FAQ

Here we try to answer the most frequent questions asked by students and colleagues.
Please use this page to look up and think about possible explanations for the problems you are having and address them precisely when contacting your supervisor or the chair administrators, so they can help you as fast as they can.

READ VM - Usage!

Before using a VM, make sure to read the whole VM - Usage section.

VM - Request

How can I get a VM?

First of all make sure you have access to your in.tum user account/credentials as it will be used to give you access to the VM. It is the computer science specific user account that exists beside your official TUM account. If you can log in on this website: https://webmail.in.tum.de/ you are good to go. By default every computer science and mathematics student and employee has an IN-TUM account. If you forgot your credentials please contact the RBG Helpdesk to reset your password or get your account details.

After that you will have to ask your supervisor to create a VM for you. Please CC the chair administrators (admin@cm.in.tum.de) when you send your request to the supervisor.
The mail should contain some required information in order to create the VM. Copy the template from below:

IN-TUM username: - (up to 8 letters - usually your last name with some letters of your first name)
CPU-Cores: (default = 2)
RAM:       (default = 4GB)
Storage:   (default = root partition 20GB + ~TB data)
Expiration-Date: - (e.g. 2020-10-31)

As a rule of thumb for the expiration date, take the submission date of your thesis/project and extend it by two to four weeks.

How do I get more computing power / RAM?

In case the resources provided are not sufficient for your research you can e-mail your supervisor and request more resources.
Be aware that changing the resources requires a reboot of the VM!
Stop all your services and scripts before sending the e-mail and mention that the VM is ready for a reboot.
Ideally you will want to explain the bottleneck you are running into and how many more resources you need. Our cluster has limited resources, so please bear that in mind and be understanding if we are not able to provide the resources to the extent you are wishing for.

VM - Usage

1. How to connect

The VM is by default in the MWN network. You need to be in the same network in order to reach the VM. Two steps are needed:

  1. Connect to the MWN network:
    • eduroam: If you are connected to the eduroam WLAN on university ground you are already inside the MWN.
    • CM LAN: If you are working on-site at the chair you can use one of the LAN ports in the student room.
    • LRZ VPN: Use the LRZ VPN to connect to the network from anywhere in the world (from home / rest of the internet). Instructions on how to use the AnyConnect client are provided by the LRZ on this website. You need to use your TUM account for this, not your in.tum account!
  2. Reach the VM: Even though you are in the same network, the default network settings are often not enough to reach the VM address. There are a few options:
    1. It works on the first try, the network settings are correct.
    2. Disable Split Tunneling: When using the LRZ AnyConnect VPN Client you simply have to put an exclamation mark in front of your username when authenticating for the tunnel.
      The login should look like this
       !<username> | <password> 

      After establishing the VPN connection all traffic will go through the VPN and you should be able to reach your VM.

    3. Manually add the routing entry: Enter in your command line
       $ sudo ip route add 172.24.24.0/23 dev tun0  

2. How to log in

We use the IN-TUM LDAP to give you access to the VM. Therefore login is possible with your in.tum username and your in.tum password via ssh.

ssh <user>@<vm.cm.in.tum.de>

To verify that you use the correct credentials you can test them by logging in on this website: https://webmail.in.tum.de. If you forgot your credentials please contact the RBG Helpdesk to reset your password or get your account details.

A service is active on all VMs to prevent brute-force attacks.
If you enter an invalid password a couple of times in a row you will be blocked for 5-10 minutes and a “Connection refused” will be shown.

3. How to store data

Data must be stored in the mounted shared folder.
All other directories (including your home directory) are not fault-tolerant and data can be lost!
A folder with your username is automatically created and already mounted on the VM:

  • /data/ceph/<your-username> (read-write)
  • /data/ceph/datasets (read-only)

If you work on a dataset, copy the corresponding dataset from the mounted datasets folder to your own folder.

The size of the mounted folder (df -h) does not reflect the actual storage capacity as we share it with many other groups. The storage is limited not only in space but also in the number of files (inodes). You need to archive/zip/tar/merge datasets and folders with many small files (< 1MB). Also leave out folders that are easily retrieved from external services (github/gitlab). The number of files can be counted with this command:

find . -type f | wc -l

This is a very critical factor to maintain a good filesystem performance, so please keep it in mind when moving data to the shared storage.
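
To find the folders that are worth packing before they go to the shared storage, the following added example (not part of the chair's tooling) counts files per subdirectory, skips .git trees, and lists the subdirectories with many files under 1 MB. The function names, the threshold argument and the script name are assumptions.

```sh
#!/bin/sh
# Added example: find subdirectories worth packing into one archive before
# they are moved to /data/ceph/<your-username>.

# count_files DIR [extra find tests]: regular files below DIR, skipping .git
count_files() {
    dir=$1; shift
    find "$dir" -name .git -prune -o -type f "$@" -print | wc -l
}

# tar_candidates ROOT MIN: print "<small files> <all files> <dir>" for every
# immediate subdirectory of ROOT holding at least MIN files under 1 MB,
# largest count first.
tar_candidates() {
    root=$1; min=$2
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        total=$(( $(count_files "$d") ))
        # -size -1024k rather than -size -1M: find rounds sizes up to whole
        # units, so -1M would match empty files only.
        small=$(( $(count_files "$d" -size -1024k) ))
        if [ "$small" -ge "$min" ]; then
            printf '%d\t%d\t%s\n' "$small" "$total" "${d%/}"
        fi
    done | sort -rn
}

# Usage: sh inode_report.sh <root> [min]   (script name is hypothetical)
[ $# -eq 0 ] || tar_candidates "$1" "${2:-1000}"
```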

Main Points:

  • Keep all your relevant data in your shared folder!
  • Keep the data you store as small as possible with the number of files as small as possible!
  • Don't store data that is available on external repositories (gitlab/github)!
  • Whenever possible create a small setup script that sets up a full working environment (git clone repositories, install packages, etc.)!
  • Don't touch other mounted directories you do not own! Exceptions are the read-only datasets folder and folders for which you have explicit permission from your supervisor (e.g. to continue work on a project).
  • Keep a meaningful directory structure: start with a README in your folder containing your supervisor's name and, if possible, a short project/data description.

4. How to networking

As mentioned in the “how to connect” above, the VM is in the MWN network. All access to the internet is done through the in.tum proxy (http://proxy.in.tum.de:8080). This should already work transparently as the proxy is configured by default on all VMs through environment and apt variables (/etc/environment).
Problems that can occur:

  • Service Timeouts / Network Problems: Maybe your service needs a special configuration to work with the proxy, e.g. docker proxy
  • Performance critical network applications: If you do network performance measurements keep in mind that the proxy will potentially alter the results. Contact your supervisor and if you both agree that another setup is needed contact the chair administrators with your supervisor in CC.

5. How to security - automatic updates

You are responsible for the security of the VM.

  • Don't install malicious applications or packages with known security issues.
  • Prevent others from accessing the VM. Don't hand your credentials to someone else and regularly change your password.

Automatic package upgrades are performed every day to ensure the latest versions are installed. This is an automatic service that runs in the morning. If you need special package versions and more stability, or you want to exclude packages from being updated, use these commands:

# exclude a package from upgrades (hold it at its current version)
sudo apt-mark hold <package_name>
# list all held packages
sudo dpkg --get-selections | grep "hold"
# unhold a package
sudo apt-mark unhold <package_name>
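
A held package is also skipped by the daily automatic upgrades, security fixes included, so holds are worth reviewing from time to time. The following added example (not part of the page's setup) lists held packages for which a newer version is available; the function name is an assumption, the sample input is constructed, and the parser assumes the `apt list --upgradable` line format shown in the sample.

```sh
#!/bin/sh
# Added example: which held packages are missing an available upgrade?
# held_pending HOLDS UPGRADABLE
#   HOLDS      = output of `apt-mark showhold` (one package per line)
#   UPGRADABLE = output of `apt list --upgradable`
# Prints "<package> <installed version> -> <available version>" per match.
held_pending() {
    holds=$(printf '%s' "$1" | tr '\n' ' ')
    printf '%s\n' "$2" | awk -v holds="$holds" '
        BEGIN { n = split(holds, h, " "); for (i = 1; i <= n; i++) held[h[i]] = 1 }
        /\[upgradable from: / {
            split($1, name, "/")            # "openssl/suite" -> "openssl"
            old = $NF; sub(/\]$/, "", old)  # "3.0.11-1]"     -> "3.0.11-1"
            if (name[1] in held) print name[1], old, "->", $2
        }'
}

# Constructed sample input (package versions are made up).
sample_holds='openssl
nginx'
sample_upgradable='Listing...
openssl/stable-security 3.0.15-1 amd64 [upgradable from: 3.0.11-1]
curl/stable 7.88.1-10 amd64 [upgradable from: 7.88.1-9]'

held_pending "$sample_holds" "$sample_upgradable"

# On a VM:
#   held_pending "$(apt-mark showhold)" "$(apt list --upgradable 2>/dev/null)"
```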

Issues / Problems

I get a Connection refused when trying to connect. Why?

An intrusion detection service is active on all VMs to prevent brute-force attacks. If you enter an invalid password a couple of times in a row you will be blocked for 5/10 minutes and a “Connection refused” will be shown. Wait for some time before you try again. You can test your credentials on this website to verify them before trying again: https://webmail.in.tum.de

What other networks are available?

Our chair has three networks we can assign VMs to, but only one is assigned to VMs by default. Other networks are only assigned under special circumstances.
The default network for all VMs:

  1. MWN [172.24.24.0/23]: Munich Scientific Network
    Reachable via eduroam or LRZ VPN, DEFAULT network

Other available networks:

  1. Intern [10.XXX.XXX.XXX/21]: Many IP addresses (e.g. for VM tests), communication only between VMs
  2. Chair [131.159.24.0/23]: Globally reachable address, protected by a firewall, for server applications that must be accessible from the internet.

If you think the default network is not sufficient contact your supervisor and if you both agree that another setup/network is needed contact the chair administrators with your supervisor in CC.

I cannot reach my VM with the LRZ VPN. Why?

You are probably running into routing problems with the LRZ VPN. The VPN does not set the right routing entry for our address range, so the connection goes through your default gateway into the internet, where it gets lost.
To solve this problem, you have two options:

  1. Disable Split Tunneling: When using the AnyConnect VPN Client you simply have to put an exclamation mark in front of your username when authenticating for the tunnel.
    The login should look like this
     !<username> | <password> 

    After establishing the VPN connection all traffic will go through the VPN and you should be able to reach your VM.

  2. Manually add the routing entry: Enter in your command line
     $ sudo ip route add 172.24.24.0/23 dev tun0 
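
To tell whether this routing problem applies (it is the same check for step 2 of “How to connect”), look at which interface the kernel picks for the VM address. The following is an added example, not part of the original page: the interface name tun0 and the MWN range come from the page, while the function names, the sample address and the sample `ip route get` output are constructed.

```sh
#!/bin/sh
# Added example. tun0 and 172.24.24.0/23 are taken from the page; the
# `ip route get` output passed in at the bottom is constructed.

# ip_to_int A.B.C.D: print the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX: succeed if ADDR lies inside the network
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# route_dev: read `ip route get` output on stdin, print the outgoing interface
route_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# check_vm_route ADDR [VPN_IF] [ROUTE_TEXT]
# ROUTE_TEXT defaults to the live output of `ip route get ADDR`.
# Returns 0 if ADDR leaves via the VPN interface, 1 if not, 2 if not in MWN.
check_vm_route() {
    addr=$1; vpn_if=${2:-tun0}
    in_cidr "$addr" 172.24.24.0/23 || { echo "not-mwn"; return 2; }
    route=${3:-$(ip route get "$addr" 2>/dev/null)}
    dev=$(printf '%s\n' "$route" | route_dev)
    if [ "$dev" = "$vpn_if" ]; then echo "ok via $dev"; return 0; fi
    echo "wrong route via ${dev:-none}"
    return 1
}

# Constructed output of a client whose VPN did not install the route:
check_vm_route 172.24.24.57 tun0 \
    '172.24.24.57 via 192.168.1.1 dev wlan0 src 192.168.1.23 uid 1000' || true
```

A “wrong route” result means one of the two options above is needed; “not-mwn” means the address is not in the default VM network at all.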

[mwn-network] Certain applications do not work right. Why?

For VMs in the MWN network, outgoing connections run through the RBG proxy by default and are also required to do so. This means that another issue with your application might be that you have to set the proxy settings for it manually, in case it does not use the proxy environment variables. The RBG proxy is configured as

 http://proxy.in.tum.de:8080 


If your application does not have the option to configure a proxy, you can e-mail the chair administrators with the supervisor in CC and explain your goal as well as networking requirements.

[chair-network] Certain applications do not work right. Why?

Our whole network is secured with firewalls, one for the MWN network and one for the chair/intern network. The default settings for those are the following:

  1. outgoing TCP connections are successfully established
  2. incoming TCP connections are getting dropped
  3. all UDP connections do not work, since UDP is stateless and UDP responses get dropped by the firewall

Exceptions or new firewall entries can only be requested for the chair network. Have a look at “How can I open ports?”. Keep in mind that the in.tum proxy is configured by default on all VMs, regardless of the network, through proxy environment variables. Interfaces in the MWN network are even required to use the proxy to get access to the internet. Try to unset the proxy variables for VMs in the chair network to resolve some network issues:

unset http_proxy HTTP_PROXY https_proxy HTTPS_PROXY
# Environment variables are set on every login;
# delete the corresponding variables to persist the changes
sudo vim /etc/environment

[chair-network] How can I open ports?

Ports for incoming traffic from the internet can only be opened for the chair network. E-mail the chair administrators with the port(s) and corresponding protocol(s) you need opened, and please also explain why you need them opened. They can also open up a range of ports, but only if really needed.