The User Access Service (UAS) manages User Access Instances (UAIs), which are containerized services under Kubernetes that provide application developers and users with a lightweight login environment in which to create and run user applications. UAIs run on non-compute nodes (NCN), specifically Kubernetes Worker nodes.
At a high level, there are two ways to configure UAS with respect to allowing users access to UAIs.
The standard configuration involves the use of Broker UAIs through which users establish SSH login sessions.
When a login session is established to a Broker UAI, the Broker UAI either locates an existing UAI or creates a new one on behalf of the user and forwards the user’s SSH connection to that UAI.
A legacy configuration requires users to create their own UAIs through the `cray` CLI.
Once a UAI is created in this way, the users can use SSH to log into the UAI directly.
The legacy configuration will soon be deprecated. Sites using it should migrate to the Broker UAI based configuration.
Once logged into a UAI, users can use most of the facilities found on a User Access Node (UAN) with certain limitations. Users can also use UAIs to transfer data between the Cray system and external systems.
By default, the timezone inside the UAI container is configured to match the timezone on the host NCN on which it is running. For example, if the timezone on the host NCN is set to CDT, the UAIs on that host will also be set to CDT.
Component | Function/Description |
---|---|
User Access Instance (UAI) | An instance of UAS container. |
`cray-uas-mgr` | Manages UAI life cycles. |

Container Element | Components |
---|---|
Operating system | SLES15 SP2 |
`kubectl` command | Utility to interact with Kubernetes. |
`cray` command | Command that allows users to create, describe, and delete UAIs. |
Administrative users use `cray uas admin uais list` to list the following parameters for all existing UAIs:
NOTE: The example values below are used throughout the UAS procedures. They are used as examples only. Users should substitute with site-specific values.
Parameter | Description | Example value |
---|---|---|
`uai_connect_string` | The UAI connection string | `ssh user@203.0.113.0 -i ~/.ssh/id_rsa` |
`uai_img` | The UAI image ID | `registry.local/cray/cray-uas-sles15sp1-slurm:latest` |
`uai_name` | The UAI name | `uai-user-be3a6770` |
`uai_status` | The state of the UAI. | Running: Ready |
`username` | The user who created the UAI. | user |
`uai_age` | The age of the UAI. | 11m |
`uai_host` | The node hosting the UAI. | ncn-w001 |
Authorized users in Legacy UAI Management use `cray uas list` to see the same information on all existing UAIs owned by the user (if any).
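The following Python sketch is an added example, not part of the original documentation: it audits a UAI listing using the fields from the parameter table above and flags UAIs with a mutable image tag, a status other than Running: Ready, or an age beyond a limit. It assumes the listing has been exported as a JSON list of records and that `uai_age` is a sequence of number/unit pairs such as `11m` or `3d4h`; the second sample record, the 24-hour limit, and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample: records carrying the fields from the parameter table
# above. That the listing is available as a JSON list is an assumption.
SAMPLE = json.dumps([
    {"uai_name": "uai-user-be3a6770", "username": "user",
     "uai_img": "registry.local/cray/cray-uas-sles15sp1-slurm:latest",
     "uai_status": "Running: Ready", "uai_age": "11m", "uai_host": "ncn-w001"},
    {"uai_name": "uai-alice-00000001", "username": "alice",
     "uai_img": "registry.local/cray/cray-uas-sles15sp1-slurm:1.2.3",
     "uai_status": "Waiting: ContainerCreating", "uai_age": "3d4h",
     "uai_host": "ncn-w002"},
])

_UNIT_MINUTES = {"s": 1 / 60, "m": 1, "h": 60, "d": 1440}

def age_minutes(age):
    """Convert an age such as '11m' or '3d4h' to minutes (format assumed)."""
    parts = re.findall(r"(\d+)([smhd])", age)
    if not parts or "".join(n + u for n, u in parts) != age:
        raise ValueError(f"unrecognized uai_age: {age!r}")
    return sum(int(n) * _UNIT_MINUTES[u] for n, u in parts)

def audit_uais(listing_json, max_age_minutes=24 * 60):
    """Return {uai_name: [findings]} for UAIs an administrator should review."""
    findings = {}
    for uai in json.loads(listing_json):
        notes = []
        # ':latest' (or no tag) can point at different image content over time.
        last = uai["uai_img"].rsplit("/", 1)[-1]
        tag = last.split(":", 1)[1] if ":" in last else ""
        if tag in ("", "latest"):
            notes.append("image tag is mutable")
        if uai["uai_status"] != "Running: Ready":
            notes.append(f"status is {uai['uai_status']!r}")
        if age_minutes(uai["uai_age"]) > max_age_minutes:
            notes.append("older than allowed age")
        if notes:
            findings[uai["uai_name"]] = notes
    return findings

if __name__ == "__main__":
    for name, notes in audit_uais(SAMPLE).items():
        print(name, "->", "; ".join(notes))
```
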
UAS is highly configurable and it is recommended that administrators familiarize themselves with, at least, the major concepts covered in the Table of Contents below before allowing users to use UAIs. In particular, the concepts of End-User UAIs and Broker UAIs, and the procedures for setting up and customizing Broker UAIs are critical to setting up UAS properly.
Another important topic, once administrators are familiar with setting up UAS to provide basic UAIs, is customizing the UAI image to support user workflows. At the simplest level, administrators will want to create and use a UAI image that matches the booted compute nodes. This can be done by following the Customize End-User UAI Images procedure.