Student cluster


User Management

  1. Find a free ID that is not used either for a group or a user:
    1. Log in as root@i12r-studfilesrv.informatik.tu-muenchen.de
      • $ getent group | sort -k 3 -t : -g|less -I
      • $ getent passwd | sort -k 3 -t : -g|less -I
    2. ID ranges to avoid:
      • 257-499 - Rost Lab access control groups
      • 500-998 - new Rost Lab projects
      • 1000-1499 - new Kramer Lab projects
      • 33000-33300 - Kramer Lab access control groups
      • 40001-40012 - Rost Lab users
      • 53709-53999 - new Rost Lab users
      • 71680-399360 - PredictProtein users
    3. ID ranges to use:
      • 31000-32999 - new students
  2. Decide on user name (also primary group name):
    • Burkhard likes: 'surname'
  3. Open user and group manager
  4. Click Groups
  5. Click New group
  6. Select student group from the drop-down list on the right and click Load profile
  7. Fill in:
    • Group name
    • GID number
    • Optional: Description
    • Leave the Samba 3 tab alone
    • Click Save
  8. Click Users
  9. Click New user
  10. Select student user from the drop-down list on the right and click Load profile
  11. Fill in the required fields:
    1. First name
    2. Last name
    3. Click the Unix tab
    4. User name: same as the primary group name from above
    5. Common name: first name and surname, e.g.: Laszlo Kajan
    6. UID number: same as the GID number of the primary group from above
    7. Primary group: the primary group you created above
    8. Leave the Samba 3 tab alone
    9. Click Save
  12. Create user home directory, execute:
    ssh root@i12r-studfilesrv.informatik.tu-muenchen.de /root/bin/mkhomedir.sh student [username]
  13. Activate user account by setting the password:
    ssh root@i12r-studfilesrv.informatik.tu-muenchen.de passwd [username]
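
The manual lookup in step 1 can be scripted. The following is an added example, not one of the lab's own scripts: the function name first_free_id and the sample entries are constructed for illustration. It reads passwd- and group-format lines (the numeric ID is field 3 in both) and prints the lowest ID in the given range that is taken by neither a user nor a group.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the lab's tooling).
#
# first_free_id LOW HIGH
#   stdin : passwd- and/or group-format lines (numeric ID is field 3 in both)
#   stdout: lowest ID in LOW..HIGH used by neither a user nor a group
#   status: 0 if an ID was found, 1 if the whole range is taken
first_free_id() {
    low=$1 high=$2
    awk -F: -v low="$low" -v high="$high" '
        # Record every numeric ID seen, whether it came from passwd or group.
        $3 ~ /^[0-9]+$/ { used[$3 + 0] = 1 }
        END {
            for (id = low + 0; id <= high + 0; id++)
                if (!(id in used)) { print id; exit 0 }
            exit 1   # range exhausted: do not fall back to another range
        }'
}

# Constructed sample data standing in for the getent output.
sample_db() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:31000:31000:Alice Example:/home/alice:/bin/bash
bob:x:31003:31003:Bob Example:/home/bob:/bin/bash
alice:x:31000:
projx:x:31001:
bob:x:31003:
EOF
}

# On the file server, feed both databases in one stream so that an ID
# held only by a group (like 31001 in the sample) is skipped as well:
#   { getent passwd; getent group; } | first_free_id 31000 32999
```

Restricting the search to 31000-32999 keeps the result inside the student range, so the reserved ranges listed in step 1 cannot be hit by accident.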

Reactivating expired accounts

  1. Set a new password:
    ssh root@i12r-studfilesrv.informatik.tu-muenchen.de passwd [username]

Access control lists (ACL)

ACLs must be set on i12r-studfilesrv.

Look at this simple example:

setfacl -R -m u:gyachdav:rwX,u:lkajan:rwX,u:schmidb:rwX,d:u::rwX,d:u:gyachdav:rwx,d:u:lkajan:rwx,d:u:schmidb:rwx,d:g::rwX /some/dir

Current status

  • There are 32-bit and 64-bit machines.
  • The individual machines have been installed from a common boot image (with PXE boot) but have been individually changed (slightly?) since then.
  • The names of the student machines are lxkramerNN (there might be aliases in future).
  • The student machines use the Kramer LDAP server.
  • Home directories are mounted from the Kramer file server (mounted to /home/loginName)
  • Software is installed locally or in /usr/local/stud, which is mounted on every machine.
  • Student accounts can exist for a long time, e.g. from the 3rd semester until graduation.
  • Students may use the machines for their work (e.g. during diploma theses)
  • The machines are visible externally and remote login is possible.

Planned status

  • The machines from the student cluster have their own LDAP server and their own file server (i12r-studfilesrv).
  • The student LDAP server is synchronized with the Kramer and Rostlab LDAP servers such that teachers have their usual logins (and numeric UIDs) on the student machines. When adding new accounts, administrators must take care to adhere to the agreed ID ranges (??? for Kramer, ??? for Rostlab, ??? for students)
  • Teachers create the accounts for their students.
  • Home directories are mounted from the Kramer and student file servers. Locally stored home directories are available on /mnt/home/kramer/$USER, /mnt/home/rost/$USER, /mnt/home/student/$USER.
  • Student accounts expire as soon as possible. (There still needs to be a discussion about the exact policy.)
  • Non-packaged software is already installed into /opt
  • Shared non-package software must be installed into /mnt/opt/softwareName/ - use --prefix=/mnt/opt during package configuration.
  • Packages are installed ... ?
  • The machines stay visible externally and remote login is possible. However, most of the machines might be rebooted if a practical requires it. Jobs run on the machines should be configured such that they can be restarted from an intermediate result if necessary.

Migration path

  • The Kramer LDAP information is copied into the student LDAP server (possibly weeding out unused accounts).
  • The student machines are switched to the new student LDAP.
  • New mounts from the student file server are added to the machines.
  • Old accounts will stay on the Kramer file server (lxkramer10) and will still be mounted on the old mount point.
  • New student accounts will be located on the student file server and on the new mount points.