[moira.git] / afssync / INSTRUCTIONS

[This is a still-under-construction rewrite of the afssync
instructions, adapted to the Ingres/Maxine -> Oracle/SPARC port, and
is also being updated and simplified.]


The executables are in /moira/bin/ on the moira server, with sources
in /mit/moiradev/src/afssync/.  Most of the commands are run on the
Moira server.

FULL INSTRUCTIONS
("SUMMARY" is below)

####	Set up a workspace						####

mkdir -p /moira/sync
cd /moira/sync

####	This is preparation for the resync, to save non-Moira users.    ####
First, get a recent copy of the prdb, and extract non-Moira entries:

	/moira/bin/udebug aggy -port 7002
	rcp root@aggy:/usr/afs/db/prdb.DB0 prdb.old
	/moira/bin/udebug aggy -port 7002
If the two udebugs show that the version changed, lather-rinse-repeat.
(udebug can be found in afsuser; "aggy" here and below is some DB server)
(Also check for "0 of them for write" at the end.  It might matter.)

	/moira/bin/pt_util -x -m -u -g -d prdb.extra -p prdb.old
	perl /moira/bin/pt_util.pl < prdb.extra > prdb.extra.sort
to extract and prepare the personal groups and special user entries in
the old prdb for being reincorporated into the new prdb.

	awk -F\| '$8 == 3 {print $1}' /backup/backup_1/users > /tmp/deactivated
	perl -e 'for(`cat /tmp/deactivated`) { chop; $ex{$_}=1;} \
		$punt=0; foreach $L (`cat prdb.extra.sort`){ \
		@w=split(/ /,$L);  $_=$w[0]; if ( /:/ ) \
		{@x=split(/:/,$w[0]); if($ex{$x[0]}) {$punt=1;}else{$punt=0;}} \
		print $L unless $punt==1;}' > prdb.extra.trimmed
to remove the personal groups for users who are deactivated

	awk '/^[^ ][^:]*@/ {printf "KERBEROS:%s\n",$1}' prdb.extra > foreign
	blanche afs-foreign-users -f foreign
Get a list of all the @andrew.cmu.edu type (non- athena.mit.edu cell)
users, and sync the Moira list afs-foreign-users to this list.
Moira then adds those entries to the group system:afs-foreign-users,
thus keeping them from being lost in the prdb resync.
Sanity checking the diffs before running the blanche command is recommended.

	awk '/^[^ 0-9][^:@]*$/ {printf "KERBEROS:%s@ATHENA.MIT.EDU\n",$1}' \
		prdb.extra > oddities
	awk '/^[^ ][0-9.]* .*$/ {printf "KERBEROS:%s\n",$1}' prdb.extra >> oddities
	echo "LIST:afs-foreign-users" >> oddities
	blanche afs-odd-entities -f oddities
Do the equivalent of afs-foreign-users for domestic users.  We make
the afs-foreign-users list a member of the more general afs-odd-entities.
Sanity checking the diffs before running the blanche command is recommended.

WAIT for the incremental updates from the `blanche` changes to complete.

####   Now the actual resync begins.  Incremental updates must stop.   ####

	touch /moira/afs/noafs
to disable AFS incremental updates during the synchronization.  The
afs.incr (?) will wait 30 minutes on an incremental update before
timing out, so the resync should complete in that time, or list
changes in Moira might need to be propagated by hand.

	/moira/bin/afssync prdb.moira
to dump the prdb data that is in Moira (users, groups, and group
memberships).  This step takes about ten minutes, but can be done
concurrently with the next few steps.

REPEAT the above commands, thus regenerating prdb.trimmed from a now
completely-up-to-date prdb.

*** Make sure the "afssync" command has completed ***

	cp prdb.moira prdb.new
	/moira/bin/pt_util -w -d prdb.extra.trimmed -p prdb.new \
		>& prdb.extra.err
This use of pt_util will presumably log errors about failed user
creations and list additions.  (To start over, do both the `cp` and
`pt_util` again.)  You can filter out the "User or group doesn't exist"
type of lines that were caused by a user deactivation with something
like:
	awk -F\| '$8 == 3 {print $1}' /backup/backup_1/users > /tmp/deactivated
	perl -e 'for(`cat /tmp/deactivated`){ chop; $ex{$_}=1;} \
		foreach $L (`cat prdb.extra.err`){ $f=0; \
		@w=split(/[ :]/,$L); for(@w){ $f=1 if $ex{$_}; } \
		next if $f; print $L; }'
Now, back to the resync.

The only remaining errors should be errors creating system:foo groups,
be cause they already exist.  These generally mean that that group has
an odd user on it (root instance, IP acl, etc.) and can safely be
ignored.

Errors of the form:
Error while creating dcctdw:foo: Badly formed name (group prefix doesn't match owner?)
are probably an indication that a user with personal groups had a
username change (in the past they have also meant that a user with
personal groups was deactivated and the uid was re-used (this was
becasue we didn't trim the prdb.extra.sort file in the past.))
Assuming htese errors are due to a username change, the groups should
be renamed, and you should regenerate prdb.extra.trimmed starting with
a fresh prdb from aggy.  (You may want to abort and
rm /moira/afs/noafs and try again later.)

	pts listmax > /var/prdb.listmax
	foreach i ( <db servers> )
	    rsh $i -l root -x /bin/athena/detach -a 	# detach packs
	    rsh $i -l root -x rm -f /usr/afs/db/{prdb.new,pre-resync-prdb}
	    rcp -px prdb.new root@${i}:/usr/afs/db/prdb.new
	end						# staging
	foreach i ( <db servers> )
	    bos shutdown $i ptserver -wait
	    bos exec $i "mv /usr/afs/db/prdb.DB0 /usr/afs/db/pre-resync-prdb; rm /usr/afs/db/prdb.DB*; mv /usr/afs/db/prdb.new /usr/afs/db/prdb.DB0"
	end
	foreach i ( <db servers> )
	    bos restart $i ptserver
	end

	/moira/bin/udebug prill -port 7002
to watch the status of the servers to make sure things are going well,
where "prill" is preferred db server (the sync site).

Make sure the beacons are working, and that once quorom is established
(~90 seconds) that the servers are resynchronizing their notions of
the databases and that the "dbcurrent" and "up" fields all become set
and the state goes to "1f".  Also, if "sdi" isn't running, watch out
for large rx packet queues on port 7002 using rxdebug, as the
fileservers may get excessively backlogged, and restart servers, if
necessary, if the congestion remains excessive.

	pts listmax
	cat /var/prdb.listmax
and if the id maxima are lower than the saved ones, reset them
appropriately to the saved ones using `pts setmax`.

	pts ex system:administrators
as a good spot check, especially since it has special people.
(also spot check one of the personal groups and perhaps, something like
the membership of rcmd.ronald-ann)

	rm /moira/afs/noafs
to remove the lock file and let Moira's afs incrementals continue.


NOTES

1. Don't do this when you're tired...  There may be no cleanup procedure
available, with certain mistakes.

2. /moira/afs/noafs is only good for 30 minutes.  Keep track of the
critical log, and you may have to do some operations by hand when the
operation is complete.  Also, if requests depend on other requests, they
may be processed out of order, and fail, and may need to be done by hand.


SUMMARY

	# db servers with sync site first:
set db=(prill agamemnon chimera)
set u="/moira/bin/udebug -port 7002 -server"
set prefix="/moira/sync/prdb"
cd `dirname $prefix`

#######    The following DOES NOT WORK currently.  pt_util needs fixing
####	BEFORE Moira and afs.incr are closed off:
	# repeat as necessary:
$u $db[2]; rcp root@$db[2]\:/usr/afs/db/prdb.DB0 $prefix.old; $u $db[2]
/moira/bin/pt_util -x -m -u -g -d $prefix.extra -p $prefix.old
awk '/^[^ ][^:]*@/ {printf "KERBEROS:%s\n",$1}' $prefix.extra > extra.foreign
blanche afs-foreign-users -f extra.foreign
awk '/^[^ ][^:@]*$/ {printf "KERBEROS:%s\n",$1}' $prefix.extra > extra.domestic
echo "LIST:afs-foreign-users" >> extra.domestic
blanche afs-odd-entities -f extra.domestic

####	WAIT for the above afs.incr events to take place (see moira.log)
touch /moira/afs/noafs
/moira/bin/afssync $prefix.moira >& $prefix.afssync.err &
	# repeat as necessary:
$u $db[2]; rcp root@$db[2]\:/usr/afs/db/prdb.DB0 $prefix.old; $u $db[2]
/moira/bin/pt_util -x -m -u -g -d $prefix.extra -p $prefix.old
perl /moira/bin/pt_util.pl < $prefix.extra > $prefix.extra.sort
wait
more $prefix.afssync.err
cp $prefix.moira $prefix.new
/moira/bin/pt_util -w -d $prefix.extra.sort -p $prefix.new >& $prefix.extra.err
	# and review $prefix.extra.err

pts listmax > $prefix.listmax
set dbdir=/usr/afs/db
foreach i ( $db )
    echo "$i..."
    rcp -px $prefix.new ${i}:$dbdir
end
foreach i ( $db )
    bos shutdown $i ptserver
    bos exec $i "rm $dbdir/prdb.DB*; mv $dbdir/prdb.new $dbdir/prdb.DB0"
end
foreach i ( $db )
    bos restart $i ptserver
end

	# checks, etc:
$u $db[1]

######## more on checks

rm /moira/afs/noafs
Commit	Line	Data
26efe406	1	[This is a still-under-construction rewrite of the afssync
	2	instructions, adapted to the Ingres/Maxine -> Oracle/SPARC port, and
	3	is also being updated and simplified.]
	4
	5
	6	The executables are in /moira/bin/ on the moira server, with sources
	7	in /mit/moiradev/src/afssync/. Most of the commands are run on the
	8	Moira server.
	9
	10	FULL INSTRUCTIONS
	11	("SUMMARY" is below)
	12
a46edefa	13	#### Set up a workspace ####
	14
	15	mkdir -p /moira/sync
	16	cd /moira/sync
	17
26efe406	18	#### This is preparation for the resync, to save non-Moira users. ####
	19	First, get a recent copy of the prdb, and extract non-Moira entries:
	20
a46edefa	21	/moira/bin/udebug aggy -port 7002
	22	rcp root@aggy:/usr/afs/db/prdb.DB0 prdb.old
	23	/moira/bin/udebug aggy -port 7002
26efe406	24	If the two udebugs show that the version changed, lather-rinse-repeat.
a46edefa	25	(udebug can be found in afsuser; "aggy" here and below is some DB server)
26efe406	26	(Also check for "0 of them for write" at the end. It might matter.)
26efe406	27
a46edefa	28	/moira/bin/pt_util -x -m -u -g -d prdb.extra -p prdb.old
a46edefa	29	perl /moira/bin/pt_util.pl < prdb.extra > prdb.extra.sort
26efe406	30	to extract and prepare the personal groups and special user entries in
	31	the old prdb for being reincorporated into the new prdb.
	32
7827a830	33	awk -F\\| '$8 == 3 {print $1}' /backup/backup_1/users > /tmp/deactivated
	34	perl -e 'for(`cat /tmp/deactivated`) { chop; $ex{$_}=1;} \
	35	$punt=0; foreach $L (`cat prdb.extra.sort`){ \
	36	@w=split(/ /,$L); $_=$w[0]; if ( /:/ ) \
	37	{@x=split(/:/,$w[0]); if($ex{$x[0]}) {$punt=1;}else{$punt=0;}} \
	38	print $L unless $punt==1;}' > prdb.extra.trimmed
	39	to remove the personal groups for users who are deactivated
	40
26efe406	41	awk '/^[^ ][^:]*@/ {printf "KERBEROS:%s\n",$1}' prdb.extra > foreign
	42	blanche afs-foreign-users -f foreign
	43	Get a list of all the @andrew.cmu.edu type (non- athena.mit.edu cell)
	44	users, and sync the Moira list afs-foreign-users to this list.
	45	Moira then adds those entries to the group system:afs-foreign-users,
	46	thus keeping them from being lost in the prdb resync.
7827a830	47	Sanity checking the diffs before running the blanche command is recommended.
26efe406	48
7827a830	49	awk '/^[^ 0-9][^:@]*$/ {printf "KERBEROS:%s@ATHENA.MIT.EDU\n",$1}' \
	50	prdb.extra > oddities
	51	awk '/^[^ ][0-9.]* .*$/ {printf "KERBEROS:%s\n",$1}' prdb.extra >> oddities
26efe406	52	echo "LIST:afs-foreign-users" >> oddities
	53	blanche afs-odd-entities -f oddities
	54	Do the equivalent of afs-foreign-users for domestic users. We make
	55	the afs-foreign-users list a member of the more general afs-odd-entities.
7827a830	56	Sanity checking the diffs before running the blanche command is recommended.
7827a830	57
26efe406	58	WAIT for the incremental updates from the `blanche` changes to complete.
	59
	60	#### Now the actual resync begins. Incremental updates must stop. ####
	61
	62	touch /moira/afs/noafs
	63	to disable AFS incremental updates during the synchronization. The
	64	afs.incr (?) will wait 30 minutes on an incremental update before
	65	timing out, so the resync should complete in that time, or list
	66	changes in Moira might need to be propagated by hand.
	67
a46edefa	68	/moira/bin/afssync prdb.moira
26efe406	69	to dump the prdb data that is in Moira (users, groups, and group
	70	memberships). This step takes about ten minutes, but can be done
	71	concurrently with the next few steps.
	72
7827a830	73	REPEAT the above commands, thus regenerating prdb.trimmed from a now
7827a830	74	completely-up-to-date prdb.
3d8d4b36	75
3d8d4b36	76	* Make sure the "afssync" command has completed *
3d8d4b36	77
a46edefa	78	cp prdb.moira prdb.new
7827a830	79	/moira/bin/pt_util -w -d prdb.extra.trimmed -p prdb.new \
7827a830	80	>& prdb.extra.err
26efe406	81	This use of pt_util will presumably log errors about failed user
	82	creations and list additions. (To start over, do both the `cp` and
	83	`pt_util` again.) You can filter out the "User or group doesn't exist"
	84	type of lines that were caused by a user deactivation with something
	85	like:
	86	awk -F\\| '$8 == 3 {print $1}' /backup/backup_1/users > /tmp/deactivated
7827a830	87	perl -e 'for(`cat /tmp/deactivated`){ chop; $ex{$_}=1;} \
26efe406	88	foreach $L (`cat prdb.extra.err`){ $f=0; \
	89	@w=split(/[ :]/,$L); for(@w){ $f=1 if $ex{$_}; } \
	90	next if $f; print $L; }'
	91	Now, back to the resync.
	92
7827a830	93	The only remaining errors should be errors creating system:foo groups,
	94	be cause they already exist. These generally mean that that group has
	95	an odd user on it (root instance, IP acl, etc.) and can safely be
	96	ignored.
	97
	98	Errors of the form:
	99	Error while creating dcctdw:foo: Badly formed name (group prefix doesn't match owner?)
	100	are probably an indication that a user with personal groups had a
	101	username change (in the past they have also meant that a user with
	102	personal groups was deactivated and the uid was re-used (this was
	103	becasue we didn't trim the prdb.extra.sort file in the past.))
	104	Assuming htese errors are due to a username change, the groups should
	105	be renamed, and you should regenerate prdb.extra.trimmed starting with
	106	a fresh prdb from aggy. (You may want to abort and
	107	rm /moira/afs/noafs and try again later.)
	108
26efe406	109	pts listmax > /var/prdb.listmax
26efe406	110	foreach i ( <db servers> )
7827a830	111	rsh $i -l root -x /bin/athena/detach -a # detach packs
	112	rsh $i -l root -x rm -f /usr/afs/db/{prdb.new,pre-resync-prdb}
	113	rcp -px prdb.new root@${i}:/usr/afs/db/prdb.new
	114	end # staging
	115	foreach i ( <db servers> )
	116	bos shutdown $i ptserver -wait
	117	bos exec $i "mv /usr/afs/db/prdb.DB0 /usr/afs/db/pre-resync-prdb; rm /usr/afs/db/prdb.DB*; mv /usr/afs/db/prdb.new /usr/afs/db/prdb.DB0"
26efe406	118	end
	119	foreach i ( <db servers> )
	120	bos restart $i ptserver
	121	end
	122
	123	/moira/bin/udebug prill -port 7002
	124	to watch the status of the servers to make sure things are going well,
	125	where "prill" is preferred db server (the sync site).
	126
	127	Make sure the beacons are working, and that once quorom is established
	128	(~90 seconds) that the servers are resynchronizing their notions of
	129	the databases and that the "dbcurrent" and "up" fields all become set
	130	and the state goes to "1f". Also, if "sdi" isn't running, watch out
	131	for large rx packet queues on port 7002 using rxdebug, as the
	132	fileservers may get excessively backlogged, and restart servers, if
	133	necessary, if the congestion remains excessive.
	134
	135	pts listmax
	136	cat /var/prdb.listmax
	137	and if the id maxima are lower than the saved ones, reset them
	138	appropriately to the saved ones using `pts setmax`.
	139
	140	pts ex system:administrators
	141	as a good spot check, especially since it has special people.
3d8d4b36	142	(also spot check one of the personal groups and perhaps, something like
	143	the membership of rcmd.ronald-ann)
	144
26efe406	145	rm /moira/afs/noafs
26efe406	146	to remove the lock file and let Moira's afs incrementals continue.
3d8d4b36	147
3d8d4b36	148
26efe406	149	NOTES
3d8d4b36	150
26efe406	151	1. Don't do this when you're tired... There may be no cleanup procedure
3d8d4b36	152	available, with certain mistakes.
3d8d4b36	153
26efe406	154	2. /moira/afs/noafs is only good for 30 minutes. Keep track of the
3d8d4b36	155	critical log, and you may have to do some operations by hand when the
	156	operation is complete. Also, if requests depend on other requests, they
	157	may be processed out of order, and fail, and may need to be done by hand.
	158
3d8d4b36	159
26efe406	160	SUMMARY
	161
	162	# db servers with sync site first:
a46edefa	163	set db=(prill agamemnon chimera)
26efe406	164	set u="/moira/bin/udebug -port 7002 -server"
	165	set prefix="/moira/sync/prdb"
	166	cd `dirname $prefix`
	167
	168	####### The following DOES NOT WORK currently. pt_util needs fixing
	169	#### BEFORE Moira and afs.incr are closed off:
	170	# repeat as necessary:
	171	$u $db[2]; rcp root@$db[2]\:/usr/afs/db/prdb.DB0 $prefix.old; $u $db[2]
	172	/moira/bin/pt_util -x -m -u -g -d $prefix.extra -p $prefix.old
	173	awk '/^[^ ][^:]*@/ {printf "KERBEROS:%s\n",$1}' $prefix.extra > extra.foreign
	174	blanche afs-foreign-users -f extra.foreign
	175	awk '/^[^ ][^:@]*$/ {printf "KERBEROS:%s\n",$1}' $prefix.extra > extra.domestic
	176	echo "LIST:afs-foreign-users" >> extra.domestic
	177	blanche afs-odd-entities -f extra.domestic
	178
	179	#### WAIT for the above afs.incr events to take place (see moira.log)
	180	touch /moira/afs/noafs
	181	/moira/bin/afssync $prefix.moira >& $prefix.afssync.err &
	182	# repeat as necessary:
	183	$u $db[2]; rcp root@$db[2]\:/usr/afs/db/prdb.DB0 $prefix.old; $u $db[2]
	184	/moira/bin/pt_util -x -m -u -g -d $prefix.extra -p $prefix.old
	185	perl /moira/bin/pt_util.pl < $prefix.extra > $prefix.extra.sort
	186	wait
	187	more $prefix.afssync.err
	188	cp $prefix.moira $prefix.new
	189	/moira/bin/pt_util -w -d $prefix.extra.sort -p $prefix.new >& $prefix.extra.err
	190	# and review $prefix.extra.err
	191
	192	pts listmax > $prefix.listmax
	193	set dbdir=/usr/afs/db
	194	foreach i ( $db )
	195	echo "$i..."
	196	rcp -px $prefix.new ${i}:$dbdir
	197	end
	198	foreach i ( $db )
	199	bos shutdown $i ptserver
	200	bos exec $i "rm $dbdir/prdb.DB*; mv $dbdir/prdb.new $dbdir/prdb.DB0"
	201	end
	202	foreach i ( $db )
	203	bos restart $i ptserver
	204	end
3d8d4b36	205
26efe406	206	# checks, etc:
26efe406	207	$u $db[1]
3d8d4b36	208
26efe406	209	######## more on checks
3d8d4b36	210
26efe406	211	rm /moira/afs/noafs