NGI MetaCentrum - Rules of Use
- NGI MetaCentrum is managed by the CESNET Consortium, http://www.cesnet.cz/.
- MetaCentrum's mission consists in providing computing, storage and software resources to users, who employ those resources for research, development and education. MetaCentrum services include the operation of the e-infrastructure and entrusted computing and storage resources, centralized management of hardware and software, support of user communities, development of infrastructure services, and integration with the European e-infrastructure, the EGI. Services are provided to users using such resources, and to organizations (represented by a natural person) providing such resources. The levels and essential characteristics of services are defined in technical documentation, available at http://www.metacentrum.cz.
- Only natural persons, who are currently and legally either employees or students of legal entities (organisations) conformant with the “Acceptable Use Policy of the Infrastructure (Acceptable Use Policy, AUP)” as declared by the CESNET Association (see https://www.cesnet.cz/conditions/?lang=en), may become users of MetaCentrum resources.
- Users may only use MetaCentrum resources for purposes related to science, research, development, promotion of education, culture and prosperity as described in detail in the “Access Policy (AP) for the CESNET Infrastructure”, available as an appendix to the AP, see https://www.cesnet.cz/conditions/?lang=en. Exceptional use of MetaCentrum resources for commercial computing is governed by Section Rules of Commercial Use}.
- MetaCentrum services are available free of charge on a “best effort” basis. The operator strives to maintain the availability and security of the service, and makes sure that tools and provisions used in operating and managing the service comply with applicable standards. Services are provided 24/7 with essential services run in high-availability mode and automatically monitored. Support is available during normal working hours.
- Users acknowledge that information regarding themselves and their actions is stored for the purpose of administration, operation, statistics, monitoring and security. Data collected under this provision are used to optimize computing workload, and aggregations of such data are included in public yearbooks and final reports, typically published annually. Accounting data are also available to participating sites and virtual organisations. The principles of processing and protecting personal data in e-Infrastructure are described in "Personal Data Protection in CESNET e‑infrastructure and other CESNET services" at https://www.cesnet.cz/cesnet/documents/privacy/?lang=en.
- MetaCentrum typically communicates electronically. All documentation is available at http://www.metacentrum.cz. User requests should be directed by e-mail to meta@cesnet.cz. E-mail exchanges with users are recorded in a Request Tracking system (http://rt.cesnet.cz).
Virtual Organisations
- MetaCentrum Users are members of area-specific virtual organizations (VO), which bring together user groups that need to cooperate while processing data and sharing computing workload. The extent and level of services provided to individual users depend on their membership in VOs. A single user may be a member of multiple VOs.
- VO Managers partner with MetaCentrum to negotiate conditions of use, cooperate with MetaCentrum to define VO membership rules and contact addresses for membership management and user support, define technical requirements governing resource providers, and take responsibility for communicating with MetaCentrum and resolving technical and security issues.
- MetaCentrum provides a VO management tool (Perun, http://perun.cesnet.cz). Should a VO choose a different VO management tool, it is responsible for integrating it with MetaCentrum services, including Perun. MetaCentrum, however, integrates with tools used by the EGI.
- A generic virtual organisation, MetaVO, is available to facilitate basic access and use. It is managed by MetaCentrum and populated with users who do not require their own specific VOs.
- MetaCentrum may require users to prove that they are entitled to using MetaCentrum services in line with the CESNET AUP. Confirmation is usually required annually while extending VO membership. Invitations to extend VO membership are sent out to users automatically through the VO management system, and directed to the administrative contact e-mail address they have provided. The invitation also explains how to extend VO membership. This is typically done by logging on to the system through the eduID.cz federation. Other possibilities are explained in the eduID.cz Hostel documentation (https://hostel.eduid.cz/).
- Should a person's membership in a VO expire, their account is disabled (by resetting access rights and marking the account expired). Data owned by that user may be made available to other members of the VO. It is possible to restore a disabled account later. However, after one year (or a different period defined in VO rules) the account and all its data may be deleted irrevocably. Typically, the actual deletion takes place much later if permitted by the operating status of the service.
Safe Conduct
- Users may use MetaCentrum services only for such intents and purposes that are in line with the policies of their VO and the CESNET AUP, while also observing these Rules.
- Users must not try to overcome MetaCentrum security precautions.
- Users must protect their access details. MetaCentrum accounts are strictly personal and must never be shared with other persons. Accounts must be protected with non-trivial passwords, which may neither be communicated to other persons, nor recorded.
- Any activities that could result in breaching the copyright of software owners or authors, especially copying protected software, analysing or reverse engineering code or using illegally obtained software, are strictly forbidden.
- Any attempt to gain ungranted privileges (access rights, storage capacity, computing time) in MetaCentrum sites is strictly forbidden. It is expressly forbidden to attempt to obtain the passwords or keys of other users, or to exploit system or software deficiencies to gain additional access rights. Any actions that could result in access rights being obtained by a third person, or otherwise putting the operation of MetaCentrum resources at risk, are also forbidden.
- While using MetaCentrum services, users must act considerately towards others. Computing workload is managed by a centralized scheduler and users must never bypass it. Use cases that could seriously hamper the work of other users accessing shared resources (shared file systems, interactive nodes) must be consulted with MetaCentrum system administrators beforehand and must not be executed without advance notice.
- Scientific jobs or experiments that could be identified as attacks, security breaches or other transgressions of Internet rules must not be carried out without prior consent by MetaCentrum administrators. These include especially experiments involving distributed scanning, downloading or collecting data, or testing the throughput, performance, reliability or vulnerability of resources.
- Data privacy in MetaCentrum is only provided through setting UNIX access rights in file systems. Achieving a higher level of data or software privacy is the sole responsibility of users. Better privacy may be reached by applying access rights or encryption. MetaCentrum is in no way responsible for misuse of data or software owned by individual users.
- The use of MetaCentrum hardware or software must be adequately acknowledged in publications (technical reports, articles), preferably by following acknowledgement guidelines at https://wiki.metacentrum.cz/wiki/Usage_rules/Acknowledgement. MetaCentrum reserves the right to showcase the activities of its users in annual reports and similar works.
- MetaCentrum administrators may restrict or block user access for administrative, operational or security reasons. In case of a serious breach of usage or security rules MetaCentrum administrators may deny the responsible user access permanently.
- Users acknowledge that MetaCentrum resources employ software systems and applications whose use is governed by specific license agreements. Users must get acquainted with applicable license conditions before use, and adhere with such conditions. License conditions regarding individual software packages are included in MetaCentrum documentation: https://wiki.metacentrum.cz/wiki/Kategorie:Applications.
Rules Specific to MetaVO
- MetaVO is a generic virtual organisation operated by MetaCentrum for members of education and research institutes and their coworkers. Detailed conditions one must meet to obtain an account are shown at “MetaVO Usage Rules” (https://wiki.metacentrum.cz/wiki/Usage_rules).
- User accounts are created on application (http://metavo.metacentrum.cz/en/application/index.html) and approval of the “End User Statement” (https://wiki.metacentrum.cz/wiki/MetaCentrum_end_user_statement). MetaVO members also automatically become members of the CESNET e-infrastructure. Accounts are provided for one calendar year. Accounts may be extended at the end of each year, based on a brief activity report and confirmation of affiliation with Czech academia.
- Accounts cease to exist if not extended, or if explicitly discontinued by decision of MetaVO or the user concerned. Discontinuation notices are sent by e-mail to addresses registered by affected users. Data belonging to discontinued accounts are not removed immediately, but rather kept for at least three years, should the need for continued cooperation arise.
- E-mail address meta@cesnet.cz is the primary contact for reporting issues related to MetaVO. All messages arriving at that address are kept in the Request Tracking system (RT), which opens up tickets and assigns each a tracking number. MetaCentrum Service Documentation is available at https://wiki.metacentrum.cz.
- Certain services provided by MetaVO are only provided to users who accept additional conditions -- typically where licensed software is concerned. Users register for the use of such services by applying for membership in specialized groups; group membership application are subject to approval by VO managers.
- Publications that acknowledge use of the e-infrastructure can be registered with MetaCentrum (https://metavo.metacentrum.cz/en/myaccount/pubs). Users who have registered their publications are treated preferentially by the workload scheduler.
Rules Specific to the Cloud
- The cloud environment allows users to run their own virtual machines with operating systems fully under their own control. Cloud users must therefore exercise extreme caution while managing such machines. Additionally, they are required to agree with the “Cloud Security Policy” (https://wiki.metacentrum.cz/wiki/Cloud_Security_Policy) while applying for access at (https://wiki.metacentrum.cz/wiki/MetaCloud_testbed_registration).
- Documentation for the cloud service is available at a separate Web site: https://wiki.metacentrum.cz/wiki/MetaCloud_testbed_-_quick_guide.
Rules Concerning Participating Sites
- MetaCentrum comprises resources provided by CESNET and CERIT-SC research e-infrastructures, other infrastructures and projects, as well as other computing sites at other academic institutes.
- Computing sites connected to MetaCentrum continue to operate and manage their resources. Most importantly, the connected sites make sure that adequate housing is provided, running expenses are covered, and local technical support is provided. MetaCentrum, alongside its centralized services, also provides consulting, training and essential software packages. Management of computing and storage resources is negotiated between MetaCentrum and sites on a case-by-case basis.
- Managers of connected sites must keep their information up-to-date, especially concerning contact details, extent of services provided, and long-term conditions under which their resources are made available to individual VOs.
- MetaCentrum strives to provide a uniform interface for job processing and data storage across a system of independent, individually managed clusters. Therefore providers must cooperate with MetaCentrum and run services necessary for integration with MetaCentrum. Issues are reported through the Request Tracker operated by MetaCentrum.
- Connected site managers must cooperate with MetaCentrum while resolving security incidents, and comply with MetaCentrum Security Policy (https://wiki.metacentrum.cz/wiki/MetaCentrum_security_policy).
- Owners of connected resources make sure their hardware services are operational and available. Resources are monitored by a centralized monitoring system, which collects availability details across MetaCentrum. Based on such details, or on valid complaints concerning a given set of resources, MetaCentrum may decide to make such resources inaccessible. Resource providers are invited to monitor their resources at a more detailed level and, if possible, make their monitoring data available to MetaCentrum.
- Owners of connected resources provide MetaCentrum with accounting data on user jobs and user data storage. Hence a site must be able to integrate with MetaCentrum accounting.
- Owners of resources connected to MetaCentrum undertake to provide their services to at least one VO cooperating with MetaCentrum. Owners must cooperate with VOs especially in managing software and assuring data security.
- Resource owners do not own intellectual property originating form jobs processed and data stored on their resources.
- Resource owners may request acknowledgement not only from MetaCentrum, but also from users who use their resources on a large scale.
- Resource owners can name users who shall be provided with priority access to resources provided by themselves, or even to additional MetaCentrum resources to compensate adequately for their own capacities used up by users from other institutes.
- Conditions of resource integration and responsibilities for operation and administration tasks may be specified in greater detail by an additional agreement between a provider and MetaCentrum, taking for example the form of a Memorandum of Understanding (MoU).
Rules of Commercial Use
- MetaCentrum resources are primarily intended for non-commercial use in research, development and education; licensing conditions for most of the available application software packages do not allow for any other types of use. Under very specific conditions, however, resources connected to MetaCentrum may still be available for commercial use, provided that the following rules are observed.
- Users must negotiate directly with the target site. Commercial use must always take place under a contract.
- Commercial users must always set up a dedicated virtual organization. If necessary, other sites may make their resources available to that VO. The VO profile must explicitly state that it intends to use available resources commercially. The VO (the entity that established it) is responsible for making sure that all components are used legally and in compliance with CESNET AUP. In case only the owner's own employees intend to use their resources commercially, it is sufficient to relegate them into a separate group managed by a responsible person.
- MetaCentrum itself does not make any resources available commercially, and excludes any responsibility for service quality or availability.
- MetaCentrum must be notified of all cases of commercial use; the extent of commercial use must not exceed 20% of the overall capacity available form MetaCentrum. (Based on Commission Regulation (EU) No. 651/2014, declaring certain categories of aid compatible with the internal market.)
Rules Specific to the EGI
- MetaCentrum provides support to parties providing resources into the European Grid Infrastructure (EGI -- http://www.egi.eu), and to Czech users thereof. MetaCentrum also runs services required to integrate Czech resources into the EGI, provides its own resources to the EGI, and runs services required to run a national node and supported VOs.
- To use EGI resources, users must authenticate with personal grid certificates and agree with EGI's “Acceptable Use Policy and Conditions of Use” (https://documents.egi.eu/public/ShowDocument?docid=2623). Certificates are issued by TERENA TCS (https://tcs.cesnet.cz/en/).
- Sites integrated with EGI must comply with the “EGI Security Incident Handling Procedure” and “EGI-CSIRT Critical Vulnerability Handling” (https://documents.egi.eu/public/ShowDocument?docid=710 and https://wiki.egi.eu/wiki/SEC03, respectively), and pass certification under “Resource Centre Registration and Certification” (https://wiki.egi.eu/wiki/PROC09).
Final Stipulations
- MetaCentrum administrator may change these Rules. A new version of the Rules must always be published at least one month in advance on the CESNET Web Site.
- These Rules are available in Czech and English. In case of discrepancies the Czech version takes precedence.
- These Rules were published on January 15, 2016. They become effective and succeed the previous version of the Rules on March 1, 2016.
Last changed:Mon Aug 24 14:33:25 CEST 2020