Virtual machines - Department of Computer Science

Request a virtual machine

To request a VM, please send an e-mail to irb[at]uni-paderborn.de

As the IRB must have a permanent contact person, VMs can only be requested from us by permanent employees of the Department of Computer Science and must have such a contact for the entire duration of their employment. In order to be able to use a VM as a student, e.g. for a Bachelor's thesis, we ask you to have the request forwarded to the IRB by your supervisor.

Form with recommended default values for completion

The fields in bold are required.

Hostname:
Purpose:
CPUs: 2
RAM: 4 GB
Additional storage (in addition to basic storage): 0 GB
Extra GPU: None
Operating system: IRB Debian
AdminC UPB Username:
TechC UPB Username:
TechC Phone number: none
Duration: 15 months
Firewall whitelist: none
Firewall justification: none
Backups: no
Docker: no
Further requirements: none

Explanations and details

Intended use of the machine
- What is the VM used for?
- Must be a specific reason
Hostname
- Please choose a suitable name for the VM.
- The VM will be accessible at .cs.uni-paderborn.de.
Required resources
- Standard resources are:
  - 2 CPU
  - 4 GB RAM
  - 64 GB disc (basic storage)
  - No dedicated GPU
- In many cases, the basic disc space is sufficient. If you need more storage space, we can provide you with an additional hard drive, which we mount under /data as standard.
- Additional resources only if the intended use requires them.
- It's possible to make use of dedicated GPUs (NVIDIA H100). When requesting a GPU, it's necessary to specify the maximum expected size of GPU memory (VRAM) in order to allow an efficient resource usage of the cluster. GPUs are reserved for a virtual machine for 45 days. The reservation can be extended when needed. Therefore, an e-mail is sent 15 days prior to the expiration to the virtual machine contacts with the option to extend the duration.
Operating system
- By default, the VMs use a current version of Debian, which we update and administer automatically.
- For VMs with our Debian version, we remind you of required restarts after updates and perform these automatically if the server is not in use. If the server may not be restarted together with other servers or may not be restarted automatically at all, this must be communicated. Tip: To temporarily prevent a server from restarting, we recommend systemd-inhibit, which is already pre-installed.
- Our Debian version comes with TLS certificates.
- We can initiate the installation for other operating systems, but cannot administer them. In particular, we do not offer any services such as backups or certificates and cannot provide any support.
Contact
- Administrator (AdminC) - is responsible for the VM; must be a permanent employee.
  - UPB account (required)
  - Desired UPB e-mail (optional)
  - Specialist group (optional)
- Technical (TechC) - technical contact of the VM (operating system, services, etc.), if different from AdminC; can be a student.
  - UPB account (required)
  - Desired UPB e-mail (optional)
  - Telephone number (only for emergencies; e.g. hacked VM; recommended but not necessary)
- Technical Abuse (AbuseC) - contact who will respond to emails regarding potential abuse of a VM if it deviates from the TechC; can be a student.
  - UPB account (required)
  - Desired UPB email (optional)
  - Phone number (only for emergencies; e.g. hacked VM; recommended but not necessary)
Term
- Standard term: 15 months
- The AdminC is informed three months before expiry and has the option to extend the VM for up to one year at a time.
Optional: Firewall releases
- Protocol(s) (TCP/UDP) and port(s)
- By default, no access to VMs from outside the university is permitted. Every global port opening must be justified to the IRB. The justification has to include the listening service for each port and notably include why using the university VPN is not an option.
- Local firewalls on the machine itself are in planning. Until then access within the VM network is open.
- If users decide to deploy a local firewall themselves, ports 5665 and 5664 must remain open on IRB-administered machines, since they are used for monitoring.
Optional: Backups
- Please specify whether backups are to be created of the VM. If yes, please note that files that change continuously cannot be backed up consistently. Please back them up via dump/snapshot within the VM and specify the directories in which the changing data is located; we will then exclude these directories from the backup.
- Backups are stored daily in encrypted form at the RWTH and are kept there for six months.
Optional: Docker
- If you want to use Docker, we can offer an optimised configuration for your VM, which avoids some common problems.
Optional: Other requirements

We will be happy to advise you individually to find the optimum VM configuration for your needs.

If you are planning to use the VM to carry out network scans of the Internet, it is essential that you follow the instructions from ZIM and mention this when applying. Please also name an AbuseC (see above).

Graphical access

We set up access for the TechC (and other users, if requested) in our vSphere Centre, which enables direct access to a graphical console of the VM as well as functions such as reboot, switching on/off, etc..

The Virtual Centre server can be accessed at https://vmc.cs.uni-paderborn.de. You can log in with your UPB login.

Backup & archiving of your data

Backup

The virtual machine itself is stored in a SAN. All SAN components are redundant, so that data loss due to a hardware error is unlikely. However, we cannot completely rule out this or other sources of error that could lead to data loss.

Attention: There is no centralised backup of the virtual machines!

If a VM is to be used productively and not just for test purposes, you should always ensure automated backups of your VM data. The Commvault backup service, which we will setup for you on request, is a good option here. This service is operated by RWTH Aachen University for Paderborn University, further Information on this can be found at the ZIM.

Archiving

All data of your VMs will be completely deleted at the latest 1 year after the expiry of your VM or upon request.

Please note that our virtual machines are not a suitable means of archiving your data. RWTH Aachen University offers suitable archive servers.

General conditions for VM operation

Securing the virtual machine

Please note that your VM is equipped with a public IP address and is located on the Internet.

Although all ports are blocked to the outside by default, it is still absolutely essential that you keep the operating system of the virtual machine itself continuously up to date and secure it. Automated updates, firewalls, conservative allocation of access rights, no password access (but only with a public key) and similar measures are recommended. We will be happy to advise you on this.

You bear full administrative responsibility for your virtual machine!

Install VMware Tools

To ensure the stability of the VMware cluster, it is necessary to install and keep up to date a system service within the VM via which vSphere can interact with the VM's operating system, the VMware Tools.

This can be done either via VMware Tools, which are provided by VMware itself, or via corresponding tools that are offered directly by the operating system provider. An example of this would be the Open VM Tools, which are included in various Linux distributions.

Instructions for installing the tools can be found directly from VMware at

https://knowledge.broadcom.com/external/article?legacyId=1014294

If VMware tools are missing or if there are problems due to outdated virtual hardware, VMs may have to be switched off during maintenance work.

Local Firewall

If a local firewall is deployed on IRB-administered virtual machines, ports 5665 and 5664 must remain open since they are used by our monitoring.

Virtual ISOs/CDs/DVDs/etc. & snapshots

Virtually inserted ISOs cause internal complications when the VMs are automatically moved between the servers in the cluster, which can significantly impair the performance of your VMs.

Also, when creating snapshots that have inserted the ISOs, a hard dependency is created on these ISOs that cannot be removed without deleting the snapshot. This severely restricts the operations you can perform on snapshots and the management of the ISOs concerned.

ISOs should be inserted as quickly as possible, and no snapshots should be taken of VMs with these.

If such ISOs or snapshots hinder necessary administrative actions, we reserve the right to unmount them hard or remove affected snapshots.