The Special Case of

The contents of file:///afs/ are regularly mutated manually by admins. While changes will be propagated by the normal autonomic release machinery to file:///afs/ (symlinked from file:///afs/ for compatibility), depending on the mutations made, it may be advisable to manually release this volume ( to more eagerly push changes to the read-only mountpoint. Many of the files therein are referenced via symlink or explicit configuration on various hosts; see below for the manifest.

AFS Volumes Impacted

Note that (and groups.readonly and and root.cell.readonly, which are necessary for the full paths above) are even being served by our “core database” machines, e.g. typhon and friends, so that its contents remain available even in incredibly adverse conditions.




Administrator SSH public keys. See SSH. Externally referenced by symlink and/or cron copy by admin-controlled hosts at ~localadmin/.ssh and/or ~root/.ssh.


A list of /admin principals for kerberized logins to administrative accounts on admin-controlled machines. Externally referenced similarly to authorized_keys.


The contents of ~/.forward on administrative accounts on admin-controlled machines. Externally referenced similarly to authorized_keys.


An abortive attempt at a single authoritative file for our DNS and DHCP needs; was more relevant when our configuration mattered to other people.


Skeleton user home directory, used by ../scripts/new-user.


Automation of adminly tasks. Mutually referential and often referenced by this documentation.

Global Parameters


The Kerberos Key Distribution Center’s global, non-secret parameters. See Configuration. Externally referenced by all KDCs via symlink at /etc/krb5kdc/kdc.conf.


Global parameters of the Ceph cluster. See Ceph Storage System. Externally referenced by all Ceph nodes via symlink at /etc/ceph/ceph.conf.


AFS CellServDB file for AFS servers. Not externally referenced (yet?), but should match /etc/openafs/server/CellServDB on these nodes.


Super-users of the AFS cell. See AFS. Externally referenced on all AFS servers via symlink in /etc/openafs/server.


A comment-ful version of the above. See AFS.

Published Materials


The public components of X.509 certificates issued to us. Available for ease of access, not externally referenced by systems.


The certificate chain from a global CA to our certificates. Externally referenced by name on servers speaking TLS; see for example ../networks/webserver.


What you are reading now!


Patches to Postfix to make it build a local.afs program for delivery into AFS. See Patching for AFS.

The paths README-BRAVE-NEW-WORLD and README-BRAVE-NEW-WORLD-GROUPS are now symlinks into these notes; the names are preserved from earlier days.