Mount the Nexus filesystem on a cloud server
This guide assumes you have already created a VM running Ubuntu 20.04 and noted its IP address (e.g. 10.186.xx.xx). For details about how to launch a new VM and connect as root, see the general documentation.
Additionally, you will need to know the project directory assigned in Nexus-Posix and the Linux group the project was created with. These values are used in the configuration below so that the NFS mount points are set up correctly and the VM users have access to the mounted Nexus-Posix filesystem.
Procedure
Initial setup to be performed by an admin of the VM:
a. Install the necessary nfs client software packages:
apt update
apt upgrade -y
apt install -y nfs-client
b. Configure uid and gid mapping:
sed -i.bak 's/# Domain = localdomain/Domain = mpcdf.mpg.de/' /etc/idmapd.conf
echo "options nfs nfs4_disable_idmapping=N" >> /etc/modprobe.d/nfs.conf
Now reboot the VM.
c. Request a Nexus-Posix project directory and dedicated network. Use the dashboard to attach a second interface (not floating IP) in the nexus-private-… network to the VM.
echo "nexus-posix0.hpccloud.mpcdf.mpg.de:/nexus/posix0/PROJECT_DIR /nexus/posix0/PROJECT_DIR nfs _netdev" >> /etc/fstab
mkdir -p /nexus/posix0/PROJECT_DIR
mount /nexus/posix0/PROJECT_DIR
where PROJECT_DIR is the name of the project in Nexus-Posix.
d. Install sssd for user identities:
apt install -y sssd
e. Create the sssd configuration (/etc/sssd/sssd.conf):
[sssd]
config_file_version = 2
domains = CUSTOM
[nss]
filter_users = root
filter_groups = root
[pam]
offline_credentials_expiration = 3
[domain/CUSTOM]
id_provider = ldap
access_provider = ldap
ldap_search_base = ou=general-u,ou=ua,o=rzg,c=de
ldap_access_filter = (gidNumber=GROUP_ID)
ldap_uri = ldap://directory1.hpccloud.mpcdf.mpg.de/,ldap://directory2.hpccloud.mpcdf.mpg.de/
auth_provider = krb5
krb5_realm = IPP-GARCHING.MPG.DE
krb5_server = kerberos.mpcdf.mpg.de,kerberos1.mpcdf.mpg.de,kerberos2.mpcdf.mpg.de,kerberos3.mpcdf.mpg.de
cache_credentials = true
enumerate = true
min_id = 1000
override_homedir = /home/%u
where GROUP_ID is the ID of the Linux group the Nexus-Posix project was created with.
Note: for some operating systems and variants (e.g. CentOS, AlmaLinux), the sssd pam and nss responder services need to be explicitly started by sssd by adding them to the config file, or socket activation needs to be enabled.
[sssd]
services = nss, pam
...
or
systemctl enable sssd-nss.socket
systemctl start sssd-nss.socket
systemctl enable sssd-pam.socket
systemctl start sssd-pam.socket
f. Complete the sssd configuration:
chmod -R 0600 /etc/sssd/*
systemctl restart sssd
pam-auth-update --enable mkhomedir
Note: Overriding the home directory to /home/ is useful for login nodes/workstations.
g. Re-boot the VM
shutdown -r now
A re-boot of a VM, once initially deployed, helps ensure that the configuration is correct and that the VM will correctly re-start in case of any outages.
Users may now read and write to the project directory from both the VM and Raven.
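The script below is an added example, not part of the original guide: it checks the files edited in steps b, c, e and f for the mistakes that most often break the mount or open access too widely (Domain still commented out, a duplicated fstab line from re-running the echo, sssd.conf not mode 0600, GROUP_ID placeholder left in the access filter). The function names are hypothetical; the file paths and values are those used in the steps above.

```shell
#!/bin/sh
# Added example, not part of the original guide. Function names are
# hypothetical; paths are parameters so the checks can run on copies.

# Step b: idmapd.conf must carry an uncommented "Domain = mpcdf.mpg.de".
check_idmap_domain() {      # $1 = path to idmapd.conf
    grep -Eq '^[[:space:]]*Domain[[:space:]]*=[[:space:]]*mpcdf\.mpg\.de[[:space:]]*$' "$1"
}

# Step c: exactly one uncommented fstab entry for the project mount point,
# of type nfs with _netdev. Re-running the "echo >> /etc/fstab" line
# appends a duplicate, which this rejects.
check_fstab_entry() {       # $1 = path to fstab, $2 = PROJECT_DIR
    awk -v mp="/nexus/posix0/$2" '
        $1 !~ /^#/ && $2 == mp {
            n++
            if ($3 == "nfs" && $4 ~ /(^|,)_netdev(,|$)/) ok++
        }
        END { exit !(n == 1 && ok == 1) }' "$1"
}

# Steps e and f: sssd.conf must be mode 0600 and the GROUP_ID placeholder
# in ldap_access_filter must have been replaced by a numeric gid.
check_sssd_conf() {         # $1 = path to sssd.conf
    [ "$(stat -c '%a' "$1")" = "600" ] || return 1
    grep -Eq '^[[:space:]]*ldap_access_filter[[:space:]]*=[[:space:]]*\(gidNumber=[0-9]+\)[[:space:]]*$' "$1"
}

# Run all checks against the live files and report each failure.
run_checks() {              # $1 = PROJECT_DIR
    rc=0
    check_idmap_domain /etc/idmapd.conf || { echo "FAIL: idmapd.conf Domain"; rc=1; }
    check_fstab_entry /etc/fstab "$1"   || { echo "FAIL: fstab entry for $1"; rc=1; }
    check_sssd_conf /etc/sssd/sssd.conf || { echo "FAIL: sssd.conf mode or filter"; rc=1; }
    return "$rc"
}

# Only touch the live system when a project name is given on the command line.
if [ "$#" -gt 0 ]; then
    run_checks "$1"
fi
```

Run it as root with the project directory name as the only argument; it prints one FAIL line per problem and exits non-zero if any check fails.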