DartFS shared conda installation - permissions

Typically, you would only want one account able to change things in the conda installation directory but have many people able to use the environments in there.  Since conda is not ACL-aware (it's not unique in this respect), that means using appropriate OWNER@ and GROUP@ (and possibly EVERYONE@) ACEs for the installation.  ACLs permissions are inherited and the conda installer will not write to a directory that already exists (even if empty).  So the cleanest way to do this is to create a directory with the right inheritable permissions and then install conda to a *sub* directory of that.  It makes the path longer but users shouldn't need to type it after the initial setup.

This is best illustrated with an example.

  • "Lab" is the name of the Lab volume
  • "sharedconda" is the name of the top level directory to which we will apply permissions
  • "miniconda" is the name of the sub-directory in sharedconda to which we will install conda
  • the user doing the installation will have read-write access to the installation and can do updates, package installs, create environments, etc.
  • "rc-Lab" is the name of the group that will have read-only access to the installation
  • "rc-DartFSadmin" is Research Computing's CyberArk service account and we recommend always including it so we can provide help if asked.

Create a temporary file called perms.txt with the desired permission set.  This is rwx for the owner, includes creator/owner so that new files get an OWNER@, a read-only for rc-Lab (GROUP@) and then rwx for the service account.  Creating a file is just simpler than cramming it all onto the command line for nfs4_setfacl.


Now create the top level directory and put the right permissions on it.

$ cd /dartfs-hpc/rc/lab/L/Lab/
$ mkdir sharedconda
$ chgrp rc-Lab sharedconda
$ nfs4_setfacl -S perms.txt sharedconda

Finally  you can download the Miniconda (or Anaconda) installer and run it normally.  Override the default location (the installing user's home directory) and point it it at /dartfs-hpc/rc/lab/L/Lab/sharedconda/miniconda.  I would also suggest not letting it edit .bashrc but instead have everyone put this into their own .bashrc

$ source /dartfs-hpc/rc/lab/L/Lab/sharedconda/miniconda/etc/profile.d/conda.sh

If you wanted a shared environment where everyone in the group can write then replace "A:fd:GROUP@:rxtncy" with "A:fd:GROUP@:rwadDxtTnNcy". 



Article ID: 73076
Wed 3/6/19 10:14 AM
Mon 11/11/19 1:39 PM

Related Articles (2)

This article describes how to enable a centrally maintained installation of Anaconda/Python.