Workspaces/Advanced Features: Difference between revisions

This document covers advanced features and detailed configuration options for the HPC workspace tools. For basic daily usage, see the main Workspaces guide.

Almost Complete Command Reference

Multiple Filesystem Locations

Some clusters offer multiple filesystem locations for workspaces with different characteristics:

bwUniCluster 3.0:

• Default workspace filesystem (Lustre)
• Flash-based workspace filesystem (ffuc) - for KIT/HoreKa users only
  • Lower latency and better performance for small files
  • SSDs instead of hard disks
  • Shared between bwUniCluster 3.0 and HoreKa

Example creating workspace on flash filesystem:

  $ ws_allocate -F ffuc myworkspace 60

Use ws_list -l or ws_find -l to see available filesystem locations on your cluster.

ws_allocate - Create and Extend Workspaces

Basic Usage

Execution of:

  $ ws_allocate myWs 30

e.g. returns:

  Workspace created. Duration is 720 hours. 
  Further extensions available: 3
  /work/workspace/scratch/username-myWs-0

The command returns the path to the new directory, which can be captured in a variable:

  $ SCRDIR=$(ws_allocate myWs 10)

Important: Creating a workspace a second time with the same command is a no-operation - it always returns the same path. This makes it safe and encouraged to use such a line in batch jobs which are part of a series of jobs working on the same data, no matter if the job was running before or not.

All Options and When to Use Them

Duration Settings

If you do not specify a lifetime, a default lifetime will be used (see the Cluster-Specific Workspace Limits)). The maximum lifetime may be limited by the operations team. If you specify a longer lifetime, it will be capped to the maximum, and you will see a message that it was changed.

For more information read the program's help: $ ws_allocate -h or man ws_allocate

ws_list - List Workspaces

Beyond the basic options shown in the main Workspaces guide, ws_list supports additional sorting and filtering:

• -N - Sort by name (alphabetical)
• -C - Sort by creation date
• -t - Terse format
• -v - Verbose format with all metadata
• -r - Reverse sort order
• -F <location> - List workspaces on specific filesystem only
• -g - List group workspaces (if you're in the same group)
• -l - List available filesystem locations

Example listing group workspaces:

  $ ws_list -g

This shows all workspaces that were created with -g or -G flags by members of your group.

Note: To list expired workspaces that can be restored, use ws_restore -l. See ws_restore for details.

For more information: $ ws_list -h or man ws_list

ws_find - Find Workspace Path

ws_find can search workspaces on specific filesystems:

• -F <filesystem> - Search workspace on specific filesystem
• -l - List valid filesystem names

ws_extend - Extend Workspace Lifetime

Beyond the basic extension shown in the main Workspaces guide:

• -F filesystem - Extend workspace on specific filesystem
• ws_allocate -x - Alternative command for extension
• You can shorten workspace lifetime even if no extensions are available
• Group members can extend group workspaces. Requires group write access ws_allocate -G:

  ws_allocate -x -u <username> <workspace_id> <days>

Update reminder only (without extending):

  $ ws_allocate -r <days> -x <workspace> 0                 # Update reminder time
  $ ws_allocate -r <days> -u <username> -x <workspace> 0   # Update reminder time and take over
                                                           # another user's workspace reminders

Getting Reminders

Email reminders: Sent automatically using email addresses from your identity provider. You can customize the reminder timing with -r <days>:

  $ ws_allocate -r 7 myWs 30                          # Reminder 7 days before expiry
  $ ws_allocate -r 3 -m custom@example.com myWs 30    # Custom timing and different email address

Calendar reminder (bwUniCluster 3.0, Helix):

  $ ws_send_ical <workspace> <email>

~/.ws_user.conf Configuration File

You can set defaults in ~/.ws_user.conf (YAML format) to avoid typing the same options repeatedly:

duration: 30              # Default workspace lifetime (first line must not start with #!)
reminder: 5               # Days before expiration to send reminder
groupname: projectgroup   # Default group for -G option (e.g., bw11a000)
# mail: custom@example.com  # Optional - only to override email from identity provider

Important: Some versions mistakenly interpret a leading # comment as email. First line must be a setting, not a comment. Inline comments are fine.

Benefits:

• Simplifies commands: ws_allocate myWs instead of ws_allocate -r 5 -G groupname myWs 30
• Ensures consistent settings across all operations
• Automatic group collaboration when groupname is set

Cooperative Usage (Group Workspaces and Sharing)

When working in teams, workspaces can be shared in multiple ways.

Important: Not all sharing methods are available on all clusters. The availability depends on:

• Filesystem type and ACL support
• Cluster-specific workspace tool configuration
• Unix group setup and permissions

If one sharing method doesn't work on your cluster, try an alternative approach. The -g and -G flags are most widely supported.

Group Workspaces

When a workspace is created with -g it becomes a group workspace that is visible to others with ws_list -g (if in same group), and is group readable:

  $ ws_allocate -g myWs 30

When created with -G <groupname> the workspace becomes writable as well, and gets group sticky bit:

  $ ws_allocate -G projectgroup myWs 30

The group can be specified in the ~/.ws_user.conf file as well.

Important: Group members can extend group-writable workspaces (created with -G) even if the original creator is absent:

  $ ws_allocate -x -u <username> <workspace_id> <days>

This requires group write access to the workspace. This is useful when the workspace owner is unavailable and the workspace needs to be extended.

Recommendations:

• Use -g when team members only need to read your results
• Use -G for collaborative work where everyone writes data
• Set groupname in ~/.ws_user.conf if you always work with the same group

Sharing with ws_share

With ws_share you can share workspaces with users outside your group, using ACLs (if supported by underlying filesystem).

Note: This feature requires ACL support on the filesystem. If ws_share doesn't work on your cluster, use manual ACL commands (setfacl) or fall back to Unix group permissions.

Share workspace with users:

  $ ws_share share myWs username1 username2    # Grant read access to one or more users
  $ ws_share share -F filesystem myWs user1    # Share on specific filesystem

Unshare workspace from users:

  $ ws_share unshare myWs username1            # Remove access from specific user(s)
  $ ws_share unshare-all myWs                  # Remove access from all users

List users with access:

  $ ws_share list myWs                         # Show all users with read access

These operations are applied to all files and directories in the workspace.

Options:

• -F <filesystem>, --filesystem: Specify the workspace filesystem
• -h, --help: Show help message

Recommendation: Use ws_share for selective sharing with individual users, especially when they are not in your Unix group.

ACLs: Access Control Lists

ACLs (Access Control Lists) provide fine-grained permission control beyond standard Unix permissions. They allow sharing with specific users and groups, and support default ACLs that new files automatically inherit.

Note: ACL support varies by filesystem. Not all clusters support ACLs on workspace filesystems. If ACL commands fail, use regular Unix permissions instead.

Key advantages:

• Share with specific users (not just groups)
• Default ACLs - new files automatically inherit permissions
• More flexible than Unix permissions

Note: ACLs take precedence over standard Unix permissions. View ACLs with ls -l (shown as "+" after permissions).

Quick Examples

Set workspace path in variable:

  $ DIR=$(ws_find my_workspace)

View current ACLs:

  $ getfacl "$DIR"

Important note on syntax: In all commands below, user: and group: are setfacl keywords. Replace username with the actual user login name (e.g., alice, jdoe) and groupname with the actual Unix group name (e.g., bw11a000).

Grant read-only access to a user:

  $ setfacl -Rm user:username:rX,default:user:username:rX "$DIR"
  
  # Example with actual username:
  $ setfacl -Rm user:alice:rX,default:user:alice:rX "$DIR"

Grant read-write access to a user:

  $ setfacl -Rm user:username:rwX,default:user:username:rwX "$DIR"
  
  # Example with actual username:
  $ setfacl -Rm user:jdoe:rwX,default:user:jdoe:rwX "$DIR"

Grant read-only access to a group:

  $ setfacl -Rm group:groupname:rX,default:group:groupname:rX "$DIR"
  
  # Example with actual groupname:
  $ setfacl -Rm group:bw11a000:rX,default:group:bw11a000:rX "$DIR"

Remove all ACLs:

  $ setfacl -Rb "$DIR"

Key Options

• -R: Apply to all files and subdirectories
• -m: Modify (add or change ACL entries)
• -b: Remove all ACL entries
• user:username:rwX: Set permissions for specific user (replace username with actual login)
• group:groupname:rwX: Set permissions for specific group (replace groupname with actual group)
• default: prefix: New files inherit these ACLs automatically
• r: Read permission
• w: Write permission
• X: Execute only on directories and already-executable files (capital X)

Important: Always use the default: prefix to ensure new files get the correct permissions automatically.

Recommendation

Always prefer ws_allocate -G or ws_share first. Use manual ACLs only for complex scenarios like:

• Sharing with specific users outside your group
• Different permissions for different users
• Fine-grained control not possible with -G or ws_share

Regular Unix Permissions

Use standard Unix permissions with chmod and chgrp when you and your collaborators share a common Unix group.

CRITICAL WARNING:

• NEVER use chmod 777 or a+rwx - makes your data accessible to everyone on the system
• NEVER use chmod o+rwx or chmod o+w - allows anyone to modify or delete your files
• Only set group permissions (g+r, g+w) for your specific research group

Quick Examples

Set workspace path in variable:

  $ DIR=$(ws_find my_workspace)

Read-only access for group:

  $ chgrp -R mygroup "$DIR"
  $ chmod -R g+rX "$DIR"

Read-write access for group:

  $ chgrp -R mygroup "$DIR"
  $ chmod -R g+rswX "$DIR"

Key Options

• -R: Apply to all files and subdirectories
• g+r: Group read permission
• g+w: Group write permission
• g+x: Group execute permission
• X: Execute only on directories and already-executable files (capital X)
• s: Setgid bit (set-group-ID) - new files inherit the directory's group ownership

Important: The setgid bit (g+s) ensures new files belong to the correct group, but their permissions depend on your umask. With the default umask (0022), new files will NOT be group-writable automatically. You must either:

• Set umask 0002 in your shell so new files are group-writable by default, OR
• Manually run chmod g+w on new files, OR
• Use ACLs with default: entries (which override umask and handle permissions automatically)

Recommendation

Always prefer ws_allocate -G groupname over manual Unix permissions. It handles everything automatically and correctly, including the sticky bit and proper permissions on all new files.

Use manual chmod/chgrp only when -G is not available on your cluster or for fixing permissions on existing data.

ws_release - Release (Delete) Workspace

To release a workspace, use:

  $ ws_release myWs

Syntax: ws_release [options] workspace_name

What happens when you release:

• The workspace ID can be reused immediately
• The directory becomes inaccessible to the user
• The data is not deleted immediately - it is moved to a deleted area
• Released workspaces: Can be recovered using ws_restore for a short grace period (typically 1 hour after release)
• Expired workspaces: Can be recovered for a longer period (system-dependent, typically 7-30 days after expiration, configured via keeptime in /etc/ws.conf)
• Final deletion happens automatically during cleanup runs (usually nighttime)
• Important: Released workspace data may still count toward your quota until final deletion occurs

Options

Immediate Deletion (Free Quota Instantly)

If you need to free quota immediately instead of waiting for the grace period, you have two options:

Option 1: Use --delete-data flag (recommended if available on your cluster):

  $ ws_release --delete-data myWs

Availability: Check if this flag is available on your cluster with ws_release -h.

Option 2: Manual deletion before release (works on all clusters):

See the section on using rm for manual deletion below for the safe method.

CRITICAL WARNING: Both methods permanently delete data that cannot be recovered, even by system administrators.

When to use immediate deletion:

• ✓ You're certain you don't need the data anymore
• ✓ You've already backed up important results to permanent storage
• ✓ You're hitting quota limits and need space immediately
• ✗ Don't use if there's any chance you might need the data
• ✗ Don't use if you haven't verified your backup worked

Best practice: Use regular ws_release myWs (without immediate deletion) as your default. Only use immediate deletion when you're absolutely certain and need immediate quota relief.

Using rm for Manual Deletion

If ws_release --delete-data is not available on your cluster, you can manually delete data before releasing:

  $ rm -rf -- "$(ws_find myWs)"
  $ ws_release myWs

Why this is safe:

• -- prevents path from being interpreted as option (even if it starts with -)
• Quotes around $(ws_find myWs) handle paths with spaces safely
• If ws_find fails or returns empty, rm fails with "missing operand" (no deletion occurs)
• Direct and simple - no complex patterns or subshells needed

ws_restore - Restore Expired Workspace

For a certain (system-specific) grace time following workspace expiration, a workspace can be restored.

Syntax: ws_restore [options] workspace_name target_name | -l

Restore Procedure

(1) Display restorable workspaces:

  $ ws_restore -l

This will list all workspaces that can still be recovered. You can use -b or --brief to hide the unavailability date in the list.

(2) Create a new workspace as the target for the restore:

  $ ws_allocate restored 60

(3) Restore the expired workspace:

  $ ws_restore <full_name_of_expired_workspace> restored

Important:

• The expired workspace must be specified using the full name as printed by ws_restore -l (not as printed by ws_list!), including username prefix and timestamp suffix (otherwise it cannot be uniquely identified)
• The target workspace must be given with just its short name as listed by ws_list, without the username prefix
• ws_restore can only work on the same filesystem. Ensure the new workspace is on the same filesystem as the expired workspace. Use -F <filesystem> flag if needed

Example:

  $ ws_restore username-myWs-0 restored

Options

If Workspace Cannot Be Restored

If the workspace is not visible/restorable, it has been permanently deleted and cannot be restored, not even by system administrators.

Helix-specific - Workspace Snapshots:

On Helix, if the workspace can't be restored anymore using ws_restore, you can check the snapshots under:

  /work/.snapshots/<timepoint>/ws/

Important notes about snapshots:

• Snapshots are point-in-time copies of the workspace filesystem
• Changes that happened since the last snapshot was created are lost
• Browse available snapshot timepoints in /work/.snapshots/
• Caution: The Helix team tries to keep the latest snapshots, but they cannot guarantee that snapshots will be available at all times
• Snapshots are a last resort when ws_restore no longer works

How to use snapshots:

  $ ls /work/.snapshots/                    # List available snapshot timepoints
  $ cd /work/.snapshots/2025-11-15_00.00.00/ws/
  $ ls                                      # Find your old workspace directory
  $ cp -r username-myWs-0 /path/to/active/workspace/  # Copy data to active workspace

Contact Helix support if you need assistance with snapshot recovery.

Please remember: Workspaces are intended solely for temporary work data, and there is no backup of data in the workspaces.

Recommendation: Email reminders are sent automatically. You can optionally customize reminder timing with -r option to be notified earlier, giving you time to extend the workspace or backup important data to appropriate permanent storage.

Cluster-Specific Information

Grace periods for expired/released workspaces vary by cluster and are configured via the keeptime parameter in /etc/ws.conf:

Note:

• Expired workspaces (reached end of lifetime) are kept for keeptime days configured in /etc/ws.conf
• Released workspaces (via ws_release) are deleted faster - typically within 1 hour
• Actual deletion happens during automated cleanup runs, typically during nighttime
• This allows users to recover accidentally released workspaces quickly, while giving more time for expired workspaces

Cluster-Specific Workspace Limits

Different clusters have different workspace policies configured in /etc/ws.conf. Below is an overview of typical settings:

Configuration parameters in /etc/ws.conf:

• duration - Maximum lifetime in days
• maxextensions - Number of times a workspace can be extended
• keeptime - Days to keep expired workspaces before final deletion (typically 7-30 days)
• Released workspaces have a shorter grace period (~1 hour) regardless of keeptime

Note: Check your specific cluster documentation for current quotas and settings, as they may change. Use ws_list -l to see available filesystems and their properties on your cluster.

Checking Workspace Quotas

The command to check workspace quota usage varies by cluster and filesystem:

Lustre-based clusters (bwUniCluster 3.0, JUSTUS 2):

  $ lfs quota -uh $(whoami) /lustre/work    # or appropriate workspace path
  $ lfs quota -uh $(whoami) /pfs/work9      # bwUniCluster 3.0

NEMO2 (Weka filesystem):

  $ nemoquota                                # Shows HOME and workspace quotas
  $ df --si $(ws_find workspace_name)        # Check specific workspace

Helix (IBM Spectrum Scale):

  $ workquotainfo                            # Shows workspace quota info

BinAC2:

• No quota limits enforced on workspaces
• Check available space with df command

General tip: Always check disk usage before large data operations to ensure sufficient space is available.

ws_register - Register Workspace Links

The ws_register command creates or updates symbolic links to your workspaces in a directory of your choice. This provides a convenient way to access all your workspaces from a single location.

Syntax: ws_register [-h] [--version] [-F FILESYSTEM] directory

Usage:

  $ ws_register ~/workspaces

This will create symbolic links to all your workspaces in the ~/workspaces directory. The command creates subdirectories for each filesystem (e.g., scratch/) and places workspace links inside them.

Example:

  $ mkdir -p ~/my_workspaces
  $ ws_register ~/my_workspaces
  $ ls -l ~/my_workspaces/scratch/
  lrwxrwxrwx 1 user group 45 Nov 17 10:30 user-myWs -> /work/workspace/scratch/user-myWs-0
  lrwxrwxrwx 1 user group 48 Nov 17 10:30 user-project1 -> /work/workspace/scratch/user-project1-0

Note: Links use the full workspace names (including username prefix), organized by filesystem subdirectory.

Options

When to use:

• Recommended if you work with multiple workspaces and want quick access
• Use in your ~/.bashrc or login scripts to automatically update links at login
• Useful for organizing workspaces by project or purpose

Example in login script:

# In ~/.bashrc or ~/.profile
# Only run in interactive shells to avoid issues with scp, rsync, etc.
if [ -t 0 ] && [ -z "$SSH_ORIGINAL_COMMAND" ] && command -v ws_register >/dev/null 2>&1; then
    mkdir -p ~/workspaces >/dev/null 2>&1
    ws_register ~/workspaces >/dev/null 2>&1
fi