Difference between revisions of "Qsub-tunnel-admin"

From PDP/Grid Wiki
Line 14: Line 14:
 
== Enabling a user ==
 
== Enabling a user ==
  
Create a directory on the tunnel device, hosted at <tt>perscontainer.nikhef.nl</tt> ([[ssh://root@dart.nikhef.nl/]] has no_root_squash access):
+
Create a directory on the tunnel device, hosted at <tt>perscontainer.nikhef.nl</tt> ([ssh://root@dart.nikhef.nl/ ssh://root@dart.nikhef.nl/] has no_root_squash access):
  
 
  ssh root@dart.nikhef.nl
 
  ssh root@dart.nikhef.nl

Revision as of 11:03, 22 November 2016

The Qsub-tunnel is a user mechanism to submit jobs directly from ikohefnet to the NDPF clusters managed by the 'stro' Torque server. It works by virtue of having the same userID mapping on both sides, and a common NFS-mounted directory that is visible on 'both sides of the divide' via the same logical path name.

User management

Although the tunnel will work even without a shared directory, for staging input and output files (even stdin and stderr) we rely on a shared file system in order to overcome issues with password-less SSH access needed to stage files back and forth, and to allow users to easily share job scripts. So for a user to benefit from the tunnel, a shared stage directory must exist.

By default, users have no stage directory, because:

- users must have write permission on the directory
- the stage directory must be made visible as the user home directory on the NDPF side (since users do not have their default home directory mounted there for obvious reasons!)
- a quota must be assigned to this directory to prevent unintended use

In order to encourage proper use of the stage directory, the quota per user is limited: 256 MByte per user (hard limit at 512 MByte/user).

Enabling a user

Create a directory on the tunnel device, hosted at perscontainer.nikhef.nl (ssh://root@dart.nikhef.nl/ has no_root_squash access):

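ssh root@dart.nikhef.nl
cd /data/tunnel/user
USER=username                             # login name of the user to enable
mkdir "$USER"
chown "$USER:$(id -gn "$USER")" "$USER"   # owner = user, group = user's primary group
edquota -p davidg "$USER"                 # copy the quota limits of prototype user davidg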

Then add the user to the home automount map, but only if the user did not previously have a home directory on the NDPF (vlaai):

ldapadd -x -W -H ldaps://teugel.nikhef.nl/ -D 'cn=your-CN,ou=Managers,dc=farmnet,dc=nikhef,dc=nl' 

and feed it the following LDIF:

dn: cn=$USER,ou=local,ou=auto.home,ou=automount,dc=farmnet,dc=nikhef,dc=nl
objectClass: automount
objectClass: top
automountInformation: -vers=3,rsize=32768,wsize=32768 perscontainer.nikhef.nl:/shared/ndpf/tunnel/user/$USER
cn: $USER
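
The LDIF above contains `$USER`, which ldapadd does not expand when the text is pasted on stdin. The following is an added example, not part of the original wiki page: a shell helper that validates the user name before it is used as a directory name and inside the DN, and then generates the entry. The function names, the allowed name pattern and the 32-character limit are assumptions; the DN and mount options are copied from the page.

```shell
#!/bin/sh
# Added example (not from the original page). Function names and the
# user-name policy are assumptions; adapt them to the site's naming rules.
LC_ALL=C; export LC_ALL   # make the [a-z] ranges below byte-based

# Accept only conservative login names: [a-z_][a-z0-9_-]*, at most 32 chars.
# This rejects '/', '..', ',', '=', spaces and newlines, so the value cannot
# escape /data/tunnel/user or inject extra RDNs or LDIF attribute lines.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;   # empty, or contains a forbidden character
        [!a-z_]*)         return 1 ;;   # must start with a letter or underscore
    esac
    [ "${#1}" -le 32 ]
}

# Print the automount entry for user $1 with the name filled in.
automount_ldif() {
    if ! valid_username "$1"; then
        echo "refusing unsafe user name" >&2
        return 1
    fi
    cat <<EOF
dn: cn=$1,ou=local,ou=auto.home,ou=automount,dc=farmnet,dc=nikhef,dc=nl
objectClass: automount
objectClass: top
automountInformation: -vers=3,rsize=32768,wsize=32768 perscontainer.nikhef.nl:/shared/ndpf/tunnel/user/$1
cn: $1
EOF
}

# When run with an argument, print the entry for that user.
if [ $# -gt 0 ]; then
    automount_ldif "$1"
fi
```

The output of `automount_ldif "$USER"` can be piped into the ldapadd command shown above; running `valid_username "$USER"` before the mkdir/chown steps catches a mistyped or empty name before anything is changed as root.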

Enabling a group

A few groups (Atlas, LHCb) are enabled by default, i.e., they have a 'gratis' share allocated in MAUI on stro. Also, the groups must be allowed to submit to a queue, e.g. the 'medium@stro.nikhef.nl' queue. If necessary, configure the (ikohefnet) group on stro via Quattor.

Disabling a user

The simplest way to disable a user from using the tunnel is to make the directory inaccessible. To stop a user from submitting to stro, put the user in the blacklist and/or remove the home directory mount from the automount map.