Administrator guide

Welcome to the systems administrator guide to the ELIXIR Cloud. Whether you would like to onboard your data or compute center, set up your own GA4GH-based cloud or simply play around with our compute and storage solutions, this is the right place to get you off the ground.

General deployment notes

Most of our services (see our GitHub organization for a comprehensive list) come with Helm charts for deployment on Cloud Native infrastructure and Docker Compose configurations for testing/development deployments. If you do not have experience with these technologies, please find some brief primers with references to additional documentation below.

Using Helm

Helm is an IaC tool that is described as the "package manager for Kubernetes". It allows the management of the lifecycle of a Kubernetes application, i.e., its deployment, configuration, upgrade, retiring, etc. Applications ara packaged into "Charts". Using Helm Charts allows us to version control an application and therefore follow its evolution over time, make identical copies (e.g., development, staging, production), make predictable upgrades, and share/publish the application.

Some useful Helm commands to manage a Chart are:

helm create: Create a Helm Chart
helm install: Install an application
helm upgrade: Upgrade an application
helm uninstall: Uninstall an application

Using Docker Compose

Most of our services provide a Docker Compose configuration file for easy deployment of the software on a local machine. If the Docker Engine and Docker Compose are already installed on your system, it is as simple as cloning the service's Git repository, changing into the folder where the Docker Compose file resides (typically docker-compose.yml in a repository's root directory) and running the following:

docker-compose up -d

Non-standard name or location of config file

The command will be different if the Docker Compose config file is not in the current working directory and/or is not called docker-compose.yml.

This will bring the service up. The argument -d (or --detach) starts the app in daemonized mode, i.e., all launched containers that compose creates run in the background.

In order to stop the deployment, simply run:

docker-compose down

Onboarding your compute center

Follow the instructions below to onboard your compute node with the ELIXIR Cloud. Afterwards, your compute cluster will be accessible through the GA4GH Task Execution Service (TES) API and, optionally, available in the ELIXIR Cloud compute network.

Deploying compute

Depending on whether you have a Native Cloud cluster or an HPC/HTC, you will need to follow the instructions for deploying TESK or Funnel below, respectively.

Deploying TESK

TESK uses the Kubernetes Batch API (Jobs) to schedule execution of TES tasks. This means that it should be possible to deploy TESK in any flavor of Kubernetes, but tests are currently only performed with Kubernetes, OpenShift, and Minikube. Follow these instructions if you wish to deploy a TES endpoint on your Native Cloud cluster, and please let us know if you deploy TESK in any new and interensting platform.

TESK currently does not use any other storage (DB) than Kubernetes itself. Persistent Volume Claims are used as a temporary storage to handle input and output files of a task and pass them over between executors of a task. Note that PVCs are destroyed immediately after task completion! This means your cluster will need to provide a ReadWriteMany StorageClass. Commonly used storage classes are NFS and CephFS.

Here is an overview of TESK's architecture:

A Helm chart is provided for the convenient deployment of TESK. The chart is available in the TESK code repository.

Follow these steps:

Install Helm

Clone the TESK repository:

git clone https://github.com/elixir-cloud-aai/TESK.git

Find the Helm chart at charts/tesk
Edit file values.yaml (see notes below)
Log into the cluster and install TESK with:

helm install -n TESK-NAMESPACE TESK-DEPLOYMENT-NAME . \
  -f secrets.yaml \
  -f values.yaml

Replace TESK-NAMESPACE with the name of the namespace where you want to install TESK. If the namespace is not specified, the default namespace will be used.
The argument provided for TESK-DEPLOYMENT-NAME will be used by Helm to refer to the deployment, for example when upgrading or deleting the deployment. You can choose whichever name you like.

You should now have a working TESK isntance!

Notes for editing chart values

In the TESK deployment documentation documentation there is a description of every value. Briefly, the most important are:

host_name: Will be used to serve the API.
storageClass: Specify the storage class. If left empty, TESK will use the default one configred in the Kubernetes cluster.
auth.mode: Enable (auth) or disable (noauth; default) authentication. When enabled, an OIDC client must be in a file ./secrets.yaml, with the following format:

auth:
    client_id: <client_id>
    client_secret: <client_secret>

ftp: Which FTP credentials mode to use. Two options are supported: .classic_ftp_secret for basic authentication (username and password) or .netrc_secret for using a .netrc file.

For the classic approach, you must write in values.yaml:

ftp:
    classic_ftp_secret: ftp-secret

And in a file .secrets.yaml write down the username and password as:

ftp:
    username: <username>
    password: <password>

For the .netrc approach, create a .netrc file in the ftp folder with the connections details in the correct format.

clusterType: Type of Kubernetes flavor. Currently supported: kubernetes (default) and openshift.

Careful

When creating a .secrets.yaml file, ensure that the file is never shared or committed to a code repository!

Deploying Funnel

Follow these instructions if you wish to deploy a TES endpoint in front of your HPC/HTC cluster (currently tested with Slurm and OpenPBS.

Make sure the build dependencies make and Go 1.11+ are installed, GOPATH is set and GOPATH/bin is added to PATH.

For example, in Ubuntu this can be achieved via:

sudo apt update
sudo apt install make golang-go
export GOPATH=/your/desired/path
export PATH=$GOPATH/bin:$PATH
go version

Clone the repository:

git clone https://github.com/ohsu-comp-bio/funnel.git

Build Funnel:

cd funnel
make

Test the installation by starting the Funnel server with:

funnel server run

If all works, Funnel should be ready for deployment on your HPC/HTC.

Slurm

For the use of Funnel with Slurm, make sure the following conditions are met:

The funnel binary must be placed in a server with access to Slurm.
A config file must be created and placed on the same server. This file can be used as a starting point.
If we would like to deploy Funnel as a Systemd service, this file can be used as a template. Set the correct paths to the funnel binary and config file.

If successfull Funnel should be listening on port 8080.

OpenPBS

Under construction

More info coming soon...

Deploying storage

Follow the instructions below to connect your TES endpoint to one or more ELIXIR Cloud cloud storage solutions. The currently supported solutions are:

MinIO (Amazon S3)
vsftpd (FTP)

Deploying MinIO (Amazon S3)

In order to deploy the MinIO server, follow the official documentation. It is very simple

If you are deploying Minio to OpenShift, you may find this Minio-OpenShift template useful.

Deploying `vsftpd` (FTP)

There are a lot of guides available online to deploy vsftpd, for example this one. There are only two considerations:

It is required to activate secure FTP support with ssl_enable=YES.
For onboarding with the ELIXIR Cloud, currently the server should have one account with a specific username and password created. Please contact us for details.

Registering your TES service

We are currently working on implementing access control mechanisms and providing a user interface for the ELIXIR Cloud Registry. Once available, we will add registration instructions here. For now, please let us know about your new TES endpoint by email.

Custom cloud deployments