Skip to content

Instantly share code, notes, and snippets.

@JoschD

JoschD/cern_afs_kerberos_wsl2.md

Last active April 24, 2024 18:35
Show Gist options
  • Star 3 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save JoschD/194b3f6c6fcc408684a481fd4a2ff4e5 to your computer and use it in GitHub Desktop.
Save JoschD/194b3f6c6fcc408684a481fd4a2ff4e5 to your computer and use it in GitHub Desktop.
Download ZIP
AFS in WSL2 for CERN realm
Raw
cern_afs_kerberos_wsl2.md

AFS Kerberos at CERN from inside WSL2 (Ubuntu 20.04)

Trying to get openAFS running on WSL2 following the regular guides from OmeGak and twiki ended for me in

aklog: a pioctl failed while obtaining tokens for cell cern.ch

Here I describe the procedure to make it work, based on some hints I found on reddit

The standard

as decribed in the links above. We add the openafs/stable ppa, as version 1.8.6-5 is required by afs since 14.01.2021 (otherwise accessing folders will end in a timeout) and it was not available in the default repositories at the time of writing.

🗨️ you can skip through the setups when asked for input as the configuration is automatically set with the last three commands.

sudo add-apt-repository ppa:openafs/stable
sudo apt install openafs-client openafs-modules-dkms openafs-krb5 krb5-user krb5-config
wget http://linux.web.cern.ch/linux/docs/krb5.conf
sudo mv -f ./krb5.conf /etc/krb5.conf
echo "cern.ch" | sudo tee /etc/openafs/ThisCell

Now kinit should work fine.

⚠️ You may setup the keytab as described by OmeGak, but beware that this is a security risk! Never do that on a shared machine or shared file-system.

$ ktutil
ktutil: addent -password -p username@CERN.CH -k 1 -e aes256-cts
ktutil: addent -password -p username@CERN.CH -k 1 -e arcfour-hmac-md5
ktutil: wkt .keytab
ktutil: q

and then create an alias or cronjob for

kinit -kt .keytab username & aklog

If this does not work (noticed on some machines), try creating the keytab from lxplus via cern-get-keytab --keytab private/.keytab --user --login username

Starting the client with

sudo /etc/init.d/openafs-client start

🗨️ sudo systemctl start openafs-client.service should do the same, but DOES NOT WORK in WSL2 due to the missing systemd

Now the WSL-related problem:

kinit && aklog

fails with aklog: a pioctl failed while obtaining tokens for cell cern.ch.

Having encountered this error before on Ubuntu it was usually solved by reconfigurig via

sudo dpkg-reconfigure openafs-modules-dkms

which does run on WSL2 but uses the wrong kernel (the default ubuntu kernel instead of the microsoft one)

The solution

The trick is to get the kernel headers into the right location, so that dpkg-reconfigure can find them and build on them. The process described here on reddit helped.

First: Find out which microsoft kernel you are running

uname -r

for me, that was 4.19.128-microsoft-standard.

⚠️ The naming scheme between the sources and your uname -r might not agree. You should still be able to find the right version easily, but you have to manually replace $(uname -r) with the correct name (e.g. linux-msft-5.4.72) when refering to the download source in the following commands. Make sure you need to keep the naming of /lib/modules/$(uname -r) so the headers can be found.

Then find and download the source-code of this kernel from https://github.com/microsoft/WSL2-Linux-Kernel/releases.

Via terminal:

cd ~
wget https://github.com/microsoft/WSL2-Linux-Kernel/archive/$(uname -r).tar.gz ./
tar -xzf $(uname -r).tar.gz

Then we prepare the headers and create a symlink where the headers should be found if this was a proper linux kernel.

sudo apt install bison flex libelf-dev libssl-dev dwarves 
cd WSL2-Linux-Kernel-$(uname -r)
cp /proc/config.gz ./
gzip -d config.gz
mv config .config
make prepare
make modules_prepare
make modules
sudo mkdir /lib/modules/$(uname -r)
sudo ln /home/$USER/WSL2-Linux-Kernel-$(uname -r) -s /lib/modules/$(uname -r)/build

🗨️ The make modules step will take some time. In earlier versions it was not required, and you could try without it. It will fix the errors you get if starting the afs client will fail with:

modprobe: ERROR: could not insert 'openafs': Unknown symbol in module, or unknown parameter (see dmesg)

with the dmesg saying openafs: Unknown symbol lru_cache_add (err -2)

⚠️ In case the make modules itself fails with something like:

BTF: .tmp_vmlinux.btf: pahole (pahole) is not available
Failed to generate BTF for vmlinux
Try to disable CONFIG_DEBUG_INFO_BTF
make: *** [Makefile:1106: vmlinux] Error 1

you will have to sudo apt install dwarves and run again.

now reconfiguring the modules should work (it might just take a while as it will do that now for both kernels).

sudo dpkg-reconfigure openafs-modules-dkms

restart afs client:

sudo /etc/init.d/openafs-client restart

and now aklog should work just fine!

Error returns after reboot

As WLS2 has no easy way of using services (related), one can automatically start the afs-service from the ~/.bashrc if needed

# Check if afs-service is running, if not, start it
if [ -z "$(pidof afsd)" ]; then
        sudo /etc/init.d/openafs-client start
fi

Changelog

2022-11-25

  • added dwarves as requirement
  • added hint for make modules and dwarves

2021-04-21:

  • hint about source-package naming (thanks @mcejp)

2021-01-21:

  • added make modules and hints
  • added ppa:openafs/stable again

2021-01-05:

  • added $(uname -r) and $USER for simplicity (thanks @mihofer)

2020-11-07: Kernel 4.19.128-microsoft-standard

  • added libssl-dev to install
  • removed ppa:openafs/stable
@mcejp
Copy link

mcejp commented Apr 21, 2021

Thanks for this guide ❤️

I think something has changed recently again, because the address I had to wget was

wget https://github.com/microsoft/WSL2-Linux-Kernel/archive/refs/tags/linux-msft-5.4.72.tar.gz

while uname -r prints 5.4.72-microsoft-standard-WSL2

@JoschD
Copy link
Author

JoschD commented Apr 21, 2021
edited

I'm very happy it helped someone :)

You are correct. I've noticed that for some versions their name in the kernel-source-archive is not the same as the actual uname -r (Why though...?). I think it's only this version for now, that was delivered with the windows update and does not follow the naming scheme.
So one has to find the name manually.
I left it in the guide in the hopes that the developers will one day realize their mistakes and are going back to how things should be ;)
Put in a warning now, so it doesn't confuse people :)

@frswedom
Copy link

Hi @JoschD, thank you very much for such a guide!
I would also add that, as far as I understood, one can delete the whole WSL2-Linux-Kernel-... directory, as it occupies 1.6G of space.

@JoschD
Copy link
Author

JoschD commented Nov 19, 2021

Hi @JoschD, thank you very much for such a guide! I would also add that, as far as I understood, one can delete the whole WSL2-Linux-Kernel-... directory, as it occupies 1.6G of space.

Hey @frswedom,
I'm happy it helped you!
Which directory do you mean? The old ones?
You are linking /lib/modules/$(uname -r)/build to the new Kernel directory, so it would be weird if it was gone...?

@frswedom
Copy link

I deleted folder with unpacked kernel, and for me it works fine. Maybe, linking is needed only for dpkg-reconfigure ?

@JoschD
Copy link
Author

JoschD commented Nov 22, 2021

Ah, yes. You only need the modules for the sudo dpkg-reconfigure openafs-modules-dkms step.
Afterwards you could in principle delete them. I usually keep them until I am sure my next kernel update worked, as it might be useful to have them, e.g. when reverting a kernel update or updating the openafs package. You can always just redo the steps again if it ever comes to this, but I am not bothered by the 1-2GB occupied space.

@dariaphoebe
Copy link

If @auristor is workable for you, there are AuriStor kernel modules for all WSL2 kernels from 5.10.74.3 on, including yesterday's release, here: https://www.auristor.com/filesystem/v2021.05/wsl/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment