Commit cc47cf31 authored by Lukáš Krupčík

fix

parent 198f6972
Showing with 248 additions and 329 deletions
VNC
===
# VNC
The **Virtual Network Computing** (**VNC**) is a graphical [desktop sharing](http://en.wikipedia.org/wiki/Desktop_sharing "Desktop sharing") system that uses the [Remote Frame Buffer protocol (RFB)](http://en.wikipedia.org/wiki/RFB_protocol "RFB protocol") to remotely control another [computer](http://en.wikipedia.org/wiki/Computer "Computer"). It transmits the [keyboard](http://en.wikipedia.org/wiki/Computer_keyboard "Computer keyboard") and [mouse](http://en.wikipedia.org/wiki/Computer_mouse") events from one computer to another, relaying the graphical [screen](http://en.wikipedia.org/wiki/Computer_screen "Computer screen") updates back in the other direction, over a [network](http://en.wikipedia.org/wiki/Computer_network "Computer network").
The recommended clients are [TightVNC](http://www.tightvnc.com) or [TigerVNC](http://sourceforge.net/apps/mediawiki/tigervnc/index.php?title=Main_Page) (free, open source, available for almost any platform).
Create VNC password
-------------------
## Create VNC password
!!! Note "Note"
Local VNC password should be set before the first login. Do use a strong password.
Local VNC password should be set before the first login. Do use a strong password.
```bash
[username@login2 ~]$ vncpasswd
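Review bot: The mouse link in the VNC description line is broken: `[mouse](http://en.wikipedia.org/wiki/Computer_mouse")` has a stray quote and no title, so it should read `[mouse](http://en.wikipedia.org/wiki/Computer_mouse "Computer mouse")` like the neighbouring links. The "Do use a strong password" note would also be more honest if it said that classic VNC authentication only uses the first 8 characters of the password, so the real protection is the SSH tunnel described further down and the VNC port must never be reachable directly.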
......@@ -17,13 +15,12 @@ Password:
Verify:
```
Start vncserver
---------------
## Start vncserver
!!! Note "Note"
To access VNC a local vncserver must be started first and also a tunnel using SSH port forwarding must be established.
To access VNC a local vncserver must be started first and also a tunnel using SSH port forwarding must be established.
[See below](vnc.md#linux-example-of-creating-a-tunnel) for the details on SSH tunnels. In this example we use port 61.
[See below](vnc.md#linux-example-of-creating-a-tunnel) for the details on SSH tunnels. In this example we use port 61.
You can find ports which are already occupied. Here you can see that ports " /usr/bin/Xvnc :79" and " /usr/bin/Xvnc :60" are occupied.
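Review bot: The display-to-port mapping is left implicit: this hunk says "we use port 61" while the tunnel section below uses TCP port 5961. State once that VNC display :N listens on TCP port 5900+N (so :61 is 5961) and that the occupied displays in the ps listing (:79 and :60) are why 61 was chosen; otherwise readers have to guess the relation. "You can find ports which are already occupied" should also say how (with the ps command shown).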
......@@ -67,10 +64,9 @@ username 10296 0.0 0.0 131772 21076 pts/29 SN 13:01 0:01 /usr/bin/Xvn
To access the VNC server you have to create a tunnel between the login node using TCP **port 5961** and your machine using a free TCP port (for simplicity the very same, in this case).
!!! Note "Note"
The tunnel must point to the same login node where you launched the VNC server, eg. login2. If you use just cluster-name.it4i.cz, the tunnel might point to a different node due to DNS round robin.
The tunnel must point to the same login node where you launched the VNC server, eg. login2. If you use just cluster-name.it4i.cz, the tunnel might point to a different node due to DNS round robin.
Linux/Mac OS example of creating a tunnel
-----------------------------------------
## Linux/Mac OS example of creating a tunnel
At your machine, create the tunnel:
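Review bot: "eg. login2" should be "e.g. login2" in both copies of the note. The DNS round-robin warning is the important part and is correct; it would help to say positively that the tunnel host must be the full name of the node the server was started on, not only what to avoid.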
......@@ -109,8 +105,7 @@ You have to destroy the SSH tunnel which is still running at the background afte
kill 2022
```
Windows example of creating a tunnel
------------------------------------
## Windows example of creating a tunnel
Use PuTTY to log in on cluster.
......@@ -133,29 +128,25 @@ Fill the Source port and Destination fields. **Do not forget to click the Add bu
Run the VNC client of your choice, select VNC server 127.0.0.1, port 5961 and connect using VNC password.
Example of starting TigerVNC viewer
-----------------------------------
## Example of starting TigerVNC viewer
![](../../../img/vncviewer.png)
In this example, we connect to VNC server on port 5961, via the ssh tunnel, using TigerVNC viewer. The connection is encrypted and secured. The VNC server listening on port 5961 provides screen of 1600x900 pixels.
Example of starting TightVNC Viewer
-----------------------------------
## Example of starting TightVNC Viewer
Use your VNC password to log using TightVNC Viewer and start a Gnome Session on the login node.
![](../../../img/TightVNC_login.png)
Gnome session
-------------
## Gnome session
You should see after the successful login.
![](../../../img/gnome_screen.png)
Disable your Gnome session screensaver
--------------------------------------
## Disable your Gnome session screensaver
Open Screensaver preferences dialog:
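Review bot: "The connection is encrypted and secured" in the TigerVNC paragraph is only true because the viewer connects to 127.0.0.1:5961 through the SSH tunnel; VNC itself sends the session in the clear and its password exchange is weak. Say so explicitly, and that pointing the viewer at the login node's port 5961 directly is not an option. Also "log using TightVNC Viewer" should be "log in using TightVNC Viewer", and "You should see after the successful login." is missing its object (the Gnome desktop).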
......@@ -165,8 +156,7 @@ Uncheck both options below the slider:
![](../../../img/gdmdisablescreensaver.png)
Kill screensaver if locked screen
---------------------------------
## Kill screensaver if locked screen
If the screen gets locked you have to kill the screensaver. Do not to forget to disable the screensaver then.
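Review bot: "Do not to forget to disable the screensaver then." should read "Do not forget to disable the screensaver afterwards."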
......@@ -178,8 +168,7 @@ username 24316 0.0 0.0 270564 3528 ? Ss 14:12 0:00 gnome-scree
[username@login2 .vnc]$ kill 24316
```
Kill vncserver after finished work
----------------------------------
## Kill vncserver after finished work
You should kill your VNC server using command:
......@@ -195,8 +184,7 @@ Or this way:
[username@login2 .vnc]$ pkill vnc
```
GUI applications on compute nodes over VNC
------------------------------------------
## GUI applications on compute nodes over VNC
The very same methods as described above, may be used to run the GUI applications on compute nodes. However, for maximum performance, proceed following these steps:
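Review bot: `pkill vnc` matches any of your processes whose name contains "vnc", not just the Xvnc server, so it will also kill a vncconfig or vncviewer you happen to run on the node; present it as a last resort and prefer a command scoped to your own display, such as `vncserver -kill :61`. Also drop the comma in "methods as described above, may be used".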
......
X Window System
===============
# X Window System
The X Window system is a principal way to get GUI access to the clusters. The **X Window System** (commonly known as **X11**, based on its current major version being 11, or shortened to simply **X**, and sometimes informally **X-Windows**) is a computer software system and network [protocol](http://en.wikipedia.org/wiki/Protocol_%28computing%29 "Protocol (computing)") that provides a basis for [graphical user interfaces](http://en.wikipedia.org/wiki/Graphical_user_interface "Graphical user interface") (GUIs) and rich input device capability for [networked computers](http://en.wikipedia.org/wiki/Computer_network "Computer network").
!!! Note "Note"
The X display forwarding must be activated and the X server running on client side
!!! tip
The X display forwarding must be activated and the X server running on client side
X display
---------
## X display
In order to display graphical user interface GUI of various software tools, you need to enable the X display forwarding. On Linux and Mac, log in using the -X option tho ssh client:
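Review bot: "log in using the -X option tho ssh client" has a typo; it should read "to the ssh client". The admonition text in both the old "!!! Note" and the new "!!! tip" version lacks a full stop after "client side".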
......@@ -15,10 +13,9 @@ In order to display graphical user interface GUI of various software tools, you
local $ ssh -X username@cluster-name.it4i.cz
```
X Display Forwarding on Windows
-------------------------------
## X Display Forwarding on Windows
On Windows use the PuTTY client to enable X11 forwarding. In PuTTY menu, go to Connection->SSH->X11, mark the Enable X11 forwarding checkbox before logging in. Then log in as usual.
On Windows use the PuTTY client to enable X11 forwarding. In PuTTY menu, go to Connection-SSH-X11, mark the Enable X11 forwarding checkbox before logging in. Then log in as usual.
To verify the forwarding, type
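Review bot: The menu path lost its arrows in the new version: "Connection-SSH-X11" no longer reads as a path. Use a separator that survives the markdown linter, e.g. "Connection > SSH > X11"; the same substitution happens in several other hunks of this commit (System > Log Out, Conversions > Export OpenSSH key, the Internet Explorer and Firefox certificate paths).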
......@@ -34,18 +31,15 @@ localhost:10.0
then the X11 forwarding is enabled.
X Server
--------
## X Server
In order to display graphical user interface GUI of various software tools, you need running X server on your desktop computer. For Linux users, no action is required as the X server is the default GUI environment on most Linux distributions. Mac and Windows users need to install and run the X server on their workstations.
X Server on OS X
----------------
## X Server on OS X
Mac OS users need to install [XQuartz server](https://www.xquartz.org).
X Server on Windows
-------------------
## X Server on Windows
There are variety of X servers available for Windows environment. The commercial Xwin32 is very stable and rich featured. The Cygwin environment provides fully featured open-source XWin X server. For simplicity, we recommend open-source X server by the [Xming project](http://sourceforge.net/projects/xming/). For stability and full features we recommend the
[XWin](http://x.cygwin.com/) X server by Cygwin
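Review bot: "There are variety of X servers" should be "There are various X servers", and the last sentence is split over two lines without a full stop ("...we recommend the XWin X server by Cygwin."). The paragraph recommends two different servers ("for simplicity" Xming, "for stability" XWin); one sentence saying which to pick by default would help.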
......@@ -56,11 +50,10 @@ There are variety of X servers available for Windows environment. The commercial
Read more on [http://www.math.umn.edu/systems_guide/putty_xwin32.html](http://www.math.umn.edu/systems_guide/putty_xwin32.shtml)
Running GUI Enabled Applications
--------------------------------
## Running GUI Enabled Applications
!!! Note "Note"
Make sure that X forwarding is activated and the X server is running.
Make sure that X forwarding is activated and the X server is running.
Then launch the application as usual. Use the & to run the application in background.
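Review bot: The link text and target disagree: the visible text ends in putty_xwin32.html while the href points to putty_xwin32.shtml. Keep the real target and make the visible text match it, or use descriptive link text instead of the URL.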
......@@ -75,8 +68,7 @@ $ xterm
In this example, we activate the intel programing environment tools, then start the graphical gvim editor.
GUI Applications on Compute Nodes
---------------------------------
## GUI Applications on Compute Nodes
Allocate the compute nodes using -X option on the qsub command
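Review bot: "intel programing environment" should be "Intel programming environment". The sentence also describes starting gvim while the visible command in the hunk header is xterm; check that the example command and its description agree.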
......@@ -94,13 +86,11 @@ $ ssh -X r24u35n680
In this example, we log in on the r24u35n680 compute node, with the X11 forwarding enabled.
The Gnome GUI Environment
-------------------------
## The Gnome GUI Environment
The Gnome 2.28 GUI environment is available on the clusters. We recommend to use separate X server window for displaying the Gnome environment.
Gnome on Linux and OS X
-----------------------
## Gnome on Linux and OS X
To run the remote Gnome session in a window on Linux/OS X computer, you need to install Xephyr. Ubuntu package is
xserver-xephyr, on OS X it is part of [XQuartz](http://xquartz.macosforge.org/landing/). First, launch Xephyr on local machine:
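Review bot: The XQuartz link here (http://xquartz.macosforge.org/landing/) differs from the one used earlier on the page (https://www.xquartz.org); use the same current URL in both places. "We recommend to use separate X server window" should be "We recommend using a separate X server window".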
......@@ -126,8 +116,7 @@ xinit /usr/bin/ssh -XT -i .ssh/path_to_your_key yourname@cluster-namen.it4i.cz g
However this method does not seem to work with recent Linux distributions and you will need to manually source
/etc/profile to properly set environment variables for PBS.
Gnome on Windows
----------------
## Gnome on Windows
Use Xlaunch to start the Xming server or run the XWin.exe. Select the "One window" mode.
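Review bot: The xinit example in this hunk's header has a typo in the host name, "cluster-namen.it4i.cz"; users copy-paste this line, so it will fail for them. Also "However this method" needs a comma after "However", and "does not seem to work with recent Linux distributions" is too vague to act on; name the affected distributions if known, or drop the hedge.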
......@@ -139,8 +128,7 @@ $ gnome-session &
In this way, we run remote gnome session on the cluster, displaying it in the local X server
Use System->Log Out to close the gnome-session
Use System-Log Out to close the gnome-session
### If no able to forward X11 using PuTTY to CygwinX
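Review bot: "Use System-Log Out" lost its arrow (should be "System > Log Out"), and "If no able to forward X11" should read "If unable to forward X11".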
......@@ -162,7 +150,7 @@ PuTTY X11 proxy: unable to connect to forwarded X server: Network error: Connect
![XWin-listen-tcp.png](../../../img/XWinlistentcp.png "XWin-listen-tcp.png")
2. Check Putty settings:
1. Check Putty settings:
Enable X11 forwarding
![](../../../img/cygwinX11forwarding.png)
Accessing the Clusters
======================
# Accessing the Clusters
The IT4Innovations clusters are accessed by SSH protocol via login nodes.
!!! Note "Note"
Read more on [Accessing the Salomon Cluster](../../salomon/shell-and-data-access.md) or [Accessing the Anselm Cluster](../../anselm-cluster-documentation/shell-and-data-access.md) pages.
Read more on [Accessing the Salomon Cluster](../../salomon/shell-and-data-access.md) or [Accessing the Anselm Cluster](../../anselm-cluster-documentation/shell-and-data-access.md) pages.
PuTTY
-----
## PuTTY
On **Windows**, use [PuTTY ssh client](shell-access-and-data-transfer/putty/).
SSH keys
--------
## SSH keys
Read more about [SSH keys management](shell-access-and-data-transfer/ssh-keys/).
Graphical User Interface
------------------------
## Graphical User Interface
Read more about [X Window System](./graphical-user-interface/x-window-system/).
Read more about [Virtual Network Computing (VNC)](./graphical-user-interface/vnc/).
Accessing IT4Innovations internal resources via VPN
---------------------------------------------------
## Accessing IT4Innovations internal resources via VPN
Read more about [VPN Access](vpn-access/).
# PuTTY (Windows)
Windows PuTTY Installer
-----------------------
## Windows PuTTY Installer
We recommned you to download "**A Windows installer for everything except PuTTYtel**" with **Pageant** (SSH authentication agent) and **PuTTYgen** (PuTTY key generator) which is available [here](http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html).
!!! Note "Note"
After installation you can proceed directly to private keys authentication using ["Putty"](putty#putty).
After installation you can proceed directly to private keys authentication using ["Putty"](putty#putty).
"Change Password for Existing Private Key" is optional.
......@@ -14,53 +13,49 @@ We recommned you to download "**A Windows installer for everything except PuTTYt
"Pageant" is optional.
PuTTY - how to connect to the IT4Innovations cluster
----------------------------------------------------
## PuTTY - how to connect to the IT4Innovations cluster
- Run PuTTY
- Enter Host name and Save session fields with [Login address](../../../salomon/shell-and-data-access.md) and browse Connection - > SSH -> Auth menu. The *Host Name* input may be in the format **"username@clustername.it4i.cz"** so you don't have to type your login each time.In this example we will connect to the Salomon cluster using **"salomon.it4i.cz"**.
* Run PuTTY
* Enter Host name and Save session fields with [Login address](../../../salomon/shell-and-data-access.md) and browse Connection - SSH - Auth menu. The *Host Name* input may be in the format **"username@clustername.it4i.cz"** so you don't have to type your login each time.In this example we will connect to the Salomon cluster using **"salomon.it4i.cz"**.
![](../../../img/PuTTY_host_Salomon.png)
- Category -> Connection - > SSH -> Auth:
* Category - Connection - SSH - Auth:
Select Attempt authentication using Pageant.
Select Allow agent forwarding.
Browse and select your [private key](ssh-keys/) file.
![](../../../img/PuTTY_keyV.png)
- Return to Session page and Save selected configuration with *Save* button.
* Return to Session page and Save selected configuration with *Save* button.
![](../../../img/PuTTY_save_Salomon.png)
- Now you can log in using *Open* button.
* Now you can log in using *Open* button.
![](../../../img/PuTTY_open_Salomon.png)
- Enter your username if the *Host Name* input is not in the format "username@salomon.it4i.cz".
- Enter passphrase for selected [private key](ssh-keys/) file if Pageant **SSH authentication agent is not used.**
* Enter your username if the *Host Name* input is not in the format "username@salomon.it4i.cz".
* Enter passphrase for selected [private key](ssh-keys/) file if Pageant **SSH authentication agent is not used.**
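Review bot: "Select Allow agent forwarding." is given as a plain step with no caveat: forwarding the agent lets anyone with root on the login node use your keys for as long as you are connected. Say it is only needed if you want to ssh onward from the login node with the same key, and leave it unchecked otherwise. Also the menu path lost its arrows ("Connection - SSH - Auth") and "each time.In this example" is missing a space.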
Another PuTTY Settings
----------------------
## Another PuTTY Settings
- Category -> Windows -> Translation -> Remote character set and select **UTF-8**.
- Category -> Terminal -> Features and select **Disable application keypad mode** (enable numpad)
- Save your configuration on Session page in to Default Settings with *Save* button.
* Category - Windows - Translation - Remote character set and select **UTF-8**.
* Category - Terminal - Features and select **Disable application keypad mode** (enable numpad)
* Save your configuration on Session page in to Default Settings with *Save* button.
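Review bot: "Another PuTTY Settings" should be "Other PuTTY settings", "in to Default Settings" should be "into Default Settings", and the menu paths here lost their arrows as well.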
Pageant SSH agent
-----------------
## Pageant SSH agent
Pageant holds your private key in memory without needing to retype a passphrase on every login.
- Run Pageant.
- On Pageant Key List press *Add key* and select your private key (id_rsa.ppk).
- Enter your passphrase.
- Now you have your private key in memory without needing to retype a passphrase on every login.
* Run Pageant.
* On Pageant Key List press *Add key* and select your private key (id_rsa.ppk).
* Enter your passphrase.
* Now you have your private key in memory without needing to retype a passphrase on every login.
![](../../../img/PageantV.png)
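Review bot: The sentence "Pageant holds your private key in memory without needing to retype a passphrase on every login." and the last list item say the same thing; keep one. It is also worth noting that the decrypted key stays in memory until Pageant is closed, so it should be closed when leaving the workstation.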
PuTTY key generator
-------------------
## PuTTY key generator
PuTTYgen is the PuTTY key generator. You can load in an existing private key and change your passphrase or generate a new public/private key pair.
......@@ -68,11 +63,11 @@ PuTTYgen is the PuTTY key generator. You can load in an existing private key and
You can change the password of your SSH key with "PuTTY Key Generator". Make sure to backup the key.
- Load your [private key](../shell-access-and-data-transfer/ssh-keys/) file with *Load* button.
- Enter your current passphrase.
- Change key passphrase.
- Confirm key passphrase.
- Save your private key with *Save private key* button.
* Load your [private key](../shell-access-and-data-transfer/ssh-keys/) file with *Load* button.
* Enter your current passphrase.
* Change key passphrase.
* Confirm key passphrase.
* Save your private key with *Save private key* button.
![](../../../img/PuttyKeygeneratorV.png)
......@@ -80,33 +75,33 @@ You can change the password of your SSH key with "PuTTY Key Generator". Make sur
You can generate an additional public/private key pair and insert public key into authorized_keys file for authentication with your own private key.
- Start with *Generate* button.
* Start with *Generate* button.
![](../../../img/PuttyKeygenerator_001V.png)
- Generate some randomness.
* Generate some randomness.
![](../../../img/PuttyKeygenerator_002V.png)
- Wait.
* Wait.
![](../../../img/PuttyKeygenerator_003V.png)
- Enter a *comment* for your key using format 'username@organization.example.com'.
* Enter a *comment* for your key using format 'username@organization.example.com'.
Enter key passphrase.
Confirm key passphrase.
Save your new private key `in "*.ppk" `format with *Save private key* button.
Save your new private key in "*.ppk" format with *Save private key* button.
![](../../../img/PuttyKeygenerator_004V.png)
- Save the public key with *Save public key* button.
* Save the public key with *Save public key* button.
You can copy public key out of the ‘Public key for pasting into authorized_keys file’ box.
![](../../../img/PuttyKeygenerator_005V.png)
- Export private key in OpenSSH format "id_rsa" using Conversion -> Export OpenSSH key
* Export private key in OpenSSH format "id_rsa" using Conversion - Export OpenSSH key
![](../../../img/PuttyKeygenerator_006V.png)
- Now you can insert additional public key into authorized_keys file for authentication with your own private key.
* Now you can insert additional public key into authorized_keys file for authentication with your own private key.
You must log in using ssh key received after registration. Then proceed to [How to add your own key](../shell-access-and-data-transfer/ssh-keys/).
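Review bot: In PuTTYgen the menu is called "Conversions", and the arrow in "Conversion - Export OpenSSH key" was lost; write it as "Conversions > Export OpenSSH key". The backtick artifact in "`in "*.ppk" `format" is correctly removed by the new line.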
......@@ -19,12 +19,11 @@ After logging in, you can see .ssh/ directory with SSH keys and authorized_keys
!!! Hint
Private keys in .ssh directory are without passphrase and allow you to connect within the cluster.
Access privileges on .ssh folder
--------------------------------
## Access privileges on .ssh folder
- .ssh directory: 700 (drwx------)
- Authorized_keys, known_hosts and public key (.pub file): 644 (-rw-r--r--)
- Private key (id_rsa/id_rsa.ppk): 600 (-rw-------)
* .ssh directory: 700 (drwx------)
* Authorized_keys, known_hosts and public key (.pub file): 644 (-rw-r--r--)
* Private key (id_rsa/id_rsa.ppk): 600 (-rw-------)
```bash
cd /home/username/
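Review bot: The file is named authorized_keys with a lowercase a; "Authorized_keys" in the permissions list could mislead a user into creating a file sshd never reads. Since the cluster-internal private key has no passphrase (per the hint above), the 600 mode on id_rsa is its only protection; note that ssh itself refuses to use a private key whose permissions are more open than that.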
......@@ -36,8 +35,7 @@ Access privileges on .ssh folder
chmod 600 .ssh/id_rsa.ppk
```
Private key
-----------
## Private key
!!! Note "Note"
The path to a private key is usually /home/username/.ssh/
......@@ -76,8 +74,7 @@ An example of private key format:
-----END RSA PRIVATE KEY-----
```
Public key
----------
## Public key
Public key file in "*.pub" format is used to verify a digital signature. Public key is present on the remote side and allows access to the owner of the matching private key.
......@@ -87,8 +84,7 @@ An example of public key format:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpujuOiTKCcGkbbBhrk0Hjmezr5QpM0swscXQE7fOZG0oQSURoapd9tjC9eVy5FvZ339jl1WkJkdXSRtjc2G1U5wQh77VE5qJT0ESxQCEw0S+CItWBKqXhC9E7gFY+UyP5YBZcOneh6gGHyCVfK6H215vzKr3x+/WvWl5gZGtbf+zhX6o4RJDRdjZPutYJhEsg/qtMxcCtMjfm/dZTnXeafuebV8nug3RCBUflvRb1XUrJuiX28gsd4xfG/P6L/mNMR8s4kmJEZhlhxpj8Th0iIc+XciVtXuGWQrbddcVRLxAmvkYAPGnVVOQeNj69pqAR/GXaFAhvjYkseEowQao1 username@organization.example.com
```
How to add your own key
-----------------------
## How to add your own key
First, generate a new keypair of your public and private key:
......@@ -97,7 +93,7 @@ First, generate a new keypair of your public and private key:
```
!!! Note "Note"
Please, enter **strong** **passphrase** for securing your private key.
Please, enter **strong** **passphrase** for securing your private key.
You can insert additional public key into authorized_keys file for authentication with your own private key. Additional records in authorized_keys file must be delimited by new line. Users are not advised to remove the default public key from authorized_keys file.
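Review bot: "Please, enter strong passphrase" should be "Please enter a strong passphrase". Since the text says not to remove the default public key, check that the example in the collapsed part appends to authorized_keys (>>) rather than overwriting it; a single > would leave only the new key and lock the user out of the default one.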
......@@ -109,7 +105,6 @@ Example:
In this example, we add an additional public key, stored in file additional_key.pub into the authorized_keys. Next time we log in, we will be able to use the private addtional_key key to log in.
How to remove your own key
--------------------------
## How to remove your own key
Removing your key from authorized_keys can be done simply by deleting the corresponding public key which can be identified by a comment at the end of line (eg. *username@organization.example.com*).
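Review bot: "private addtional_key key" has a typo (additional_key), and "eg." should be "e.g.".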
VPN - Connection fail in Win 8.1
================================
# VPN - Connection fail in Win 8.1
**Failed to initialize connection subsystem Win 8.1 - 02-10-15 MS patch**
## Failed to initialize connection subsystem Win 8.1 - 02-10-15 MS patch
AnyConnect users on Windows 8.1 will receive a "Failed to initialize connection subsystem" error after installing the Windows 8.1 02/10/15 security patch. This OS defect introduced with the 02/10/15 patch update will also impact WIndows 7 users with IE11. Windows Server 2008/2012 are also impacted by this defect, but neither is a supported OS for AnyConnect.
**Workaround:**
## Workaround
- Close the Cisco AnyConnect Window and the taskbar mini-icon
- Right click vpnui.exe in the 'Cisco AnyConnect Secure Mobility Client' folder. (C:Program Files (x86)CiscoCisco AnyConnect Secure Mobility Client)
- Click on the 'Run compatibility troubleshooter' button
- Choose 'Try recommended settings'
- The wizard suggests Windows 8 compatibility.
- Click 'Test Program'. This will open the program.
- Close
* Close the Cisco AnyConnect Window and the taskbar mini-icon
* Right click vpnui.exe in the 'Cisco AnyConnect Secure Mobility Client' folder. (C:Program Files (x86)CiscoCisco AnyConnect Secure Mobility Client)
* Click on the 'Run compatibility troubleshooter' button
* Choose 'Try recommended settings'
* The wizard suggests Windows 8 compatibility.
* Click 'Test Program'. This will open the program.
* Close
![](../../../img/vpnuiV.png)
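Review bot: The backslashes in the AnyConnect path were swallowed by markdown in both the old and the new version: "C:Program Files (x86)CiscoCisco AnyConnect Secure Mobility Client" should be put in a code span as `C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client`. Also "WIndows 7" should be "Windows 7".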
VPN Access
==========
# VPN Access
## Accessing IT4Innovations internal resources via VPN
Accessing IT4Innovations internal resources via VPN
---------------------------------------------------
For using resources and licenses which are located at IT4Innovations local network, it is necessary to VPN connect to this network. We use Cisco AnyConnect Secure Mobility Client, which is supported on the following operating systems:
- Windows XP
- Windows Vista
- Windows 7
- Windows 8
- Linux
- MacOS
* Windows XP
* Windows Vista
* Windows 7
* Windows 8
* Linux
* MacOS
It is impossible to connect to VPN from other operating systems.
VPN client installation
------------------------------------
## VPN client installation
You can install VPN client from web interface after successful login with LDAP credentials on address <https://vpn.it4i.cz/user>
![](../../img/vpn_web_login.png)
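Review bot: The supported-OS list still includes Windows XP and Vista, which are out of vendor support; if the client still works there, say it is unsupported rather than listing them alongside current systems. "It is impossible to connect to VPN from other operating systems" overstates it; "not supported" is accurate.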
......@@ -40,8 +39,7 @@ After you click on the link, download of installation file will start.
After successful download of installation file, you have to execute this tool with administrator's rights and install VPN client manually.
Working with VPN client
-----------------------
## Working with VPN client
You can use graphical user interface or command line interface to run VPN client on all supported operating systems. We suggest using GUI.
......
VPN Access
==========
# VPN Access
Accessing IT4Innovations internal resources via VPN
---------------------------------------------------
## Accessing IT4Innovations internal resources via VPN
!!! Note "Note"
**Failed to initialize connection subsystem Win 8.1 - 02-10-15 MS patch**
**Failed to initialize connection subsystem Win 8.1 - 02-10-15 MS patch**
Workaround can be found at [vpn-connection-fail-in-win-8.1](../../get-started-with-it4innovations/accessing-the-clusters/shell-access-and-data-transfer/vpn-connection-fail-in-win-8.1.html)
Workaround can be found at [vpn-connection-fail-in-win-8.1](../../get-started-with-it4innovations/accessing-the-clusters/shell-access-and-data-transfer/vpn-connection-fail-in-win-8.1.html)
For using resources and licenses which are located at IT4Innovations local network, it is necessary to VPN connect to this network. We use Cisco AnyConnect Secure Mobility Client, which is supported on the following operating systems:
- Windows XP
- Windows Vista
- Windows 7
- Windows 8
- Linux
- MacOS
* Windows XP
* Windows Vista
* Windows 7
* Windows 8
* Linux
* MacOS
It is impossible to connect to VPN from other operating systems.
VPN client installation
------------------------------------
## VPN client installation
You can install VPN client from web interface after successful login with LDAP credentials on address <https://vpn1.it4i.cz/anselm>
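Review bot: This file duplicates the VPN page above almost verbatim (only the portal URL differs); consider one page with a per-cluster URL. The link in the note points to a .html file while the rest of the documentation links to .md sources; with mkdocs the .md form is the one that resolves.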
......@@ -49,12 +46,11 @@ After you click on the link, download of installation file will start.
After successful download of installation file, you have to execute this tool with administrator's rights and install VPN client manually.
Working with VPN client
-----------------------
## Working with VPN client
You can use graphical user interface or command line interface to run VPN client on all supported operating systems. We suggest using GUI.
Before the first login to VPN, you have to fill URL **https://vpn1.it4i.cz/anselm** into the text field.
Before the first login to VPN, you have to fill URL [**https://vpn1.it4i.cz/anselm**](https://vpn1.it4i.cz/anselm) into the text field.
![](../img/firstrun.jpg)
......
Certificates FAQ
================
# Certificates FAQ
FAQ about certificates in general
Q: What are certificates?
-------------------------
## Q: What are certificates?
IT4Innovations employs X.509 certificates for secure communication (e. g. credentials exchange) and for grid services related to PRACE, as they present a single method of authentication for all PRACE services, where only one password is required.
There are different kinds of certificates, each with a different scope of use. We mention here:
- User (Private) certificates
- Certificate Authority (CA) certificates
- Host certificates
- Service certificates
* User (Private) certificates
* Certificate Authority (CA) certificates
* Host certificates
* Service certificates
However, users need only manage User and CA certificates. Note that your user certificate is protected by an associated private key, and this **private key must never be disclosed**.
Q: Which X.509 certificates are recognised by IT4Innovations?
-------------------------------------------------------------
## Q: Which X.509 certificates are recognised by IT4Innovations?
[The Certificates for Digital Signatures](obtaining-login-credentials/#the-certificates-for-digital-signatures).
Q: How do I get a User Certificate that can be used with IT4Innovations?
------------------------------------------------------------------------
## Q: How do I get a User Certificate that can be used with IT4Innovations?
To get a certificate, you must make a request to your local, IGTF approved, Certificate Authority (CA). Usually you then must visit, in person, your nearest Registration Authority (RA) to verify your affiliation and identity (photo identification is required). Usually, you will then be emailed details on how to retrieve your certificate, although procedures can vary between CAs. If you are in Europe, you can locate [your trusted CA](www.eugridpma.org/members/worldmap).
In some countries certificates can also be retrieved using the TERENA Certificate Service, see the FAQ below for the link.
Q: Does IT4Innovations support short lived certificates (SLCS)?
---------------------------------------------------------------
## Q: Does IT4Innovations support short lived certificates (SLCS)?
Yes, provided that the CA which provides this service is also a member of IGTF.
Q: Does IT4Innovations support the TERENA certificate service?
--------------------------------------------------------------
## Q: Does IT4Innovations support the TERENA certificate service?
Yes, ITInnovations supports TERENA eScience personal certificates. For more information, please visit [TCS - Trusted Certificate Service](https://tcs-escience-portal.terena.org/), where you also can find if your organisation/country can use this service
Q: What format should my certificate take?
------------------------------------------
## Q: What format should my certificate take?
User Certificates come in many formats, the three most common being the ’PKCS12’, ’PEM’ and the JKS formats.
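Review bot: "[your trusted CA](www.eugridpma.org/members/worldmap)" has no scheme, so it renders as a relative link under the documentation site; use https://www.eugridpma.org/members/worldmap. Also "ITInnovations" should be "IT4Innovations" with a full stop at the end of that sentence, and the curly quotes around ’PKCS12’ and ’PEM’ should be straight quotes.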
......@@ -54,8 +47,7 @@ JKS is the Java KeyStore and may contain both your personal certificate with you
To convert your Certificate from p12 to JKS, IT4Innovations recommends using the keytool utiliy (see separate FAQ entry).
Q: What are CA certificates?
----------------------------
## Q: What are CA certificates?
Certification Authority (CA) certificates are used to verify the link between your user certificate and the authority which issued it. They are also used to verify the link between the host certificate of a IT4Innovations server and the CA which issued that certificate. In essence they establish a chain of trust between you and the target server. Thus, for some grid services, users must have a copy of all the CA certificates.
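Review bot: "keytool utiliy" should be "keytool utility" (also in the hunk header), and "a IT4Innovations server" should be "an IT4Innovations server".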
......@@ -71,17 +63,15 @@ Lastly, if you need the CA certificates for a personal Globus 5 installation, th
If you run this command as ’root’, then it will install the certificates into /etc/grid-security/certificates. If you run this not as ’root’, then the certificates will be installed into $HOME/.globus/certificates. For Globus, you can download the globuscerts.tar.gz packet [available here](https://winnetou.surfsara.nl/prace/certs/).
Q: What is a DN and how do I find mine?
---------------------------------------
## Q: What is a DN and how do I find mine?
DN stands for Distinguished Name and is part of your user certificate. IT4Innovations needs to know your DN to enable your account to use the grid services. You may use openssl (see below) to determine your DN or, if your browser contains your user certificate, you can extract your DN from your browser.
For Internet Explorer users, the DN is referred to as the "subject" of your certificate. Tools-&gt;Internet Options-&gt;Content-&gt;Certificates-&gt;View-&gt;Details-&gt;Subject.
For Internet Explorer users, the DN is referred to as the "subject" of your certificate. ToolsInternet OptionsContentCertificatesViewDetailsSubject.
For users running Firefox under Windows, the DN is referred to as the "subject" of your certificate. Tools-&gt;Options-&gt;Advanced-&gt;Encryption-&gt;View Certificates. Highlight your name and then Click View-&gt;Details-&gt;Subject.
For users running Firefox under Windows, the DN is referred to as the "subject" of your certificate. ToolsOptionsAdvancedEncryptionView Certificates. Highlight your name and then Click ViewDetailsSubject.
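Review bot: The arrows were deleted from the browser menu paths, which leaves "ToolsInternet OptionsContentCertificatesViewDetailsSubject" unreadable; the &gt; entities should have been replaced with a visible separator (Tools > Internet Options > Content > Certificates > View > Details > Subject), not removed.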
Q: How do I use the openssl tool?
---------------------------------
## Q: How do I use the openssl tool?
The following examples are for Unix/Linux operating systems only.
......@@ -116,8 +106,7 @@ To check your certificate (e.g., DN, validity, issuer, public key algorithm, etc
To download openssl if not pre-installed, [please visit](https://www.openssl.org/source/). On Macintosh Mac OS X computers openssl is already pre-installed and can be used immediately.
Q: How do I create and then manage a keystore?
----------------------------------------------
## Q: How do I create and then manage a keystore?
IT4innovations recommends the java based keytool utility to create and manage keystores, which themselves are stores of keys and certificates. For example if you want to convert your pkcs12 formatted key pair into a java keystore you can use the following command.
......@@ -139,8 +128,7 @@ where $mydomain.crt is the certificate of a trusted signing authority (CA) and $
More information on the tool can be found [here](http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html)
Q: How do I use my certificate to access the different grid Services?
---------------------------------------------------------------------
## Q: How do I use my certificate to access the different grid Services?
Most grid services require the use of your certificate; however, the format of your certificate depends on the grid Service you wish to employ.
......@@ -150,26 +138,22 @@ If the grid service is UNICORE, then you bind your certificate, in either the p1
If the grid service is part of Globus, such as GSI-SSH, GriFTP or GRAM5, then the certificates can be in either p12 or PEM format and must reside in the "$HOME/.globus" directory for Linux and Mac users or %HOMEPATH%.globus for Windows users. (Windows users will have to use the DOS command ’cmd’ to create a directory which starts with a ’.’). Further, user certificates should be named either "usercred.p12" or "usercert.pem" and "userkey.pem", and the CA certificates must be kept in a pre-specified directory as follows. For Linux and Mac users, this directory is either $HOME/.globus/certificates or /etc/grid-security/certificates. For Windows users, this directory is %HOMEPATH%.globuscertificates. (If you are using GSISSH-Term from prace-ri.eu then you do not have to create the .globus directory nor install CA certificates to use this tool alone).
Q: How do I manually import my certificate into my browser?
-----------------------------------------------------------
## Q: How do I manually import my certificate into my browser?
If you employ the Firefox browser, then you can import your certificate by first choosing the "Preferences" window. For Windows, this is Tools-&gt;Options. For Linux, this is Edit-&gt;Preferences. For Mac, this is Firefox-&gt;Preferences. Then, choose the "Advanced" button; followed by the "Encryption" tab. Then, choose the "Certificates" panel; select the option "Select one automatically" if you have only one certificate, or "Ask me every time" if you have more then one. Then click on the "View Certificates" button to open the "Certificate Manager" window. You can then select the "Your Certificates" tab and click on button "Import". Then locate the PKCS12 (.p12) certificate you wish to import, and employ its associated password.
If you employ the Firefox browser, then you can import your certificate by first choosing the "Preferences" window. For Windows, this is ToolsOptions. For Linux, this is EditPreferences. For Mac, this is FirefoxPreferences. Then, choose the "Advanced" button; followed by the "Encryption" tab. Then, choose the "Certificates" panel; select the option "Select one automatically" if you have only one certificate, or "Ask me every time" if you have more then one. Then click on the "View Certificates" button to open the "Certificate Manager" window. You can then select the "Your Certificates" tab and click on button "Import". Then locate the PKCS12 (.p12) certificate you wish to import, and employ its associated password.
If you are a Safari user, then simply open the "Keychain Access" application and follow "File-&gt;Import items".
If you are a Safari user, then simply open the "Keychain Access" application and follow "FileImport items".
If you are an Internet Explorer user, click Start-&gt;Settings-&gt;Control Panel and then double-click on Internet. On the Content tab, click Personal, and then click Import. In the Password box, type your password. NB you may be prompted multiple times for your password. In the "Certificate File To Import" box, type the filename of the certificate you wish to import, and then click OK. Click Close, and then click OK.
If you are an Internet Explorer user, click StartSettingsControl Panel and then double-click on Internet. On the Content tab, click Personal, and then click Import. In the Password box, type your password. NB you may be prompted multiple times for your password. In the "Certificate File To Import" box, type the filename of the certificate you wish to import, and then click OK. Click Close, and then click OK.
Q: What is a proxy certificate?
-------------------------------
## Q: What is a proxy certificate?
A proxy certificate is a short-lived certificate which may be employed by UNICORE and the Globus services. The proxy certificate consists of a new user certificate and a newly generated proxy private key. This proxy typically has a rather short lifetime (normally 12 hours) and often only allows a limited delegation of rights. Its default location, for Unix/Linux, is /tmp/x509_u*uid* but can be set via the $X509_USER_PROXY environment variable.
Q: What is the MyProxy service?
-------------------------------
## Q: What is the MyProxy service?
[The MyProxy Service](http://grid.ncsa.illinois.edu/myproxy/) , can be employed by gsissh-term and Globus tools, and is an online repository that allows users to store long lived proxy certificates remotely, which can then be retrieved for use at a later date. Each proxy is protected by a password provided by the user at the time of storage. This is beneficial to Globus users as they do not have to carry their private keys and certificates when travelling; nor do users have to install private keys and certificates on possibly insecure computers.
Q: Someone may have copied or had access to the private key of my certificate either in a separate file or in the browser. What should I do?
--------------------------------------------------------------------------------------------------------------------------------------------
## Q: Someone may have copied or had access to the private key of my certificate either in a separate file or in the browser. What should I do?
Please ask the CA that issued your certificate to revoke this certificate and to supply you with a new one. In addition, please report this to IT4Innovations by contacting [the support team](https://support.it4i.cz/rt).
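Review bot: the browser-import paragraphs in this hunk have the same run-together menu paths as the DN section ("ToolsOptions", "EditPreferences", "FirefoxPreferences", "FileImport items", "StartSettingsControl Panel"); restore a visible separator such as ` -> ` between the menu items. While touching the Firefox paragraph, "more then one" should read "more than one".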
Obtaining Login Credentials
===========================
# Obtaining Login Credentials
Obtaining Authorization
-----------------------
## Obtaining Authorization
The computational resources of IT4I are allocated by the Allocation Committee to a [Project](/), investigated by a Primary Investigator. By allocating the computational resources, the Allocation Committee is authorizing the PI to access and use the clusters. The PI may decide to authorize a number of her/his Collaborators to access and use the clusters, to consume the resources allocated to her/his Project. These collaborators will be associated to the Project. The Figure below is depicting the authorization chain:
![](../../img/Authorization_chain.png)
!!! note
You need to either [become the PI](../applying-for-resources/) or [be named as a collaborator](obtaining-login-credentials/#authorization-by-web) by a PI in order to access and use the clusters.
You need to either [become the PI](../applying-for-resources/) or [be named as a collaborator](obtaining-login-credentials/#authorization-by-web) by a PI in order to access and use the clusters.
Head of Supercomputing Services acts as a PI of a project DD-13-5. Joining this project, you may **access and explore the clusters**, use software, development environment and computers via the qexp and qfree queues. You may use these resources for own education/research, no paperwork is required. All IT4I employees may contact the Head of Supercomputing Services in order to obtain **free access to the clusters**.
Authorization of PI by Allocation Committee
-------------------------------------------
## Authorization of PI by Allocation Committee
The PI is authorized to use the clusters by the allocation decision issued by the Allocation Committee.The PI will be informed by IT4I about the Allocation Committee decision.
Authorization by web
--------------------
## Authorization by web
!!! warning
**Only** for those who already have their IT4I HPC account. This is a preferred way of granting access to project resources. Please, use this method whenever it's possible.
**Only** for those who already have their IT4I HPC account. This is a preferred way of granting access to project resources. Please, use this method whenever it's possible.
This is a preferred way of granting access to project resources. Please, use this method whenever it's possible.
Log in to the [IT4I Extranet portal](https://extranet.it4i.cz) using IT4I credentials and go to the **Projects** section.
* **Users:** Please, submit your requests for becoming a project member.
* **Primary Investigators:** Please, approve or deny users' requests in the same section.
* **Users:** Please, submit your requests for becoming a project member.
* **Primary Investigators:** Please, approve or deny users' requests in the same section.
Authorization by e-mail (an alternative approach)
-------------------------------------------------
## Authorization by e-mail (an alternative approach)
In order to authorize a Collaborator to utilize the allocated resources, the PI should contact the [IT4I support](https://support.it4i.cz/rt/) (E-mail: [support[at]it4i.cz](mailto:support@it4i.cz)) and provide following information:
1. Identify your project by project ID
2. Provide list of people, including himself, who are authorized to use the resources allocated to the project. The list must include full name, e-mail and affiliation. Provide usernames as well, if collaborator login access already exists on the IT4I systems.
3. Include "Authorization to IT4Innovations" into the subject line.
1. Identify your project by project ID
1. Provide list of people, including himself, who are authorized to use the resources allocated to the project. The list must include full name, e-mail and affiliation. Provide usernames as well, if collaborator login access already exists on the IT4I systems.
1. Include "Authorization to IT4Innovations" into the subject line.
Example (except the subject line which must be in English, you may use Czech or Slovak language for communication with us):
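Review bot: the warning admonition under "Authorization by web" now contains the sentence "This is a preferred way of granting access to project resources. Please, use this method whenever it's possible." and the identical sentence is repeated as a standalone paragraph right after the admonition; drop one copy, preferably the standalone one, since the admonition already carries it. Smaller points in the same hunk: the figure `![](../../img/Authorization_chain.png)` has an empty alt text, and "Provide list of people, including himself" reads better as "including yourself", since the list is addressed to the PI.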
......@@ -60,17 +55,16 @@ Example (except the subject line which must be in English, you may use Czech or
Should the above information be provided by e-mail, the e-mail **must be** digitally signed. Read more on [digital signatures](obtaining-login-credentials/#the-certificates-for-digital-signatures) below.
The Login Credentials
---------------------
## The Login Credentials
Once authorized by PI, every person (PI or Collaborator) wishing to access the clusters, should contact the [IT4I support](https://support.it4i.cz/rt/) (E-mail: [support[at]it4i.cz](mailto:support@it4i.cz)) providing following information:
1. Project ID
2. Full name and affiliation
3. Statement that you have read and accepted the [Acceptable use policy document](http://www.it4i.cz/acceptable-use-policy.pdf) (AUP).
4. Attach the AUP file.
5. Your preferred username, max 8 characters long. The preferred username must associate your surname and name or be otherwise derived from it. Only alphanumeric sequences, dash and underscore signs are allowed.
6. In case you choose [Alternative way to personal certificate](obtaining-login-credentials/#alternative-way-of-getting-personal-certificate), a **scan of photo ID** (personal ID or passport or driver license) is required
1. Project ID
1. Full name and affiliation
1. Statement that you have read and accepted the [Acceptable use policy document](http://www.it4i.cz/acceptable-use-policy.pdf) (AUP).
1. Attach the AUP file.
1. Your preferred username, max 8 characters long. The preferred username must associate your surname and name or be otherwise derived from it. Only alphanumeric sequences, dash and underscore signs are allowed.
1. In case you choose [Alternative way to personal certificate](obtaining-login-credentials/#alternative-way-of-getting-personal-certificate), a **scan of photo ID** (personal ID or passport or driver license) is required
Example (except the subject line which must be in English, you may use Czech or Slovak language for communication with us):
......@@ -100,14 +94,13 @@ For various reasons we do not accept PGP keys.** Please, use only X.509 PKI cert
You will receive your personal login credentials by protected e-mail. The login credentials include:
1. username
2. ssh private key and private key passphrase
3. system password
1. username
1. ssh private key and private key passphrase
1. system password
The clusters are accessed by the [private key](../accessing-the-clusters/shell-access-and-data-transfer/ssh-keys/) and username. Username and password is used for login to the [information systems](http://support.it4i.cz/).
Change Passphrase
-----------------
## Change Passphrase
On Linux, use
......@@ -117,65 +110,60 @@ local $ ssh-keygen -f id_rsa -p
On Windows, use [PuTTY Key Generator](../accessing-the-clusters/shell-access-and-data-transfer/putty/#putty-key-generator).
Change Password
---------------
## Change Password
Change password in [your user profile](https://extranet.it4i.cz/user/).
The Certificates for Digital Signatures
---------------------------------------
## The Certificates for Digital Signatures
We accept personal certificates issued by any widely respected certification authority (CA). This includes certificates by CAs organized in [International Grid Trust Federation](http://www.igtf.net/), its European branch [EUGridPMA](https://www.eugridpma.org/) and its member organizations, e.g. the [CESNET certification authority](https://tcs.cesnet.cz). The Czech *"Qualified certificate" (Kvalifikovaný certifikát)* provided by [PostSignum](http://www.postsignum.cz/) or [I.CA](http://www.ica.cz/Kvalifikovany-certifikat.aspx), that is used in electronic contact with Czech authorities is accepted as well.
Certificate generation process is well-described here:
- [How to generate a personal TCS certificate in Mozilla Firefox web browser (in Czech)](http://idoc.vsb.cz/xwiki/wiki/infra/view/uzivatel/moz-cert-gen)
* [How to generate a personal TCS certificate in Mozilla Firefox web browser (in Czech)](http://idoc.vsb.cz/xwiki/wiki/infra/view/uzivatel/moz-cert-gen)
A FAQ about certificates can be found here: [Certificates FAQ](certificates-faq/).
Alternative Way to Personal Certificate
---------------------------------------
## Alternative Way to Personal Certificate
Follow these steps **only** if you can not obtain your certificate in a standard way. In case you choose this procedure, please attach a **scan of photo ID** (personal ID or passport or drivers license) when applying for [login credentials](obtaining-login-credentials/#the-login-credentials).
1. Go to [CAcert](www.cacert.org).
- If there's a security warning, just acknowledge it.
2. Click *Join*.
3. Fill in the form and submit it by the *Next* button.
- Type in the e-mail address which you use for communication with us.
- Don't forget your chosen *Pass Phrase*.
4. You will receive an e-mail verification link. Follow it.
5. After verifying, go to the CAcert's homepage and login using *Password Login*.
6. Go to *Client Certificates* -&gt; *New*.
7. Tick *Add* for your e-mail address and click the *Next* button.
8. Click the *Create Certificate Request* button.
9. You'll be redirected to a page from where you can download/install your certificate.
- Simultaneously you'll get an e-mail with a link to the certificate.
Installation of the Certificate Into Your Mail Client
-----------------------------------------------------
* Go to [CAcert](www.cacert.org).
* If there's a security warning, just acknowledge it.
* Click *Join*.
* Fill in the form and submit it by the *Next* button.
* Type in the e-mail address which you use for communication with us.
* Don't forget your chosen *Pass Phrase*.
* You will receive an e-mail verification link. Follow it.
* After verifying, go to the CAcert's homepage and login using *Password Login*.
* Go to *Client Certificates* *New*.
* Tick *Add* for your e-mail address and click the *Next* button.
* Click the *Create Certificate Request* button.
* You'll be redirected to a page from where you can download/install your certificate.
* Simultaneously you'll get an e-mail with a link to the certificate.
## Installation of the Certificate Into Your Mail Client
The procedure is similar to the following guides:
MS Outlook 2010
- [How to Remove, Import, and Export Digital certificates](http://support.microsoft.com/kb/179380)
- [Importing a PKCS #12 certificate (in Czech)](http://idoc.vsb.cz/xwiki/wiki/infra/view/uzivatel/outl-cert-imp)
* [How to Remove, Import, and Export Digital certificates](http://support.microsoft.com/kb/179380)
* [Importing a PKCS #12 certificate (in Czech)](http://idoc.vsb.cz/xwiki/wiki/infra/view/uzivatel/outl-cert-imp)
Mozilla Thudnerbird
- [Installing an SMIME certificate](http://kb.mozillazine.org/Installing_an_SMIME_certificate)
- [Importing a PKCS #12 certificate (in Czech)](http://idoc.vsb.cz/xwiki/wiki/infra/view/uzivatel/moz-cert-imp)
* [Installing an SMIME certificate](http://kb.mozillazine.org/Installing_an_SMIME_certificate)
* [Importing a PKCS #12 certificate (in Czech)](http://idoc.vsb.cz/xwiki/wiki/infra/view/uzivatel/moz-cert-imp)
End of User Account Lifecycle
-----------------------------
## End of User Account Lifecycle
User accounts are supported by membership in active Project(s) or by affiliation to IT4Innovations. User accounts, that loose the support (meaning, are not attached to an active project and are not affiliated with IT4I), will be deleted 1 year after the last project to which they were attached expires.
User will get 3 automatically generated warning e-mail messages of the pending removal:.
- First message will be sent 3 months before the removal
- Second message will be sent 1 month before the removal
- Third message will be sent 1 week before the removal.
* First message will be sent 3 months before the removal
* Second message will be sent 1 month before the removal
* Third message will be sent 1 week before the removal.
The messages will inform about the projected removal date and will challenge the user to migrate her/his data
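Review bot: the CAcert procedure in this hunk was changed from an ordered list with indented sub-notes ("1. Go to CAcert" through "9. You'll be redirected") into a flat unordered list, but these are sequential steps (the verification link in one step only exists after the form submitted in the previous one), so keep them as `1.` items, as this commit does for the e-mail and login-credentials lists, with the notes ("If there's a security warning, just acknowledge it.", "Don't forget your chosen Pass Phrase.") indented under their parent step. Also in this hunk: "Go to *Client Certificates* *New*" lost its arrow separator, the link `[CAcert](www.cacert.org)` has no scheme and will resolve relative to the docs site (use `https://www.cacert.org`), "Mozilla Thudnerbird" should be "Thunderbird", "loose the support" should be "lose the support", and "pending removal:." has a stray period.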
Storage
=======
# Storage
Introduction
------------
## Introduction
There are two main shared file systems on Salomon cluster, the [HOME](#home) and [SCRATCH](#shared-filesystems).
All login and compute nodes may access same data on shared file systems. Compute nodes are also equipped with local (non-shared) scratch, ramdisk and tmp file systems.
Policy (in a nutshell)
----------------------
## Policy (in a nutshell)
!!! note
* Use [HOME](#home) for your most valuable data and programs.
* Use [WORK](#work) for your large project files.
* Use [TEMP](#temp) for large scratch data.
* Use [HOME](#home) for your most valuable data and programs.
* Use [WORK](#work) for your large project files.
* Use [TEMP](#temp) for large scratch data.
!!! warning
Do not use for [archiving](#archiving)!
Do not use for [archiving](#archiving)!
Archiving
-------------
## Archiving
Please don't use shared file systems as a backup for large amount of data or long-term archiving mean. The academic staff and students of research institutions in the Czech Republic can use [CESNET storage service](#cesnet-data-storage), which is available via SSHFS.
Shared File systems
----------------------
## Shared File systems
Salomon computer provides two main shared file systems, the [HOME file system](#home-filesystem) and the [SCRATCH file system](#scratch-filesystem). The SCRATCH file system is partitioned to [WORK and TEMP workspaces](#shared-workspaces). The HOME file system is realized as a tiered NFS disk storage. The SCRATCH file system is realized as a parallel Lustre file system. Both shared file systems are accessible via the Infiniband network. Extended ACLs are provided on both HOME/SCRATCH file systems for the purpose of sharing data with other users using fine-grained control.
###HOME file system
### HOME file system
The HOME file system is realized as a Tiered file system, exported via NFS. The first tier has capacity 100 TB, second tier has capacity 400 TB. The file system is available on all login and computational nodes. The Home file system hosts the [HOME workspace](#home).
###SCRATCH file system
### SCRATCH file system
The architecture of Lustre on Salomon is composed of two metadata servers (MDS) and six data/object storage servers (OSS). Accessible capacity is 1.69 PB, shared among all users. The SCRATCH file system hosts the [WORK and TEMP workspaces](#shared-workspaces).
Configuration of the SCRATCH Lustre storage
- SCRATCH Lustre object storage
- Disk array SFA12KX
- 540 x 4 TB SAS 7.2krpm disk
- 54 x OST of 10 disks in RAID6 (8+2)
- 15 x hot-spare disk
- 4 x 400 GB SSD cache
- SCRATCH Lustre metadata storage
- Disk array EF3015
- 12 x 600 GB SAS 15 krpm disk
* SCRATCH Lustre object storage
* Disk array SFA12KX
* 540 x 4 TB SAS 7.2krpm disk
* 54 x OST of 10 disks in RAID6 (8+2)
* 15 x hot-spare disk
* 4 x 400 GB SSD cache
* SCRATCH Lustre metadata storage
* Disk array EF3015
* 12 x 600 GB SAS 15 krpm disk
### Understanding the Lustre File systems
(source <http://www.nas.nasa.gov>)
[http://www.nas.nasa.gov](http://www.nas.nasa.gov)
A user file on the Lustre file system can be divided into multiple chunks (stripes) and stored across a subset of the object storage targets (OSTs) (disks). The stripes are distributed among the OSTs in a round-robin fashion to ensure load balancing.
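Review bot: replacing "(source <http://www.nas.nasa.gov>)" with a bare "[http://www.nas.nasa.gov](http://www.nas.nasa.gov)" drops the word "source", so the link under "Understanding the Lustre File systems" no longer tells the reader that the text that follows is adapted from NASA's documentation; keep the attribution, e.g. "(source: [http://www.nas.nasa.gov](http://www.nas.nasa.gov))". In the same hunk, when switching the SCRATCH configuration list from `-` to `*`, make sure the disk-array items stay indented under "SCRATCH Lustre object storage" and "SCRATCH Lustre metadata storage", otherwise the two-level structure is lost.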
......@@ -59,11 +57,11 @@ If multiple clients try to read and write the same part of a file at the same ti
There is default stripe configuration for Salomon Lustre file systems. However, users can set the following stripe parameters for their own directories or files to get optimum I/O performance:
1. stripe_size: the size of the chunk in bytes; specify with k, m, or g to use units of KB, MB, or GB, respectively; the size must be an even multiple of 65,536 bytes; default is 1MB for all Salomon Lustre file systems
2. stripe_count the number of OSTs to stripe across; default is 1 for Salomon Lustre file systems one can specify -1 to use all OSTs in the file system.
3. stripe_offset The index of the OST where the first stripe is to be placed; default is -1 which results in random selection; using a non-default value is NOT recommended.
1. stripe_count the number of OSTs to stripe across; default is 1 for Salomon Lustre file systems one can specify -1 to use all OSTs in the file system.
1. stripe_offset The index of the OST where the first stripe is to be placed; default is -1 which results in random selection; using a non-default value is NOT recommended.
!!! Note "Note"
Setting stripe size and stripe count correctly for your needs may significantly impact the I/O performance you experience.
Setting stripe size and stripe count correctly for your needs may significantly impact the I/O performance you experience.
Use the lfs getstripe for getting the stripe parameters. Use the lfs setstripe command for setting the stripe parameters to get optimal I/O performance The correct stripe setting depends on your needs and file access patterns.
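Review bot: since the stripe-parameter list is being renumbered anyway, the second and third items should get the same "name: description" shape as the first ("stripe_count: the number of OSTs ...", "stripe_offset: the index of the OST ..."), and the run-on "default is 1 for Salomon Lustre file systems one can specify -1" needs a break after "file systems". The sentence below the list is also missing a period before "The correct stripe setting".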
......@@ -97,21 +95,21 @@ $ man lfs
### Hints on Lustre Stripping
!!! Note "Note"
Increase the stripe_count for parallel I/O to the same file.
Increase the stripe_count for parallel I/O to the same file.
When multiple processes are writing blocks of data to the same file in parallel, the I/O performance for large files will improve when the stripe_count is set to a larger value. The stripe count sets the number of OSTs the file will be written to. By default, the stripe count is set to 1. While this default setting provides for efficient access of metadata (for example to support the ls -l command), large files should use stripe counts of greater than 1. This will increase the aggregate I/O bandwidth by using multiple OSTs in parallel instead of just one. A rule of thumb is to use a stripe count approximately equal to the number of gigabytes in the file.
Another good practice is to make the stripe count be an integral factor of the number of processes performing the write in parallel, so that you achieve load balance among the OSTs. For example, set the stripe count to 16 instead of 15 when you have 64 processes performing the writes.
!!! Note "Note"
Using a large stripe size can improve performance when accessing very large files
Using a large stripe size can improve performance when accessing very large files
Large stripe size allows each client to have exclusive access to its own part of a file. However, it can be counterproductive in some cases if it does not match your I/O pattern. The choice of stripe size has no effect on a single-stripe file.
Read more on <http://wiki.lustre.org/manual/LustreManual20_HTML/ManagingStripingFreeSpace.html>
Read more on [http://wiki.lustre.org/manual/LustreManual20_HTML/ManagingStripingFreeSpace.html](http://wiki.lustre.org/manual/LustreManual20_HTML/ManagingStripingFreeSpace.html)
## Disk usage and quota commands
Disk usage and quota commands
------------------------------------------
User quotas on the Lustre file systems (SCRATCH) can be checked and reviewed using following command:
```bash
......@@ -124,10 +122,10 @@ Example for Lustre SCRATCH directory:
$ lfs quota /scratch
Disk quotas for user user001 (uid 1234):
Filesystem kbytes quota limit grace files quota limit grace
/scratch 8 0 100000000000 - 3 0 0 -
/scratch 8 0 100000000000 * 3 0 0 -
Disk quotas for group user001 (gid 1234):
Filesystem kbytes quota limit grace files quota limit grace
/scratch 8 0 0 - 3 0 0 -
/scratch 8 0 0 * 3 0 0 -
```
In this example, we view current quota size limit of 100TB and 8KB currently used by user001.
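Review bot: the two `lfs quota` output lines in this hunk change the grace column from `-` to `*` ("/scratch 8 0 100000000000 * 3 0 0 -"), but this is captured program output and should not be edited: `lfs quota` prints `-` when no grace period applies and uses `*` to flag an exceeded limit, so the altered sample now looks like an over-quota user while the paragraph below still says only 8 KB of a 100 TB limit is used. Revert both lines to the original `-`.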
......@@ -178,8 +176,8 @@ $ man lfs
$ man du
```
Extended Access Control List (ACL)
----------------------------------
## Extended Access Control List (ACL)
Extended ACLs provide another security mechanism beside the standard POSIX ACLs which are defined by three entries (for owner/group/others). Extended ACLs have more than the three basic entries. In addition, they also contain a mask entry and may contain any number of named user and named group entries.
ACLs on a Lustre file system work exactly like ACLs on any Linux file system. They are manipulated with the standard tools in the standard manner. Below, we create a directory and allow a specific user access.
......@@ -215,15 +213,14 @@ Default ACL mechanism can be used to replace setuid/setgid permissions on direct
[http://www.vanemery.com/Linux/ACL/POSIX_ACL_on_Linux.html ](http://www.vanemery.com/Linux/ACL/POSIX_ACL_on_Linux.html)
Shared Workspaces
---------------------
## Shared Workspaces
###HOME
### HOME
Users home directories /home/username reside on HOME file system. Accessible capacity is 0.5 PB, shared among all users. Individual users are restricted by file system usage quotas, set to 250 GB per user. If 250 GB should prove as insufficient for particular user, please contact [support](https://support.it4i.cz/rt), the quota may be lifted upon request.
!!! Note "Note"
The HOME file system is intended for preparation, evaluation, processing and storage of data generated by active Projects.
The HOME file system is intended for preparation, evaluation, processing and storage of data generated by active Projects.
The HOME should not be used to archive data of past Projects or other unrelated data.
......@@ -244,14 +241,14 @@ The workspace is backed up, such that it can be restored in case of catasthropic
The WORK workspace resides on SCRATCH file system. Users may create subdirectories and files in directories **/scratch/work/user/username** and **/scratch/work/project/projectid. **The /scratch/work/user/username is private to user, much like the home directory. The /scratch/work/project/projectid is accessible to all users involved in project projectid.
!!! Note "Note"
The WORK workspace is intended to store users project data as well as for high performance access to input and output files. All project data should be removed once the project is finished. The data on the WORK workspace are not backed up.
The WORK workspace is intended to store users project data as well as for high performance access to input and output files. All project data should be removed once the project is finished. The data on the WORK workspace are not backed up.
Files on the WORK file system are **persistent** (not automatically deleted) throughout duration of the project.
Files on the WORK file system are **persistent** (not automatically deleted) throughout duration of the project.
The WORK workspace is hosted on SCRATCH file system. The SCRATCH is realized as Lustre parallel file system and is available from all login and computational nodes. Default stripe size is 1 MB, stripe count is 1. There are 54 OSTs dedicated for the SCRATCH file system.
!!! Note "Note"
Setting stripe size and stripe count correctly for your needs may significantly impact the I/O performance you experience.
Setting stripe size and stripe count correctly for your needs may significantly impact the I/O performance you experience.
|WORK workspace||
|---|---|
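Review bot: the WORK paragraph in this hunk has a bold span written as `**/scratch/work/project/projectid. **The` with a space before the closing `**`, which markdown renderers do not treat as emphasis, so the literal asterisks show up in the page; move the period outside and close the span tightly, e.g. `**/scratch/work/project/projectid**. The`.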
......@@ -269,16 +266,16 @@ The WORK workspace is hosted on SCRATCH file system. The SCRATCH is realized as
The TEMP workspace resides on SCRATCH file system. The TEMP workspace accesspoint is /scratch/temp. Users may freely create subdirectories and files on the workspace. Accessible capacity is 1.6 PB, shared among all users on TEMP and WORK. Individual users are restricted by file system usage quotas, set to 100 TB per user. The purpose of this quota is to prevent runaway programs from filling the entire file system and deny service to other users. >If 100 TB should prove as insufficient for particular user, please contact [support](https://support.it4i.cz/rt), the quota may be lifted upon request.
!!! Note "Note"
The TEMP workspace is intended for temporary scratch data generated during the calculation as well as for high performance access to input and output files. All I/O intensive jobs must use the TEMP workspace as their working directory.
The TEMP workspace is intended for temporary scratch data generated during the calculation as well as for high performance access to input and output files. All I/O intensive jobs must use the TEMP workspace as their working directory.
Users are advised to save the necessary data from the TEMP workspace to HOME or WORK after the calculations and clean up the scratch files.
Users are advised to save the necessary data from the TEMP workspace to HOME or WORK after the calculations and clean up the scratch files.
Files on the TEMP file system that are **not accessed for more than 90 days** will be automatically **deleted**.
The TEMP workspace is hosted on SCRATCH file system. The SCRATCH is realized as Lustre parallel file system and is available from all login and computational nodes. Default stripe size is 1 MB, stripe count is 1. There are 54 OSTs dedicated for the SCRATCH file system.
!!! Note "Note"
Setting stripe size and stripe count correctly for your needs may significantly impact the I/O performance you experience.
Setting stripe size and stripe count correctly for your needs may significantly impact the I/O performance you experience.
|TEMP workspace||
|---|---|
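Review bot: the TEMP paragraph in this hunk still carries a stray `>` in the middle of a sentence ("... deny service to other users. >If 100 TB should prove ..."), which markdown will not render as a blockquote here but which does appear as a literal character; remove it.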
......@@ -291,19 +288,19 @@ The TEMP workspace is hosted on SCRATCH file system. The SCRATCH is realized as
|Number of OSTs|54|
|Protocol|Lustre|
RAM disk
--------
## RAM disk
Every computational node is equipped with file system realized in memory, so called RAM disk.
!!! Note "Note"
Use RAM disk in case you need really fast access to your data of limited size during your calculation. Be very careful, use of RAM disk file system is at the expense of operational memory.
Use RAM disk in case you need really fast access to your data of limited size during your calculation. Be very careful, use of RAM disk file system is at the expense of operational memory.
The local RAM disk is mounted as /ramdisk and is accessible to user at /ramdisk/$PBS_JOBID directory.
The local RAM disk file system is intended for temporary scratch data generated during the calculation as well as for high performance access to input and output files. Size of RAM disk file system is limited. Be very careful, use of RAM disk file system is at the expense of operational memory. It is not recommended to allocate large amount of memory and use large amount of data in RAM disk file system at the same time.
!!! Note "Note"
The local RAM disk directory /ramdisk/$PBS_JOBID will be deleted immediately after the calculation end. Users should take care to save the output data from within the jobscript.
!!! Note
The local RAM disk directory /ramdisk/$PBS_JOBID will be deleted immediately after the calculation end. Users should take care to save the output data from within the jobscript.
|RAM disk||
|---|---|
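Review bot: the second admonition in the RAM disk section becomes a bare `!!! Note` while every other admonition on this page keeps the `!!! Note "Note"` title; either drop the title everywhere or keep it here for consistency. The sentence "Be very careful, use of RAM disk file system is at the expense of operational memory." also appears both inside the first admonition and again in the paragraph below it, so one copy can go. Minor grammar: "will be deleted immediately after the calculation end" should read "after the calculation ends".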
......@@ -314,8 +311,7 @@ The local RAM disk file system is intended for temporary scratch data generated
|User quota|none|
Summary
-------
## Summary
|Mountpoint|Usage|Protocol|Net|Capacity|Throughput|Limitations|Access|
|---|---|
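Review bot: the Summary table separator `|---|---|` declares two columns, but the header row above it (`|Mountpoint|Usage|Protocol|Net|Capacity|Throughput|Limitations|Access|`) declares eight; GFM-style renderers refuse to render a table whose separator and header counts differ. Suggest `|---|---|---|---|---|---|---|---|`.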
......@@ -324,12 +320,12 @@ Summary
|/scratch/temp|job temporary data|Lustre|1.69 PB|30 GB/s|Quota 100 TB|Compute and login nodes|files older 90 days removed|
|/ramdisk|job temporary data, node local|local|120GB|90 GB/s|none|Compute nodes|purged after job ends|
CESNET Data Storage
------------
## CESNET Data Storage
Do not use shared file systems at IT4Innovations as a backup for large amount of data or long-term archiving purposes.
!!! Note "Note"
The IT4Innovations does not provide storage capacity for data archiving. Academic staff and students of research institutions in the Czech Republic can use [CESNET Storage service](https://du.cesnet.cz/).
The IT4Innovations does not provide storage capacity for data archiving. Academic staff and students of research institutions in the Czech Republic can use [CESNET Storage service](https://du.cesnet.cz/).
The CESNET Storage service can be used for research purposes, mainly by academic staff and students of research institutions in the Czech Republic.
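Review bot: the `/scratch/temp` and `/ramdisk` rows are misaligned with the Summary header: neither row has a value for the `Net` column, so `1.69 PB` and `120GB` land under `Net`, the throughput figures under `Capacity`, and the final cells (`files older 90 days removed`, `purged after job ends`) have no header at all. Either add a `Net` cell to each row or drop that column from the header. Also `120GB` should be `120 GB` to match the other figures on the page, and "for large amount of data" in the CESNET paragraph should read "for large amounts of data".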
......@@ -343,13 +339,12 @@ The procedure to obtain the CESNET access is quick and trouble-free.
(source [https://du.cesnet.cz/](https://du.cesnet.cz/wiki/doku.php/en/start "CESNET Data Storage"))
CESNET storage access
---------------------
## CESNET storage access
### Understanding CESNET storage
!!! Note "Note"
It is very important to understand the CESNET storage before uploading data. Please read <https://du.cesnet.cz/en/navody/home-migrace-plzen/start> first.
It is very important to understand the CESNET storage before uploading data. [Please read](https://du.cesnet.cz/en/navody/home-migrace-plzen/start> first)
Once registered for CESNET Storage, you may [access the storage](https://du.cesnet.cz/en/navody/faq/start) in number of ways. We recommend the SSHFS and RSYNC methods.
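Review bot: the rewritten link in the "Understanding CESNET storage" admonition is broken: `[Please read](https://du.cesnet.cz/en/navody/home-migrace-plzen/start> first)` puts the stray `>` and the word `first` inside the URL parentheses, so the link target is invalid and the sentence loses its full stop. Suggest either keeping the autolink form `Please read <https://du.cesnet.cz/en/navody/home-migrace-plzen/start> first.` or writing `[Please read](https://du.cesnet.cz/en/navody/home-migrace-plzen/start) first.`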
......@@ -407,7 +402,7 @@ Rsync is a fast and extraordinarily versatile file copying tool. It is famous fo
Rsync finds files that need to be transferred using a "quick check" algorithm (by default) that looks for files that have changed in size or in last-modified time. Any changes in the other preserved attributes (as requested by options) are made on the destination file directly when the quick check indicates that the file's data does not need to be updated.
More about Rsync at <https://du.cesnet.cz/en/navody/rsync/start#pro_bezne_uzivatele>
More about Rsync at [here](https://du.cesnet.cz/en/navody/rsync/start#pro_bezne_uzivatele)
Transfer large files to/from CESNET storage, assuming membership in the Storage VO
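Review bot: "More about Rsync at [here](...)" reads awkwardly ("at here") and uses "here" as link text, which says nothing about the target; suggest keeping the autolink `More about Rsync at <https://du.cesnet.cz/en/navody/rsync/start#pro_bezne_uzivatele>` or writing `More about [Rsync](https://du.cesnet.cz/en/navody/rsync/start#pro_bezne_uzivatele) at the CESNET wiki.`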