# Data questions

How to generate and upload ssh keys?

In order to access the JSC computer systems you need to generate an ssh key pair. This pair consists of a public and a private part. Here we briefly describe how to generate and upload such a pair.

# On Linux/UNIX

To create a new ssh key pair, log in to the local machine from which you want to connect to the JSC computer systems. Open a shell and run the following command:

ssh-keygen -b 2048 -t rsa

You are asked for a file name and location where the key should be saved. Unless you really know what you are doing, please simply take the default by hitting the enter key. This will generate the ssh key in the .ssh directory of your home directory ($HOME/.ssh). Next, you are asked for a passphrase. Please choose a secure passphrase. It should be at least 8 characters long and should contain numbers, letters and special characters like !@#$%^&*().

Important: You are NOT allowed to leave the passphrase empty!

You will be asked to upload the public part of your key ($HOME/.ssh/id_rsa.pub) on the JSC web site when you apply for an account. You must keep the private part ($HOME/.ssh/id_rsa) confidential.

Important: Do NOT remove it from this location and do NOT rename it!

ssh <yourid>@<machine>.fz-juelich.de

where 'yourid' is your user id on the JSC system 'machine' (i.e. you have to replace 'machine' by the corresponding JSC system). You will be prompted for the passphrase of the ssh key, which is the one you entered when you generated the key (see above).
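A local check of the two rules above (private key kept confidential, passphrase not empty), as an added example that is not part of the original page. It reads the key file format directly, covering the current OpenSSH container and the legacy PEM form; the function name check_private_key is hypothetical.

```shell
#!/bin/sh
# Added example: audit a private key file against the two rules above
# (kept confidential, passphrase not empty). Prints findings; returns 1 if any.
check_private_key() {
    key=${1:-"$HOME/.ssh/id_rsa"}
    rc=0
    if [ ! -f "$key" ]; then
        echo "FAIL $key: no such file"
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL $key: accessible by group or others (chmod 600)"
        rc=1
    fi
    case $(head -n 1 "$key") in
    "-----BEGIN OPENSSH PRIVATE KEY-----")
        # openssh-key-v1 layout: 15-byte magic, 4-byte length, cipher name.
        # The cipher name is "none" when the key was saved without passphrase.
        cipher=$(grep -v '^-----' "$key" | base64 -d 2>/dev/null |
                 tail -c +20 | head -c 4)
        if [ "$cipher" = "none" ]; then
            echo "FAIL $key: no passphrase"
            rc=1
        fi
        ;;
    "-----BEGIN RSA PRIVATE KEY-----")
        # Legacy PEM: a passphrase-protected key has a Proc-Type header.
        if ! grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
            echo "FAIL $key: no passphrase"
            rc=1
        fi
        ;;
    *)
        echo "FAIL $key: unrecognised private key format"
        rc=1
        ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "OK $key"; fi
    return "$rc"
}
# Usage: check_private_key "$HOME/.ssh/id_rsa"
```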

# On Windows

You can generate the key pair using, for example, the PuTTYgen tool, which is provided by the PuTTY project. Start PuTTYgen, choose SSH-2 RSA at the bottom of the window, set the 'number of bits in the generated key' to 2048 and press the 'Generate' button.

PuTTYgen will prompt you to generate some randomness by moving the mouse over the blank area. Once this is done, a new public key will be displayed at the top of the window.

Enter a secure passphrase. It should be at least 8 characters long and should contain numbers, letters and special characters like !@#$%^&*().

Important: You are NOT allowed to leave the passphrase empty!

Save the public and the private key. We recommend using 'id_rsa.pub' for the public and 'id_rsa' for the private part. You will be asked to upload the public part of your key (id_rsa.pub) on a JSC web site when you apply for an account. You must keep the private part (id_rsa) confidential.

You will be notified by email once your account is created and your public key is installed. To log in, please use an ssh client for Windows, use authentication method 'public-key', import the key pair you have generated above and log in to the corresponding JSC system with your user id. If you are using the PuTTY client you can import the key in the configuration category 'Connection', subcategory 'ssh' -> Auth. Once this is done you will be prompted for the passphrase of the ssh key, which is the one you entered when you generated the key (see above).

## Adding additional keys

If you would like to connect to your account from more than one computer, you can create and use additional pairs of public and private keys. After creating a pair of public/private keys there are two ways of installing the public key on the target machine:

Method 1 (Linux/Mac): Use the ssh-copy-id command to simultaneously upload and add the public key file 'public_key.pub' to the account 'user' on the target machine 'targetmachine':

ssh-copy-id -i public_key.pub user@targetmachine

Please refer to the man-page of ssh-copy-id for further information.

Method 2 (all operating systems):

ii) upload the public key file to your account at the HPC-target system

ii-a) In case the public key was created under Windows (e.g. in PuTTY) it has to be converted. This is done on the target HPC-system by the command

ssh-keygen -i -f original_public_key_file.pub > new_public_key_file.pub

iii) open the (new) keyfile and copy the whole line

iv) append the line as a new line to the file ~/.ssh/authorized_keys

v) Make sure the private key sits in the correct place on your private computer.

## Replace SSH Key

In case the ssh key has to be replaced, use the following link: Upload of ssh-key

Note: This will replace ALL public keys by the new public key. If you use more than one key pair you will have to add your additional public keys as described above.

## Connection problem after creating a new key

It can happen that the new key is not loaded automatically by your local SSH agent (you will receive a permission denied error after you try to connect to the JSC computer system). To update your SSH agent manually you can use the command:

ssh-add <your private key-file>

# Data questions

How to restore a file from the archive directory?

All files within the user's archive directory ($ARCH) for long term storage are automatically backed up by TSM (Tivoli Storage Manager) function. To restore a file, use

on the login nodes of an HPC system (e.g. JUQUEEN, JURECA, DEEP, JUROPA3 partition) or the Data Access System (JUDAC). If the option -type is not specified, the user will be prompted for the type of filesystem:

Which type of filesystem should be restored? Enter: {home | arch | data}

This command grants access to the correct backup data of the user's assigned archive directory.

 Restore -> View -> Display active/inactive files
 File level -> archX -> group -> userid -> ...
 Select files or directories to restore
 Press [Restore] button

If the data should be restored to original location then choose within the Restore Destination window:

• Original location

Otherwise select

• Following location + <path> + Restore complete path

Don't use the native dsmj-command which will not show any archive data.

How can I see which data is migrated?

There are two file systems which hold migrated data: /arch and /arch2

• These are so called archive file systems.
• In principle all data in the file systems will be migrated to TSM-HSM tape storage in tape libraries.
• Data is copied to TSM backup storage prior to migration.
• Every user owns a personal archive directory that can be specified by the $ARCH variable.
• Quotas are applied not to storage space but to the number of files per group/project. This is done because UNIX is still not able to handle millions of files in a file system with an acceptable performance.

The TSM-HSM native command dsmls, which shows if a file is migrated, is not available on any HPC system (e.g. JUQUEEN, JURECA, DEEP, JUROPA3 partitions) nor on the Data Access System (JUDAC). This command is only supported on the TSM-HSM node of the JUST storage cluster, which hosts the file systems for the HPC systems. However, JUST is not open for user access.

Please use

ls -ls [mask | filename]

to list the files. Migrated files can be identified by a block count of 0 in the first column (-s option) and an arbitrary number of bytes in the sixth column (-l option).

 0 -rw-r----- 1 user group 513307 Jan 22 2008 log1
 0 -rw-r----- 1 user group 114 Jan 22 2008 log2
 0 -rw-r----- 1 user group 273 Jan 22 2008 log3
 0 -rw-r----- 1 user group 22893504 Jan 23 2008 log4

How to restore a file from the home directory?

All files within the users' home directories ($HOME) are automatically backed up by TSM (Tivoli Storage Manager) function. To restore a file, use

on the login nodes of an HPC system (e.g. JUQUEEN, JURECA, DEEP, JUROPA3 partition) or the Data Access System (JUDAC). If the option -type is not specified, the user will be prompted for the type of filesystem:

Which type of filesystem should be restored? Enter: {home | arch | data}

This command grants access to the correct backup data of the user's assigned home directory.

 Restore -> View -> Display active/inactive files
 File level -> homeX -> group -> userid -> ...
 Select files or directories to restore
 Press [Restore] button

If the data should be restored to original location then choose within the Restore Destination window:

• Original location

Otherwise select:

• Following location + <path> + Restore complete path

Don't use the native dsmj-command which will not show any home data.

How can I recall migrated data?

Normally migrated files are automatically recalled from TSM-HSM tape storage when the file is accessed on the login nodes of the HPC systems (e.g. JUQUEEN, JURECA, DEEP, JUROPA3 partitions) or the Data Access System (JUDAC).

For an explicit recall the native TSM-HSM command dsmrecall is not available. Please use

tail <filename>
or:

to start the recall process. These commands will not change any file attribute and the migrated version of the file as well as the backup version stay valid.

It is strongly recommended NOT to use

touch <filename>

because this changes the timestamp of the file, so a new backup copy must be created and the file has to be migrated again. These are two additional processes that waste compute resources if the file is only read by further processing.
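Before reading a large data set it helps to know which files will come back from tape and how many bytes that is. The following added example (not part of the original page) applies the ls -ls rule from "How can I see which data is migrated?" and also excludes empty files, which have a block count of 0 without being migrated; the function name list_migrated is hypothetical.

```shell
#!/bin/sh
# Added example: list migrated files from `ls -ls` output read on stdin.
# A file counts as migrated when it is a regular file with a block count
# of 0 (column 1) and a size greater than 0 bytes (column 6).
list_migrated() {
    awk '
        $1 !~ /^[0-9]+$/ { next }           # "total N" line, directory headers
        NF < 10 { next }                    # not a complete ls -ls entry
        substr($2, 1, 1) != "-" { next }    # skip directories, links, devices
        $1 + 0 == 0 && $6 + 0 > 0 {
            name = $10
            for (i = 11; i <= NF; i++) name = name " " $i   # names with blanks
            printf "%s\t%s\n", $6, name
            n++
            bytes += $6
        }
        END { printf "%d migrated, %.0f bytes to recall\n", n, bytes }
    '
}
# Usage: ls -ls "$ARCH" | list_migrated
```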

What data quotas do exist and how to list usage?

Disk quota limitations in the $HOME and $WORK file systems have been in effect since the end of October 2007. This had to be done because in the past file systems were blocked by single users creating millions of files, which degraded the performance of system commands (ls, du). Also, migration of $HOME data no longer worked successfully, and therefore the new type of archive file system, $ARCH, was introduced.

The following limitations apply in general since December 2009. The numbers are regularly updated according to the actual capacity in the file systems.

Data quota per group/project within GPFS file systems

| File System | Disk Space: Soft Limit | Disk Space: Hard Limit | Number of Files: Soft Limit | Number of Files: Hard Limit |
|---|---|---|---|---|
| $HOME | 10 TB | 11 TB | 3 Mio | 3.1 Mio |
| $WORK | 30 TB | 35 TB | 4 Mio | 4.4 Mio |
| $ARCH | - (see note) | - (see note) | 2 Mio | 2.2 Mio |

Note: No hard disk space limit for $ARCH exists, but if more than 100 TB will be requested please contact the supercomputing support at JSC (sc@fz-juelich.de) to discuss optimal data processing, particularly with regard to the end of the project. Furthermore, for some projects there may exist special guidelines.

File size limit

Although the file size limit on operating system level, e.g. at JUQUEEN or JURECA, is set to unlimited (ulimit -f), the maximum file size can only be the GPFS group quota limit for the corresponding file system. The actual limits can be listed by q_dataquota.

List data quota and usage by group and user

Members of a group/project can display the hard limits, quotas (soft limit) and usage by each user of the group in a group special file (/homex/group/usage.quota) that is updated every six hours (see timestamp at the top of the file). Since End of January 2013, for easy reading, the unit of measure is set to GB instead of KB. As a result, the displayed values are always rounded up to the next GB value. If less than 1 GB is used, e.g. 256 KB or 128 MB, 1 GB will always be shown.

more $HOME/../usage.quota

This file can also be listed in a short and long format by the command

q_dataquota [-l]

The short format will display the group quota limits and group data usage for each file system followed by the usage of the user herself/himself. The long listing includes the data usage of all users of the group in descending order.

Notes:

• Although no quota limits for a group may be listed for the $WORK file system, quotas are set! Counting quotas will start with the first file created by a user of the group.
• If the message Cannot exceed the user or group quota is displayed when writing data to a file, the sum of used and in_doubt blocks has exceeded the hard limit. Please be aware that not only the used blocks are taken into account!
• The column grace reports the status of the quota:

none - no quota exceeded
xdays - remaining grace period to clean up after the soft limit is exceeded
expired - no data can be written before cleanup

List in time data quota and usage by group

A prompt update of the group's data usage and limits can be displayed with:

mmlsquota [--block-size {m|g|t|auto}] -g <group> [ <FS_without_leading_/> | -C justgss.fz-juelich.de ]

The output for the specified file system or all file systems of the JUST storage cluster will show the usage summary of the specified group (not the members) in KByte units by default. For better reading a unit of measure can be specified or GPFS can select the best that fits. To do so specify the option --block-size (with GPFS 3.5.x and later).

System actions when limits are exceeded

• Soft limit
If any soft limit is exceeded, a grace period of 14 days starts to count down. If no data is deleted to get back under the limit, the quota expires after the grace period and files can no longer be created or expanded. If the hard limit is exceeded in the meantime, the quota expires immediately.
• Hard limit
If any hard limit is exceeded (the sum of used and in_doubt is taken into account), the users in the group cannot create any new files or expand existing files in the corresponding file system until the number of files or disk space allocated is less than the limit.

Recommendation for users with a lot of small files

Users with applications that create a lot of relatively small files should reorganize the data by collecting these files within tar-archives using the

tar -cvf archive-filename ...

command. The problem is really the number of files (inodes) that have to be managed by the underlying operating system and not the space they occupy in total. On the other hand, please keep in mind the recommendations under File size limit.

How to share files by using ACLs?

ACLs (Access Control Lists) provide a means of specifying access rights on files. GPFS access control lists allow the definition of access rights for other users or groups.

## Create or change a GPFS access control list

mmeditacl <filename>

which will open the ACL-definition of <filename> with an editor.

Note that for this command to work the EDITOR environment variable must contain a complete path name, for example on JUQUEEN: export EDITOR=/usr/bin/vim

Example:
Set read and execute permission for user user1 and execute permission only for user2 on directory dir1:

 mmeditacl dir1
 .... (append 3 lines to the displayed lines) ....
 mask::r-x-
 user:user1:r-x-
 user:user2:--x-

Note that mask must have the maximum permission compared to any user permission of this ACL and that access must be granted to every directory in the hierarchy (esp. the home directory). The 4th character stands for the GPFS specific control permission.

When the file is saved, the following has to be answered:

mmeditacl: 6027-967 Should the modified ACL be applied? (yes) or (no)
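The mask rule from the note above can be checked before the ACL is applied. The following is an added example, not part of the original page: it reads an ACL in the text form shown above and reports every named entry that asks for a permission the mask lacks. The function name acl_over_mask is hypothetical, and treating named group entries like named user entries is an assumption.

```shell
#!/bin/sh
# Added example: check an ACL in the text form edited by mmeditacl.
# Reads the ACL from stdin (or from files given as arguments) and reports
# every named entry that asks for a permission the mask entry lacks.
acl_over_mask() {
    awk -F: '
        { gsub(/^[ \t]+|[ \t]+$/, "") }        # tolerate indented lines
        /^#/ || NF < 3 { next }                # comment lines, blanks
        $1 == "mask" { mask = $3; next }
        # Named user entries, as in the example above. Named group entries
        # are checked the same way (assumption, the page only shows users).
        ($1 == "user" || $1 == "group") && $2 != "" {
            n++; kind[n] = $1; name[n] = $2; perm[n] = $3
        }
        END {
            if (n == 0) exit 0                 # nothing for a mask to bound
            if (mask == "") { print "named entries but no mask entry"; exit 1 }
            bad = 0
            for (i = 1; i <= n; i++)
                for (p = 1; p <= length(perm[i]); p++) {
                    c = substr(perm[i], p, 1)
                    if (c != "-" && substr(mask, p, 1) != c) {
                        printf "%s:%s:%s exceeds mask %s\n",
                               kind[i], name[i], perm[i], mask
                        bad = 1
                        break
                    }
                }
            exit bad
        }
    ' "$@"
}
# Usage: mmgetacl dir1 | acl_over_mask
```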

## Which files have an access control list?

The command

ls -l

will show a "+" for every file that has an ACL set, e.g.

drwx------+ 2 user group 32768 Feb 21 09:25 dir1

## Delete a GPFS access control list

mmdelacl <filename>

or remove the added lines by mmeditacl.

## Apply a GPFS ACL recursively

Example:
To apply the ACL of dir1 to all files and directories below dir1, use:

 # assumes file names without whitespace
 for i in $(find dir1)
 do
 mmgetacl dir1 | mmputacl "$i"
 done

## Documentation

Please see the man pages or IBM documentation for further commands:

mmdelacl, mmgetacl, mmputacl