}+=/d' /etc/apparmor.d/tunables/home.d/ubuntu
echo '@{HOMEDIRS}+=/afs/math.uni-hamburg.de/users/*/ /afs/physnet.uni-hamburg.de/users/*/' >> /etc/apparmor.d/tunables/home.d/ubuntu

# Allow every confined program to reach /afs and the OpenAFS cache
AAAB=/etc/apparmor.d/abstractions/base
AAAB_AFS_CACHE_LINE='/var/cache/openafs/** rw,'
AAAB_AFS_BASE_LINE='/afs/** rw,'
grep -q afs/ "$AAAB" || AA_RELOAD=yes
fgrep -q "$AAAB_AFS_CACHE_LINE" "$AAAB" || cat >>"$AAAB" <<EOF

   # OpenAFS seems to use the credentials of random processes to read
   # and write the AFS cache, so we need to allow all such accesses.
   $AAAB_AFS_CACHE_LINE
EOF
fgrep -q "$AAAB_AFS_BASE_LINE" "$AAAB" || cat >>"$AAAB" <<EOF
   $AAAB_AFS_BASE_LINE
EOF
service apparmor reload

apt -y install --install-recommends heimdal-clients openafs-client openafs-krb5
apt -y install libpam-afs-session libpam-cracklib libpam-krb5 libpam-ldap build-essential

for FILE in /etc/pam.d/*
do
   grep '^[^#].*pam_afs_session' "$FILE" | grep -qv 'nopag' \
     && sudo sed -e 's|^[^#].*pam_afs_session.*[^ ]$|& |' \
                 -e 's|^[^#].*pam_afs_session.*$|&nopag|' \
                 -i "$FILE"
done

sudo add-apt-repository ppa:mozillateam/ppa
# Prefer the PPA's deb packages over Ubuntu's snap transition package
sudo tee /etc/apt/preferences.d/mozilla-firefox <<EOF
Package: *
Pin: release o=LP-PPA-mozillateam
Pin-Priority: 1001

Package: firefox*
Pin: release o=Ubuntu*
Pin-Priority: -1

EOF
sudo apt update
sudo snap remove firefox
sudo apt install firefox
sudo ln -s /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/disable/
sudo systemctl reload apparmor

Best,
Jan Henrik
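The two in-place edits the post's script performs (adding `nopag` to the pam_afs_session lines and replacing the `@{HOMEDIRS}` tunable) are easy to get wrong when re-run or when a line already carries the option. Below is an added example, not code from the post or from OpenAFS, that factors them into idempotent functions taking the target file as an argument, so they can be tried on scratch copies before touching /etc/pam.d and /etc/apparmor.d. It assumes GNU sed and grep and the module line format shown in the post; the sample file contents in demo() are constructed.

```bash
#!/bin/bash
# Added example, not part of the original post: idempotent, testable
# versions of two edits from the script above. Each function takes the
# file to edit as an argument so it can be exercised on a scratch copy.
# Assumes GNU sed and grep.
set -u

# Append "nopag" to every active (uncommented) pam_afs_session line in the
# given file that does not already carry it. Commented lines and lines that
# already contain nopag are left untouched, so re-running is harmless.
pam_add_nopag() {
    local file=$1
    grep -q '^[^#].*pam_afs_session' "$file" || return 0
    # On matching lines lacking nopag: ensure a trailing space, then append.
    sed -i -e '/^[^#].*pam_afs_session/{/nopag/!{s/[^ ]$/& /;s/$/nopag/;};}' "$file"
}

# Succeed only if no active pam_afs_session line in the file lacks nopag.
pam_nopag_ok() {
    ! grep '^[^#].*pam_afs_session' "$1" | grep -qv 'nopag'
}

# Replace any existing "@{HOMEDIRS}+=" line in the given tunables file with
# a single line listing the directories passed as further arguments.
apparmor_set_homedirs() {
    local file=$1
    shift
    sed -i '/^@{HOMEDIRS}+=/d' "$file"
    printf '@{HOMEDIRS}+=%s\n' "$*" >> "$file"
}

# Print the @{HOMEDIRS} addition currently in a tunables file.
apparmor_homedirs() {
    grep '^@{HOMEDIRS}+=' "$1"
}

# Walk-through on constructed scratch files (contents are made up here).
demo() {
    local tmp
    tmp=$(mktemp -d)
    printf '%s\n' \
        'session optional pam_afs_session.so' \
        '#session optional pam_afs_session.so' \
        'session optional pam_afs_session.so nopag' \
        > "$tmp/common-session"
    pam_add_nopag "$tmp/common-session"
    pam_nopag_ok "$tmp/common-session" && echo "nopag present on every active line"
    cat "$tmp/common-session"

    printf '%s\n' '@{HOMEDIRS}+=/home2/' > "$tmp/ubuntu"
    apparmor_set_homedirs "$tmp/ubuntu" \
        '/afs/math.uni-hamburg.de/users/*/' '/afs/physnet.uni-hamburg.de/users/*/'
    apparmor_homedirs "$tmp/ubuntu"
    rm -rf "$tmp"
}

demo
```

Keep the AFS paths single-quoted when calling apparmor_set_homedirs, as in the post's echo line; unquoted, the shell would expand the `*` before it reaches the tunables file.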