Summary
Two major changes to the Open Computing Facility (OCF) will be made during the next five months as Livermore Computing (LC) moves toward supporting a Livermore Valley Open Campus:
- Improve external access to the OCF, including allowing Sensitive Country Foreign National (SCFN) users.
- Move a subset of the OCF computing resources into a new Restricted Zone (RZ) dedicated to computing work that uses restricted files requiring additional computer security controls. The remaining OCF computing resources will be within the Collaboration Zone (CZ).
For CZ users:
- Most existing OCF resources will remain the same.
- External access to CZ systems will no longer require VPN.
- Access from CZ systems back to LLNL desktop networks will be restricted. (See the Enclave FAQ for specific details on these restrictions.)
- Desktops will no longer be able to mount LC file systems (/g, /usr, etc.)
For RZ users:
- RZ will contain a small, limited number of clusters.
- Access to Lustre and storage will exist with some restrictions.
- Access will require special approval.
- Access will require additional authentication through a gateway host.
Information
Collaboration is a key element of the Laboratory’s strategic plans, and LC facilities will play a major role in enabling collaboration with external partners. New collaborations and programs vital to the growth of LLNL necessitate a new set of technical workforce and network performance requirements. To address and support these requirements, a new model for accessing unclassified LC resources is being deployed. LC will remove its OCF resources from the LLNL Enterprise Network (known as the yellow network) and redeploy them into an independent, three-zone HPC Enclave.
HPC Enclave Design
The CZ (Collaboration Zone) will contain most of the current OCF computing platforms and will continue to serve the majority of LLNL OCF users. The RZ (Restricted Zone) will contain a number of smaller systems serving a subset of the LC user community. The shared Infrastructure Zone (IZ) will contain resources shared by both the CZ and RZ and include the Lustre file systems and OCF storage. Separate unique and independent home directories and /nfs/tmp2 file systems will be deployed in both the CZ and RZ.
Current OCF users will be given accounts on CZ systems and will continue to have full access to the services provided by systems in the IZ. Users with programmatic need to access the RZ will be granted accounts on RZ systems.
The systems to be deployed in each zone are listed below. The date (subject to change) listed next to each RZ system is when that system will be renamed and given an RZ IP address. The new names of the RZ systems will be the current name prefixed by the letters ‘rz’ (e.g., edgelet will be renamed to rzedgelet).
| Collaboration Zone | Infrastructure Zone | Restricted Zone |
|---|---|---|
| /g CZ home directories | OCF storage | /g RZ home directories |
| /nfs/tmp2 | Shared NFS directories | /nfs/tmp2 |
| Sierra | lscratcha | Edgelet (5/17) |
| uBGL | lscratchb | Stagg (5/24) |
| Hera | lscratchc | Thriller (5/24) |
| Atlas | lscratchd | Dawndev (6/7) |
| Ansel | gscratchc | Zeus (TBD) |
| Aztec | Slic (TBD) | |
| Prism | Alastor (TBD) | |
| Edge | Aker (TBD) | |
| Hive | ||
| uDawn | ||
| Oslic |
Schedule
The HPC Enclave will be created in three phases:
- The installation of the Enclave has already begun and will continue through June 29. Network and system changes are being made, and the community of users requiring access to the RZ is being identified.
- All zones will be enabled and the access rules to each zone will be enforced on August 30.
- New collaborators (including SCFNs) will be added on CZ systems beginning October 4.
Zones in the HPC Enclave will have policies and protection measures appropriate to the sensitivity of the data that can be accessed. For CZ users, SSH with PIN and OTP will be required. (VPN will no longer be required for remote access to CZ systems.) RZ access through a new gateway system will require an additional, alternative authentication method.
Users should take note of the following important dates. Because of the complexity of the deployment of the Enclave, these dates are subject to change.
| May 17 | RZ systems begin to be renamed and given new IP addresses. |
|---|---|
| June 28 | Mounting of LC file systems (e.g., home directories, /g/g*, /usr/*) to non-LC systems disabled. |
| August 30 | Enclave zone access enforced: VPN no longer required to access CZ systems, and access to RZ systems will be through the RZ gateway. |
| October 4 | SCFNs allowed to access CZ systems. |
The LC Hotline and the Web site at https://lc.llnl.gov/enclave/ will be the primary source of information concerning the HPC Enclave. An Enclave FAQ will be posted at https://lc.llnl.gov/enclave/, and additional detailed documentation will be provided. LC staff members are also available to meet with individual groups of users to explain the impact of the Enclave and to answer your questions. If you would like to schedule a meeting, please contact Tim Fahey at fahey2@llnl.gov
PDF of TB465 for download and distribution.