From d9629b0be99dcd70731e1556b09e23bb79de7f3e Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Fri, 1 Sep 2023 16:36:46 +0200 Subject: [PATCH] document mounting volumes --- _toc.yml | 1 + admin-guide/configuration.md | 1 + admin-guide/configuration/mount.md | 107 +++++++++++++++++++++++++++++ 3 files changed, 109 insertions(+) create mode 100644 admin-guide/configuration/mount.md diff --git a/_toc.yml b/_toc.yml index b8d101c4..87669f81 100644 --- a/_toc.yml +++ b/_toc.yml @@ -35,6 +35,7 @@ chapters: - file: admin-guide/configuration sections: - file: admin-guide/configuration/icinga2 + - file: admin-guide/configuration/mount - file: admin-guide/configuration/distribute_files - file: admin-guide/configuration/vgroot - file: admin-guide/configuration/xrdp diff --git a/admin-guide/configuration.md b/admin-guide/configuration.md index 2dd32195..ae3ea8d1 100644 --- a/admin-guide/configuration.md +++ b/admin-guide/configuration.md @@ -6,6 +6,7 @@ Here starts a so far small collections of configuration guides for sysadmins of - [Icinga2](configuration/icinga2) ## Basic Setup +- [Mounting Volumes](configuration/mount) - [Distribute Files](configuration/distribute_files) - [RDP Remote Access with XRDP](configuration/xrdp) - [Resize System Volumes (volume group `vg_root`)](configuration/vgroot) diff --git a/admin-guide/configuration/mount.md b/admin-guide/configuration/mount.md new file mode 100644 index 00000000..29f4fac0 --- /dev/null +++ b/admin-guide/configuration/mount.md 
@@ -0,0 +1,107 @@ +# Mounting Volumes + +Managing mount points of local or network volumes can also be managed in Hiera. + + +## Managing Mountpoints in Hiera + +The configuration in Hiera is done with two parts: +1. the definition of a mountpoint (`mounter::def::$NAME`) +2. the list of mount points actually configured on a system (`mounter::mounts`) + +Due to this the mountpoints can be prepared once on a high scope (e.g. for all systems in an environment), but then the individual systems pick out whatever is required for them. + +Example: +``` +mounter::def::scratch: + ensure: 'mounted' + mountpoint: '/scratch' + device: '/dev/vg_data/lv_scratch' + type: 'xfs' + +mounter::mounts: + - 'scratch' +``` + +The directory of the mountpoint is automatically created when missing. + +For auto-mounts, add another option to the mountpoint definition: +``` + auto: true +``` + +## NFS + +Remote NFS mountpoints can be defined as in following example: + +``` +mounter::def::controls: + 'ensure': 'mounted' + 'device': 'sls-hafs:/export/sls/controls' + 'mountpoint': '/gfa/.mounts/sls_controls' + 'type': 'nfs' + +mounter::def::data1: + 'ensure': 'mounted' + 'device': 'x01dc-fs-1:/export/X01DC/Data1' + 'mountpoint': '/sls/X01DC/Data1' + 'type': 'nfs' + 'options': 'soft,nfsvers=4,tcp,bg' + + +mounter::mounts: + - 'controls' + - 'data1' +``` + +Ideally use NFSv4 (option `nfsvers=4.2`) and Kerberos authentication (option `sec=krb5`) is used. For Kerberos please contact the Linux Core Group for support. We managed to get it running experimentally, but it might not run yet automatically from Puppet. And of course also the NetApp side needs to be prepared accordingly. 
+ +## CIFS + +Remote CIFS mountpoints can be defined as follows: + +``` +mounter::cifs::def::cifs_mpc2375: + ensure: 'present' + path: '/etc/cifs-utils' + cifs_username: 'allowedWindowsUser' + cifs_password: 'ENC[PKCS7,MIIBeQYJKoZIhvc...]' + +mounter::cifs::files: + - 'cifs_mpc2375' + +mounter::def::emf: + ensure: 'mounted' + device: '//172.23.75.16/Users' + mountpoint: '/emf/jeol2200fs/k2' + type: 'cifs' + options: 'credentials=/etc/cifs-utils/cifs_mpc2375,uid=35667,gid=35270,forcegid,file_mode=0660,dir_mode=0770' + +mounter::mounts: + - 'emf' +``` + +In the above example, we need to create a `credentials` file with `mounter::cifs::def::$NAME`_. This file will +be called `cifs_mpc2375` and will be located in `/etc/cifs-utils` and will contain information about the +username and password allowed to mount it. + +On the other hand, a mount `emf` is defined. You should specify in options the location of `credentials`. +Other optional parameters are used. `emf` is mounted with type `cifs`, which will automatically ensure that +proper `cifs-utils` package is installed. + +Ideally this would also support Kerberos (option `multiuser,sec=krb5`) then we would not need to deal with a mount username and password. We got that once running, but only by chance when there was also a NFS mount with Kerberos authentication which would prepare the according Kerberos host tickets. For CIFS RedHat misses some upcall configuration to do the same. RedHat support said that this might be fixed for 8.8, but it did not happen. How to configure this upcall or to prepare the Kerberos ticket that manually outside (e.g. regulary with a timer) we have not figured out yet. 
+ +## Bind Mounts +Bind mounts can be defined as follows: + +``` +mounter::def::e10550: + 'ensure': 'mounted' + 'device': '/gpfs/perf/MX/Data10-pro/e10550' + 'mountpoint': '/sls/MX/Data10/e10550' + 'type': 'none' + 'options': 'bind,_netdev,x-systemd.requires-mounts-for=/gpfs/perf/MX/Data10-pro' +``` +Note that beside the mandatory `bind` option there is +- `_netdev` to be set when the directory to bind (`device`) is on a network volume +- `x-systemd.requires-mounts-for=$OTHER_MOUNTPOINT` ensures that systemd prepares the bind mount after the volume on which the directory to bind (`device`) is located
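Review bot: In the CIFS section of `admin-guide/configuration/mount.md`, the example stores `cifs_password` as an `ENC[PKCS7,...]` value, but the prose never says the password has to be encrypted before it goes into Hiera, so a reader adapting the example could commit it in clear text. Please add a sentence stating that requirement and, if the module sets them, the owner and mode of the generated `/etc/cifs-utils/cifs_mpc2375` file. In the same section there is a stray `_` after `mounter::cifs::def::$NAME`, and `regulary` should be `regularly`. In the NFS section the text recommends `nfsvers=4.2` and `sec=krb5`, while the `data1` example uses `nfsvers=4` without `sec=` and `controls` sets no options at all. Either align the example with the recommendation or say why it differs.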