# Persistent Storage for FPGA tools

This notebook shows how to create, re-create, renew and use a slice with a VM connected to FABNetv4 network on EDC on which you can store FPGA tool packages - the transfer of Xilinx tools into VMs can take a substantial amount of time, so it is recommended that projects using FPGAs put their tools into a peristent volume either on a selected site or on centrally-located EDC. The tools are licensed, so it is not advisable to put them in open access. This notebook shows how to deploy an instance of NGINX webserver that adds a password protection to static content retrieved from the node. 

Once this slice is created, it can persist or even go away, however since the volume is persistent, any packages or files you put on it will be preserved and you can always use this notebook to re-attach a new VM to the storage and continue storing those file. You can transfer the packages into this slice using SSH tunnels, and then use a simple curl tool from any VM in FABRIC attached to fabnet to get the packages again and again over high-bandwidth internal dataplane.

Depending on what you want to do with the slice (create/recreate/renew), you may execute all or a subset of the steps below. 

<div>
    <img src="figs/storage-slice.png" width=500>
</div>


## Import the FABlib Library

In [None]:
from fabrictestbed_extensions.fablib.fablib import FablibManager as fablib_manager

fablib = fablib_manager()
                         
fablib.show_config();

## Initialize slice parameters

You always want to execute this cell for any of the cells below to work. Some cells below can be skipped depending on what you are trying to do.

In [None]:
# Replace with your project's volume name and site
site = "EDC"
storage_name = "ejfat-data"
node_name = "Storage"
slice_name = "Xilinx Tools Storage Slice"
mount_point = "ejfat-data"

# this is the username, password to be used when downloading packages from this node. Change the password!
nginx_user = "fpga_tools"
nginx_password = "changemenow123"

##  Create the Storage Slice

Create the new slice with a single VM attached to storage and with FABNetv4 auto-configured.

In [None]:
# Create a slice
slice = fablib.new_slice(name=slice_name)

# Add a node with storage and FABNetv4
node = slice.add_node(name=node_name, site=site)
node.add_storage(name=storage_name)
node.add_fabnet()

# Submit the slice
slice.submit();

## Step 3: Inspect the slice and get IP address information

If slice already exists, you can just execute this cell assuming Steps 0 and 1 have been executed.

In [None]:
slice = fablib.get_slice(slice_name)

node = slice.get_node(name=node_name)              

node_addr = node.get_interface(network_name=f'FABNET_IPv4_{node.get_site()}').get_ip_addr()

slice.show()
slice.list_nodes()
slice.list_networks()
print(f'Node FABNetV4Ext IP Address is {node_addr}')

## Format the Volume (only run this the first time you attach the volume, skip otherwise)

The first time you use your persistent volume it will be a raw block device that needs to be formated.

In [None]:
node = slice.get_node(node_name)

storage = node.get_storage(storage_name)

print(f"Storage Device Name: {storage.get_device_name()}")  

stdout,stderr = node.execute(f"sudo mkfs.ext4 {storage.get_device_name()}")

## Mount the Volume

After you format you volume, you can mount it.  The data in the volume is persisent.  On subseqent uses of the volume, you can mount it and access perviously stored data without formating.

In [None]:
node = slice.get_node(node_name)
storage = node.get_storage(storage_name)

stdout,stderr = node.execute(f"sudo mkdir /mnt/{mount_point}; "
                     f"sudo mount {storage.get_device_name()} /mnt/{mount_point}; "
                     f"df -h")

## Install and configure NGINX

Now we install and configure NGINX with a password-protected static content directory. You can transfer the files into this VM via e.g. the bastion host or in some other way, place them into the directory and then from any host within FABRIC with a fabnet network service you can reach this host to retrieve the files. 

In [None]:
command = "sudo dnf install -y nginx httpd-tools"

print('Installing NGINX and apache tools')
stdout, stderr = node.execute(command)

command = "sudo systemctl enable nginx"
print('Enabling NGINX on reboot')
stdout, stderr = node.execute(command)

Create a user with a password to protect the download directory

In [None]:
command = f"sudo htpasswd -bc2 /etc/nginx/htpasswd {nginx_user} {nginx_password}"

print('Setting username and password for downloads')
stdout, stderr = node.execute(command)

Configure NGINX to use SSL with a self-signed cert for static downloads from the mount point where the storage is mounted to.

In [None]:
# install SSL server configuration
node.upload_file('config/ssl-server.conf', 'ssl-server.conf')
command = "sudo mv ssl-server.conf /etc/nginx/conf.d/; sudo chown nginx:nginx /etc/nginx/conf.d/ssl-server.conf"
stdout, stderr = node.execute(command)

# generate a self-signed key/cert
command = 'sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/nginx/server.key -out /etc/nginx/server.crt ' \
          '-subj="/C=US/ST=NC/L=Chapel Hill/O=UNC/OU=FABRIC/CN=fabric-testbed.net"; ' \
          'sudo chown nginx:nginx /etc/nginx/server.crt /etc/nginx/server.key'
stdout, stderr = node.execute(command)

# install location configuration
nginx_config = """
location /ejfat-data/ {
      alias /mnt/""" + mount_point + """/static/;
      auth_basic "Restricted Access!";     
      auth_basic_user_file htpasswd;
      autoindex on;
      autoindex_format json;
      
      
      dav_methods PUT DELETE MKCOL COPY MOVE;
      dav_access user:rw group:rw all:rw;
      client_max_body_size 0;
      create_full_put_path on;
      client_body_temp_path /tmp/nginx-uploads;
}
"""
# transfer the config to the node
command = f"echo '{nginx_config}' | sudo tee /etc/nginx/default.d/static.conf"
stdout, stderr = node.execute(command)

# create a /mnt/ejfat-data/static/ directory if it doesn't exist already for staging files
command =f"sudo mkdir -p /mnt/{mount_point}/static; sudo chown rocky:rocky /mnt/{mount_point}/static; chmod go+w /mnt/{mount_point}/static"
stdout, stderr = node.execute(command)

# create a /mnt/ejfat-data/static/smartnic-docker-images direcory for ESnet workflow files
command =f"sudo mkdir -p /mnt/{mount_point}/static/smartnic-docker-images; sudo chown rocky:rocky /mnt/{mount_point}/static/smartnic-docker-images; chmod go+w /mnt/{mount_point}/static/smartnic-docker-images"
stdout, stderr = node.execute(command)

# create top-level directory for user artifacts
command =f"sudo mkdir -p /mnt/{mount_point}/static/artifacts; sudo chown rocky:rocky /mnt/{mount_point}/static/artifacts; chmod go+w /mnt/{mount_point}/static/artifacts"
stdout, stderr = node.execute(command)

By default SELinux does not want to let NGINX read files from the attached persistent volume. So we need to make it a bit more permissive. The references to the process are here:
- https://www.nginx.com/blog/using-nginx-plus-with-selinux/
- https://relativkreativ.at/articles/how-to-compile-a-selinux-policy-package 

In [None]:
# transfer SELinux policy module file to the node, compile and install it
# the file was originally created using `grep nginx /var/log/audit/audit.log | audit2allow -m nginx > nginx.te` 
# To see if SELinux is causing problems try 'grep nginx /var/log/audit.log | grep denied' and see if it returns anything.
# This policy allows nginx to read files and directories in general locations, including the attached storage
# Note that if you have issues with nginx not being able to read files, SELinux is likely to blame
# change `error_log /var/log/nginx/error.log;` to `error_log /var/log/nginx/error.log debug;` in /etc/nginx/nginx.conf
# and then restart NGINX to see what the problem may be
nginx_te = """

module nginx 1.0;

require {
        type init_t;
        type httpd_t;
        type httpd_tmp_t;
        type unlabeled_t;
        class file { create getattr open read rename unlink write };
        class dir { add_name remove_name rmdir write read};
}

#============= httpd_t ==============
allow httpd_t unlabeled_t:dir { add_name remove_name write read};
allow httpd_t unlabeled_t:file getattr;
allow httpd_t unlabeled_t:file { create open read rename unlink write };

#============= init_t ==============
allow init_t httpd_tmp_t:dir rmdir;

"""

command = f"echo '{nginx_te}' | sudo tee /etc/nginx/nginx.te"
stdout, stderr = node.execute(command)

# compile and install
command = """
sudo checkmodule -M -m -o /etc/nginx/nginx.mod /etc/nginx/nginx.te;
sudo semodule_package -o /etc/nginx/nginx.pp -m /etc/nginx/nginx.mod;
sudo semodule -i /etc/nginx/nginx.pp;
sudo semodule -l | grep nginx
"""
stdout, stderr = node.execute(command)

# add ability to access user home directories
command = "sudo setsebool -P httpd_read_user_content 1"
stdout, stderr = node.execute(command)

(RE)Start NGINX

In [None]:
command = "sudo systemctl restart nginx; sudo systemctl status nginx"

stdout, stderr = node.execute(command)

## Use the storage

You can move the data into the storage in a number of ways, for example as described in [this page](https://learn.fabric-testbed.net/knowledge-base/transferring-data-to-and-from-your-vms/). Download the tools from Xilinx or other locations and then SCP them into the node using its management IP:

`mylaptop$ scp -F ~/path/to/fabric_ssh_config -i ~/path/to/sliver/private/key Xilinx_Tools/* rocky@[2620:0:c80:1234:f816:3eff:fe7b:2ca1]:/mnt/ejfat-data/static/artifacts/`

Then from any VM in FABRIC with fabnet network service you can simply curl (or wget) the contents (and it will be very fast) into a new VM:

`newvm$ curl -k -u fpga_tools:secret-password https://<FABNetv4 IP address of the storage VM>/ejfat-data/static/artifacts/Vivado-Labtools/Xilinx_Vivado_Lab_Lin.tar.gz > Xilinx_Vivado_Lab_Lin.tar.gz` 

or

`newvm$ wget --no-check-certificate --user=fpga_tools --password=secret-password https://<FABNetv4 IP address of the storage VM>/ejfat-data/static/artifacts/Vivado-Labtools/Xilinx_Vivado_Lab_Lin.tar.gz`

You can also list directories - they will be returned in JSON format (for scripting convenience; `efat-data/` URL path maps to `/mnt/fejfat-data/static/` file path):

`curl -k -u fpga_tools:secret-password https://<FABNetv4 IP address of the storage VM>/ejfat-data/`

You can write back into the storage also using curl:

`curl -k -u fpga_tools:secret-password -T filename-to-transfer.tar https://fpga-tools-host/ejfat-data/artifacts/`

## Extend the slice

If you need to extends the storage slice, you can just execute the following two cells. They display the slice expiration date and optionally extend by 2 weeeks. 

In [None]:
slice = fablib.get_slice(name=slice_name)
slice.show()

Renew the slice by 14 days

In [None]:
from datetime import datetime
from datetime import timezone
from datetime import timedelta

# Set end host to now plus 14 days
end_date = (datetime.now(timezone.utc) + timedelta(days=14)).strftime("%Y-%m-%d %H:%M:%S %z")

try:
    slice = fablib.get_slice(name=slice_name)

    slice.renew(end_date)
except Exception as e:
    print(f"Exception: {e}")

## Delete the Slice

Please delete your slice when you are done with your experiment.

In [None]:
slice = fablib.get_slice(name=slice_name)
slice.delete()