ASAP3 : Data Access: Core FS

The Core Filesystem (/asap3/<facility|research group>/gpfs) is accessible via several methods.
Accessing the Core filesystem is only possible from within the DESY network (guest network and eduroam are external) and always requires a valid DESY account.

Access Methods

Native GPFS - via Maxwell

The Core filesystem is mounted on the Maxwell Analysis cluster. This is the fastest available solution for accessing the Core filesystem.
For more information about Maxwell, see Maxwell for Photon Science

SMB - For Windows, macOS and Linux users

For Windows, macOS and Linux users from Office networks, SMB is the recommended way to access the Core filesystem.

Linux desktop users should also access the Core filesystem via SMB, as it does not require any root permissions or configuration on the clients.
This is currently the only way to mount the Core filesystem on a DESY green desktop installation.

Each individual facility or research group has its own share:

FacilityPath on GPFSSMB Share Name

PETRA III

/asap3/petra3/gpfs

\\asap3.desy.de\petra3-core

FLASH

/asap3/flash/gpfs\\asap3.desy.de\flash-core
Special Instruments/asap3/spec.instruments/gpfs\\asap3.desy.de\spec.instruments-core
Research Groups
FS-FLASH-O/asap3/fs-flash-o/gpfs\\asap3.desy.de\fs-flash-o-core
FS-FLASH-B/asap3/fs-flash-b/gpfs\\asap3.desy.de\fs-flash-b-core
FS-DS-AGIPD/asap3/fs-ds-agipd/gpfs/\\asap3.desy.de\fs-ds-agipd-core
FS-DS-Percival/asap3/fs-ds-percival/gpfs/\\asap3.desy.de\fs-ds-percival-core
FS-PETRA/asap3/fs-petra/gpfs\\asap3.desy.de\fs-petra-core
FS-LA/asap3/fs-la/gpfs \\asap3.desy.de\fs-la-core
it-sci/asap3/it-sci/gpfs\\asap3.desy.de\it-sci-core
nanolab/asap3/nanolab/gpfs\\asap3.desy.de\nanolab-core
cfel-cmi/asap3/cfel-cmi/gpfs\\asap3.desy.de\cfel-cmi-core
FS-BMX/asap3/fs-bmx/gpfs\\asap3.desy.de\fs-bmx-core

Minimum Protocol Version

The SMB service only allows connections from machines, which implement SMB2 or higher.
SMB2 is available for recent Windows versions (Windows 7 and newer) and modern Linux distributions.
Some Linux tools might need additional configuration options to use SMB2, e.g. smbclient can be forced to use SMB2/3 by setting -m SMB3

Windows 7 EOL

Windows 7 has reached end of life on 2020-01-14 and no longer receives any security updates.
Access via SMB from Windows 7 hosts is therefore no longer supported.


See below for a manual on how to access the SMB share by mapping a network drive:

Windows 10 - Mapping a network drive
  1. Start the File Explorer
  2. Right click on Network and select Map network drive...
  3. Select the drive letter to which the share will be mapped and enter the share name you want to access

    For Windows machines administered by FS-EC, the drive letter U: is recommended.
  4. The share will be mapped and displayed in This PC, double click on the share to access the data.
  5. If you want to unmap the share, right click on the share and select Disconnect
macOS 10.15 and newer - Mapping a network drive

1. Start Finder and click on Go and select Connect to Server in the menu bar

2. In the next window, specify the SMB share name you want to access. You might need to replace backslashes with a forward slash.

3. Confirm that you want to connect to this SMB server

4. You will be prompted to authenticate, choose Connect As: Registered User and enter your DESY account and password and click connect

5. A new tab will open in the finder and you can now access the data from the Core filesystem. To unmount the filesystem, click on the eject button

Ubuntu 18.04 and newer - Mapping a network drive
  1. Open the Files or Nautilus application and click on + Other Locations
  2. Enter the SMB share prefixed with smb://, backslashes have to be converted to forward slashes
  3. Enter your DESY Account name and password
  4. The share has now been mapped and data can be accessed. To unmap the share, click on the eject button
  5. If you need to access the share from the CLI, look into /run/user/<your numeric userid>/gvfs/<share name>


    To display your numeric userid, use the id command.

NFSv4 - For Linux users

While SMB is still the recommended way to access the Core filesystem, certain use-cases require an NFS mount.

For this purpose, an NFSv4 export with and without Kerberos is available.

FacilityPath on GPFSNFS Export

PETRA III

/asap3/petra3/gpfs

asap3.desy.de:/asap3/petra3/gpfs

FLASH

/asap3/flash/gpfsasap3.desy.de:/asap3/flash/gpfs
Special Instruments/asap3/spec.instruments/gpfsasap3.desy.de:/asap3/spec.instruments/gpfs
Research Group
FS-FLASH-O/asap3/fs-flash-o/gpfsasap3.desy.de:/asap3/fs-flash-o/gpfs
FS-FLASH-B/asap3/fs-flash-b/gpfsasap3.desy.de:/asap3/fs-flash-b/gpfs
FS-DS-AGIPD/asap3/fs-ds-agipd/gpfsasap3.desy.de:/asap3/s-ds-agipd/gpfs
FS-DS-Percival/asap3/fs-ds-percival/gpfsasap3.desy.de:/fs-ds-percival/gpfs
FS-PETRA/asap3/fs-petra/gpfsasap3.desy.de:/asap3/fs-petra/gpfs
CFEL-CMI (KRB5 only)/asap3/cfel-cmi/gpfsasap3.desy.de:/asap3/cfel-cmi/gpfs
FS-BMX (KRB5 only)/asap3/fs-bmx/gpfsasap3.desy.de:/asap3/fs-bmx/gpfs


Restricted Mount Access

Access to the NFSv4 exports are either restricted by IP subnet or netgroups from LDAP.

For PETRA III, the following subnets are allowed to mount the Core filesystem with kerberos:

Subnet List for PETRA III
  • 131.169.38.0/24
  • 131.169.39.0/24
  • 131.169.45.0/24
  • 131.169.66.0/24
  • 131.169.221.0/24
  • 131.169.225.0/24
  • 131.169.232.0/24
  • 131.169.33.0/24
  • 192.168.138.0/24
  • 131.169.65.0/24
  • 192.168.132.0/22
  • 192.168.37.0/24
  • 192.168.56.0/22
  • @a3-petra3-core-krb5-hosts

For Special Instruments, the following subnets are allowed to mount the Core filesystem with kerberos:

Subnet List for Special Instruments
  • 131.169.38.0/24
  • 131.169.39.0/24
  • 131.169.45.0/24
  • 131.169.66.0/24
  • 131.169.221.0/24
  • 131.169.225.0/24
  • 131.169.232.0/24
  • 131.169.33.0/24
  • 192.168.138.0/24
  • 131.169.65.0/24
  • 192.168.132.0/22
  • 192.168.37.0/24
  • 192.168.56.0/22
  • @a3-spec.instruments-core-krb5-hosts

For FLASH, hosts in the LDAP netgroup a3-flash-core-krb5-hosts are allowed to mount the core filesystem.
To display the hosts, you can use ldapsearch on pal.desy.de: ldapsearch -x cn=a3-flash-core-krb5-hosts

For FS-FLASH-O, hosts in the LDAP netgroup a3-fs-flash-o-core-krb5-hosts are allowed to mount the core filesystem.
To display the hosts, you can use ldapsearch on pal.desy.de: ldapsearch -x cn=a3-fs-flash-o-core-krb5-hosts

For FS-FLASH-B, hosts in the LDAP netgroup a3-fs-flash-b-core-krb5-hosts are allowed to mount the core filesystem.
To display the hosts, you can use ldapsearch on pal.desy.de: ldapsearch -x cn=a3-fs-flash-b-core-krb5-hosts

For FS-BMX, hosts in the LDAP netgroup a3-fs-bmx-core-krb5-hosts are allowed to mount the core filesystem.
To display the hosts, you can use ldapsearch on pal.desy.de: ldapsearch -x cn=a3-fs-bmx-core-krb5-hosts

Mounting via NFSv4 with Kerberos

Mounting the Core filesystem via Kerberos requires root privileges on the client machine.

mount with krb5

mount -o nfsvers=4,sec=krb5,hard <NFS Export> <local mountpoint>

Example

mount -o nfsvers=4,sec=krb5,hard asap3.desy.de:/asap3/flash/gpfs /asap3/flash/gpfs

Additional configuration and a kerberos keytab is required on the client machine, the setup for this is out of scope for this documentation.

Due to the nature of Kerberos, access is only possible while you have a valid kerberos ticket. The ticket lifetime is usually limited to 24h. Afterwards, the ticket has to be renewed in order to access the data.
This is usually ok, but cumbersome for long running, non-interactive processes.

Mounting via NFSv4 without Kerberos

Mounting the Core filesystem without Kerberos requires root privileges. Due to the security implications for this type of mount, this must be explicitly requested, as the host will be included in a whitelist.
Please contact FS-EC (fs-ec@desy.de) in order to be included in the whitelist.

mount without krb5

mount -o nfsvers=4,sec=sys,hard <NFS Export> <local mountpoint>

Example

mount -o nfsvers=4,sec=sys,hard asap3.desy.de:/asap3/flash/gpfs /asap3/flash/gpfs

Additional configuration is required on the client machine, the setup for this is out of scope for this documentation.

Attachments:

finder_1.png (image/png)
finder_2.png (image/png)
finder_3.png (image/png)
finder_5.png (image/png)
ubu_1_edit.png (image/png)
ubu_2_edit.png (image/png)
ubu_3_edit.png (image/png)
ubu_4_edit.png (image/png)
ubu_5_edit.png (image/png)
win10_1_edit.png (image/png)
win10_2.png (image/png)
win10_3_edit.png (image/png)
win10_4_edit.png (image/png)
finder_2.png (image/png)
finder_3.png (image/png)