Copyright Xerox Corporation 1982Inter-Office MemorandumToIFS AdministratorsDateOctober 3, 1982FromEd TaftLocationPalo AltoSubjectIFS Operation (version 1.37)OrganizationPARC/CSLXEROXFiled on: Operation1 & 2.bravo, Operation.pressThis memo describes operating procedures for the Interim File System software. It assumes thatyou are familiar with standard Alto software in general and with IFS from the user's point of view(HowToUse.bravo).A short summary of revisions to this document may be found at the end. Also, section 14 containsa summary of known bugs in the current release of the software and how to avoid them.The current release of IFS should be run under OS version 20 or later. For correct error reporting,you must have current versions of Swat and Sys.errors.1. Hardware requirements and organizationIFS requires a standard Alto with a Trident disk controller and one to eight Trident T-80 or T-300disk drives in any combination. A T-80 disk pack holds 36,675 pages of 1024 words each, while aT-300 holds 139,365 pages. Due to a software limitation, only 130,986 pages of a T-300 are accessible.The software deals with a primary file system consisting of one or more disk packs. A multiple-packIFS behaves logically as a single file system, and all packs must be present and on-line in order toaccess any files. Files created by IFS are not accessible to other Trident-based programs (e.g., TFU,FTP) or vice versa.Additionally, the software can deal with one or more secondary file systems that may be mountedand dismounted while IFS is running. An example of a secondary file system is a disk pack usedfor on-line, incremental backup.The number of disk drives needed to support a given size file system depends both on how backupis to be accomplished and what degree of redundancy is desired in case of disk drive failure.Backup procedures are discussed in a later section.Any Alto (Alto-I or Alto-II) with a Trident disk controller will run the IFS software; however, forperformance reasons, it is strongly recommended that an Alto-II with at least 128K words of memorybe used. See section 13.2 for details. Beginning with of IFS 1.36, we have abandoned the practice of packagingthe code to minimize working set in a 64K configuration. Certain common operations such as FTP Store now have aworking set greater than 64K, so a server with only 64K of memory is likely to thrash very badly even under light load.There is an Alto-II hardware modification that is recommended for machines that are to be IFSs (orother servers requiring high reliability). This modification corrects a design bug in the memorysingle-error correction. The memory chips are so reliable that the single-error correction is hardlyever invoked; but servers that run for months at a time eventually exercise even low-probabilitybugs. The modification is described in [Maxc2]MemECMod.press. &pX]g~qi cr]pX-r7Bp \r]p-r7Bp V!r]p-r 7Bp`Os K>p9 EtL CZ Bl ?:' >&/ ;K 96 5t) 2)pK 07) /!r= , directory on Maxc2. It consists of thefollowing files:IFS.Run, the program itself.IFS.Syms, for debugging by means of Swat.IFS.Errors, mapping error numbers to strings.IFSScavenger.Run, the IFS Scavenger.IFSScavenger.Syms, symbols for the IFS Scavenger.Versions of these files also exist on [Indigo], but in general these are development versions of the software that havenot been released. You should use only the versions on Maxc2 unless instructed otherwise.These files should be installed on a fairly clean Alto disk, along with standard Alto subsystems suchas FTP. Additionally, the following programs may be useful (obtained from the directory):TFU.Run, for formatting and testing Trident disk packs.Triex.Run, for checking out the Trident disk hardware.CopyDisk.Run, for copying disks.There exists a command file, [Maxc2]IFSOpDisk.cm, that constructs an IFS Operation diskwith all the necessary files. You should first do an Install, go through the long installation dialogue,and erase the disk. Then retrieve IFSOpDisk.cm and execute it. This command file gets all filesfrom Maxc2; you might want to edit it to get standard subsystems and the like from a local fileserver instead, if you are sure the file server has up-to-date versions.All announcements of new IFS releases are made to the distribution list IFSAdministrators^.PA. Ifyou operate an IFS, you should make sure you are included in this list (add yourself using theMaintain program, or send a message to Owners-IFSAdministrators^.PA). Such announcementsinclude the version number of the system (e.g., 1.03); this is the first number printed out in the IFSherald when you connect using FTP or Chat. Be sure to obtain all three of the IFS.* files listedabove.It is important that you use the version of IFSScavenger appropriate to the version of IFS you arerunning. The IFSScavenger has intimate knowledge of the file system format, which sometimeschanges in minor ways from one release to the next. fp G b01 `"up7 _B# ]4* Zr.O YA V` U QNt NipM LJG)D7-AR$>m1 ;rb :nvrW 7p+: 6(E3C70_6-z *\ )"G '3. & @ $H !B ^ H (> .3   'F '5 3 >/T3IFS Operation33. Testing disk hardware and disk packsA file system should be built on a set of disk packs that have been thoroughly tested using theCertify' command in the latest release of TFU. This procedure is essential for reliable operation.The procedure for each pack is as follows.Mount the pack on some drive, d. Then issue the command:TFU Drive d | CertifyTFU will display the message Confirm wiping the pack on drive d', to which you should respondOK'.TFU will now initialize the headers on the pack, then execute 10 passes of writing and readingrandom data on the entire surface of the pack. Any bad spots that it finds are recordedpermanently on the pack in a place that IFS and other Trident software can find. IFS will simply avoidusing pages known to contain bad spots. The running time for this test is 27 minutes for a T-80 pack and91 minutes for a T-300 pack. If possible, it is recommended that the test be run for more than 10 passes. This isaccomplished by the command TFU Drive d | Certify n', where n is the desired number of passes. The running time isapproximately 3 minutes per pass on a T-80 and 9 minutes per pass on a T-300.Before IFS is run in a new installation, it is a good idea to exercise the hardware thoroughly. TheTFU program has an Exercise' command that exercises the hardware thoroughly in a mannersimilar to IFS. The basic procedure is as follows.1.Mount scratch packs on all Trident disk drives (including backup and spare drives).2.If the packs haven't already been certified, use TFU Certify' to initialize the headers on allpacks, as described above.3.For each drive, issue the command TFU Drive d | Erase'. TFU will display the messageConfirm wiping the pack on drive d', to which you should respond OK'.4.For each T-300 drive (if any), issue the command TFU Drive 40d | Erase', and continue asin step 3. This initializes empty file systems on the second half of each T-300 disk.5.Issue the command TFU Exercise n'.This begins a lengthy exercise procedure that creates, reads, writes, and copies files on all packs. nis the number of passes to execute. Each pass takes about 20 minutes per T-80 and 60 minutes perT-300 being exercised. The display will flicker and tear while this test is running; do not be alarmed. TFUwrites a log file TFU.Log on the Diablo disk (which should be quite empty), at the end of whichshould appear the message There were 0 errors' when TFU is done.For further information on the operation of TFU, consult the Trident software documentation in theAlto Subsystems Manual or in TFS.tty.4. Initializing a file systemIFS is invoked by the commandIFS/switcheswhere the switches control the operation of the system in various ways. For a binary switch,preceding it with ' negates its action. Switches defined at present are:/AAllocator debug (every call to the storage allocator invokes some special consistencychecking; this debugging aid slows down system operation slightly.)/CCreate a new file system (see below) fp G bt' _9pU ]S \1* YLupVg up S?up Q O=! M(0 L(rp%r J'p0 I  rW G'vr vrvr6 FkM CpS B%Q @3 = F :Y9T 6o-up 4"up$ 2up02$ -up *Iu )4pG 'r@p &,V $A !M ?/ t p U KA C 3$ ?/^AIFS Operation4/DDebug mode (various non-fatal errors call Swat rather than just continuing on)./FEach occurrence of this switch extends the directory file map by 100 words. This isnecessary only if the directory has become badly fragmented. The standard file map'scapacity is 40 runs; each occurrence of /F increases it by 50 runs./LRetain the Leaf server capability even if the server itself has not been enabled (seesection 9.4)./MEnable the miscellaneous' servers (name, time, and boot). They are ordinarilyenabled and disabled by means of the privileged Change System-parameterscommand (described later), but /M or /M will override the effects of thatcommand for one invocation of IFS. (See section 9.)/SCreate a buffer (spyBuffer) for use by the Swat Spy facility, for performancemeasurements./VVerify the structure of the directory B-Tree when the system is started (see section5). The default state of this switch is true./XUse extended memory, if present, to hold executable code overlays (rather thanswapping them from disk into bank zero when needed). This improves performancesubstantially. The default state of this switch is true./n(n is a number between 1 and 4) Use at most n*64K of memory, even if the Altohas more than that. This is useful primarily for debugging purposes.When IFS is started with the /C switch, it enters a dialogue in which you must supply various filesystem parameters. The dialogue takes the following form.Do you really want to create a file system?Answer y'.Number of disk units:Type in the number of disk units to be included in the file system, terminated byReturn.Logical unit 0 = Disk drive:Type the physical unit number of the drive that is to be logical unit 0 in the filesystem. This question is repeated for each logical unit in the file system.File system name:Enter the name of the file system, followed by Return. This name is displayed asthe first part of the herald generated by the file server and Executive, and should besomething like Parc IFS'.Directory size (pages):This determines the number of disk pages to preallocate for the directory. IFS willsuggest a number (based on the number of disk units) which you may confirm bytyping Return; or you may type some other number followed by Return. To beconservative, you should specify 1000 times the number of disk packs you everexpect to include in the primary file system. (See section 10.)Ok? [Confirm]Answer y' if you want to go ahead, or n' if you made a mistake and wish to repeat fp Gb?_9=]*r\TCYp?X U*;SHR"6P4MEL5 IP5G.DA Cc4A9>upup'uprp=vE :Z 9 :6(+3C 0_-zJ+)&,8$L!7Z H (,M6%(@   37 >/^&IFS Operation5the dialogue.IFS now initializes the file system, an operation that takes about 2 minutes per T-80 and 7 minutesper T-300 in the system. When the screen turns black and the cursor changes from an hourglass toIFS', initialization is complete.The file system initially has only three directories defined: System, Default-User, and Mail. Thepassword for System is IFS. You should connect to the IFS using Chat, login as System (passwordIFS), create some other users (by means of the Create command, described below), and changeSystem's password for the sake of security.Before putting the system into service, there are various system parameters you must set; these aredescribed in later sections. They include:clock correction and server limit (section 7);switches to enable or disable Press printing and the Boot, Name, Time, Leaf, CopyDisk, andLookupFile servers (sections 7 and 9);switches, default registry, and group names for Grapevine authentication and access control(section 6);mail system parameters (section 8);backup system parameters (section 11).5. Normal operationThe system is normally started simply by invoking IFS with no switches. All file system packs mustbe mounted and on-line, and all Read-only switches must be turned off (including those on backupand spare drives). It is unimportant which packs are mounted on which drives, since the softwarereads each pack to discover what the system configuration is. (However, there must be no otherprimary IFS packs on-line. After copying an IFS pack with CopyDisk, you should be careful toremove the copy from the system.)If IFS fails to start up properly, it will call Swat with an appropriate error message. This will occur,for example, if all necessary disk drives are not on-line. While IFS is starting up, the cursorcontains an hourglass; this changes to IFS' when startup is complete and the system is in operation.During startup, IFS also runs a brief test of the Control RAM and S-registers, failure of which willcause IFS not to function even though a great deal of other Alto software works correctly. IFS willcall Swat with an appropriate message if this test fails.When IFS is started, it verifies the consistency of the directory B-Tree (unless inhibited by /V').Inconsistencies can result from crashes at inopportune moments when the B-Tree is in the process ofbeing modified, so the startup-time check is valuable in determining whether it is appropriate to runthe IFS Scavenger. The time required for the check is proportional to the number of files in thesystem; it has been observed to take 2 minutes for 20,000 files.If an inconsistency is detected, IFS will call Swat with an appropriate message. The messageRecord count disagrees' is relatively benign and it is reasonably safe to proceed from this (withcontrol-P). If you do so, it is likely that one or more files in the file system will become inaccessible and will remainso until the next time the IFS Scavenger is run. Other possible errors include Records out of order' andMalformed B-Tree record'; these are more serious and proceeding is not recommended.Immediately after IFS starts, it will perform some other initialization operations requiring a lot ofdisk activity, including obtaining and installing the network directory (name server data base) andboot files. IFS can service user requests during this time (5 minutes or more), but performance willbe noticeably poorer than normal. fp Gb _912 ]L \1" YL(: WD VD*1 T+ Q9* PW+Mr.JVI &F$+0D A#>& :Kt 7fpH 5u)p 4^10 2N 1UH /! ,<- +iU )O '%rp' %|K #9 !7. Q  V a @ = G  r]  $p:  Dup )^ c I ! U?/]AIFS Operation6While IFS is running, the entire screen is black except for the cursor. The position of the cursor isan indication of disk activity. The horizontal position indicates the disk unit most recently accessed(unit zero at the extreme left, unit seven at the right), and the vertical position is the cylinder atwhich the heads are currently positioned (zero at the top, 814 at the bottom). The cursor blinkseach time a page is transferred to or from a user file by the file server.You can tell whether IFS is running normally by pressing the space bar. If the Alto screen flashes,everything is in order; if not, the system has failed in some way.There are two ways to stop the system. The normal (and cleaner) way is to connect to IFS usingChat, log in, Enable, and issue the Halt command. The system will then refuse to admit furtherusers, will wait for all present users (including you) to log out or disconnect, and will return controlto the Alto Executive.The system may also be stopped by typing Shift-Swat on the IFS Alto keyboard (the Swat key mustbe pressed firmly). This aborts all active connections and returns control to the Executiveimmediately; however, it may leave partially-written files lying around so it is not recommended fornormal use.6. Directory and user group managementThis section assumes that you thoroughly understand IFS's use of Grapevine for authentication andaccess control, described in the How to use IFS' document. Additionally, before beginning tocreate IFS directories and groups, you should read Access Controls', file[Maxc]AccessControls.press, for a description of the policies and procedures required to ensureproper information security.6.1. Setting up user directoriesThe IFS Executive (accessed via Chat) has several privileged commands that are available only tousers with the wheel' capability, and only after enabling this capability with the Enable command.When you are so enabled, the Executive's prompt is !' rather than @'. While you are enabled, IFS willnot log you out automatically after three minutes of inactivity as it does normally.The following privileged commands are defined.! Create (directory) directory-name [new] (password) password!! sub-commandsCreates a directory with the supplied name and password. Capitalization of the nameshould be precisely as the user wants to see it. Capitalization of the password isunimportant.If Grapevine authentication is enabled, directory-name may or may not be a fully-qualifiedR-Name of the form simpleName.registry. For a local user whose registry is the same as theIFS's default registry, it is best to omit the .registry when creating the directory, and just usethe simpleName. However, for a user whose registry is different from the IFS's defaultregistry, the directory name must consist of the full R-Name, else Grapevine authenticationwon't work properly.In general, names for files-only directories should not be qualified by registry (and shouldn'tbe registered in Grapevine either).For a directory that corresponds to a Grapevine R-Name, the password you supply isirrelevant, since IFS consults Grapevine for authentication. For a non-Grapevine name, ifyou specify an empty password, then the password cannot be used to gain access to thedirectory. This is useless for a login directory; but it is useful for a files-only directory towhich access is granted solely on the basis of group membership rather than on users fp G b Z `R _A% ]O \J Y)P WB TM S<N Q=+ P4 MO Q KC JG40 H D7t& ARp=$ ?(6 >J890 <] ;A 6u 3pY 2L&= 06r /hT ,p. )u pu (=pu %XpO#%."P k(u p$ u pup5c "up*u pG[!: )up(n#-up W G  C y%/ 2?/]XIFS Operation7knowing the directory's password.The sub-commands are used to change various parameters from their default values. Theseinclude all the sub-commands of the Change Directory-Parameters command, described inHow to use IFS', and additionally include:!! Files-only (owner) user-nameDeclares the directory to be a files-only (i.e., non-login) directory. Theuser-name is the person responsible for this directory; that user is permittedto connect to the directory without giving a password. User-name mustinclude a .registry part if the user's registry is different from the IFS'sdefault registry, but may be omitted if it is the same as the IFS's defaultregistry.!! Disk-limit numberSpecifies the maximum number of disk pages that may be used in thisdirectory.!! WheelDeclares the user to have the wheel' capability, which permits issuingprivileged commands and bypasses all access checking and disk limits.!! MailCreates a mailbox, thereby enabling IFS to receive Laurel mail for this user.(More information about mail is presented in section 8.)!! Group Membership (in groups) groups!! Group Ownership (of groups) groups!! No Group Membership (in groups) groups!! No Group Ownership (of groups) groupsEstablishes the user's membership in or ownership of user groups. (TheGroup Membership sub-command duplicates the function of the top-levelChange Group-Membership command.) Use of these commands ismeaningful only for non-Grapevine members of non-Grapevine groups.Note that in an IFS that does not use Grapevine for access control, anyuser able to log into the IFS is automatically a member of World, regardlessof the setting of the directory's group membership. In an IFS that does useGrapevine for access control, a user whose names is registered in Grapevineis a member of World or not according to whether he is a member of theIFS's World' group, usually USRegistries^.Internet. A user whose name isnot registered in Grapevine but who is able to log into the IFS (because anIFS directory by that name exists) is a member of World only if sospecified by use of the Group Membership command.If directory-name already exists, you are not asked for a password but rather are sent directlyinto subcommand mode. This permits modifying parameters for an existing directory. Inthis context, the following additional subcommands are of interest:!! Password password!! Not Files-only!! Not Wheel fp Gb!_9u p-]9\1+YLXuVgp5Tup; S_6upQup8PW'$NKX uI pCG DXA*@7+=SX:nD886Xu4pu2p#u1yp"u.p!&-5+.8/*/'#*%:$'%",!B<  up!up%11u p:HC1X uLp g l 99[6IFS Operation8!! Not MailNote that to make a non-Grapevine directory unusable for login purposes, you should issuethe Password sub-command with an empty password. The top-level Change Passwordcommand cannot be used for this purpose.The Create command is terminated by typing two Returns in response to the !!'subcommand prompt. You may cancel the entire command by typing control-C.The default values of all parameters for new directories are copied from a dummy directorycalled Default-User. When a file system is created, the default values are Not Files-only,Not Wheel, Not Mail, and Disk-limit 1000. To change the defaults, use the Createcommand to modify the parameters for the directory Default-User. Not Mail' is the default forfiles-only directories, even if Default-User specifies Mail'.! Destroy (directory) directory-name [Confirm]Destroys the specified directory. This operation includes deleting all the files containedwithin it, and destroying the associated mailbox if there is one.! Change Directory-Parameters (of directory) directory-name! Show Directory-Parameters (of directory) directory-nameThese commands work as described in the How to Use' document with the addition thatwhile you are enabled, you may access any directory, not just your own. Also, while youare enabled, Change Directory-Parameters has all the sub-commands described above underCreate.6.2. Setting up Grapevine authentication and groupsThe commands in this section are used to control IFS's use of Grapevine for authentication andaccess control.! Change System-Parameters!! sub-commandsPermits you to issue sub-commands to change one or more system operating parameters.Each sub-command takes effect immediately. Sub-command mode is terminated when youtype CR in response to the !!' prompt.!! Default-Registry registrySets the default Grapevine registry to be registrye.g., PA, ES, etc. Thisshould be the registry to which the majority of the local users of the IFSbelong. Names of directories belonging to these users need not be (andgenerally should not be) qualified by the registry name; but names ofdirectories belonging to users in other registries must be qualified byregistry name.You should set a default registry even if you are not using Grapevine forauthentication and access control. This is to permit local users to presenttheir user names either with or without registry qualification.Note: if the mail server is enabled (section 8), registry must be the same asthe mail server registry specified by the Registry sub-command of the Mailcommand.!! Enable Grapevine Authentication!! Disable Grapevine Authentication fp GbX _9>]up\1(YL#+WJTCS_@Q)(PW2 rN> L5pXu p IP!:GA DX-u Ccp+u @~p4>:=v0'; 7fu3 4p6( 2 0X .u +pT*+*)(rp%Xu"p*up !Y+*Q"#: I d-5\?wup"(o X"/# N C>/[4IFS Operation9Enables and disables IFS's use of Grapevine for authentication. When thisis enabled, any user whose name is registered in Grapevine and who is ableto supply the correct (Grapevine) password can log into IFS. When this isdisabled, only users who have personal directories on the IFS can log in,and they must present the password maintained by that IFS.Before enabling Grapevine authentication, you must specify a defaultregistry as described above.!! Enable Grapevine Groups!! Disable Grapevine GroupsEnables and disables IFS's use of Grapevine for access control (groupmembership checking). When this is enabled, users' access to files iscontrolled by membership in Grapevine groups, as discussed in How to useIFS'. When this is disabled, user group membership is maintained entirelywithin the IFS, and is controlled by the Change Group-Membership orChange Directory-Parameters commands.Before enabling Grapevine group checking, you must specify a defaultregistry as described above, and you must associate Grapevine group nameswith IFS group numbers as described below. It is probably not sensible toenable Grapevine group checking without also enabling Grapevineauthentication.!! Group (name of group) group-number (is) group-nameAssociates the Grapevine group-name with the IFS group-number, which is anumber in the range 0 to 61. The group-name must be a fully-qualifiedname acceptable to Grapevine as either a real group (e.g., CSL^.PA) or apseudo-group (e.g., *.PA).Caution: if you use this command to associate a name with a group numberthat already has a name, the meanings of all existing protections that referto that group will be changed. For example, suppose group 3 is originallyassociated with the name CSL^.PA, and some files' protections are set topermit reading by members of group CSL^.PA. If you then change group3 to associate it with the name PARC^.PA, those files will become readableby all members of PARC^.PA.It is permissible for a group to have a name that is not registered inGrapevine; however, such a group can only contain members whose namesare also not registered in Grapevine, and their membership must bemanaged by use of the IFS Change Group-Membership and ChangeDirectory-Parameters commands. Consequently, this mode of use is reallysuitable only for IFSs in which Grapevine group checking is disabled.To eliminate a group's name (i.e., make the group number no longer have aname), use the Group command as described above, but specify an emptygroup-name. That is, when IFS prompts you for the group-name andsuggests the existing one as a default, erase the existing name using CTRL-Wand then strike CR.!! World (group is) group-nameDefines the membership of the World' group for this IFS. An appropriatevalue of group-name for most IFSs at Xerox sites in the U.S. isUSRegistries^.Internet'. If this is unspecified or empty, any user able tolog into the IFS is considered a member of World'.Note: this restricted definition of World' is enforced only if Grapevine fp Gb0` ?_J]&#\:Y) DWTX/Q+PW+N-MO:K!"JG%Gb+E)DZ1BY5Z AR>mXu pu ;pu p u p :"u p 8(640251C/0.E,J*(1&E%)#5" 2 / ;)u pu p'rprpXu p >C-u p.,/ ;3 V7 /M]lIFS Operation10group membership checking is enabled.6.3. Converting an existing IFS to use GrapevineThis section outlines the procedure for converting an existing IFS to use Grapevine forauthentication and access control. The general idea is to extract the existing authenticationinformation and group structure from the IFS and then capture this state in the Grapevine database. Some of the information here is also relevant when starting up a new IFS.6.3.1. Use the Accountant program to obtain an accounts listing and a group membership summary,as described in section 12.6.3.2. Decide what the default registry is to be. This will usually be obvious: the Grapevine registryof the majority of the local users of the IFS. Set this by means of the Default-Registry sub-command of Change System-Parameters.6.3.3. For each login (non-files-only) directory in the IFS, make sure thatdirectoryName.defaultRegistry' is registered as an individual in Grapevine, and that the Grapevineentry indeed represents the same user as the IFS directory's owner. For most local users this willalready be the case, assuming that Grapevine is in regular use locally for mail service. (Note: youneed not take any action on the built-in directory names Default-User, Mail, and System.)In the case of a login directory belonging to a user in another registry, you may take one of threeactions:1.Most commonly, such a directory exists solely to give that user access to files in otherdirectories on the same IFS, and the user does not store any files at all on his own directory.In this case, simply destroy the directory and instruct the user to use his own full R-Namewhen logging in. If the user is a member of any IFS user groups, you should make surethat the user's full R-Name appears in the corresponding Grapevine groups (below).2.If the remote user actually uses his own directory for storage of files on the IFS, you shouldchange the directory name to include the registry qualification. For example, if the IFS'sdefault registry is PA, and user Jones.ES has a directory whose name is simply Jones' (orJohnJones' or something), then the directory's name should be changed to Jones.ES'.Unfortunately, the only way to do this is to create a new directory, move the files from theold directory to the new (using FTP or Brownie), and destroy the old directory.3.This alternative is not recommended, but is sometimes workable in desperate situations. Ifthe result of appending the IFS's default registry to the directory name yields an R-Namethat is not registered in Grapevine, then you can leave the directory as-is. Thedisadvantages of this alternative are that the user cannot gain access to files by virtue of hisR-Name being in Grapevine groups, and the directory name may conflict with a nameregistered in Grapevine in the future. Note: you may need to explicitly specifiy the directory'smembership in the World group, as discussed above in the description of the Group Membership sub-commandof Create.Since all registered users are able to log in under their full R-Names, Guest' accounts are no longerneeded and should be abolished. This will result in a substantial improvement in informationsecurity. Accounts that permit automatic access by programs using compiled-in credentials shouldlikewise be abolished; procedures for dealing with such situations are described in the AccessControls' memo.6.3.4. In general, the names of files-only directories should not be registered in Grapevine.Ordinarily, users gain access to a files-only directory by virtue of membership in user groupsreferenced by that directory's connect protection, not by presenting the directory's password.However, so long as the result of appending the IFS's default registry to the directory name yieldsan R-Name that is not registered as an individual in Grapevine, the directory may be left as it is;IFS will use local information to authenticate users' attempts to connect to it. (If you are so fp G?b% ]u0 Zp&5'" Y)#; W,2 V!P S<F Q NU MOO K$ H< Gbu pup2 EL DZP BY ?M >m ;R:P8@64"5x8 2^1E/C.6,\*O ((3&Y%up ;#*6" 8 &r/ % [ &pf  S  W !>  1,up -1 )T !B up? Y U?/]qIFS Operation11unfortunate as to encounter a files-only directory whose name is registered in Grapevine, then eitherusers must use the Grapevine password to connect or you must change the name of the directory.)6.3.5. Issue the Enable Grapevine Authentication sub-command of Change System-Parameters. IFSwill now use Grapevine for user authentication, while continuing to use local user group informationfor access control.6.3.6. You will need the cooperation of the Grapevine registry's maintainer to perform this step.Compare the IFS group membership information obtained in step 6.3.2 with the existing Grapevinegroups, using the Maintain program. In most cases you will find that some existing Grapevinegroup is substantially the same as the IFS group, and that any discrepancies are most likely mistakesor oversights. (This is particularly true of organization and project groups.) In such cases, adjustthe Grapevine group membership as necessary and use it for the IFS group. For the remaining IFSgroups, create new Grapevine groups with the same memberships as the IFS groups. Rememberthat each name in a Grapevine group must include a registry name, even when the registry name isthe same as the IFS's default registry.The groups used for IFS access control should be chosen with some care. The simplest groups thatwill do the job should be used. Grapevine takes a long time to check for membership in extremelylarge or complex groups (e.g., SDD^.ES, which is both large and complex); this has the potential forcausing severe performance bottlenecks. In this connection, it should be mentioned that pseudo-groups of the form *.registry' (e.g., *.PA, *.ES) can be checked extremely rapidly, in contrast withgroups such as AllPA^.PA which require lengthy enumerations.It is OK for a group to refer to other groups, but the simpleNames of those other groups must endin ^', else they won't be expanded by Grapevine when checking for group membership. (However,it is not required that the top-level group name contain ^'.)Now use the Group sub-command of Change System-Parameters to associate the chosen Grapevinegroup names with the in-use IFS group numbers. Again, each group name must be a full R-Name,including registry.You should do this step carefully to ensure that you have captured in Grapevine the existing IFSgroup structure, because step 6.3.8 will invalidate and destroy the IFS group structure.6.3.7. Decide on a definition of the World' group. This controls access to all files (both existingand new) whose protections specify World'which is to say, all files accessible to Guest in IFSsthat have had Guest accounts until now.World' is intended to be an all-encompassing group that permits limited access to public files by allauthentic users. The main reason for restricting World' membership is to satisfy U.S. technologyexport regulations. Several non-U.S. Grapevine registries are now being established, and foreignaccess to U.S. information is expected to be conducted through more formal and controlledchannels. (This topic is discussed in detail in the Access Controls' memo.)Therefore, the definition of World' appropriate for most IFSs in the U.S. is a special group calledUSRegistries^.Internet, which includes all members of all U.S. registries. Certain IFSs may chooseto adopt a more restricted group for World'. Note that a user who is not a member of an IFS's World' groupcan still be a member of other of that IFS's groups and can access files whose protections mention those groups.Use the World sub-command of Change System-Parameters to set the name of the IFS's World'group.6.3.8. Issue the Enable Grapevine Groups sub-command of Change System-Parameters. Theconversion to Grapevine is complete.6.3.9. You may now delete all user directories that have disk limits of zero. Such directoriespresumably exist solely to give the users access to other directories on the IFS; since authenticationand access control are now done using Grapevine, these directories are no longer needed.Exception: directories that have special capabilities (Mail' or Wheel') should not be deleted, as fp G? b>up% `_ ]Z \1M Z W%= VDL TE S<\ QX P4` N@ M,%u K&p HU G?7* E` D7'9 Bup? A.< >J7u p < S ;A> 8]F 6F 5U 2pB 0X .!E ,\ *' (_ &%= %># #Y " M %W c /r* [ pH v W  $ )/1 9-  0 ( u pFup8 U?/]mIFS Operation12these capabilities are remembered only by the IFS and not by Grapevine.It is worth mentioning the measures IFS takes to prevent Grapevine from becoming a bottleneckand to enable continued service if all Grapevine servers become unavailable. When a user first logsin or first attempts to access a file in a way that requires membership in some group, IFS interactswith Grapevine in whatever ways are necessary and remembers the result. This means thatsubsequent logins or file accesses involving the same group membership do not require anyinteraction with Grapevine.The Grapevine information that IFS remembers locally is invalidated after 12 hours; this preventsIFS from getting more than 12 hours out of date with respect to Grapevine. Furthermore, IFSremembers only successful user accesses, not unsuccessful ones. This means that when a newGrapevine R-Name is created for a user, or a user is added to a Grapevine group used for accesscontrol by IFS, the changes have an immediate effect on the user's access to IFS. However, whenan R-Name or group member is removed, IFS may continue to allow access on the basis of theobsolete information for up to 12 hours.Finally, if Grapevine becomes inaccessible for an extended period, IFS will continue to use itsremembered Grapevine information indefinitely.7. Other privileged commands! DisableLeaves enabled mode (the Executive's prompt reverts to @').! HaltStops IFS and returns control to the Alto Executive as soon as all present users (includingyou) log out or disconnect. If any Leaf connections are active, there may be a delay ofseveral minutes before the connections are broken and IFS halts.! Show Printing-requests (for user) user! Cancel (printing requests) (for user) userIf you type just RETURN in place of user, these commands will run through all printingrequests for all users.! Change System-Parameters!! sub-commandsPermits you to issue sub-commands to change one or more system operating parameters.Each sub-command takes effect immediately. Sub-command mode is terminated when youtype CR in response to the !!' prompt.The following sub-commands have permanent effects that survive restarts of IFS. (Thepermanent information is kept in file Info!1 in the IFS's primary file system.)!! Clock-Correction correctionSets the software clock correction, which is specified as a sign (+ or )followed by a decimal number. This causes the Alto clock to run faster(+) or slower () than its nominal rate by that number of seconds per day.Alto clocks are quite stable but not particularly accurate, and softwarecorrection is desirable in a server that runs continuously for long periods oftime.The amount by which the clock should be corrected may be determined bycomparison with an accurate reference over a period of several days (using fp G? bG _9 R ]04 \1F Z> Y)E W Ta S<< Qu pB P4L N@ M,> K( H*5 G?. Bt ?pX<< :X7$75@4@ 12X$u /p(u,prp up'+E (`X &u #pT"s*) rp 6?Xu pF9.*1(7) DF %%  y>/]1IFS Operation13the IFS Executive's DayTime' command), or by use of an accuratefrequency counter to measure the Alto system clock (slot 5 pin 63 on anAlto-I, slot 13 pin 63 on an Alto-II) and computing the correction by theformulac = 86400 * (1  f / 5880000)where f is the frequency in Hz.!! Server-Limit nLimits the number of simultaneous server processes (FTP, Chat, and Mailcombined) to n. At present, n may be as high as 6 on an Alto with 64K ofmemory, 8 with 128K, and 10 with 192K or more; the default Server-Limitis one less than the absolute maximum. See section 13.2 for information onsetting this parameter properly.!! Enable Press-printing!! Disable Press-printing!! Enable CopyDisk-server!! Disable CopyDisk-server!! Enable Boot-server!! Disable Boot-server!! Enable Name-server!! Disable Name-server!! Enable Time-server!! Disable Time-server!! Enable LookupFile-server!! Disable LookupFile-serverEnables and disables the Press printing facility and various servers (the FTPserver is always enabled, and the mail system is controlled by subcommandsto the Mail command). When a file system is created, all the servers aredisabled.!! Enable New-boot-files!! Disable New-boot-filesThis controls the operation of the automatic boot file maintenancemechanisms, and is relevant only if the boot server is enabled. If New-boot-files is enabled, IFS will obtain and maintain copies of all boot filesavailable from any other boot servers on the same Ethernet. If New-boot-files is disabled, IFS will maintain only those boot files that it already has.When a file system is created, New-boot-files is enabled.!! Enable Leaf-server!! Disable Leaf-serverEnables and disables the Leaf page-level access server (see section 9.4). TheEnable command does not take effect until IFS is next restarted, unless IFSwas last restarted with the /L switch. Similarly, the Disable command doesnot free resources consumed by the Leaf server until IFS is next restarted.When a file system is created, the Leaf server is disabled.The following sub-commands have one-time-only effects.!! Disable LoginsDisallows further user access to the system. This is useful during debuggingand while reloading the file system from backup.!! Enable LoginsCancels the effect of Disable Logins.!! Reset-TimeCauses IFS to reset its clock from a time server on the directly-connected fp G?b1`8_ =]ZupupupWupTXuQp =Pz upup rpNrprp"Mr7KI X/G/F/D}/B/Au/>/= -;3:7X/4:/ 052-12L/,.*9,9)X/&N%X5#K"P'$ ;6X70X% X  $& 8 0M]L0IFS Operation14Ethernet. This operation is performed once automatically, immediatelyafter IFS restarts.8. Mail systemIFS contains a mail server that is compatible with Laurel and the Grapevine message system. IFScan keep in-boxes for users of that system and can also forward mail to mail servers in otherGrapevine servers, IFSs, and Maxc.If your IFS is in the Xerox Research Internet and you wish to operate a mail server, you should firstconsult the network support organization to obtain useful advice. A mail servermust be assigned a registry name that is distinct from the name of the IFS Alto itself. An IFS canbe either a self-contained registry or an adjunct to a Grapevine registry.To enable a user to receive mail, issue the Mail subcommand of the Create command, as describedpreviously. Of course, if you turn on the Mail capability for Default-User, then all new useraccounts you create subsequently will have Mail capability automatically.When mail is received from a user mail program such as Laurel, it is queued briefly in files namedNew>Mail!*'. A process called MailJob then wakes up and distributes the messages toindividual in-boxes, which are files named Box>user-name!1'. When a user retrieves the mailfrom his in-box, the in-box file is reset to empty. If you disable the mail capability for a user who has mailpending in his in-box, the in-box file will be deleted next time it is read.The MailJob process also forwards mail to other mail server hosts. Specifically, messages addressedto user.registry, where registry is the name of some other mail server, will get forwarded to thatserver by the Mailer process. While being forwarded, such messages are queued in files namedFwd>registry'. If registry maps to multiple addresses, as does GV' and other Grapevine registries, then theMailer will try each of those addresses, closest first, until it succeeds in delivering the messages.When a file system is first created, the mail system is disabled. You should set the enable switchesand configure the mail system using the commands below.8.1. Mail system commandsThe mail system is controlled by a command processor which is entered via the privileged Mailcommand to the IFS Executive. The commands that change parameters take effect immediately andsurvive restarts of IFS.* Enable (mail) System* Disable (mail) System* Enable (mail) Forwarding* Disable (mail) ForwardingEnables and disables the mail system. The first command turns on and off the mailsystem as a whole; the second command enables or disables forwarding of mail toother mail servers.* Dead-letter (recipient name) nameSpecifies the name of the in-box to which notification of mail system problems (e.g.,undeliverable messages with no return address) should be directed. Name may bethe name of an in-box on this IFS or (if forwarding is enabled) the fully-qualifiedname (user.registry') of a recipient on some other server. If the IFS has access to aGrapevine server, DeadLetter.MS' is a good value for name.* Distribution-lists (directory name) nameSpecifies the name of the directory that holds distribution lists (extension .dl') thatare to be remotely accessible via the mail server. Name must not be enclosed by <' fp G?b-` \t Y)pF WH V!" S<14 Qrp) P4u p- NJ K0/ JG> HI E&< DZ8# B6up AR3r* ?L =/pZ ;upupup= :' P 8 uprvr$. 7Be 4pF 27 .qu +pE * P (%X*$*!6>G.IXudp#25up\6u p(T6upoX&u p.* 4upup  >/]LXIFS Operation15and >'; that is, if you keep distribution lists as DLs>*.dl', you shouldspecify Distribution-lists System>DLs'.This mechanism is used to keep distribution lists only for non-Grapevine registries.For Grapevine registries, distribution lists (groups) are maintained exclusively byGrapevine, even if IFS keeps some of the mailboxes for that registry.If name is empty, the distribution list retrieval mechanism is disabled.* Grapevine (server name) nameSpecifies the name of a Grapevine server (ordinarily GV'). Mail to a user at aremote registry is forwarded to name. Mail to a user whose registry maps to thisIFS or matches the registry system parameter, but for which no local mailbox exists,is forwarded to name. If name is empty, mail for a remote user is forwarded to itsregistry, and in the second case is returned as undeliverable.* Registry (we are part of) nameSpecifies the name of a Grapevine registry to which this IFS belongs. Mail to auser whose registry matches name is treated as if the recipient's mailbox is local. Ifno local mailbox exists and a Grapevine name has been specified, then the mail isforwarded there. If name is empty then this IFS's registry name is determined bylooking up its machine address (mail server socket 7). Note: if Grapevineauthentication is enabled, name must be the same as the default registry establishedby the Default-Registry sub-command of Change System-Parameters.* StatusGives the current status of the mail system, and a summary of mail server operatingstatistics covering the interval since the file system was created or last reloaded.Statistics are kept on five items; for each item three things are recorded: Samples',the total number of times a statistic for that item was recorded; Avg', the averagevalue of the statistic; and Histogram', an eight slot, logarithmically scaled histogramof the values.Length (characters)This is the length of a message received by the mail server, includingheader text. A message with multiple recipients is counted once in thisstatistic.RecipientsThis is the number of recipients (To:' plus cc:') of a message received bythe mail server.Sort delay (sec)This is the time between receiving a message and appending copies to localin-boxes or queueing copies for forwarding. It is recorded once for eachlocal recipient and once for each remote mail site.Fwd delay (sec)This is the time between queueing a message for a remote mail server andsuccessfully delivering it to that server. The statistic is recorded once foreach message forwarded, even if the message is addressed to multiplerecipients at the given remote server. fp G?b E`(]:\1PZEWupATXuQp;Pzup-NBMrupup5K>I XuF$pF Dup!C4Aup *@ <>up-= @:'X7B0#5T4:62T12X/ ,X)((`C& # !3X2A.3X =o4 + g& ^ 5C[4IFS Operation16Retrieve delay (min)This is the time between the mail system's appending a copy of a messageto a local in-box and the owner's retrieving it.If any messages have been discarded by the mail system, the number of occurrenceswill be displayed. A message is discarded when it can't be delivered to a recipientand it can't be returned to its sender and it can't be delivered to the dead letterdestination. This is an indication of serious trouble.* Reset (mail statistics)Resets the mail statistics, which are kept continuously and ordinarily survive restartsof IFS. fp G?bX_94]0Z#.YL?W;VD7S_XPzNNB N4C\TIFS Operation179. Other serversIFS contains various servers that provide essential services to other hosts on the directly-connectedEthernet. These include the miscellaneous' servers (principally boot, name, and time), the Leafpage-level access server, the CopyDisk server, and the LookupFile server.The boot, name, and time server functions duplicate those provided by gateway systems, so in anetwork with at least one gateway, it is not necessary for IFS to provide these services. But in anetwork that includes an IFS and no gateways, it is necessary for the IFS to provide the services.Even in networks that do have one or more gateways, running the IFS miscellaneous servers may beadvantageous in that the availability of the services is improved. (Also, it should be noted that theIFS boot server is noticeably faster than the boot servers of existing gateway systems.)Since running the miscellaneous servers may slightly degrade the performance of an IFS in itsprincipal functions, means are provided to turn them off (the Change System-Parameters command,described in section 7). When a file system is first created, all the miscellaneous servers aredisabled.IFS participates in the protocols for automatic distribution and maintenance of the date and time,the network directory, and the common boot files. When IFS is started up for the first time, andthereafter whenever any changes are distributed, IFS obtains all necessary files from neighboringservers (gateways or other IFSs). The name server data base is maintained even if the IFS nameserver is disabled, because IFS requires it for its own internal purposes (principally mail forwarding).9.1. Name serverThe name server data base is kept as file Pup-network.directory'; a new version is createdand older versions deleted whenever a new file is distributed. If there are no other name servers onthe directly-connected Ethernet, you must use the BuildNetworkDirectory procedure to install newversions of the network directory.9.2. Boot serverThe boot files are kept in files Boot>number-name.boot', where name is the name of theboot file and number is its boot file number in octal (for example, Boot>4-CopyDisk.boot').Standard boot files have centrally-assigned boot file numbers less than 100000 octal, and aredistributed automatically. Non-standard boot files have boot file numbers greater than or equal to100000 octal and are not distributed automatically.Ordinarily, IFS will obtain and maintain its own copy of all standard boot files maintained by anyother boot server on the same Ethernet. This is the appropriate mode of operation for most bootservers. However, in some situations it is desirable for an IFS boot server to maintain only a subsetof all available boot files. The Disable New-boot-files sub-command of Change System-parametersmay be used to enter this mode; subsequently, IFS will not obtain any new boot files, but willcontinue to maintain and update any boot files that it already has. Additionally, boot files with numbers inthe range 40000 to 77777 octal will always be managed in this fashion, regardless of the setting of the New-boot-filesswitch. Also, a boot file will not participate in the update protocol if it has a different number than the correspondingly-named boot file in other boot servers. By this means, special versions of standard boot files may be maintained onparticular servers without interfering with the update of the standard versions on all other servers.You may install or delete boot files by manual means (e.g., FTP), keeping in mind the file nameand boot file number conventions described above.Additionally, the boot server supports the MicrocodeBoot protocol, used to boot-load microcode onDolphins and Dorados. The microcode files use a different numbering scheme from normal bootfiles. For purposes of boot file update, microcode file number n is assigned boot file number3000B+n. fp G? bq _9pI ]A \1I YLO WY VDX TC S<R QX NY MOK KB JG GbK E%< DZP B? AR/9 ' 6-3 5U" 0r -p/r p rp ,_ rp/! *B )WJ '3 $(: #jO !L bP : rp Z7rps* g F7 ~^ Ae pZ 1 B  P @rp sprpp C?/[dIFS Operation18The boot server is also capable of boot-loading Sun workstations. The Sun boot protocol identifiesboot files by name rather than by number. However, Sun boot files must still be assigned numbersto control the boot file update process, as described previously. Users need not mention thesenumbers when invoking boot files.The various boot protocols are documented in [Maxc]EtherBoot.press.9.3. Time serverYou should not enable the time server unless you have first calibrated and corrected the Alto clock,using the procedure described in section 7.9.4. Leaf serverIFS contains a server for the Leaf' page-level access protocol, which permits random access to partsof IFS files as opposed to the transfer of entire files. There are several user programs that takeadvantage of this capability, though these programs are still experimental and not widely available.At present, the Leaf software is being made available on a use at your own risk' basis. While it isincluded in the standard IFS release, it is enabled only on some file servers. Leaf was developed bySteve Butterfield, and is presently maintained by Ted Wobber rather than by Taft andBoggs, who are responsible for the remainder of the system. Inquiries and trouble reportsconcerning the use of the Leaf server should be directed to Ted.For performance reasons, the Leaf server should not be enabled in an IFS that also supports heavyFTP, Mail, CopyDisk and Telnet traffic, and the IFS Alto should have at least 192K of memory.The Leaf server is enabled and disabled by sub-commands to the Change System-parameterscommand (section 7). However, for the Leaf server, the IFS software has to do a substantial amountof memory management at startup time which is impractical to perform during normal operation.Therefore, the Enable/Disable Leaf-server commands do not take effect immediately but rather aredeferred until the next restart of IFS. More precisely, the Enable Leaf-server command is deferreduntil the next restart unless Leaf was already enabled at the last restart or IFS was last restarted withthe /L switch. The Disable Leaf-server command takes effect after a delay of at most 3 minutes,but memory resources consumed by the Leaf server are not reclaimed until the next restart of IFS.9.5. CopyDisk serverIFS contains a server for the CopyDisk protocol, which permits one to copy disks to and from anIFS. A CopyDisk server is equivalent to an FTP, Mail or Telnet server when deciding whether tocreate an IFS job in response to a request-for-connection. The load placed on the system by aCopyDisk job is about the same as an FTP job, except that transfers between disk and net willtypically last much longer (minutes rather than seconds).The CopyDisk server is enabled and disabled by sub-commands to the Change System-parameterscommand (section 7).9.6. LookupFile serverThe LookupFile server provides a means of verifying the existence of a file and determining itscreation date and length, using a protocol that is substantially less expensive than either FTP orLeaf. Unlike FTP or Leaf, this server provides information to unauthenticated clients. If available,this server is used heavily by the file cache validation machinery in Cedar, with performanceconsiderably better (and imposing less load on the server) than the corresponding operationperformed via FTP. fp G? b30 `H _5rp ]! ZH V!r S< p? Q+ M,r JGp_ H^ G?J DZH BN ARW ?,. >J@ ;e!@ 9 Gsp 6= 5xP 3I 2pU 0c /hU -E ,_L 'r $pF #jE !Y b] 9  O u r pF I &rp x"; C p 8 )?/\8IFS Operation19The LookupFile server is enabled and disabled by sub-commands to the Change System-parameterscommand (section 7). The LookupFile protocol is documented in [Maxc]LookupFile.press.10. Adding packs to the file systemThe capacity of an existing file system may be increased by adding more packs to it. This may beaccomplished by the following procedure.Initialize and test a pack using TFU Certify' in the normal fashion (section 3). Then, with IFSrunning, mount that pack on any free drive and issue the command:! Extend (file system) Primary (by adding drive) d [Confirm]Primary' is the name of the file system you are extending, and d is the drive on which the new packis mounted. IFS now initializes this pack, an operation that takes about 2 minutes for a T-80 and 7minutes for a T-300. When it completes, the new pack has become part of the file system.Note that there is no corresponding procedure for removing a pack from a file system. To decreasethe number of packs in a file system, it is necessary to dump it by means of the backup system,initialize a new file system, and reload all the files from backup. This procedure is also required tomove the contents of a file system from T-80 to T-300 packs.Note also that adding packs to a file system does not increase the amount of directory spaceavailable. The size of the directory is determined when you first create the file system; there is nostraightforward way (short of dumping and reloading) to extend it. (More precisely, while thesoftware will attempt to extend the directory automatically if it overflows, this will significantlydegrade subsequent performance, and too many such extensions will eventually cause the system tofail entirely.) Therefore, it is important that you allocate a directory large enough for all expectedfuture needs. Experience has shown that 1000 directory pages are required for every 25,000 files inthe file system, but this is highly dependent on a number of parameters including average file namelength.11. BackupThere are three facilities available for assuring reliability of file storage and for recovering fromvarious sorts of disasters.The first facility is the IFSScavenger program. It is analogous to the standard Alto Scavengersubsystem. It reads every page in the file system, makes sure that every file is well-formed, andchecks for consistency between files and directories. For safest operation, it should be run afterevery crash of the IFS program. However, since it takes a long time to run, in practice it shouldonly be run when major file system troubles are suspected (in particular, when IFS falls into Swatcomplaining about disk or directory errors). The IFSScavenger is described in a separate memo,available as IFSScavOp.Bravo (or .Press) on Maxc1.The second facility is an on-line incremental backup system that is part of the IFS program itself. Itoperates by copying files incrementally to a backup file system (ordinarily a single disk pack)mounted on an extra drive. The file system is available to users while the backup operation istaking place (though backup should be scheduled during periods of light activity to avoid seriousperformance degradations). Use of the incremental backup system requires that there be anadditional disk drive connected to the Alto, over and above the drives needed for the primary filesystem itself. The backup system is described in the next section.The third facility is the CopyDisk program. To back up the file system, one must take IFS downand copy each of the file system packs onto backup packs. On a machine with multiple disk drives,one may copy from one drive to another, an operation that takes about 4 minutes per T-80 and 15minutes per T-300 if the check pass is turned off. One may also copy disks over the Ethernet to fp G? b] `-. \q# Y)pB W( TD S<APWX1rp Mr@rp  KT JjD G-5 FI D}S B< @B >33 = B ; W :#= 8L 6a 5xQ 3 /hq ,p\ * (G &Q % Y #X " 9) I 7 Q L D M  I C C  Z I 4+ @ L>/\UIFS Operation20another Alto-Trident system, but this takes about five times as long.At PARC we use the Scavenger and the Backup system; we no longer use CopyDisk for backing upIFS. Regular operation of either the Backup system or CopyDisk is essential for reliable file storage.We have observed several instances of Trident disk drive failures that result in widespreaddestruction of data. It is not possible to recover from such failures using only the IFSScavenger: theIFSScavenger repairs only the structure of a file system, not its contents.11.1. Backup system operationThe backup system works in the following way. Periodically (e.g., every 24 hours), a process in IFSstarts up, checks to make sure a backup pack is mounted, and sweeps through the primary filesystem. Whenever it encounters a file that either has never been backed up before or was lastbacked up more than n days ago (a reasonable n is 30), it copies the file to the backup pack andmarks the file as having been backed up now. Human intervention is required only to changebackup packs when they become full.The result of this is that all files are backed up once within 24 hours of their creation, and thereafterevery n days. Hence every file that presently exists in the primary file system is also present on abackup pack written within the past n days. This makes it possible to re-use backup packs on an n-day cycle.Operation of the backup system has been made relatively automatic so as to permit it to rununattended during the early morning hours when the number of users is likely to be small. This isimportant because system performance is degraded seriously while the backup system is running.11.2. Initializing backup packsTo operate the backup system, you need a disk drive and some number of packs dedicated to thispurpose. The number of packs required depends on the size of your primary file system, the fileturnover rate, and the backup cycle period n. The packs should have their headers and labelsinitialized using TFU Certify' in the normal fashion (section 3). Then they must each be initializedfor the backup system as follows.With IFS running, mount a backup pack on the extra drive. Connect to IFS from some other Altousing Chat, log in, enable, issue the Initialize command, and go through this dialogue:! Initialize (file system type)Answer Backup'.Do you really want to create a file system?Answer y'.Number of disk units:Answer 1'.Logical unit 0 = Disk drive:Type the physical unit number of the drive on which the backup pack is mounted.File system ID:Type some short name that may be used to uniquely identify the pack, e.g.,Backup1', Backup2', etc. No spaces are permitted in this identifier. It should berelatively short, since you will have to type it every time you mount the pack. (You fp G? bE _9sp/& ]Crp \1F ZU Y)rp$ Tr Qpd P4H NA M,rprp/ KQ J## G?G" Erp5) D7rpJ.4 <@ 89r 5Up T 3L 2L+rp/ 0P /D! ,_I *W'X%"-X+H cX~ X/X - g3" 6 ?/]o+IFS Operation21should mark this name on the pack itself, also.)File system name:Type some longer identifying information, e.g., Parc IFS Backup 1', or Serialnumber xxxx', or something.Directory size (pages):Type RETURN. (The default of 1000 pages is plenty.)Ok? [Confirm]Answer y' if you want to go ahead, or n' if you made a mistake and wish to repeatthe dialogue.IFS now initializes the backup file system, an operation that takes about 2 minutes for a T-80 and 7minutes for a T-300. The message Done' is displayed when it is finished.11.3. Setting backup parametersThe next step is to set the backup parameters, an operation that generally need be done only once.Issue the Backup command to enter the backup system command processor (whose prompt is *'),then the Change command. It will lead you through the following dialogue:* Change (backup parameters)Start next backup at:Enter the date and time at which the next backup run is to be started, in the form7-Oct-77 02:00'.Stop next backup at:Enter the date and time at which the next backup run is to stop if it has not yetcompleted, e.g., 7-Oct-77 05:00'.Interval between backup runs (hours):Type 24'.Full file system dump period (days):Enter the number of days between successive backups of existing files (theparameter n above). A good value is 30.The backup system command processor is exited by means of the Quit command in response to the*' prompt.11.4. Normal operationThe following commands are used during normal operation. All of them require that you firstEnable and enter the backup system command processor by means of the Backup command.* StatusPrints a message describing the state of the backup system. It will appearsomething like: fp G?b0_9X\T@ZWXUsp)R"X O=7M JQ IPJ Dr Ap"@ @[L >J;X:n7=63 X0;?."+X%( & X$#$E! rp 0- 7 r p O BD]Xx3  ?/[^IFS Operation22Backup system is enabled and waiting.Backup scheduled between 7-Oct-77 02:00 and 7-Oct-77 05:00File system Backup1 is available to backup system.73589 free pages.Enabled' means that at the appropriate time the backup system will start upautomatically; the opposite is disabled'. The backup system becomes enabled whenyou mount a backup pack (see Mount command, below), and disabled when thebackup system can no longer run due to come condition such as the backup packbeing full.Waiting' means that the backup system is not presently running; the opposite isrunning'. When it is running (or has been interrupted in the middle of a backuprun for whatever reason), it will display an additional message of the form:Presently working on file filenameas an indication of progress (files are backed up in alphabetical order).The last lines display the status of the current backup pack (assuming one has beenmounted. If several backup packs have been mounted, they will all be listed.) Thepossible states are available', presently in use', and no longer usable'. In the lastcase, the reason for the non-usability is also stated, e.g., Backup file system is full'.* Enable (backup system)* Disable (backup system)Enables or disables running of the backup system. If Disable is issued while thebackup system is actually running, it will stop immediately (within a few seconds).These commands are not ordinarily needed, because an Enable is automaticallyexecuted by Mount (see below) and a Disable is executed when the backup systemfinds that there are no longer any usable backup packs. The backup system also stopsautomatically if IFS is halted by the Halt command, but it is not disabled and will resume runningwhen IFS is restarted.* Mount (backup file system) nameMakes a backup pack known to the system. name is the file system ID of thebackup pack (e.g., Backup1'). The pack must be on-line.If the file system is successfully mounted, a message appears in the form:Backup1 (Parc IFS Backup 1),initialized on 6-Oct-77 19:32, 273 free pages.Is this the correct pack? [Confirm]If this is the pack you intend to use, you should answer y'. Then:Do you want to overwrite (re-initialize) this pack? [Confirm]Normally you will be mounting a backup pack that has either never been usedbefore or was last used more than n (e.g., 30) days ago. In this case you shouldanswer y'. This will cause the backup pack to be erased (destroying all files storedin it) at the beginning of the next backup run.If, however, you are re-mounting a partially-filled backup pack that was removedfor some reason, you should answer n'. The backup system will then not erase thebackup pack but rather will simply copy additional files to it.* Dismount (backup file system) name fp G?bX%`:_2]Z8Y)E W"'V!2T Q@P4:NB KXrHpIF(+D}>B+.Au6$>X= :'G 8"17)#5847s 2N1U.qpXr+p*rp *9'#J$>X".!6#QDlX=7 rp.:/HD ? *Xr 5C](1IFS Operation23Makes a previously mounted backup pack unavailable to IFS. This command maybe issued only while the backup system is disabled (use the Disable command ifnecessary).The normal operating procedure is very simple. Every day, issue the Enable and Backup commandsto enter the backup system command processor, then issue the Status command. The status willindicate one of the following conditions:1. Enabled and waiting', with one or more packs available to backup system'. In this case youneed not do anything.2. Disabled and waiting', with one pack no longer available to backup system' because Backupfile system is full'. In this case, you should remove the backup pack, install another one(making sure it was last used more than n days ago), and declare it to IFS by means of theMount command (above).3. Disabled and waiting', with some other condition (e.g., Can't find logical unit 0'). Youshould correct the condition (most likely the required pack wasn't mounted at the time thebackup system last started to run), then issue the Mount command as above.When done, issue the Quit command to exit the backup system command processor. It is a goodidea to keep a record of the dates on which each backup pack was mounted and dismounted so thatyou know when a pack is available for re-use.11.5. Restoring individual files from backup; listing backup filesIndividual files may be restored from backup in the following manner. It is not a good idea to dothis while the backup system is running.Install the desired backup pack on any free drive. Issue the Enable and Backup commands to enterthe backup command processor. Then go through the following dialogue:* Restore (from backup pack) namename (long-name) mountedRestore: file-designatorThe name is the File system ID of the backup pack (e.g., Backup1'). In response to Restore:', typethe name of a file to be restored. *'s are permitted, and the default version is !*'. The name ofeach file is typed out as it is restored.When all files matching file-designator have been restored, IFS will again prompt you with Restore:'.You may either restore more files (from the same backup file system) or type RETURN to indicatethat you are finished.Files are restored from the backup system with precisely the attributes (version number, referencedates, etc.) they had when backed up. If a file already exists in the primary file system, IFS willrefuse to overwrite it unless the version in the backup file system is newer.It is also possible to examine the directory of a backup pack (or, indeed, any IFS file system youcan mount in its entirety) by means of the following commands:* OnLine (file system) namename (long-name) mountedMakes the secondary file system name available for use by the commands describedbelow. If some other file system was already put on-line by a previous OnLinecommand, it is first put off-line.* List (files) file-designator fp G?b!+`;_ \1A ZJ Y))VDETQ_PW PN(rp1MOJjGHJGbJ D}L B0/ Au- Xrprprp,)!- " Xr x y?/];IFS Operation24This command is identical to the standard top-level List command (with all its sub-commands), but applies to the secondary file system most recently specified in anOnLine command rather than to the primary file system.* OffLineMakes unavailable the file system most recently specified in an OnLine command.This operation is performed automatically if you exit the Backup command by Quitor control-C.After doing an OnLine, you may issue as may List commands as you want; control remains in theBackup command (unless you abort by control-C), and the secondary file system remains on-line. ARestore command will use the current secondary file system if there is one, and will automaticallyput it off-line when it is finished.You must issue OffLine or an equivalent command before turning off the drive on which thesecondary file system is mounted. Failure to do so will cause IFS to fall into Swat.11.6. Reloading the entire file system from backupIf the primary file system is clobbered in a way that the Scavenger can't repair, the followingprocedure may be used to recreate it from backup. If performed correctly, this procedure willrestore the primary file system to its exact state at the time of the most recent backup run.11.6.1. Complete reloadFirst, re-initialize the primary file system as described earlier (section 4). Then connect to IFS fromanother Alto using Chat, login as System (password IFS), and issue the Enable command. It isadvisable at this point to disable logins with the Disable Logins sub-command of the Change System-parameters commandso as to prevent users from accessing the file system while you are reloading it.Mount (on any free drive) the most recent backup pack, i.e., the one most recently written on by thebackup system (this is very important). Then:* Reload (file system)Reload the entire file system? [confirm] yesNote: mount the LAST backup pack first.Mount backup pack: nameThe name is the ID of the backup pack you have mounted. IFS will now proceed to restore filesfrom the backup pack to the primary file system. When it is done, it will again ask you to Mountbackup pack:', at which point you should mount the next most recent backup pack. Repeat thisprocedure until you have mounted all packs written within the past n days. When you are done,type control-C to terminate the reload process.IFS will list out the files as they are restored. (To disable the pause at the end of each page, typeahead one space.) You will notice that not all files are restored. In particular:Files that were backed up at some time but no longer existed at the time of the last backupare not restored. (The listing will say such a file is deleted'.)Files already restored from a more recent backup are not restored from an earlier one. (Thelisting will say already exists'.)It is important to understand the difference between Restore and Reload. Restore simply copies thespecified files from the backup pack to the primary file system. Reload, on the other hand, attemptsto recreate the state of the primary file system as of the most recent backup. To this end, Reloadwill restore only those files that actually existed at the time of the most recent backup run, and will fp G?bN`4_6\1XYL?W9VD S_<! QF PW.4 N$ KrpD JjU Er2 Bp*5 Au5) ?,1 ;er 8p9/ 6(0s 5 i 4^Q 1pr p) 0.-3X+,*+'(r %prp> $>T "(5 !6Crp / U ISdECFw# I 8- O J >/]L=IFS Operation25skip files that once existed (and were backed up) but were subsequently deleted.It is essential that the last backup pack be reloaded first. Failure to heed this instruction will causesome files not to be reloaded that should have been, and vice versa. If the reload is interrupted forany reason and must be restarted, you must again start by reloading the last backup pack (eventhough all files from that pack may have been reloaded already), and then skip to the pack whosereload was interrupted. This is because the decision whether or not to reload each file is made onthe basis of the last state of the file system as recorded on the most recent backup pack.Reloading the file system restores all system and backup parameters to their former state, so long asthe System directory is one of those restored. If you are using the backup system to move files enmasse from one file server to another, you should check to make sure that the system parametersthat are restored are suitable for the new system. Also, after completing a reload, it is necessary tohalt and restart IFS to ensure that all system parameters take effect.11.6.2. Partial reloadOrdinarily you should answer yes' to the question reload the entire file system?'. However, thereare situations when you might wish to reload only some of the directories, such as when moving agroup of users' files from one IFS to another. The easiest way (though not the only way) toaccomplish this is to reload those directories from the original IFS's backup packs onto the new IFS.If you answer no' to reload the entire file system?', IFS will ask you to type in the names of thedirectories to be reloaded, separated by spaces and terminated by RETURN. You should type thesenames carefully, as they are not being error-checked by IFS and there is no way to go back andmake a correction. (Do not type angle brackets around the directory names.) After you typeRETURN, the remainder of the reload process will take place as described above, but only thedirectories you specified will be restored and the rest will be skipped.11.6.3. Reloading damaged filesWhen the IFSScavenger is run to repair a broken file system, it may find one or more files whosecontents are damaged. The IFSScavenger is capable of repairing only the file system's structure, notits contents. When it detects a damaged file, it marks the file as being damaged, sets the file'sprotection to empty so as to discourage access by users, and puts an error report in theIFSScavenger.log file. (Certain kinds of damage cause the file to be deleted altogether; this is alsonoted in the log file.)When only a few files are damaged or deleted, the easiest recovery procedure is to restore themindividually using the Restore command described in section 11.5. But when many files areinvolved, it is better to use the following procedure, which is relatively automatic but quite time-consuming.The procedure is simply to use the Reload command described in section 11.6.1, but without firstinitializing the file system. Reload will consider all the files on all the backup packs you mount(starting with the most recent one), but will copy only those files that are either damaged or missingin the primary file system. This procedure may be carried out while the file server is available tousers.Note that this operation will also reload copies of any files that were deliberately deleted by userssince the most recent run of the backup system. This is because the Reload process has no way ofdetermining whether a missing file was deleted by a user or by the IFSScavenger. After completingthis procedure, you should warn users that recently-deleted files may have been resurrected. fp G? bP _9rpZ ]=) \1*4 Z-rp Y)c W"8 TZ S<$=r Qp!9 P4"E NF J#r G?p V E` D7> BF ?K >J(sp <U ;A/- 9sp*, 89H 3r 0p?! /D23 -O ,< < *)= )4 &OJ $K #G?% ! ;% ZY T RD  )< e01 M ]%7 >/VJIFS Operation2611.7. Repeating backup runsIt may happen that you want to repeat one or more of the most recent backupssay, because thecurrent pack suffered hard errors or irreparable damage, and you wish to repeat the backup of theaffected files onto a fresh backup pack. This is controlled by the following commands:* Repeat (backups later than) dateDuring the next run of the backup system, IFS will back up all files that were last backed up morerecently than date, in addition to the files it normally backs up.* Don't Repeat (backups)Cancels the Repeat command. The Repeat command is also cancelled automatically upon successfulcompletion of a backup run.12. AccountingAccountant.run is a program which collects accounting and administrative information from arunning IFS. It retrieves copies of all of the Directory Information Files (DIFs) from a runningIFS and produces a text file containing per-directory and system-wide information.In order to run Accountant, you must be a wheel, since the DIFs which Accountant reads areprotected. Note that you run this program on some other Alto, not on the IFS Alto.When first started up, Accountant asks you for the name of the IFS that it is to connect to. It thenasks three questions: Generate accounts listing?', Generate group membership summary?', andGenerate disk usage listing?'; for each one, if you answer yes' then it requests an output file name(on your local Alto disk). It then connects to the IFS and produces the requested output.An accounts listing consists of the names and attributes of all directories in the system, includingdisk page limit and current usage. At the end of the listing are the totals of page limits and currentusages.A group membership summary shows the memberships of each of the IFS user groups. Thisinformation is valid only for non-Grapevine members of non-Grapevine groups. The groupmembership summary is useful in managing an IFS that does not use Grapevine for access control,and is also useful when converting an existing IFS from non-Grapevine to Grapevine access control.Additionally, the summary includes, for each group, a list of directories whose connect, create, ordefault file protections refer to the group; this is useful in determining what a group is used for andwhether it is still in active use.A disk usage listing includes, for each directory, the number of files and pages accounted for byold' versions (all but the most current version of files for which multiple versions exist) and ahistogram of time since most recent access. This information is useful for discovering obsolete filesand directories.The accounts listing and group membership summary are generated fairly quickly15 minutes or sofor a large IFS (4 T-300 disks). The disk usage listing takes a long time2 to 3 hours for a largeIFS. All three listings can be generated simultaneously; however, due to peculiarities of the FTPprotocol, generating a disk usage listing at the same time as either or both of the others is likely totake longer than generating them separately. fp G? br _9p P ]H \1WYLXr Vgp>$ T rp0QX OT M I q F$p*1 DY CR @7P >3rp ;O :K> 8A% 7BH 4^K 2T 1U .q< ,W +iJ ) W (`R &c %X" "s6+ 9) kK  _ ~[ W vO , >S`IFS Operation2713. Miscellaneous13.1. Disk pack identificationIf you forget the ID of some Trident pack (e.g., a backup pack), there is no way to Mount' it forthe backup system. This is why it is a good idea to mark the ID on the pack itself (not on itsplastic cover, which is interchangeable with other packs). A good place to mark it is on the plasticring on the top of the pack. Do not affix a paper label: it will fly off and destroy the heads, thepack, or both.There is, however, a command for finding out vital information about a pack. It is:! What (is the pack on drive) dwhere d is a drive number. If the pack is an IFS pack (primary or backup), this command will printout the vital parameters, including the ID. If the pack is not an IFS pack, it will say so.13.2. Software performanceThe IFS software strains the Alto's capacity severly, particularly with respect to main memory. Incombination with certain deficiencies of the BCPL runtime environment, this can lead to rather poorperformance (in particular, excessive disk thrashing) when there are more than a few simultaneoususers of the system.Also, there are times when certain data structures and code segments cannot be swapped out. It ispossible for the system to deadlock if all of memory is occupied by such immovable objects. Thesymptom of this is that IFS ceases to respond to requests for service, the Alto screen looks normal(black with IFS' in the cursor), and the screen does not flash when you press the space bar. Thepossibility of deadlocks is the principal reason for imposing a limit on the number of simultaneousserver processes. To make things worse, deadlocks frequently occur during major changes to the directory, therebyleaving it in an inconsistent state requiring the IFSScavenger to correct.If the IFS Alto has only 64K of memory, IFS must both keep data and swap code using thatmemory. Considering that there is over 100K of swappable code and only 32K of memory availablefor swapping both code and data, this leads to serious disk thrashing. In the 64K configuration, themaximum possible Server-limit is 6 and the default is 5. Even with a limit of 5, memory deadlocksare likely (depending on usage patterns), and it may be necessary to reduce the Server-limit to 4 oreven 3 in order to entirely prevent deadlocks. For all practical purposes, a 64K Alto should beconsidered an unsupported configuration.If the IFS Alto has extended memory, the situation is much better. IFS has an extended emulator'that is able (with some restrictions) to execute BCPL code residing in extended memory, though itcan still reference data only in the first 64K of memory. Consequently, performance is significantlyimproved, since most or all of the first 64K is available for data and code swapping is reduced oreliminated.The IFS software running on an Alto with 128K of memory can support up to 8 simultaneous users,and with 192K or more up to 10 simultaneous users. It is believed that memory deadlocks areimpossible with these configurations. Therefore, it is strongly recommended that IFS Altos have atleast 128K of memory, and systems that serve large or highly demanding user communities shouldhave 192K of memory. (The software does not presently take any advantage of memory beyond192K.) fp G? bq ]r ZpS Y)_ W W V! rp@ T QTNXr KprpI JjX Er Bp\ AuT ?5, >m ;6, : T 8H 6J 5x4/ 3s2/ 2J /psp# .M"spsp ,Nsp +E20 ) Z (=Msp &( #K "PO -sp , H(sp6  #sp2 [ spG 4/ SspA spN Ksp >/UJIFS Operation2813.3. Interpreting system statisticsThe IFS Executive's Statistics command pours out various internal operating statistics, some havingto do with hardware and some with software. Many are of interest only to IFS implementors, butall are explained here for completeness. An IFS administrator should examine these statisticsperiodically (say, once per day) to notice problems that may lead to progressive failures; this isparticularly important in the case of memory and disk errors. Except where noted, all statisticscover the interval since IFS was last restarted.If you terminate the Statistics command with SPACE rather than CR, you will be asked for anadditional keyword (one of Directory, Disk, Mail, Memory, or Server); and only the specified subsetof the system statistics will be displayed.SmallZone overflows, bigZone overflows, overflow pagesIFS has a three-level memory storage allocator. SmallZone and bigZone are heap-typeallocators for objects of less than 25 words and of 25 to 500 words, respectively. Objectslarger than 500 words are allocated by removing one or more 1024-word pages from theVMem (virtual memory manager) pool. If one of the first two zones becomes exhausted, itrecovers by borrowing space from the next larger zone.It is normal to encounter up to 100 or so zone overflows per day, and for there to be amaximum of 2 or 3 VMem pages used to recover from bigZone overflows. More overflowsare indicative of the need to change some compile-time parameters. If the current' numberof overflow pages remains nonzero for any significant length of time, it is indicative of abug (loss of allocated storage).Net blocks allocated minus blocks freedThis is simply the number of memory storage blocks presently allocated. If there is nosystem activity besides your Chat connection, this should be more-or-less constant. If itincreases slowly over time, storage is being lost.PBIs, PBI overflowsThe Pup software maintains a pool of packet buffers (PBIs) that are shared among all activeservers. The first number displayed is the normal number of PBIs, which is constant for agiven IFS release and Alto memory configuration. Under certain circumstances (particularlywhen connections are made through slow links), the system runs out of PBIs; when thishappens, additional PBIs are temporarily allocated (from bigZone) to cover the shortage.(Frequently this will cause bigZone to overflow as well.)VMem buffers, buffer shortagesApproximately half of Alto memory is turned over to the VMem package, which manages itas a buffer pool of 1024-word pages and implements a software virtual memory foraccessing various objects on the disk, including code overlays (if not resident in extendedmemory), directories, and bit tables. The number of VMem buffers is constant for a givenIFS release and Alto memory configuration.If the VMem package receives a request that it can't satisfy because all buffers are in use bylocked objects (or have been removed to service a zone overflow), it increments the buffershortages' count (vMemBufferShortages, accessible from Swat) and then waits, in the hopethat some other process will run to completion and release some buffers. Sometimes thisworks. On other occasions, all processes in the system get into this state and the system isdeadlocked.VMem reads and writesThis table contains the number of swap reads and writes for each of four main types of fp G? br$ _9p\ ]5* \1E ZK Y)a W0 T-sp sp S<N Q+ NX6KTJjDH6Gb#5E6BWAuJ ?6%>m<< :X'72%5S42 12X.MT,B+EA)P(=(0&9 #X ++k4Jc*/*&8v?rp3n8O f X ? h U>/]NIFS Operation29objects managed by the VMem package: code overlays, VFile pages (virtually accessed files,principally the IFS directory B-Tree), DiskDescriptor (disk bit map) pages, and Leaf pages(file pages accessed via the Leaf server).Overlays read from XM and from diskIf the Alto has extended memory, this indicates how many overlay reads have been satisfiedby reading from extended memory rather than from the disk. Most overlays are executeddirectly by the extended emulator, but under certain conditions overlays must be swappedinto the first 64K before execution. There should be virtually no overlay swapping (fromeither XM or disk) on a machine with 192K of memory or more.Main memory errorsFor an Alto-II, if any main memory errors have occurred since IFS was last restarted, theoffending memory card and chip numbers are reported. These are single-bit errors thathave been corrected by the hardware, so they are not cause for immediate alarm. However,when such errors occur, you should schedule hardware maintenance for replacement of badchips at the next convenient time. This will reduce the likelihood that a single-bit errordevelops into an uncorrectable error, causing the server to crash.Disk statistics (cumulative)This table contains operating statistics for each Trident disk unit, and, in the case of T-300disks, each of the two logical file systems on the unit. All disk statistics are cumulative fromthe time the file system was created.File systemFile system name and logical unit number within that file system. Logicalunit 0 contains the IFS directory and the code swapping region.TransfersNumber of pages transferred to and from the unit.ErrThe number of errors of all kinds except data-late errors and label checkerrors knowingly caused by the software. (See below for moreinformation.)ECCThe number of data errors detected by the Error Correction Code. (Seebelow for more information.)FixThe number of ECC errors that have been corrected. The ECC permitscorrecting error bursts up to 11 bits long.RestThe number of times a head-restore operation has been performed. This isdone as a last-resort measure when an uncorrectable error persists through8 retries.UnrecThe number of errors unrecoverable after 16 retries. This usually causesIFS to fall into Swat and report an unrecoverable disk error. This may beindicative of a hardware problem or of an inconsistency in the structure ofthe file system. Running the IFSScavenger can tell you which.BTerrThe number of times the bit table has been found to be incorrect, i.e., toclaim that a page is free when it isn't. This in itself is a non-fatal error,but it may be indicative of serious hardware or software problems. On theother hand, it can also be caused by restarting IFS after a crash withoutfirst running the IFSScavenger.FreeThe number of free pages on the logical unit. IFS always allocates newfiles on the emptiest unit, and every file is contained completely within oneunit. The software does not always recover from running out of disk space fp G?b?`K_* \1X#YLKWVVD&2Tsp@S<(sp PWXMr.+K5!JjCH@GbJEB BX@ T>O= %:' @)@8?5@12@.@1UH(I@/ ,@: @+i(@;@'+$@ <@"B@! .@"'@6@&K@>@A@9G@F@1A@ @.@ D8@ #' y99]XIFS Operation30(i.e., it may fall into Swat), so be careful not to let the amount of freespace get too low.Disk drive statistics (since last restart)This table corresponds to a portion of the previous table, but it is reset every time IFS isrestarted, and the software-related information is omitted. Progressive hardware problemsare more evident in this table than the previous one.TransfersNumber of pages transferred to and from the unit.ErrThe number of errors of all kinds except data-late errors and label checkerrors knowingly caused by the software. It is normal for these to occur ata low rate; they are caused by known hardware problems in the controllerand disk drives, and by random electronic glitches. A sudden jump in thiserror count not accompanied by a corresponding jump in the ECC count isgrounds for suspicion of a non-data-related problem (e.g., positioningerrors or momentary not-ready conditions.)ECCThe number of data errors detected by the Error Correction Code. Theseshould be extremely infrequent, especially on T-300 drives which are veryreliable if properly maintained. A sudden jump in the rate of ECC errorsis grounds for suspicion of a hardware problem./10^10 bitsThe ECC error rate per 1010 bits transferred. The Century Dataspecification for T-300 drives is one recoverable ECC error per 1010 bits;but this assumes perfect testing of disk packs, no interchanging of packsbetween drives, etc. Nevertheless, this statistic is useful for comparisonbetween drives in one system, or between different systems.Directory statisticsThese include the total number of files in the system; the number of pages actually in useby the directory B-Tree; and (most important) the number of runs (fragments) comprisingthe directory file IFS.dir. Ordinarily there should be only one run; however, if thedirectory has grown larger than its preallocated size (as discussed in section 10), theadditional required pages will cause more runs to be created. (This can also occur if IFS.dirsuffers hard disk errors and is destroyed and recreated by the IFSScavenger.) If the numberof runs exceeds 40, IFS must be started with one or more /F switches, as described insection 4; otherwise it will crash occasionally due to running out of space in its file map.Server statisticsThese show, for each type of server, the number of connection requests that have beenaccepted and the number that have been refused due to the system reaching the Server-limit.Mail statisticsThese are described in section 8.1. They are cumulative since the file system was created orthe mail statistics were last reset explicitly.14. Known bugs and what to do about themNo bugs are presently known to exist in IFS version 1.37. fp G?@b$&@` ]X*ZYYL2(W5T@1Q@.@Pz($@N6@Mr6@K rp8@Jj3@H*F@A@D}*@BB@Au/> @?s>p$@<1=Ss ]@ \12 YLXVgQsTp QXO? L5XIP FkXCI B< ?X<8A:D 7X4+- 2X/!&--% *X'>&O*&$)+#GB!Q ?- ZXu'4%-m?0e X"4 +4 ? @ L>/\IFS Operation32among other Telnet commands.Version 1.24; March 8, 1980Extended emulator included, enabling substantially improved performance and moresimultaneous users if the IFS Alto has extended memory (see section 13.2); new commandfile available to construct an IFS Operation disk from scratch (section 2); a few additionalstatistics are kept and displayed by the Statistics command (section 13.3); sub-commandadded to privileged Mail command to reset the mail statistics (section 8.1); optional Leafpage-level access server included on a use at your own risk' basis (section 13.4). Note: dueto a format change, the mail statistics will be reset automatically the first time IFS 1.24 isstarted.Version 1.25; May 19, 1980CopyDisk server added (see section 13.5); new commands to display and cancel pressprinting requests (section 7); new commands to repeat the backup of files (section 11.7).Version 1.27; September 6, 1980Mail server changes, required for compatibility with the Grapevine servers; Printed-by sub-command added to Print command; a few bugs fixed.Version 1.28; January 3, 1981Rename command defaults new file name; Print command has new sub-commands Duplexand Password; backup system can reload selected directories rather than the entire filesystem (section 11.6); boot server can now boot-load microcode for Dolphins and Dorados;the boot server's automatic acquisition of new boot files can be disabled (section 9);Accountant program augmented to produce disk usage listing (section 12); mail serverchanges, required for compatibility with the Grapevine servers (section 8.1). Note: the Leafprotocol has undergone minor changes that may require Leaf clients to be changedcorrespondingly; implementors of software that uses Leaf should contact Ted for information.Version 1.30; January 28, 1981The Change Protection command has been generalized to Change Attributes, with new sub-commands Backup, Byte-size, and Type. The Backup command has new sub-commandsOnLine, OffLine, and List (section 11.5). Some hardware error checks have been added:the Control RAM and S-registers are tested during startup (section 5), and corrected single-bit main memory errors are recorded (section 13.3). Additionally, a number of bugs havebeen fixed.Version 1.31; May 10, 1981The action of the /A switch has changed. The directory statistics (section 13.3) and themeaning of the /F switch are now documented. Mail system changes have been made tofacilitate conversion of an IFS-based registry to Grapevine; in particular, disabling a user'smail capability causes his in-box to be destroyed next time it is read rather thanimmediately; and the forwarder now understands about registry names that map to multipleaddresses (section 8). The Leaf server now supports a multipleWriters' mode of access;consult Ted for details. The FTP server now deals in date properties thatinclude time zones; in conjunction with a new release of FTP.run, this enables file dateproperties to be transferred correctly between different time zones.Version 1.33; June 29, 1981The purpose of this release is principally to fix two long-standing and notorious bugs: theB-Tree delete bug' and the infinite return-to-sender bug'. Additionally, the Trident disk fp G?b _9X\T!2"Z6YL>W!6VDFTT S<CQ NXKLJjR GXD/,C1 @7X=S,$;R:KI8E7B,(5N4::2W12 .MX+iA)%)(`E& sp9%X#5# X LA^~1!DvB8nSD X W N U99]LIFS Operation33software's handling of recoverable disk errors has changed somewhat; in particular, the rateof non-ECC errors is substantially reduced. Some additional disk error information isdisplayed by the Statistics command (section 13.3).Version 1.35; December 11, 1981IFS can be configured to use Grapevine for authentication and access control; this replacesthe user name and group structure maintained by IFS, and eliminates the need for Guestaccounts (section 6). You should read the new How to use IFS' document, as it includesan explanation of how IFS uses Grapevine that is not repeated here. A Show System-Parameters command has been added. The Create and Change Directory-Parameterscommands now have the same set of sub-commands (section 6). Reloading the file systemfrom backup now properly restores all system parameters instead of resetting them todefault values (section 11.6). Accountant generates a group membership summary (section12). A new version of the IFSScavenger accompanies this release. Note: for proper errorreporting, you should obtain the latest [Maxc2]Sys.errors.March 14, 1982 (documentation update only)A summary of known bugs has been added (section 14). There is now a separate documentdescribing access control policies and procedures in considerably more detail; please obtainand read [Maxc]AccessControls.press.Version 1.36; May 13, 1982This is principally a maintenance release to fix a number of bugs found in previous releases.Functional changes are as follows. In an IFS that uses Grapevine group checking, a userwho is not registered in Grapevine but does have a login directory on the IFS is no longerautomatically a member of World; his membership in World is now controlled just the sameas membership in other groups (using the Change Group-Membership command). TheBackup Reload command may now be used to repair damage detected by the IFSScavenger(section 11.6.3). The FTP server supports some recent extensions to the FTP protocol thatpermit substantially improved performance in certain operations (particularly enumerations,which in certain cases are now over 10 times as fast as before); some changes to clientsoftware are required to take full advantage of this improvement.Version 1.37; October 3, 1982This release introduces some minor new features. The boot server can now boot-load Sunworkstations; also, new boot files installed by manual means (e.g., FTP) are now noticedimmediately instead of after a delay of up to 8 hours (section 9.2). A new server,LookupFile, is included and may optionally be enabled (section 9.6). The backup systemnow automatically fixes any incorrect directory page usage totals which it encounters.Additionally, internal changes in the VMem software have resulted in a modest performanceimprovement and elimination of the long-standing Can't flush locked page' bug. fp G?bW` L_3 \1XYL9"WVVD.*T(+S<<QJ P4TN:M,HK@ HX*EBDZ1+B) ?X= G;-+:rp rp/8?625x/$3U2pG0G/hA ,X)A(A&>%W#%1" 8! O B ?:9G TIMESROMAN  TIMESROMAN  TIMESROMANLOGO TIMESROMAN  TIMESROMAN  TIMESROMAN TIMESROMAN  TIMESROMAN  TIMESROMAN  TIMESROMAN ' 07?G Q \dk t|    "∄B$Odvdv~ddfQdEDddd~ddf]dddd~dddddde i~faf\􌽨ddd~dǽN~f\Ƚddj/"DŽ{Operation.pressTaft.PA 3-Oct-82 16:47:07 PDT: