SDS@hd/Access/NFS
Prerequisites
- Attention: To access data served by SDS@hd, You need a Service Password. See details SDS@hd/Registration.
- Additionally the access to SDS@hd is currently only available inside the belwue-Network. This means you have to use the VPN Service of your HomeOrganization, if you want to access SDS@hd from outside the bwHPC-Clusters (e.g. via eduroam or from your personal Laptop)
- The access via nfs protocol is machine-based, which means new nfs-Clients have to be registered on SDS@hd. During this registration each machine gets a keytab file, which allows mounting SDS@hd.
- Currently you have to send an email for Clientregistration to SDS@hd Team with the following information:
- hostname of the new nfs-Client
- IP address
- short description
- location
- acronym of the Speichervorhaben which should be available on this machine
Using NFSv4 for UNIX client
The authentication for data access via NFSv4 is performed using Kerberostickets. This requires a functioning Kerberos environment on the client!
Kerberos environment for SDS@hd
- For Kerberos authentication to work, a correctly synchronized system time must be set on each nfs client (e.g. via ntpdate ntp01.urz.uni-heidelberg.de or chrony)
The following parameters of kerberos tickets are set on server side:
- max. Lifetime of a Serviceticket: 10 hours
- max. Lifetime of a Userticket: 24 hours
- max. Renewaltime for Usertickets: 10 days
The properties (e.g. lifetimes, encryption, ...) of the kerberos tickets can be changed on client site with different kinit parameters (see manpages of kinit) or via /etc/krb5.conf.
First you have to install kerberos packages in your system to provide a working kerberos environment. The exact names of the packages depending on you linux distribution (see examples below).
Example RedHat/CentOS
yum install krb5-workstation
Example debian/ubuntu
apt install krb5-user
On ubuntu server: nfs-kernel-server
After installing the packages you have to use the following kerberos parameters for connecting to SDS@hd:
- Default Realm = BWSERVICES.UNI-HEIDELBERG.DE
- KDC = bwservices.uni-heidelberg.de
So your kerberos configuration file (/etc/krb5.conf) should contain the following entries:
[libdefaults] default_realm = BWSERVICES.UNI-HEIDELBERG.DE [realms] BWSERVICES.UNI-HEIDELBERG.DE= { kdc = bwservices.uni-heidelberg.de admin_server = bwservices.uni-heidelberg.de } [domain_realm] .uni-heidelberg.de = BWSERVICES.UNI-HEIDELBERG.DE uni-heidelberg.de = BWSERVICES.UNI-HEIDELBERG.DE
The keytab file of the machine, which you get from the SDS@hd Team, has to be stored as /etc/krb5.keytab in the system.
Because of caching issue with the kerberos ticket cache, you have to disable gssproxy service:
systemctl stop gssproxy.service systemctl mask gssproxy.service
After configuring kerberos, you have to install nfs packages in your system, and enable kerberized NFSv4. The exact names of the packages depending on you linux distribution (see examples below).
Example RedHat/CentOS
> yum install nfs-utils nfs4-acl-tools /etc/sysconfig/nfs: NEED_IDMAPD=yes NEED_GSSD=yes
Example debian/ubuntu
> apt install nfs-common nfs4-acl-tools nfs-server /etc/default/nfs-common: NEED_IDMAPD=yes NEED_GSSD=yes
On ubuntu server: nfs-kernel-server
SDS@hd is a central service for securely storing scientific data (Scientific Data Storage). The service is provided as a state service to researchers of higher education institutions of Baden-Württemberg. It is intended to be used for data that is frequently accessed ('hot data').
News |
|
Training & Support |
User Documentation |
|
Storage Funding |
To enable the ID-Mapping for NFSv4 mounts change the file /etc/idmapd.conf with the following lines: in /etc/idmapd.conf: [General] Domain = urz.uni-heidelberg.de Local-Realms = BWSERVICES.UNI-HEIDELBERG.DE The usual restrictions for mounting drives under Linux apply. Usually this can only be done by the superuser "root". For detailed information, please contact the system administrator of your system. After successfull configuration (s. 2.1) you can mount your SDS@hd share with the following commands: > mkdir <mountpoint> > mount -t nfs4 -o sec=krb5,vers=4.0 lsdf02.urz.uni-heidelberg.de:/gpfs/lsdf02/ <mountpoint> To enable the mounting after a restart, you have to add the following line to the file "/etc/fstab" lsdf02.urz.uni-heidelberg.de:/gpfs/lsdf02/ <mountpoint> nfs4 sec=krb5,vers=4.0 0 0 AutoFS SetupInstead of the fstab-entry you can also use the automounter "autofs".
$ yum install autofs $ systemctl enable autofs $ systemctl start autofs
$ apt install autofs $ systemctl enable autofs $ systemctl start autofs Afterwards you configure the SDS@hd Speichervorhaben in a new map file: $ cat /etc/auto.sds-hd sds-hd -fstype=nfs4,rw,sec=krb5,vers=4.0,nosuid,nodev lsdf02.urz.uni-heidelberg.de:/gpfs/lsdf02 .... You have to include the new map into the auto.master file, e.g.: $ cat /etc/auto.master [...] /mnt /etc/auto.sds-hd [...] To display all available SDS@hd shares on this machine to the users, you should enable "browser_mode": $ cat /etc/autofs.conf [...] # to display all available SDS-hd shares on this to the users browse_mode=yes [...] otherwise each share-folder will only be visible after a user has mounted. After changing the configuration, you should restart the autofs daemon, e.g.: $ systemctl restart autofs Of course you can adopt all other autofs options, like timeouts, etc. to the specific needs of your environment or use any other method for dynamically mounting the shares. access your dataAttention! The access can not be done as root user, because root uses the Kerberosticket of the machine, which does not have data access! To access your data on SDS@hd you have to fetch a valid kerberos ticket with your SDS@hd user and Servicepassword: > kinit hd_xy123 Password for hd_xy123@BWSERVICES.UNI-HEIDELBERG.DE: You can check afterwards your kerberos ticket with: > klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: hd_xy123@BWSERVICES.UNI-HEIDELBERG.DE Valid starting Expires Service principal 20.09.2017 04:00:01 21.09.2017 04:00:01 krbtgt/BWSERVICES.UNI-HEIDELBERG.DE@BWSERVICES.UNI-HEIDELBERG.DE renew until 29.09.2017 13:38:49 Afterwards you should be able to access the mountpoint, which contain all Speichervorhaben exported to your machine: > ls <mountpoint> sd16j007 sd17c010 sd17d005 renew a kerberos ticketBecause a kerberos ticket has a limited lifetime (default: 10 hours, maximum 24 hours) for security reasons, you have to renew your ticket before it expires to prevent access loss. > kinit -R This renewal could only be done for maximum time of 10 Days and as long as the current kerberos ticket is still valid. For renewal of an expired ticket, you have to use again your Servicepassword. destroy kerberos ticketEven if kerberos tickets are only valid for a limited period of time, a ticket should be destroyed as soon as access is no longer needed to prevent misuse on multi-user systems: kdestroy automated kerberos ticketsAttention! Keep this generated Keytab safe and use it only in trusted environments! If your workflow needs a permanent access to SDS@hd for longer than 10 Days, you can use ktutil to encrypt your Service Password into a keytab file: interactive way: ktutil ktutil: addent -password -p hd_xy123@BWSERVICES.UNI-HEIDELBERG.DE -k 1 -e rc4-hmac Password for hd_xy123@BWSERVICES.UNI-HEIDELBERG.DE: ktutil: addent -password -p hd_xy123@BWSERVICES.UNI-HEIDELBERG.DE -k 1 -e aes256-cts Password for hd_xy123@BWSERVICES.UNI-HEIDELBERG.DE: ktutil: wkt xy123.keytab ktuitl: quit non-interactive way: echo -e "addent -password -p hd_xy123@BWSERVICES.UNI-HEIDELBERG.DE -k 1 -e rc4-hmac\n<your_servicepasword>\n addent -password -p hd_xy123@BWSERVICES.UNI-HEIDELBERG.DE -k 1 -e aes256-cts\n<your_servicepasword>\nwkt xy123.keytab" | ktutil With this keytab, you can fetch a kerberos ticket without an interactive password: kinit -k -t xy123.keytab hd_xy123
|