jimzah/openafs
1
0
Fork 0
mirror of https://git.openafs.org/openafs.git synced 2025-01-31 13:38:01 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
openafs/doc/man-pages/pod8/fragments/volserver-options.pod
Nathaniel Wesley Filardo 49106a5499 Use rxkad_crypt for inter-volser traffic, if asked 
Add a -s2scrypt option to the volume server, with possible options:

  * never -- the existing behavior

  * always -- switch to using afsconf_ClientAuthSecure, which uses
    rxkad_crypt, for ForwardVolume calls.

  * inherit -- encrypt inter-server traffic if the causal client
    connection is encrypted.  This has the effect of "inheriting" the
    "-encrypt" flag given to "vos release", for example.

Thanks to Jeffrey Altman for pointers and to Andrew Deason for noting
the existence of rxkad_GetServerInfo.

[mmeffie@sinenomine.net fix assertion and style update.]

Change-Id: Ia295ba3f29a8494c8250a480fb26594468d2116a
Reviewed-on: https://gerrit.openafs.org/11349
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Thomas Keiser <tkeiser@gmail.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
2016-05-16 23:52:40 -04:00

167 lines
5.7 KiB
Plaintext
Raw Blame History

=over 4
=item B<-d> <I<debug level>>
Sets the detail level for the debugging trace written to the
F</usr/afs/logs/VolserLog> file. Provide one of the following values, each
of which produces an increasingly detailed trace: C<0>, C<1>, C<5>, C<25>,
and C<125>.
=item B<-log>
Records in the /usr/afs/logs/VolserLog file the names of all users who
successfully initiate a B<vos> command. The Volume Server also records any
file removals that result from issuing the B<vos release> command with the
B<-f> flag.
=item B<-transarc-logs>
Use Transarc style logging features. Rename the log file
F</usr/afs/logs/VolserLog> to F</usr/afs/logs/VolserLog.old> when the volume server is
restarted. This option is provided for compatibility with older versions.
=item B<-p> <I<number of processes>>
Sets the number of server lightweight processes (LWPs) to run. Provide an
integer between C<4> and C<16>. The default is C<9>.
=item B<-auditlog> <I<log path>>
Turns on audit logging, and sets the path for the audit log. The audit
log records information about RPC calls, including the name of the RPC
call, the host that submitted the call, the authenticated entity (user)
that issued the call, the parameters for the call, and if the call
succeeded or failed.
=item B<-audit-interface> (file | sysvmq)
Specifies what audit interface to use. Defaults to C<file>. See
L<fileserver(8)> for an explanation of each interface.
=item B<-udpsize> <I<size of socket buffer>>
Sets the size of the UDP buffer in bytes, which is 64 KB by
default. Provide a positive integer, preferably larger than the default.
=item B<-jumbo>
Allows the server to send and receive jumbograms. A jumbogram is
a large-size packet composed of 2 to 4 normal Rx data packets that share
the same header. The volserver does not use jumbograms by default, as some
routers are not capable of properly breaking the jumbogram into smaller
packets and reassembling them.
=item B<-nojumbo>
Deprecated; jumbograms are disabled by default.
=item B<-enable_peer_stats>
Activates the collection of Rx statistics and allocates memory for their
storage. For each connection with a specific UDP port on another machine,
a separate record is kept for each type of RPC (FetchFile, GetStatus, and
so on) sent or received. To display or otherwise access the records, use
the Rx Monitoring API.
=item B<-enable_process_stats>
Activates the collection of Rx statistics and allocates memory for their
storage. A separate record is kept for each type of RPC (FetchFile,
GetStatus, and so on) sent or received, aggregated over all connections to
other machines. To display or otherwise access the records, use the Rx
Monitoring API.
=item B<-allow-dotted-principals>
By default, the RXKAD security layer will disallow access by Kerberos
principals with a dot in the first component of their name. This is to avoid
the confusion where principals user/admin and user.admin are both mapped to the
user.admin PTS entry. Sites whose Kerberos realms don't have these collisions
between principal names may disable this check by starting the server
with this option.
=item B<-preserve-vol-stats>
Preserve volume access statistics over volume restore and reclone operations.
By default, volume access statistics are reset during volume restore and reclone
operations.
=item B<-sync> <I<sync behavior>>
This is the same as the B<-sync> option in L<fileserver(8)>. See
L<fileserver(8)>.
=item B<-logfile> <I<log file>>
Sets the file to use for server logging. If logfile is not specified and
no other logging options are supplied, this will be F</usr/afs/logs/VolserLog>.
Note that this option is intended for debugging and testing purposes.
Changing the location of the log file from the command line may result
in undesirable interactions with tools such as B<bos>.
=item B<-config> <I<configuration directory>>
Set the location of the configuration directory used to configure this
service. In a typical configuration this will be F</usr/afs/etc> - this
option allows the use of alternative configuration locations for testing
purposes.
=item B<-rxmaxmtu> <I<bytes>>
Defines the maximum size of an MTU. The value must be between the
minimum and maximum packet data sizes for Rx.
=item B<-rxbind>
Bind the Rx socket to the primary interface only. (If not specified, the Rx
socket will listen on all interfaces.)
=item B<-syslog>[=<I<syslog facility>>]
Specifies that logging output should go to syslog instead of the normal
log file. B<-syslog>=I<FACILITY> can be used to specify to which facility
the log message should be sent.
=item B<-sleep> <I<sleep_time>/I<run_time>>
This option is obsolete, and is now only accepted for compatibility with older
releases. All it does now is log a warning message about how the option is
obsolete.
=item B<-restricted_query> (anyuser | admin)
Restrict RPCs that query information about volumes to a specific group
of users. You can use C<admin> to restrict to AFS administrators. The
C<anyuser> option doesn't restrict the RPCs and leaves it open for all
users including unauthenticated users, this is the default.
=item B<-s2scrypt> (never | always | inherit)
Set the cryptographic disposition of inter-volserver traffic.
=over 4
=item B<never>
All inter-volserver traffic is unencrypted. This is the default behavior.
=item B<always>
All inter-volserver traffic is encrypted (using rxkad).
=item B<inherit>
Inter-volserver traffic will be encrypted if the client connection triggering
the server-to-server traffic is encrypted. This has the effect of encrypting
inter-server traffic if the "-encrypt" option is provided to
L<B<vos release>|vos_release(1)>, for example.
=back
=item B<-help>
Prints the online help for this command. All other valid options are
ignored.
=back
Reference in New Issue View Git Blame Copy Permalink