Shared Storage: Difference between revisions
IA migration §6: light polish (drop redundant H1, fix typos, add See also) (via update-page on MediaWiki MCP Server) |
|||
| (29 intermediate revisions by 6 users not shown) | |||
| Line 1: | Line 1: | ||
If you work in a group or team, it is sometimes useful to work within a shared space. Users can thus share inputs to their models and make their outputs easily available to each other. This article explains how to do so within the Lustre filesystem and the home or archive folders (NFS). | |||
There are two main methods available to you: Access Control List (ACL) access, which you administer yourself, and group access using AD or Anunna groups, which are centrally administered. Below we split out the options for each method. | |||
== ACL shared directories == | |||
=== ACL shared directories on Lustre === | |||
You may create a folder that can be accessed by yourself and someone else in the following manner: | |||
= | <pre>cd /lustre/shared | ||
mkdir shared_folder | |||
chmod 700 shared_folder | |||
user=$USER | |||
setfacl -R -m u:${user}:rwx,d:u:${user}:rwx shared_folder</pre> | |||
Then, for each person who you want to have access to this: | |||
<pre> | |||
user=username001 | |||
setfacl -R -m u:${user}:rwx,d:u:${user}:rwx shared_folder | |||
</pre> | |||
Note that the command above grants read, write and execute access to '''username001'''; if you just want to grant read access, substitute '''rwx''' with '''r-x'''. | |||
For groups, replace the "u" with "g", like so: | |||
<pre>group=my_group | |||
setfacl -R -m g:${group}:rwx,d:g:${group}:rwx shared_folder</pre> | |||
If you only want to add read rights to the folder, remove the "w" above. Do not remove the "x" (for execute), as folders need that set for access. | |||
< | To see the settings, use getfacl: | ||
<pre> | |||
getfacl shared_folder | |||
</pre> | |||
Adding users or groups later can be done using the same method, but it might be hard. You may have trouble updating ACLs on files that aren't yours, and you cannot change ownership of files to yourself. Each user with files in the folder will need to update their ACLs appropriately themselves, or you can contact your sysadmins to assist. | |||
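Review bot: the recursive setfacl -R -m u:${user}:rwx,d:u:${user}:rwx lines (and the g: variant) put execute permission on every regular file in the tree, not only on directories. Consider rwX (and r-X for the read-only case), so that search permission lands on directories and execute stays limited to files that are already executable; the advice not to remove the "x" would then refer to the "X".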
=== | === ACL shared directories on NFS folders === | ||
The Lustre | {{Warning|Due to a misconfiguration, ACL permissions are currently disabled in our NFS shares, which includes the directories at /home and /shared. This will be addressed at the next downtime.}} | ||
If you want to share e.g. your home folder with another user, follow these steps: | |||
==== Set access rights on folder ==== | |||
If you want to e.g. allow somebody (as identified by their user id) full read access on your home folder, run this: | |||
<pre> | |||
setfacl --recursive --modify u:haars001:r-x $HOME | |||
</pre> | |||
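Review bot: setfacl --recursive --modify u:haars001:r-x $HOME opens the whole home directory to the other user, which normally includes files such as SSH keys and application credentials, and because it adds no default (d:) entry, files created later are not covered, unlike the Lustre example. Suggest documenting a dedicated sub-folder as the target, quoting "$HOME", and stating next to the warning that the command will not work as described while ACLs are disabled on the NFS shares.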
== Group shared directories == | |||
Users access the Anunna cluster with their WUR-wide (Active Directory) or Anunna-only account. This means that all the membership information of the AD is also available on Anunna. To check which groups your user is a member of, use the following command: | |||
<pre>groups <username></pre> | |||
This can result in a rather long list, reflecting permissions in the system. Within these groups you must then identify the one that most closely matches the team or group with which you wish to collaborate. | |||
For instance, if I wish to work together with colleagues at ISRIC, I can search within my groups for an appropriate match: | |||
<pre>groups duque004 | grep isric</pre> | |||
In my case the group des-isric-users looked appropriate. The next step is to confirm that the other users in my team are also members of the group. | |||
If a group isn't available (cooperation with people outside WUR), please ask the administrators for help; they can then set up a group for you. | |||
=== Creating a shared Lustre folder with correct permissions === | |||
The Lustre filesystem is accessible in the <code>/lustre</code> folder and then divided into the <code>/backup</code> and <code>/nobackup</code> sections (corresponding to the different usage plans). Inside each of these folders there is a sub-folder named <code>SHARED</code> in which users are to create their own assets. | |||
You start by creating a folder in this space; it is probably better if it matches the name of your group or team, e.g.: | You start by creating a folder in this space; it is probably better if it matches the name of your group or team, e.g.: | ||
< | <pre>mkdir /lustre/nobackup/SHARED/myTeamWorkspace</pre> | ||
Or | Or alternatively: | ||
< | <pre> | ||
cd /lustre/nobackup/SHARED | |||
mkdir myTeamWorkspace</ | mkdir myTeamWorkspace | ||
</pre> | |||
=== Setting permissions === | === Setting permissions === | ||
Three basic steps are involved in | Three basic steps are involved in setting permissions correctly: | ||
1. Pass the ownership of the group to the team. In the example below it is applied recursively to all sub-folders and files that may exist: | |||
<pre>chgrp -R my-team-group myTeamWorkspace</pre> | |||
2. Concede read/write permissions to the group. This allows other members of the group to read and write in the shared folder. If you wish other team members to only read from the folder, then remove the <code>w</code> character from the <code>+rw</code> bit: | |||
< | <pre>chmod -R g+rw myTeamWorkspace</pre> | ||
3. Set default ownership within the group. This guarantees that any new files or folders created within the shared folder are by default owned by your team group: | |||
< | <pre>chmod -R g+s myTeamWorkspace</pre> | ||
In case the contents of the shared folder are sensitive or private, and should only be accessed by your team, you can block access from any other users with the following command: | |||
< | <pre>chmod -R o-rw myTeamWorkspace</pre> | ||
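Review bot: chmod -R o-rw in the private-folder step leaves the execute/search bit for others in place, so users outside the team can still enter directories and run executables whose names they know; o-rwx would match the stated intent. In step 3, chmod -R g+s also sets setgid on regular files, where only directories need it for group inheritance (for example find myTeamWorkspace -type d -exec chmod g+s {} +), and in step 2 g+rwX would make sure group members can enter sub-folders.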
== See also == | |||
* [[Storage Systems Overview]] | |||
* [[Compute Storage]] | |||
* [[Home Directory]] | |||
== Further reading == | |||
* [https://www.digitalocean.com/community/tutorials/an-introduction-to-linux-permissions An Introduction to Linux Permissions] | |||
* [https://www.linode.com/docs/tools-reference/linux-users-and-groups/ Linux Users and Groups] | |||
* [https://www.digitalocean.com/community/tutorials/linux-permissions-basics-and-how-to-use-umask-on-a-vps#types-of-permissions Linux Permissions Basics and How to Use Umask on a VPS] | |||
* [http://www.yolinux.com/TUTORIALS/LinuxTutorialManagingGroups.html Linux Tutorial - Managing Group Access on Linux and UNIX] | |||
Latest revision as of 11:46, 18 June 2026
If you work in a group or team, it is sometimes useful to work within a shared space. Users can thus share inputs to their models and make their outputs easily available to each other. This article explains how to do so within the Lustre filesystem and the home or archive folders (NFS).
There are two main methods available to you: Access Control List (ACL) access, which you administer yourself, and group access using AD or Anunna groups, which are centrally administered. Below we split out the options for each method.
ACL shared directories
ACL shared directories on Lustre
You may create a folder that can be accessed by yourself and someone else in the following manner:
cd /lustre/shared
mkdir shared_folder
chmod 700 shared_folder
user=$USER
setfacl -R -m u:${user}:rwx,d:u:${user}:rwx shared_folder
Then, for each person you want to give access to this folder:
user=username001
setfacl -R -m u:${user}:rwx,d:u:${user}:rwx shared_folder
Note that the command above grants read, write and execute access to username001; if you just want to grant read access, substitute rwx with r-x.
For groups, replace the "u" with "g", like so:
group=my_group
setfacl -R -m g:${group}:rwx,d:g:${group}:rwx shared_folder
If you only want to add read rights to the folder, remove the "w" above. Do not remove the "x" (for execute), as folders need that set for access.
To see the settings, use getfacl:
getfacl shared_folder
Adding users or groups later can be done using the same method, but it can be difficult: you may have trouble updating ACLs on files that aren't yours, and you cannot change ownership of files to yourself. Each user with files in the folder will need to update their ACLs appropriately themselves, or you can contact your sysadmins to assist.
ACL shared directories on NFS folders
⚠️ Warning: Due to a misconfiguration, ACL permissions are currently disabled in our NFS shares, which includes the directories at /home and /shared. This will be addressed at the next downtime.
If you want to share e.g. your home folder with another user, follow these steps:
Set access rights on folder
If you want to e.g. allow somebody (as identified by their user id) full read access on your home folder, run this:
setfacl --recursive --modify u:haars001:r-x "$HOME"
Group shared directories
Users access the Anunna cluster with their WUR-wide (Active Directory) or Anunna-only account. This means that all the membership information of the AD is also available on Anunna. To check which groups your user is a member of, use the following command:
groups <username>
This can result in a rather long list, reflecting permissions in the system. Within these groups you must then identify the one that most closely matches the team or group with which you wish to collaborate.
For instance, if I wish to work together with colleagues at ISRIC, I can search within my groups for an appropriate match:
groups duque004 | grep isric
In my case the group des-isric-users looked appropriate. The next step is to confirm that the other users in my team are also members of the group.
If a group isn't available (cooperation with people outside WUR), please ask the administrators for help; they can then set up a group for you.
Creating a shared Lustre folder with correct permissions
The Lustre filesystem is accessible in the /lustre folder and then divided into the /backup and /nobackup sections (corresponding to the different usage plans). Inside each of these folders there is a sub-folder named SHARED in which users are to create their own assets.
You start by creating a folder in this space; it is probably better if it matches the name of your group or team, e.g.:
mkdir /lustre/nobackup/SHARED/myTeamWorkspace
Or alternatively:
cd /lustre/nobackup/SHARED
mkdir myTeamWorkspace
Setting permissions
Three basic steps are involved in setting permissions correctly:
1. Pass group ownership of the folder to the team. In the example below it is applied recursively to all sub-folders and files that may exist:
chgrp -R my-team-group myTeamWorkspace
2. Grant read/write permissions to the group. This allows other members of the group to read and write in the shared folder. If you want other team members to be able to only read from the folder, remove the w character from the +rw part:
chmod -R g+rw myTeamWorkspace
3. Set default group ownership (the setgid bit). This guarantees that any new files or folders created within the shared folder are owned by your team group by default:
chmod -R g+s myTeamWorkspace
In case the contents of the shared folder are sensitive or private, and should only be accessed by your team, you can block access from any other users with the following command:
chmod -R o-rw myTeamWorkspace
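The three steps and the optional private-folder step above, combined into one helper with an audit check. This is an added example, not part of the original wiki page, and it is a stricter variant of the commands shown: setgid goes on directories only, group access uses rwX, and the private mode removes all access for others. The function names setup_shared_dir and audit_shared_dir are hypothetical, GNU find and chmod are assumed, and the demo tree is constructed in a temporary directory.

```bash
#!/usr/bin/env bash
# Added example; setup_shared_dir and audit_shared_dir are hypothetical helpers.
# Usage: setup_shared_dir <directory> <group> [private]
setup_shared_dir() {
    local dir="$1" group="$2" mode="${3:-}"

    mkdir -p -- "$dir" || return 1

    # Step 1: hand group ownership of the whole tree to the team group.
    chgrp -R -- "$group" "$dir" || return 1

    # Step 2: group read/write. Capital X adds search permission on
    # directories and keeps execute on files that are already executable,
    # without turning every data file into an executable.
    chmod -R g+rwX -- "$dir" || return 1

    # Step 3: setgid on directories only, so new entries inherit the team
    # group. "chmod -R g+s" would also set the bit on regular files.
    find "$dir" -type d -exec chmod g+s -- {} + || return 1

    # Optional: remove all access for others, including the x bit that
    # "o-rw" leaves behind on directories and executables.
    if [ "$mode" = "private" ]; then
        chmod -R o-rwx -- "$dir" || return 1
    fi
}

# List every entry that others can still read, write or enter (any bit in
# 007), and every regular file carrying the setgid bit (02000).
audit_shared_dir() {
    find "$1" \( -perm /007 -o \( -type f -perm -2000 \) \) -print
}

# Demo on a constructed tree, using the caller's numeric primary group
# in place of a real team group.
demo=$(mktemp -d)
mkdir -p "$demo/ws/results"
touch "$demo/ws/results/run1.csv"
setup_shared_dir "$demo/ws" "$(id -g)" private
audit_shared_dir "$demo/ws"
rm -rf "$demo"
```

On a correctly configured private workspace the audit prints nothing; any path it prints still carries a permission the team did not intend.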