Vault Storage User Guide

Overview

RDS Vault storage can be accessed using a number of different protocols and services. These include:

  • Windows shares (SMB)
  • NFS
  • SFTP
  • rsync
  • Aspera
  • Globus

Once a Vault share has been mapped to a machine, it can be accessed similarly to local storage and will support standard actions like copying and deleting files. SFTP and rsync shares are usually accessed via the command line or through a client depending upon the operating system and user preferences.

Windows shares / SMB

SMB is widely used and shares can be mapped on most operating systems. Access is controlled by one or more secure access groups, each of which contains a list of authorised users. Access groups can be updated by group owners via Monash’s GroupAdmin Tool. Because users must enter their Monash account credentials when mapping a share, it is recommended that users only mount SMB shares on their own machines rather than on shared devices such as instrument PCs. If a share does need to be mounted on a shared machine, then the RDS team can provide support and determine the most appropriate options.

NFS shares

NFS is natively supported on Mac and Linux machines, but can also be used on some versions of Windows. NFS is often used on dedicated servers such as virtual machines (VMs) and shares are only accessible to devices with specific hostnames or IP addresses. Because NFS shares do not require user-based authentication, they are often used to make remote storage available to machines hosting services or web applications.

SFTP

SFTP (Secure File Transfer Protocol or SSH File Transfer Protocol) allows data to be managed over SSH. Once a secure connection has been established, data can be transferred between the Vault and another machine using SFTP or SSH-FS. SFTP is commonly used by Linux and Mac machines and also by the M3 HPC service. Linux and Mac machines natively support SFTP and the protocol can be accessed in Windows using a client application. Depending on the requirements, each user may have access to the entire share or only a specific path within the folder structure.

rsync

rsync is a command-line tool that runs natively on Linux and Mac but can also be used on Windows through client applications such as Cygwin. It is primarily used to replicate file and folder structures and to synchronise backup copies. Access to Vault shares is available using rsync over SSH; however, rsync modules (the rsync daemon protocol) are not currently supported.

rclone

rclone is similar to rsync and has the ability to perform multi-threaded writes as well as write directly to SMB shares. Writing directly via SMB (Vault or Market shares) avoids the need to mount the storage locally and may result in faster transfer speeds. The application is available for Windows, Mac and Linux from the rclone website or through package installers such as yum. rclone can be accessed on M3 HPC using module add rclone.

Accessing Vault Shares

The process for accessing Vault storage depends upon the storage type and the operating system being used. Note that NFS shares can be mounted on some versions of Windows such as Windows 10 and 11, but additional adjustments may be required. If NFS is required for a Windows device, please contact the RDS team.

Mapping Vault shares on Windows via SMB

  • Open the Windows Explorer.
  • Right-click on "Computer" on the left-hand side.
  • Select "Add a network location" and then click on "Next".
  • Select "Choose a custom network location" and then click on "Next".
  • Enter the provided URL (e.g. \\vault-v2.erc.monash.edu.au\<SomeShare>) and then click on "Next".
  • Enter your Monash ID and password (if prompted). Note that if you are not using a Monash SOE (Monash-supplied and configured) machine, you may need to add "MONASH" to your Monash username (e.g. MONASH\jsmith).
  • Enter a name of your choice, e.g. "RDS SomeShare" and click on "Next".
  • Review the information presented and then "Finish".
  • The newly-mapped share will then appear as a folder in the Windows Explorer.

Accessing Vault shares on Mac via SMB

  • Access the "Go" menu which is available at the top of the screen from the desktop.
  • Click on "Connect to Server".
  • Enter the provided URL (e.g. smb://vault-v2.erc.monash.edu.au/<SomeShare>) into the textbox.
  • Click on "Connect".
  • Enter your Monash ID and password details (if required) and click on "Connect". Note that if you are not using a Monash SOE (Monash-supplied and configured) machine, you may need to add "MONASH" to your Monash username (e.g. MONASH\jsmith).
  • The newly-mapped share will then appear as a folder in the Mac Finder.

Accessing Vault shares on Linux via SMB

Linux SMB Using X

  • The mapping process via X is essentially the same as Mac.

Linux SMB from the command line

  • SMB shares can be mapped using the "mount" command which uses the following syntax: mount -t cifs //vault-v2.erc.monash.edu/<SomeShare> /<LocalDirectory> -o user=<Username>,domain=MONASH,vers=3.0.
  • Note that each share needs to be mapped to a local directory (/<LocalDirectory> above) which should be created before the above command is used.
  • Enter your Monash password and press Enter.
  • Unless an error message is displayed, the share has been mapped properly and will be available via the nominated directory (/<LocalDirectory>).
  • The above command should work for most Linux distributions, but there are other commands that can be used such as smbmount. If you encounter any issues, please contact the RDS team.
  • Shares can be removed by using the following command: umount /<LocalDirectory>.

Mapping Vault shares on Windows via NFS

  • If NFS access on Windows is required, please contact the RDS team.

Accessing Vault shares on Mac via NFS

  • Access the "Go" menu which is available at the top of the screen from the desktop.
  • Click on "Connect to Server".
  • Enter the provided URL (e.g. nfs://vault-v2.erc.monash.edu:/<SomeShare>) into the textbox.
  • Click on "Connect".
  • The newly-mapped share will then appear as a folder in the Mac Finder.

Accessing Vault shares on Linux via NFS

Linux NFS Using X

  • The mapping process via X is essentially the same as Mac.

Linux NFS from the command line

  • NFS shares can be mounted using the "mount" command, which uses the following syntax: mount -t nfs vault-v2.erc.monash.edu:/<SomeShare> /<LocalDirectory>. (NFS uses the server:/path form; the leading "//" used for SMB does not apply here.)
  • Note that each share needs to be mapped to a local directory (/<LocalDirectory> above) which should be created before the above command is used.
  • Unless an error message is displayed, the share has been mapped properly and will be available via the nominated directory (/<LocalDirectory>). If you encounter any issues, contact the RDS team.
  • Shares can be removed by using the following command: umount /<LocalDirectory>.

Accessing Vault shares via rsync or SFTP

An SSH key is required in order to gain access to a Vault share via rsync or SFTP. If you don't have an SSH key, see "Creating SSH Keys" below. Once you have an SSH key, email the RDS team, provide the share name and the Monash ID that should be granted access, and attach your public SSH key.

For users that need to browse content from their desktops, at least two GUI clients (FileZilla and WinSCP, detailed below) are known to work effectively. This approach is generally good enough to support browsing folder structures and uploading/downloading desktop files. Users of wireless connections should take their connection speed into account when moving large quantities of data.

Additional steps need to be performed by the RDS Team in order to ensure that Vault shares appear correctly when they are accessed via SFTP or rsync. The owner of the storage allocation should contact the RDS team in order to enable access for each new account. By default users are generally granted access to the entire share, but access can be restricted to a specific sub-folder tree within the fileset if preferred. Please ensure that the sub-folder already exists if restricted access is required and that the full path is specified. The SFTP/rsync service on the Vault runs within a captive shell and, as such, attempting an interactive SSH command-line session will not function as expected. It is therefore important to use the correct protocol and the recommended clients.

Security restrictions implemented on the Vault storage include an authentication failure lockout (Fail2Ban) that may be triggered by the user's client presenting a series of bad passwords, or offering multiple SSH keys when none have been set up for the account.

While off campus, Monash users are required to use SSH keys and/or the Monash VPN.

For routine and repeated access from beyond the Monash domain, external users need to have their site's explicit IP address added to the "White List" of permitted sites. The Owner/PI of the storage allocation should contact the RDS team to enable this.

FileZilla

Setting    Value
Protocol   SFTP
Host       vault-v2.erc.monash.edu
Port       22
User       MONASH\<MonashID>

WinSCP

File protocol:  SFTP
Host name:      vault-v2.erc.monash.edu
Port number:    22
User name:      MONASH\<MonashID>
Password:       <SSH key>

Linux Command Line

Users with SSH access to Linux hosts, including the M3 DTN and login nodes or NeCTAR VMs, can use the command line interactively to launch SFTP or rsync applications and use scripts to archive, locate and recall large quantities of data. These methods have slightly different syntax depending on the OS version of Linux.

The SFTP/rsync service on the Vault runs within a captive shell and, as such, attempting an interactive SSH command-line session on Vault WILL NOT work as you expect. Users should keep to the requested protocol.

There are issues around the use of the backslash character as part of the MONASH domain declaration because the backslash is also used as a text escape character. There are examples below that use one, two and even three backslash characters in a row to get the desired folder/file path interpreted properly.

Linux SFTP application command line examples

Note that because the required separator between the MONASH domain and the account name is a backslash "\", it is necessary to escape this for the terminal.

Start SFTP session with the Vault

(requires two backslashes MONASH\\<MonashID>)

LocalHost:~ $ sftp MONASH\\<MonashID>@vault-v2.erc.monash.edu

SFTP put data to Vault from M3 login or dtn node

sftp> put <local-files> /home/MONASH\\<MonashID>/<share>/vault/<path>/

SFTP get data from Vault to M3 login or DTN node

(requires three backslashes MONASH\\\<MonashID>)

sftp> get /home/MONASH\\\<MonashID>/<sharename>/vault/<path>/

Using SSH Keys

Accounts created for SFTP and rsync on the Vault should be accessed through the use of SSH keys.

SSH keys have a number of advantages and are considered to be more secure than passwords.

In particular, SSH keys allow you to run scripts on your local terminal that will speed up repetitive actions.

Creating SSH Keys

Users should generate a specific key pair (public and private), e.g. ssh-keygen -t rsa

The public key (e.g. id_rsa.pub) is to be placed in the authorized_keys file in the .ssh folder in their account's home directory. That allows login and use of any collection they have linked using the corresponding undisclosed private key.

The authorized_keys file in the .ssh folder of the user's home directory is a special case that can be uploaded and downloaded by the user for their autonomous management of secure public keys.

Start SFTP session with the Vault

LocalHost:~ $ sftp MONASH\\<MonashID>@vault-v2.erc.monash.edu

SFTP get current authorized_keys file

sftp> cd .ssh
sftp> pwd
Remote working directory: /home/MONASH\<MonashID>/.ssh
sftp> ls

authorized_keys

sftp> get /home/MONASH\\<MonashID>/.ssh/authorized_keys
Fetching /home/MONASH\<MonashID>/.ssh/authorized_keys to authorized_keys
/home/MONASH\<MonashID>/.ssh/authorized_keys 100% 403 194.0KB/s 00:00

SFTP put updated current authorized_keys file

sftp> cd .ssh
sftp> pwd
Remote working directory: /home/MONASH\<MonashID>/.ssh
sftp> ls

authorized_keys

sftp> put authorized_keys

Uploading authorized_keys to /home/MONASH\<MonashID>/.ssh/authorized_keys

authorized_keys 100% 403 310.9KB/s 00:00

If you are unable to access your home directory and .ssh folder, your public key should be emailed in plain text or uploaded as an attachment to RDS Support either through an existing ticket in Freshdesk or via the Data Dashboard Support Ticket function.

Linux rsync Examples

  • Push to Vault using rsync (generic, requires two backslashes MONASH\\<MonashID>)

rsync -aHWv --stats --progress /<local-folder-path>/ MONASH\\<MonashID>@vault-v2.erc.monash.edu:<sharename>/vault/<path>

  • RSync Push to Vault from QNAP

rsync -aHWv --stats --progress /share/CACHEDEV1_DATA/ MONASH\\sdar0001@vault-v2.erc.monash.edu:sensilab/vault/

  • RSync Pull from Vault to QNAP

rsync -aHWv --stats --progress MONASH\\sdar0001@vault-v2.erc.monash.edu:sensilab/vault/sensiLab/Media/Photo/SensiLab/RawMedia/2018_09_27/ /share/CACHEDEV1_DATA/Public/Restored/

  • RSync Pull from Vault to m3-dtn

rsync -aHWv --stats --progress MONASH\\sdar0001@vault-v2.erc.monash.edu:sensilab/vault/sensiLab/Media/Photo/SensiLab/RawMedia/2018_09_21/ /scratch/rdsmtest/2018_09_29

  • Using rsync with ssh key pairs

rsync -aHWv -e "ssh -i /home/ubuntu/.ssh/id_rsa" --stats --progress /<local-folder-path>/ MONASH\\<MonashID>@vault-v2.erc.monash.edu:<sharename>/vault/<path>

Example: rsync -aHWv -e "ssh -i /home/ubuntu/.ssh/id_rsa" rsynctest MONASH\\dlam@vault-v2.erc.monash.edu:BMH-archive/vault/<path>

Accessing Vault shares using SSH Keys

Users with SFTP or rsync shares on Vault-v2 can request access to their shares through the use of SSH keys. SSH keys can be used to authorise access to Vault shares and can be used in place of Monash ID and password authentication, which is useful for things like cronjobs or scripts which need to run without any user interaction.

  • Vault-v2 SSH key access configuration setup

When access to the Vault service via SSH key is requested, the following should be noted:

  1. The account you use to login to Vault-v2 must have an associated home directory in order that you can log in and see the home directory contents. Your home directory is not a location to which you can write directly like your Vault share.
  2. A link to the requested share is placed in your home directory, so you can use the same account and any valid key contained therein for several shares.
  3. The configuration is replicated to the four nodes of the cluster, so even if your session is load-balanced for performance it will work normally.
  4. The account used must have rights to the share and root must be a member of the secure access group (RDS-$group-vault) that has rights to the share. Accounts can be added using the Group Admin tool by Owners on the Group.
  5. Changes to the Vault configuration (e.g. new shares and new users) require the service to restart and all shares are automatically re-linked (using bind) to the home directories that they are configured to access. This may interrupt a session in progress so we recommend planning ahead.
  • Process

The first step is to generate an SSH key pair (public and private) if one does not already exist. One method is to use the command-line tools in Linux/Mac (ssh-keygen -t rsa), but there are other methods. Once generated, the public key (e.g. id_rsa.pub) must be added to the authorized_keys file in the .ssh folder in the relevant account's home directory. Doing so will allow users to log in and access any collection that has been linked to the corresponding key and upload/download data through the use of autonomous secure public key management. The SFTP steps for retrieving and updating the authorized_keys file, and the rsync examples that use an SSH key pair, are shown under "Using SSH Keys" and "Linux rsync Examples" above.

rsync interaction with SMB and NFS shares

Owing to the way that permissions are managed on the Vault filesystems, there are edge cases where data written via one protocol cannot be read by another. The most common case is data written over a Windows fileshare that then causes problems when read via rsync(1). Folders can end up being created with Unix permissions "000", making them unreadable and unwritable. A workaround is to use the following rsync options to force the permissions on the destination:

--no-p --no-g --chmod=ugo=rwX

(for detailed explanation search for "--perms" in the rsync(1) man page)
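The following shell script is an added example and is not part of this guide. It shows what the shell actually passes to sftp/rsync for the MONASH\<MonashID> user string under each quoting style discussed in the backslash notes above, and it assembles the guide's rsync push/pull command together with the --no-p --no-g --chmod=ugo=rwX workaround for "000" folders. The key path and the pull/push arguments are assumed placeholders; the script only prints the command so it can be inspected before use.

```shell
#!/bin/sh
# Added example, not part of the RDS Vault guide.
# (a) What the shell delivers to sftp/rsync for MONASH\<MonashID> under
#     each quoting style (the sftp> prompt then applies its own backslash
#     handling on top, which is why in-session paths need an extra one).
# (b) A helper that assembles the guide's rsync command, including the
#     permission workaround for folders that arrived via SMB as mode 000.

# Three spellings that all deliver a single backslash to the program.
unquoted_user() { printf '%s' MONASH\\"$1"; }      # typed as MONASH\\jsmith
dquoted_user()  { printf '%s' "MONASH\\$1"; }       # typed as "MONASH\\jsmith"
squoted_user()  { printf '%s' 'MONASH\'"$1"; }      # typed as 'MONASH\jsmith'

# The common mistake: a single unquoted backslash is eaten by the shell, so
# the server sees MONASHjsmith, authentication fails, and repeated failures
# count towards the Fail2Ban lockout described in the guide.
pitfall_user() { printf '%s' MONASH\jsmith; }

# Remote spec used by the guide: MONASH\<id>@host:<share>/vault/<path>
vault_remote() {
    printf '%s' "MONASH\\$1@vault-v2.erc.monash.edu:$2/vault/$3"
}

# Assemble the rsync command, one argument per line, without running it.
# $1 direction (push|pull), $2 MonashID, $3 share, $4 remote path,
# $5 local path, $6 private key file (assumed placeholder path).
vault_rsync_cmd() {
    dir=$1; id=$2; share=$3; rpath=$4; lpath=$5; key=$6
    remote=$(vault_remote "$id" "$share" "$rpath")
    # --no-p/--no-g plus --chmod=ugo=rwX is the guide's fix for 000 folders
    # created through an SMB share that rsync could otherwise not traverse.
    set -- rsync -aHWv --stats --progress \
        --no-p --no-g --chmod=ugo=rwX \
        -e "ssh -i $key"
    if [ "$dir" = push ]; then
        set -- "$@" "$lpath" "$remote"
    else
        set -- "$@" "$remote" "$lpath"
    fi
    printf '%s\n' "$@"
}

# Usage: print the argument vector so it can be checked before running it.
vault_rsync_cmd pull jsmith sensilab Media/Photo /scratch/restore ~/.ssh/id_rsa
```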

NCI rsync transfers

Due to security restrictions, external SFTP/rsync is only possible from specifically allowed hosts. The following hosts at NCI are in the allow list and should be able to connect to the vault:

gadi.nci.org.au
gadi-dm.nci.org.au

The information we have from NCI is that "In order for users to access the copyq they will need to submit an interactive job on the copyq nodes. They will then have the time limit they set on the job, up to 10 hours".

Accessing Vault shares via rclone

rclone can be used to copy files to and from Vault storage without requiring the storage to be mounted. It is available for Windows, Mac and Linux platforms either through the local package manager or from https://rclone.org. M3 HPC users should use it from one of the m3-dtn systems and access it via module add rclone. Configuration and use is via the command line; a typical configuration is generated with the command rclone config create vault smb --all and then answering the following prompts. Note that the options "port" and "spn" can be left at their defaults, and that your Monash account name and password should be used.

Option host.
SMB server hostname to connect to.
E.g. "example.com".
Enter a value.
host> vault.erc.monash.edu
Option user.
SMB username.
Enter a string value. Press Enter for the default (fred).
user> jsmith

Option pass.
SMB password.
Choose an alternative below. Press Enter for the default (n).
y) Yes, type in my own password
g) Generate random password
n) No, leave this optional password blank (default)
y/g/n> y
Enter the password:
password:
Confirm the password:
password:

Option domain.
Domain name for NTLM authentication.
Enter a string value. Press Enter for the default (WORKGROUP).
domain> MONASH

[market]
type = smb
host = vault.erc.monash.edu
user = jsmith
pass = *** ENCRYPTED ***
domain = MONASH

The fileshares can then be accessed via commands such as rclone lsf vault:Share-Name, e.g. rclone ls market:R-Eng-xyz or rclone copy vault:Cat-Videos/Experiment1 /<LocalDirectory> (rclone copy requires both a source and a destination).