What is the policy for Virtual Machine support in CELS?
In CELS, we have defined two types of Virtual Machines (VMs): Fully Managed and Co-managed. This document outlines the configuration and management policy for each classification.
For all machines, support is provided during regular Argonne business hours. Issues arising outside those hours may be dealt with on a best-effort basis, but this is not guaranteed.
Fully Managed
These are standard CELS Linux builds. They use the GCE account system for authentication (managed at https://accounts.cels.anl.gov) and mount the CELS filesystems via NFS. Users may install software in userspace; software requiring administrative rights is installed by CELS Systems. Users do not get administrative privileges on these machines.
The following properties are part of a Standard GCE Linux VM:
- Built from a CELS Systems-established image/configuration.
- CELS Systems has root access to the machine.
- The end user does not have root/administrative rights on the machine.
- The machine is joined to the CELS LDAP and uses these accounts for login purposes.
- The one exception is the local administrative account, which is controlled by CELS Systems.
For more information, see our GCE pages.
Co-Managed
These VMs are used by divisional researchers who are comfortable handling some level of systems administration on their VM. The machines are moderately managed by CELS Systems; however, the end user retains administrative rights and can install software and updates on their own. Only researchers may request a VM of this configuration, and they must agree to the configuration below, as well as to any additional TMS training that may be triggered by their having administrative control over a networked Argonne machine. The following properties are part of a Co-managed VM:
- Built from a standard image/configuration.
- CELS Systems has root access to the machine.
- The end user also has root access to the VM.
- Windows VMs may be joined to the Argonne Active Directory, or otherwise use AD accounts for login purposes.
- A local administrative account on the VM is controlled by CELS Systems.
- The user may also have a local administrative account distinct from their AD account.
- Unless specifically requested and agreed upon beforehand, these VMs are not backed up.
- Data used by the VM should not live directly on the VM unless this is a specific requirement. Instead, separate data stores can be mounted on the VM for use. CELS Systems can back up such a data store if required.
- Mandatory endpoint management software (Eracent, Jamf Self Service) is installed as part of this build.
- Any inbound external network access to the host will have to be approved by CELS Systems and Argonne Cyber Security.
- Systems reserves the right to apply mandatory patches without warning when required.
- We cannot guarantee that such patches will not break existing custom applications or configurations.
- Systems reserves the right to remove network access/pause/shut down the VM when required.
Support Policy
What it means when we say Systems will support your VM
- For Co-managed VMs, as with any machine not under our direct control, the operator or other specified person is the primary point of support for the machine. If the primary point of support cannot solve the problem, Systems will work with the user/support contact to get it solved.
- We will do our best to solve any problem in a non-destructive manner. We will never intentionally erase any data without explicit permission from the user.
- After a reasonable amount of time trying to solve the problem, we may recommend any of the following as a solution: Reinstall the offending application, upgrade the Operating System, reinstall the Operating System, or completely rebuild the VM.
- In all cases, Systems cannot guarantee the recovery of a VM that has failed. Critical data and configurations should be saved in a location that is backed up.
What are your responsibilities as a VM Co-manager?
- If you self-administer your VM, keep it updated with the latest security patches for your operating system and installed software.
- When directed by Systems or Cyber to install urgent patches, do so in a timely manner.
- Do not install any applications you are unsure of without consulting Systems first.
- Inform Systems immediately if you believe the VM may be compromised.
- Inform Systems when the VM is no longer needed.