Information about annoying subtleties of IT services in the institute

Overview

IT constantly tries to hide complexity in its resources and infrastructure from you. E.g. you most likely do not care about the type of hard disks being used in institute file servers. However, sometimes those details cannot be hidden from users - a fact that you'll notice in the form of unpleasant properties of institute infrastructure. Those properties tend to be counterintuitive. This page will try to shed some light on those.

Storage management

Why is there not just a big folder which all the data can be put into?


There are two reasons:

Scalability: Data within the institute is kept by storage services that consist of connected clusters of file servers. StorageUnified is the one currently in production, Afs is the legacy storage system. Data is kept on different servers as "storage blocks" - independent directory trees. The directory trees can be found in /data and /afs/cbs.mpg.de/projects. Here are some facts about storage management:
  • There is a physical limit to the amount of data a file server can store. Manpower for storage management depends on storage per server and has a global minimum. We found the sweet spot to be somewhere between 100 Terabyte and 1 Petabyte per server - at this time.
  • Any single storage block cannot be bigger than one file server. Since several research groups already handle data amounts larger than a file server, it's already mandatory to use a storage block concept and split the data up.
  • When a file server is in danger of being filled up, some storage blocks have to be moved to other servers.
  • Moving storage blocks between servers means downtime for the respective blocks and sometimes strange effects on computers accessing data that's on the move.

The next paragraph is related to this one and worth a read.

I just need some storage. Why the bureaucracy?


There are three main reasons:

Association:

Data has to be "owned" by some entity because from IT's perspective data is never deleted - it just grows. But storage systems exist in physical reality and cannot grow indefinitely which means data has to be removed at some point. To be able to remove or archive data later, IT has to have additional information (a.k.a. Metadata) which is provided at the storage block level upon the request for creation.
  • p-Storageblocks: This type is the workhorse of the institute. Most research data resides here. "p" stands for "permission groups" and means that separate lists of users with read, write and administrative permissions are attached to each storage block. When all those lists are empty (e.g. because all the users left the institute), the data is removed.
  • User-associated: When the user leaves the institute, these storage blocks are removed without further notice. There's a two week grace period.
  • Group-associated: When the group is dissolved, these storage blocks are removed.

Scalability:

In order to provide services for a lot of researchers, IT needs to automate a lot of things. There are several thousand storage blocks in the institute. A lot of them require specific treatment (automatic backup, automatic archiving, automatic deletion after person X leaves the institute, ...). A model for managing this data is required. Placing a storage block outside of this model's scope means that IT can no longer rely on automated procedures, which means manual intervention. This doesn't scale in light of a very small IT crew.

Protection classes

Each piece of data is assigned a Protection class. In an ideal world, all data would get maximum protection and unlimited revision control. However, protection requires resources which are limited.

This limitation is mostly visible in the split storage concept of research data: The pt_ storage block gets performance priority on the server side which makes it faster. The p_ storage block is copied to another server every night.

This means: You should write intermediate results to pt_ and store important stuff on p_. Make use of symbolic links in pt_ to e.g. point to raw data in p_.

Why can't I see my storage blocks in /data on Linux?


The StorageUnified base folder /data is not a regular folder - it's a program (an "Automounter") that just looks like one. This is how you enter a data folder:
  1. You want to go to a storage block (e.g. pt_12345). If you do not know the name, type this command:
    user@host > mydata
    to get a list of all storage blocks you have access to.
  2. Change into the folder manually by either
    • using this command:
      user@host > cd /data/pt_12345
    • or hitting [Ctrl]+L in your file manager and entering /data/pt_12345 there.
  3. The storage block magically appears as a folder and will stay there as long as it's being used.
  4. When a storage block is not being used for 10 minutes, the respective folder will disappear again.

Why?:
  • There are thousands of storage blocks. This way, you'll see only the ones that users on the respective computer are working with.
  • Some programs (e.g. file managers) tend to scan through all folders they see. There are over a billion files in the /data storage blocks!

Hints:
  • It's good practice to put important storage block folders into your file manager's bookmark list.
  • You'll see all storage blocks that are being used by people on the given computer. Don't worry about that. This doesn't affect permission enforcement.


I need more storage. Why am I asked "For how long?"?


There's a common misconception about data storage: It is a process - not a product. Effort is necessary that is proportional to storage size multiplied by time. It is not proportional just to the storage size. This effort consists of:
  • testing and replacing hard disks
  • moving data between servers to make room
  • repairing servers
Compare it to your electrical connection at home: You don't pay for the thickness of the utilities' cable to your flat but for the power you consume - even if the maximum power is limited by how big the cable is.

Why are there storage limits everywhere? If storage runs out, why not just plug another external hard disk to the server?


(The "why" for eMail storage is a separate question.)

Why limits?:
  1. The institute only has limited physical space, power lines and cooling capacity for servers.
  2. To buy IT time when a server runs out of storage. A single storage block on a file server hitting its quota limit is not a problem. However, a file server hitting its physical storage limit is a very serious issue.
  3. To protect users from each other. Users only have to watch their respective storage blocks' storage limit - not the file servers'. No user without write permissions on a given storage block can exhaust the respective storage block's space, which means: You'll not suffer from another user's careless use of storage if he/she is not related to you (e.g. by working on the same research project).

Why not just add a USB hard disk to one of the servers?:
  1. File server storage in the institute is a high quality service (Level 1 or higher). All the hard disks in the world fail at some point. Data on file servers always resides intertwined on multiple redundant hard disks to protect data from being affected by broken hard disks. Free space cannot be extended by a single disk while keeping the storage quality IT guarantees. Storage could be increased by adding 8 disks at once but to save maintenance time, IT always adds 40 or 88 disks at once (which equals one file server).
  2. External hard drives are slower, less reliable, and cannot be operated in close proximity to each other. Plus they need two specific sockets each.
    Nobody does that. Economy of scale dictates using servers with internal hard disks.
  3. (BTW: Yes, IT was asked that question once.)


What is "apparent" data volume? OR: I have a lot of very small files with little actual data volume. Why do I hit the storage limit anyway?


Storage is managed in blocks for performance reasons. Common block sizes are 4kiB, 1kiB or 512 Byte. This means that the smallest possible file containing any data (1 Byte) requires at least one block of storage. This is usually not a problem. But as soon as a lot of very small files are to be stored, the difference between net storage volume and the actual storage requirement tends to increase dramatically. Since your AnnoyingItDetails keeps track of the used storage, you might hit its limit counterintuitively early when handling lots of small files.

Solution:
  • Avoid keeping lots of small files.
  • Consider putting collections of small files into archives (.zip, .tgz, .7z, ...).
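
The effect described above, as an added Python example that is not part of the original page: it computes net volume versus block-rounded storage for many small files and measures a real directory the same way. The file count and file sizes are constructed sample values, and the single-archive figure ignores archive headers and compression.

```python
import os


def allocated_bytes(size, block_size=4096):
    """Bytes a file of `size` bytes occupies when space is handed out in whole blocks."""
    blocks = -(-size // block_size)          # ceiling division
    return blocks * block_size


def summarize(sizes, block_size=4096):
    """Net volume versus block-rounded requirement for a collection of file sizes."""
    net = sum(sizes)
    allocated = sum(allocated_bytes(s, block_size) for s in sizes)
    return {"files": len(sizes), "net": net,
            "allocated": allocated, "wasted": allocated - net}


def scan_tree(root):
    """Measure a real directory: file sizes versus what the file system reports as used."""
    seen = set()
    files = net = allocated = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            st = os.lstat(os.path.join(dirpath, name))
            if (st.st_dev, st.st_ino) in seen:   # hard link to a file already counted
                continue
            seen.add((st.st_dev, st.st_ino))
            files += 1
            net += st.st_size
            allocated += st.st_blocks * 512      # st_blocks counts 512-byte units
    return {"files": files, "net": net, "allocated": allocated}


if __name__ == "__main__":
    sizes = [200] * 100_000                      # constructed: 100,000 files of 200 bytes
    for block in (4096, 1024, 512):              # block sizes named in the text
        print(block, summarize(sizes, block))
    # The same data packed into one uncompressed archive (headers ignored).
    print("one archive:", allocated_bytes(sum(sizes)))
    print("current directory:", scan_tree("."))
```

With 4 KiB blocks the 20 MB of sample data occupy about 410 MB as individual files, but barely more than 20 MB as a single archive.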


Why is my home directory so small?


Rule of thumb: Do not store useful data in your home directory! If you need storage for research, please request per study storage.

If you need permanent personal storage for papers, pictures, etc., please create per user storage via self-service, or contact IT.

Here are the reasons:
  • Graphical user interfaces need configuration data (e.g. "where is which window", "which programs are automatically started", ...) in your home directory to function. No graphical login is possible without that.
    For that reason the server containing home directories is equipped with hard disks that are highest quality, very stable, very fast - but also small (regarding storage space) and expensive. 10GB is what we can guarantee for each user on this server.
  • If IT needs to move home directories for some reason, it must be done quickly since no user is able to work without it. The smaller a folder, the less transfer time over the network is required.
  • There were incidents at the institute when students or interns stored valuable information in their respective home directory. A home directory is deleted when the associated user leaves the institute. Since home directories are so small and basically all data handled at the institute is very huge, a mistake like storing MRI data in a home directory will immediately cause a request to IT which will be replied to with this explanation.
  • Sometimes software misbehaves and tries to store data in your home folder instead of asking beforehand. A small home folder will immediately catch such a problem.


Why do I see 10GB more available storage in /data than I can use?


This is a really annoying one. Long story short: It is a little hack added to the StorageUnified service to increase write performance by more than an order of magnitude.

One of the components that make up this service - the filesystem driver on the servers - needs to watch over storage limits. To ensure those limits, the driver slows down write commands to storage blocks when their quota limit is almost reached. Unfortunately this slowing down affects all storage blocks on the respective file server and some storage blocks are basically always completely filled up.

IT had to weigh performance against the precision of quota information and chose performance. Now the storage block quota is the maximum size shown in your file manager minus 10GiB, which means the available space reported by file managers is off by 10GiB.

Why is there no local storage on institute computers?


From the user's perspective:
  • Local storage is less reliable than server based storage by several orders of magnitude. A workstation being turned off or a hard disk being broken will render data inaccessible.
  • Local storage is not accessible from compute servers, terminal servers, Condor Compute nodes and Slurm Cluster servers because workstations can be turned off by users - which would have a negative impact on the users working with these machines.
  • Managed storage never just goes away but local storage will - e.g. when the computer breaks. These situations are known to trigger complex problems if there are dependencies on data on such a hard disk - e.g. in ~/.bashrc or computation scripts.

From IT's perspective:
  • Local storage requires extra time during workstation upgrades because measures have to be taken to not harm data on it. Since IT is critically understaffed (October 2021), saving time is necessary.
  • Local storage is not part of the institute's Storagemanagement. Data accumulates on these disks even when users don't need it anymore or when they leave the institute.


Why are /nobackup and /scr not accessible on servers?


The storage network connecting /NOBACKUP and /SCR data partitions of workstations cannot be accessed from Compute, Terminal and Cluster servers. This restriction is necessary to prevent servers from blocking upon storage becoming unavailable - e.g. because a workstation containing local storage is being shut down. Possible workarounds:
  • Use SFTP. Example:
    user@host > sftp somecomputer:/NOBACKUP
  • Use a Gateway server.
  • Connect to a workstation and copy files from local storage to a fileserver. Example:
    user@host > ssh somecomputer
    user@somecomputer > cd /NOBACKUP
    user@somecomputer > cp somefile /data/pt_12345


I deleted a lot of files but storage is not freed. What's happening?


Most operating systems and programs are designed with private use in mind. Private computers do not have storage restrictions (apart from the physical ones) or professional IT maintaining backups, which is why a delete buffer ("virtual trash bin") is designed into file managers. This basically means that files are not deleted but moved to a hidden location.

To actually remove deleted files, find the trash bin icon in your file manager and use the "Empty trash" function in the context menu or clear the delete buffer using this command:

user@host > trash-empty

Why can't I change file permissions? Why are there no custom subfolder-permissions?


Permissions to storage resources are defined centrally. Changing those in file property dialogs or via chmod/chown won't work or won't work as expected. The institute's storage permission model looks like this:
  • All permissions are granted at the level of storage blocks. No diverging permission is ever granted below this level.
    • Example: Read/write/admin permissions can be set for /data/pt_12345 but /data/pt_12345/somefolder always inherits the same ones.
  • Depending on the flags in the storage folder base name (e.g. pt_012345, u_someuser) all data belong to either a user (only the user has access), a group (all members of the group have full access) or to a project/study in which case an arbitrary number of users or groups can be assigned read/write/administrative permissions.
  • No permissions can be set by tools like chmod, chown or chgrp in the file system on folders or files! They are set at a central location.
    • Type cbsdata -s [storageblockname] to find out how.
    • You might succeed changing mode bits, ACLs, file ownership, group memberships. But: Processes are in place to treat such changes as deviations and change them back. These processes run once a week on all storage blocks in StorageUnified.

Advantages for users:
  • Since permissions are defined at a central location, the mydata command knows instantly which storage you have access to.
  • The institute is able to give "... and no one else has access"-style guarantees for all storage blocks. This is important considering the sensitivity of data handled here.
  • There are no surprises (like "User A has access to /data/X but not to /data/X/Y"). The cbsdata -s [Storageblock] command shows who has access to what.
  • Changing permissions to resources can be done quickly - no matter if 5 or 50 Million files' access must be changed.


After copying files from my home folder to some other /data-Folder, no one else can access the files.


Copying from your Linux home directory to a storage block without a u before the first _ sign (e.g. /data/tu_someuser_cloud to /data/pt_12345) is an unfortunate permission edge case. It happens when your file manager tries to be smart and copies file permissions, which conflicts with the institute's centralized permission management model.

Solutions:
  • This problem can be corrected by IT upon request - a simple chat message including the storage block name suffices.
  • Try to work (as a group) directly on the respective p or pt storage block(s). Use subdirectories on the respective research storage block instead of personal storage blocks.


I'm admin on a storageblock but can't access it. Why?


It's good practice to always work with as few permissions as possible for two reasons:

  • Self-restriction is a protection layer against attacks. Each program you run (your word processor, your scripts, this cool downloaded unchecked shady tool, ...) is allowed to do everything that you're allowed to do.
  • Every piece of data you have write access to could accidentally be removed by a single push of the "Del" key.

To give esp. department heads and data managers a wide range of control over storage permissions without increasing risks, admin permissions do not automatically include write permissions. However, it's easy to grant write (or read) permissions, if you have admin permission on a given storage block - even to yourself. Use the Userportal for that.

Why are my computations blocked after three days?


Fileservers of the institute contain a lot of sensitive data. It is common practice to make access to it volatile which means: Once you're logged in, you have access for a limited amount of time (3 days). After that, you have to re-prove your identity (e.g. by unlocking your screensaver or by re-connecting to a running RemoteLinux session).

Find solutions here: Kerberos

Why won't IT grant access to data although they're able to and I need it?


IT is like a bank safely storing data for customers on file servers. We will allow access to other customers' data if we're authorized by the respective owner. That's basically it: We'll never grant access to something if the owner didn't authorize it. However:
  • A simple email from the owner to us asking for a permission change is enough for IT to make it happen.
    However: The email has to come directly from the owner and must be sent via his/her institute mail account.
  • The concept of "owner" is more abstract than in a bank: On a p -Storageblock, every user holding administrative permissions is authorized to do permission changes.
  • People with administrative permissions may grant "just read", "read+write" or in turn administrative permissions for the respective storage block.


Communication

Why can't I send/receive .doc/.xls files via eMail?


Running programs from other people on your computer is a security risk. While most people know about the security implications of .exe files, it's not as widely known that there are other file types that contain custom programs. .doc and .xls files are two of them. Find more information at BlockedAttachments.

Solution: Either use different file types (if you tried to send the email) or ask the sender to use different file types (if someone else tried to send an email to you).

Why do I receive Spam/Phishing/Scam mails? Why doesn't IT filter those out?


IT has to balance two things:
  1. Protecting users and IT infrastructure from harm.
  2. Minimizing false positives when filtering mails.

Deciding which mail is legit and which isn't can only be done reliably by a human and might even be dependent on the context. This problem is complicated by the fact that it's quite the legal issue to not deliver an email in Germany when there's a chance the user might have wanted to receive it. IT will therefore only filter mails centrally that are a threat to the infrastructure on a technical level. These are the measures currently in place:
  • Graylisting: Only mail servers that are "persistent" are able to send mails to our mail server. Unknown mail servers will have to try multiple times to send an email to the institute to actually send it. This is a common security measure and perfectly covered by the protocols behind internet email delivery.
  • File type based blocking: Several types of Attachments are blocked to prevent attackers from smuggling harmful programs into the institute.
  • Per-user trainable filters: All users can put known spam into a personal "Spam" folder to train a filter and have similar mails automatically hidden in the future. This training is handled strictly per-user.
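
Greylisting as described in the first bullet above, as an added Python example (not the institute's mail server configuration). It uses the common scheme of remembering each (sending server, sender, recipient) combination; the delay values, addresses and reply texts are assumptions chosen for illustration.

```python
GREYLIST_DELAY = 300        # assumption: seconds a sender must wait before retrying
RETRY_WINDOW = 4 * 3600     # assumption: how long an unconfirmed attempt is remembered

TEMPFAIL = "451 try again later"   # temporary failure: a proper mail server retries
ACCEPT = "250 accepted"


class Greylist:
    def __init__(self):
        self.first_seen = {}    # triplet -> time of the first delivery attempt
        self.confirmed = set()  # triplets that have proven to be persistent

    def check(self, ts, client_ip, sender, recipient):
        """Reply to a delivery attempt arriving at time ts (seconds)."""
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.confirmed:
            return ACCEPT
        first = self.first_seen.get(triplet)
        if first is None or ts - first > RETRY_WINDOW:
            self.first_seen[triplet] = ts       # unknown (or expired): start the clock
            return TEMPFAIL
        if ts - first < GREYLIST_DELAY:
            return TEMPFAIL                     # retried too quickly
        self.confirmed.add(triplet)             # waited and came back: persistent
        del self.first_seen[triplet]
        return ACCEPT


def replay(attempts):
    """Run (ts, client_ip, sender, recipient) attempts through one greylist."""
    greylist = Greylist()
    return [greylist.check(*attempt) for attempt in attempts]


# Constructed sample traffic (documentation addresses and domains).
PERSISTENT_SERVER = [
    (0, "198.51.100.20", "colleague@example.org", "user@example.com"),
    (60, "198.51.100.20", "colleague@example.org", "user@example.com"),
    (900, "198.51.100.20", "colleague@example.org", "user@example.com"),
    (5000, "198.51.100.20", "colleague@example.org", "user@example.com"),
]
ONE_SHOT_SENDER = [
    (10, "203.0.113.99", "offer@example.net", "user@example.com"),
]

if __name__ == "__main__":
    for attempt, reply in zip(PERSISTENT_SERVER, replay(PERSISTENT_SERVER)):
        print(attempt[0], reply)
    print("one-shot sender:", replay(ONE_SHOT_SENDER))
```

A sender that never retries after the temporary failure never gets its mail delivered, while a regular mail server only sees a delay on first contact.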


Why can't I send fancy (HTML-/Rich text)-eMails via Zimbra?


It is a security decision to encourage text-only eMails.

Why: Almost all phishing eMails will use HTML emails to disguise embedded links and in turn prevent users from getting suspicious. Since there is no objective downside to text-only eMails, the HTML mail editor component is disabled in the mail server's Webgui.

Why is my mailbox so small?


Mail quota per user at the institute is 5 GiB (December 2021). There are four reasons for having tight limits for mailbox content:

  1. A mail service is a highly integrated entity. Calendars, Mails and Todo lists are shared among users, caching accelerates access to all data there, backup mechanisms have millisecond granularity, there's a multi-level un-delete mechanism and a web interface grants safe access from everywhere. This is why mail servers are singleton systems (one server per service) that are difficult to scale.
    In contrast: The StorageUnified storage service of the institute is a cluster of servers that can be extended simply by adding additional machines to the network.
  2. The mail server needs upgrades from time to time. Downtime for upgrades depends on the sum of all mailbox content's sizes. The more database content, the longer it takes.
  3. Backup retention time is a function of the data volume on the mail server. More data in mailboxes means less time for restoring backups. At this time, mails from 6 months ago can be restored.
  4. The mail server was designed, approved and configured for a specific amount of storage per user plus some spare for emergencies.

An easy solution is to store attachments (which are always the culprits when free storage is low on mail servers) somewhere else and remove them from their respective mails.
  1. Get storage for attachments here in self-service.
  2. Find information on how to move the attachments here.


I changed my password. Why am I suddenly unable to connect to the mailserver?


When you use mail or calendar client software on your computer(s) or mobile device(s), they might still know your old password after you set a new one. And they will try to access the mail server with it. From the mail server's perspective, unsuccessful login attempts are attacks which are mitigated by blocking the respective IP address for a while after 4 attempts. The institute is whitelisted - it will never be blocked. But if you're at home, a single device trying to login unsuccessfully repeatedly will cause your home internet connection to be blocked - for 10 minutes at a time.

Solution: You'll have to identify the responsible devices by yourself and change passwords there.

Why?: Passwords are used to distinguish valid users from bad guys trying to impersonate these users. For passwords to be of any use, it must be very hard to brute force them by trying different passwords over and over. For that reason the mail server watches failed login attempts and blocks computers on the internet that try too often.
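
The blocking behaviour described above, as an added Python example that is not the mail server's actual implementation. The limit of 4 attempts and the 10 minute block come from the text; the 10 minute counting window, the whitelisted network (a documentation range used as placeholder) and all events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

MAX_FAILURES = 4            # from the text: blocked after 4 attempts
BLOCK_SECONDS = 10 * 60     # from the text: 10 minutes at a time
FAILURE_WINDOW = 10 * 60    # assumption: failures are counted within this window
WHITELIST = (ip_network("192.0.2.0/24"),)   # placeholder for the institute network


class LoginThrottle:
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> times of recent failed logins
        self.blocked_until = {}              # ip -> end of the current block

    def attempt(self, ts, ip, password_ok):
        """Outcome of a login attempt at time ts (seconds): ok, failed or blocked."""
        if any(ip_address(ip) in net for net in WHITELIST):
            return "ok" if password_ok else "failed"   # whitelisted: never blocked
        if ts < self.blocked_until.get(ip, 0):
            return "blocked"                 # the correct password is refused as well
        if password_ok:
            return "ok"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and recent[0] <= ts - FAILURE_WINDOW:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.blocked_until[ip] = ts + BLOCK_SECONDS
            recent.clear()
        return "failed"


def replay(events):
    """Run (ts, ip, device, password_ok) events through one throttle."""
    throttle = LoginThrottle()
    return [(ts, ip, device, throttle.attempt(ts, ip, ok))
            for ts, ip, device, ok in sorted(events)]


HOME = "203.0.113.7"        # constructed: one home internet connection
INSTITUTE = "192.0.2.10"    # constructed: a computer inside the whitelisted network

# Constructed events: the phone still uses the old password, the laptop the new one.
EVENTS = [
    (0, HOME, "phone", False), (30, HOME, "phone", False),
    (45, HOME, "laptop", True), (60, HOME, "phone", False),
    (90, HOME, "phone", False), (120, HOME, "laptop", True),
    (150, HOME, "phone", False), (700, HOME, "laptop", True),
    (5, INSTITUTE, "desktop", False), (10, INSTITUTE, "desktop", False),
    (15, INSTITUTE, "desktop", False), (20, INSTITUTE, "desktop", False),
    (25, INSTITUTE, "desktop", False), (40, INSTITUTE, "desktop", True),
]

if __name__ == "__main__":
    for ts, ip, device, outcome in replay(EVENTS):
        print(f"t={ts:>4}s  {ip:<12} {device:<8} {outcome}")
```

The laptop with the correct password is locked out at t=120 because the phone on the same connection used up the four attempts.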

Why is IT hiding behind a ticket system? A phone call would be so much faster...


The ticket system enables IT to function. There are several reasons for that:
  1. When a request from a user arrives, IT has to translate it into a technical solution while keeping all the special requirements of the institute in mind. It's a rare problem that can really be solved on the phone.
  2. IT is extremely understaffed. When an IT technician works on a problem, synchronous communication (e.g. phone) is a time consuming distraction which further increases our response times.
  3. IT is not just user support but central IT as well. We're responsible for a lot of servers and roam the server rooms of the institute quite often.
  4. Tickets keep all communication regarding a single problem well-arranged together for reference in the future. This cannot be achieved with simple emails or phone calls.
  5. A ticket system prevents requests from being forgotten.
Here are some facts about how the ticket system works from IT's perspective that might be interesting to you:
  1. Every single request arriving as a ticket is automatically sent to all IT service personnel. This includes core IT members and additional staff (student helpers, students, interns).
  2. Every single request is read by all IT members.
  3. Anyone feeling responsible for a ticket tries to "grab" it with the first one winning.
  4. Grabbed tickets are shown in every IT staff member's personal overview. Tickets are never forgotten!
  5. Tickets containing multiple requests usually have a higher reaction time since we have to take them apart first.
    Hint: Put every request/problem into a single ticket.
  6. A reply sent by a user to a message of IT is routed to the correct IT staff member by the ticket system. It is counterproductive to reply directly to an IT staff member because the ticket system cannot assign this message to the problem - neither can IT staff a week later.
  7. If a ticket is clearly in the area of expertise of a single person, that ticket can be given to him by another person. This might happen directly after a ticket was "grabbed" or later - e.g. when the problem is related to multiple services in IT.
  8. If a ticket is not "grabbed" on Tuesday during the weekly IT meeting, it is assigned to someone by the Head of IT.
  9. We close a ticket immediately when we think the problem is solved. If you disagree with that assessment, just reply to the ticket. The former responsible IT staff member will receive a note and the ticket gets re-opened. This is a regular process. It's not bad faith of us to close the ticket - it's just getting a clearer view of the amount of things to attend to.
  10. If a user didn't reply to a message of IT, we close the associated ticket after a while. If the request in the ticket still matters, just reply to a message related to the ticket and it will be reopened.


I want to open a ticket by sending a mail to it-support. Why doesn't this work (anymore)?


The TicketSystem uses a mail interface via which you can receive messages from IT and reply to those. Although it was previously possible to open tickets by just sending an email to this address (it-support@cbs.mpg.de), we had to disable this way for various reasons:
  1. The address was often considered an IT contact address for e.g. sending generic information to - which then created tickets.
  2. The address receives the same amount of SPAM as other addresses do - creating one ticket per SPAM mail.
  3. Tickets being opened via eMail often lack critical information (Name of the computer, Phone number, ...).
  4. The address was repeatedly used as feedback mail in other organisations' (e.g. software vendors) ticket systems. Those ticket systems then started to play automatic ping-pong via mail - creating one ticket per mail.

However:
  • You'll be informed via mail that no ticket was created and you'll be shown options.
  • Handling open tickets hasn't changed from your perspective.


My problem had not been solved. Why is my ticket being closed?


If you think, IT made a mistake by closing your ticket, don't worry. It's as easy as replying to the last message of the ticket to re-open it.

There are several reasons for tickets being closed without the problem being solved:
  • The interpretation of whether a request is solved might diverge between IT and a user.
  • It happens quite often that problems are solved and users stop caring about the ticket - which is totally understandable. If a user doesn't reply to questions we send regarding the ticket, IT will assume that the problem no longer exists, close the ticket and mark it as solved successfully.
  • It might not be possible for IT to solve the problem. There are several possible reasons for that:
    • The problem might be outside of IT's scope (e.g. a web service unrelated to the MPG is not working properly).
    • The problem might exceed IT's resources. This is the case if a ticket's time constraint is too tight for IT to solve it in time (e.g. "I need to lend a Laptop today" and IT has none in stock) or the problem has too low a priority to have a prospect of ever being handled (e.g. "I need a special software to communicate with this special personal device of mine.").


Software

Why am I not allowed to install software on my computer?


The institute's computers are part of an enterprise network (more details). This basically means:
  • Division of labor: Users use computers, IT staff members manage computers. IT is obligated to ensure computers' and the network's security which requires management permissions to be exclusive and updates to be applied all the time.
  • All users are protected from each other. Example: You run 1000 computations spread over a week. IT guarantees that no user is able to replace this important software of yours by a different version which handles half of your jobs differently after some days.

But there's hope:

Why do I have to use command line tools all the time?


A lot of commands were written by MPI/CBS's IT to tackle institute specific tasks. You might expect these tasks to be handled by a web portal or at least some graphical application.

There are several reasons to use command line tools instead:
  • Testing command line tools automatically is very easy. Testing is particularly necessary in an ever-changing environment like the one research demands.
  • There's very little staff in IT and writing/debugging/updating command line tools is way more efficient (which means, it needs less time).
  • Automation is made possible - even if it's not intended by the program's author. Command line tools can e.g. easily be told to iterate over a lot of parameters. This is not possible with graphical tools, if they're not designed particularly for that purpose.
    Even if you do not feel confident to automate things on your own, someone else (e.g. IT or your department's technician) can do it for you easily.


Why do I have to use Firefox as a Browser although Chrome has much higher market share?


There are two main reasons:
  1. Chrome is very difficult to separate from the mothership "Google". Since the institute works with sensitive patient data, having data automatically transmitted to a company outside of EU jurisdiction is a no-go.
  2. Firefox is way more enterprise friendly. This basically means that IT is able to pre-configure a lot of settings for you.


How to get a new release of a linux software package? The installed release is ancient!


Institute Linux computers (Workstations, Compute servers, Terminal servers, ...) are equipped with an operating system based on a Linux distribution (currently "Ubuntu"). Since we don't have the resources to re-install all computers once a year, "Long term support" releases are being used which only change the releases of their contained software packages once every five years. Those packages are e.g.: Python, Python packages, R, GCC, Libboost. This is part of the concept to keep surprising incompatible changes to a minimum.

However, research sometimes requires more recent software. There are several ways to get fresh software at the institute:
  1. Several software packages were pre-installed by IT as "frozen" releases. Popular examples are Matlab, R and SPM. Find more information about the concept at SoftwareServiceLinux.
  2. In Linux it's perfectly OK to install your own software packages - if they do not require special permissions (administrative privileges). This implies that you need a storage block to put the software into; you can get one using this form. Popular examples for software being used like that are Python packages like Numpy and Matplotlib.
  3. Using "software containers". This is basically creating a small operating system incl. scientific software for a specific task. Please contact us via the TicketSystem and describe what you need. Popular examples are: FSL, AFNI.


Software X is not working correctly although it was installed by IT professionals. Why?



There are several factors that sometimes cause software to not work properly in the institute.
  1. IT in most cases doesn't use the software but only installs it.
    • We therefore do not have that much personal contact with research related software packages.
    • We are not really able to test specialized software packages since we don't know exactly which behavior to expect from research software.
  2. Really good software includes functional tests that can tell whether the software is properly installed and works correctly. Since research software is often written by researchers and not by professional software developers, the hope for functional tests is usually in vain.
  3. Software is usually created with private users on personal computers in mind. The institute on the other hand is an Enterprise environment. Authors often do not have such an environment in mind.
    Example: Software X requires administrative permissions. This usually makes developing the software a little easier but is a no-go in the institute.


There's a problem with software X. IT tells me to contact the author. Why doesn't IT do that for me?



To avoid an effect we like to call "proxy friction".

IT doesn't know your environment (the kind of data you use, the specific scientific problem you try to solve, ...) and would only be a middleman forwarding messages between you and the author. This would increase the necessary time to solve the problem and workload on IT - without any net positive effect on the problem solving. Please contact the respective author by yourself. We'll happily assist

Security

Remote desktop is nice but I need SSH/File server access to the institute from the outside. How does it work?



Interactive servers and file servers of the institute are shielded from internet access by a firewall.

There is no SSH or VPN access from the outside! This is not a technical problem but a design feature and consequence of the sensitivity of data handled in the institute in light of today's ransomware threats. More precisely:
  • A possible patient/test subject data leak by attackers who try to extort money. Such a leak would cause a severe PR problem not just for our institute but for the whole MPS and would cripple our ability to acquire test subjects.
  • The institute provides remote access via RemoteLinux which restricts handling sensitive data to well maintained computer systems. From a legal perspective it is very difficult to find good arguments for increasing the risk of a data leak by providing world-wide access (e.g. via VPN, SFTP or SCP) to sensitive data if a solution like RemoteLinux exists.

The only way to access data from outside the institute is to work with it via RemoteLinux or RemoteWindows sessions.

Hardware

Why did my Linux computer suddenly re-start without prior notification? I need it to run continuously!



This answer is about crashes/sudden reboots (e.g. losing the connection to a computer or even not being able to connect to it anymore). It's not about buggy behavior (e.g. not having permissions to connect to a certain storage or an application not running correctly). From IT's point of view, crashes do not happen often and we'll never just ignore crashes and reboot - we're interested in the causes. However, we're unable to monitor all workstations 100% of the time and will therefore be biased regarding their apparent reliability.

Please help us by reporting crashes on your workstation.

There are several possible reasons:
  1. The computer crashed because running programs had used up too much memory. Linux will give users the benefit of the doubt when they request huge amounts of memory. However, at some point every program will find itself in the physical reality of limited memory hardware. The problem is that the computer might crash because another user requested all the memory, which is counterintuitive from your idle application's perspective.
    It is a delicate balancing act to keep computers stable while not restricting users too much. IT fine tunes the respective variables from time to time and got quite good at it. However, this can never be perfect!
  2. The computer just crashed. Very few crashes are completely random. 90% is main memory running out. 9.9% is hardware failure which IT fixes ASAP. The rest is very rare.
  3. Some computers (esp. very central ones like compute servers and terminal servers) are re-booted once a month automatically. This fact is shown in the MOTD when logging into these computers via SSH.
  4. All internal Linux computers are subject to tight patch/update management. IT watches a lot of security feeds. If there's a serious security problem in the operating system, we might be forced to update it and re-start computers immediately. Depending on the threat level, we might be able to notify users beforehand, however: There's no guarantee!

Digest: Make sure to save your data from time to time. The institute's file servers are exceptionally good at protecting your data. If something seems to be missing or a file is defective, contact us ASAP. Make sure to have your computations save intermediate results from time to time. It's very unlikely that computations will run for months without interruption.
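One way to follow the advice about intermediate results, as an added example (not part of the original page and not an institute tool): a computation that writes its checkpoint to a temporary file and renames it into place, so a crash or forced reboot leaves either the previous or the new checkpoint, never a half-written one. The state layout, the checkpoint interval `every` and the `stop_after` crash simulation are assumptions made for illustration.

```python
import json
import os
import tempfile


def save_checkpoint(path, state):
    """Atomically replace `path` with `state` serialized as JSON."""
    directory = os.path.dirname(os.path.abspath(path))
    # Temp file in the same directory, so the rename stays on one file system.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".ckpt-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(state, fh)
            fh.flush()
            os.fsync(fh.fileno())  # data reaches the disk before the rename
        os.replace(tmp, path)      # atomic on POSIX: old or new file, never half
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def load_checkpoint(path):
    """Return the saved state, or a fresh one if no checkpoint exists yet."""
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {"next_item": 0, "total": 0}


def run(items, path, every=100, stop_after=None):
    """Sum `items`, checkpointing every `every` items and resuming from `path`.

    `stop_after` simulates a crash after that many items in this call.
    """
    state = load_checkpoint(path)
    done_now = 0
    for i in range(state["next_item"], len(items)):
        if stop_after is not None and done_now >= stop_after:
            return None  # simulated crash: work since the last checkpoint is lost
        state["total"] += items[i]
        state["next_item"] = i + 1
        done_now += 1
        if state["next_item"] % every == 0:
            save_checkpoint(path, state)
    save_checkpoint(path, state)
    return state["total"]
```

Calling `run` again with the same checkpoint path after an interruption continues from the last saved position instead of starting over.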

Why do I have to work on a huge desktop computer instead of a stylish Laptop?



Whenever the goal is to work at a certain place, desktop computers have huge advantages:

  • They have a longer life expectancy.
  • ... which means, they need way less resources because they have to be replaced less often.
  • They can be repaired easily and quickly. Since desktop computers contain standard components, it's possible to
    • ... have spare parts for all of them in stock.
    • ... use IT knowledge gained from one computer for all the others. This is not possible for different Laptop models.
  • Fewer compromises have to be made between performance, repair-ability, reliability and noise.
  • Desktop computers cost less money which is why IT is able to have several in stock and replace defective ones instantly (repairing them later).


Administrative

Why is IT refusing to extend my Account?



IT is a technical service provider. Yes, we are providing the technical basis for the institute's user database. However, we do not know anything (and we're actually not allowed to!) about your contract details (which includes the end date).

It is of no use to ask IT for an account extension. We cannot and will not do that because the institute could get into serious legal trouble if we did.

Extending an account is a human resources matter. If you have a contract and your account is still timed out, the extension might have been forgotten by administration. You can contact them at personal@cbs.mpg.de.

Topic revision: 30 Jul 2024, wherbst