On 6/9/23 12:00, Harald Barth wrote:
I think a step-by-step guide how to run an Ubuntu 22.04LTS and 23.04
desktop along with OpenAFS would be very much appreciated because I
hear that folks are struggling with this and as it "is not possible"
do use that argument to "then we can not run AFS - period".

At the math department of the University of Hamburg, we do use home directories in the AFS on Ubuntu 22.04 desktop machines.

The main configuration:
- Use ppa:openafs/stable
- AppArmor must ignore /afs and /var/cache/openafs
- pam_afs_session must use the nopag option (we used to have scripts to copy credentials between contexts, but they did not always work)
- you cannot use snap packages with a home directory outside /home: use ppa:mozillateam/ppa for Firefox and Google Chrome instead of Chromium

We have fairly large scripts to set up an Ubuntu desktop. I have tried to extract the relevant lines for AFS (which are not all needed):

TAB=$(printf '\t')
debconf-set-selections <<EOF
openafs-client${TAB}openafs-client/run-client${TAB}boolean${TAB}true
openafs-client${TAB}openafs-client/afsdb${TAB}boolean${TAB}true
openafs-client${TAB}openafs-client/dynroot${TAB}boolean${TAB}true
openafs-client${TAB}openafs-client/fakestat${TAB}boolean${TAB}true
openafs-client${TAB}openafs-client/crypt${TAB}boolean${TAB}true
openafs-client${TAB}openafs-client/cachesize${TAB}string${TAB}262144
openafs-client${TAB}openafs-client/thiscell${TAB}string${TAB}math.uni-hamburg.de
openafs-client${TAB}openafs-client/cell-info${TAB}string${TAB}afs-core.math.uni-hamburg.de afs-core2.math.uni-hamburg.de afs-core3.math.uni-hamburg.de
apparmor${TAB}apparmor/homedirs${TAB}string${TAB}/afs/math.uni-hamburg.de/users/*/ /afs/physnet.uni-hamburg.de/users/*/
EOF

    add-apt-repository -y ppa:openafs/stable

grep -q '^@{HOMEDIRS}+=' /etc/apparmor.d/tunables/home.d/ubuntu && sed -i '/^@{HOMEDIRS}+=/d' /etc/apparmor.d/tunables/home.d/ubuntu
echo '@{HOMEDIRS}+=/afs/math.uni-hamburg.de/users/*/ /afs/physnet.uni-hamburg.de/users/*/' >> /etc/apparmor.d/tunables/home.d/ubuntu
    AAAB=/etc/apparmor.d/abstractions/base
    AAAB_AFS_CACHE_LINE='/var/cache/openafs/** rw,'
    AAAB_AFS_BASE_LINE='/afs/** rw,'
        grep -q afs/ "$AAAB" || AA_RELOAD=yes
        fgrep -q "$AAAB_AFS_CACHE_LINE" "$AAAB" || cat >>"$AAAB" <<EOF

  # OpenAFS seems to use the credentials of random processes to read
  # and write the AFS cache, so we need to allow all such accesses.
  $AAAB_AFS_CACHE_LINE
EOF
        fgrep -q "$AAAB_AFS_BASE_LINE" "$AAAB" || cat >>"$AAAB" <<EOF
  $AAAB_AFS_BASE_LINE
EOF
    service apparmor reload

apt -y install --install-recommends heimdal-clients openafs-client openafs-krb5
apt -y install libpam-afs-session libpam-cracklib libpam-krb5 libpam-ldap build-essential

for FILE in /etc/pam.d/*
do
  grep '^[^#].*pam_afs_session' "$FILE" | grep -qv 'nopag' \
    && sudo sed -e 's|^[^#].*pam_afs_session.*[^ ]$|& |' \
                -e 's|^[^#].*pam_afs_session.*$|&nopag|' \
                -i "$FILE"
done

sudo add-apt-repository ppa:mozillateam/ppa
sudo tee /etc/apt/preferences.d/mozilla-firefox <<EOF
Package: *
Pin: release o=LP-PPA-mozillateam
Pin-Priority: 1001

Package: firefox*
Pin: release o=Ubuntu*
Pin-Priority: -1

EOF
sudo apt update
sudo snap remove firefox
sudo apt install firefox
sudo ln -s /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/disable/
sudo systemctl reload apparmor

Best,
Jan Henrik
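
A read-only check for the settings listed in the message above: nopag on every active pam_afs_session line, the two AFS rules in abstractions/base, and an AFS path in @{HOMEDIRS}. This is an added example, not part of Jan Henrik's message or his site's scripts; the function names are hypothetical, and the optional path arguments default to the locations the message uses.

```shell
#!/bin/sh
# Added example (not from the original message): read-only checks for the
# PAM and AppArmor settings listed above. Path arguments are optional and
# default to the system locations named in the message.

# Print "file:line" for each active pam_afs_session line without nopag.
pam_missing_nopag() {
    for f in "${1:-/etc/pam.d}"/*; do
        [ -f "$f" ] || continue
        awk -v f="$f" '
            /^[ \t]*#/ { next }                      # commented-out entry
            /pam_afs_session/ {
                ok = 0
                for (i = 1; i <= NF; i++) if ($i == "nopag") ok = 1
                if (!ok) print f ":" FNR
            }' "$f"
    done
}

# Print each AFS rule from the message that is absent from abstractions/base.
apparmor_missing_rules() {
    base=${1:-/etc/apparmor.d/abstractions/base}
    for rule in '/var/cache/openafs/** rw,' '/afs/** rw,'; do
        awk -v r="$rule" '
            { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
            $0 == r { found = 1 }
            END { exit !found }' "$base" 2>/dev/null || printf '%s\n' "$rule"
    done
}

# Succeed only if the tunable declares an AFS path in @{HOMEDIRS}.
homedirs_has_afs() {
    grep -Eq '^@\{HOMEDIRS\}\+=.*/afs/' \
        "${1:-/etc/apparmor.d/tunables/home.d/ubuntu}" 2>/dev/null
}

# Run all three checks; the return status is the number of failed checks.
afs_desktop_audit() {
    fails=0
    out=$(pam_missing_nopag "$1")
    [ -z "$out" ] || { echo "pam_afs_session without nopag: $out"; fails=$((fails + 1)); }
    out=$(apparmor_missing_rules "$2")
    [ -z "$out" ] || { echo "missing AppArmor rule(s): $out"; fails=$((fails + 1)); }
    homedirs_has_afs "$3" || { echo "no AFS path in @{HOMEDIRS}"; fails=$((fails + 1)); }
    return "$fails"
}
# Usage: afs_desktop_audit [pam_dir] [abstractions_base] [homedirs_tunable]
```

Source the file and call afs_desktop_audit with no arguments to check the live system; nothing is modified.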