Difference between revisions of "Qsub-tunnel-admin"
Line 14: | Line 14: | ||
== Enabling a user == | == Enabling a user == | ||
− | Create a directory on the tunnel device, hosted at <tt>perscontainer.nikhef.nl</tt> ( | + | Create a directory on the tunnel device, hosted at <tt>perscontainer.nikhef.nl</tt> ([ssh://root@dart.nikhef.nl/ ssh://root@dart.nikhef.nl/] has no_root_squash access): |
ssh root@dart.nikhef.nl | ssh root@dart.nikhef.nl |
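Review bot: on the changed line under "Enabling a user", the external link uses the ssh:// URL as both link target and label, and the line that follows already gives the command `ssh root@dart.nikhef.nl`. Consider naming the host in plain text instead, e.g. "(dart.nikhef.nl has no_root_squash access)", so the sentence reads cleanly and the root login is written out only once.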
Revision as of 11:03, 22 November 2016
The Qsub-tunnel is a user mechanism to submit jobs from ikohefnet directly to the NDPF clusters managed by the 'stro' Torque server. It works by virtue of having the same userID mapping on both sides, and a common NFS-mounted directory that is visible on 'both sides of the divide' via the same logical path name.
User management
Although the tunnel will work even without a shared directory, for staging input and output files (even stdin and stderr) we rely on a shared file system in order to overcome issues with password-less SSH access needed to stage files back and forth, and to allow users to easily share job scripts. So for a user to benefit from the tunnel, a shared stage directory must exist.
By default, users have no stage directory, because:
- users must have write permission on the directory
- the stage directory must be made visible as the user home directory on the NDPF side (since users do not have their default home directory mounted there for obvious reasons!)
- a quota must be assigned to this directory to prevent unintended use
In order to encourage proper use of the stage directory, the quota per user is limited: 256 MByte per user (hard limit at 512 MByte/user).
Enabling a user
Create a directory on the tunnel device, hosted at perscontainer.nikhef.nl (ssh://root@dart.nikhef.nl/ has no_root_squash access):
 ssh root@dart.nikhef.nl
 cd /data/tunnel/user
 USER=username
 mkdir $USER
 chown $USER:`id -gn $USER` $USER
 edquota -p davidg $USER
and then add the user to the home automount map, but only if the user did not previously have a home directory on the NDPF (vlaai):
ldapadd -x -W -H ldaps://teugel.nikhef.nl/ -D 'cn=your-CN,ou=Managers,dc=farmnet,dc=nikhef,dc=nl'
and feed it the following LDIF:
 dn: cn=$USER,ou=local,ou=auto.home,ou=automount,dc=farmnet,dc=nikhef,dc=nl
 objectClass: automount
 objectClass: top
 automountInformation: -vers=3,rsize=32768,wsize=32768 perscontainer.nikhef.nl:/shared/ndpf/tunnel/user/$USER
 cn: $USER
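The LDIF above contains a literal $USER, which ldapadd does not expand, so the name has to be substituted before the entry is loaded. The shell function below is an added example, not part of the original page: it renders the entry for one user and refuses names that would alter the DN or the NFS path. The function name tunnel_ldif and the accepted username pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example: render the automount LDIF for one tunnel user.
# The entry layout is copied from the page; the function name and the
# username pattern (lowercase letters, digits, '_' and '-') are assumptions.

tunnel_ldif() {
    user=$1
    # Accept only a plain account name. A '/' or '..' would change the
    # exported NFS path, a ',' would change the DN, and a newline would
    # let the caller append extra attributes or a second entry.
    case $user in
        ''|-*|*[!a-z0-9_-]*)
            echo "tunnel_ldif: refusing username" >&2
            return 1
            ;;
    esac
    # Unquoted here-document: $user is expanded, everything else is literal.
    cat <<EOF
dn: cn=$user,ou=local,ou=auto.home,ou=automount,dc=farmnet,dc=nikhef,dc=nl
objectClass: automount
objectClass: top
automountInformation: -vers=3,rsize=32768,wsize=32768 perscontainer.nikhef.nl:/shared/ndpf/tunnel/user/$user
cn: $user
EOF
}

# Typical use: review the output, then pipe it into the ldapadd command
# shown above, which reads LDIF from standard input.
```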
Enabling a group
A few groups (Atlas, LHCb) are enabled by default, i.e., they have a 'gratis' share allocated in MAUI on stro. Also, the groups must be allowed to submit to a queue, e.g. the 'medium@stro.nikhef.nl' queue. If necessary, configure the (ikohefnet) group on stro via Quattor.
Disabling a user
The simplest way to stop a user from using the tunnel is to make the directory inaccessible. To stop a user from submitting to stro, put the user in the blacklist and/or remove the home directory mount from the automount map.