NVIDIA UFM Enterprise User Manual

Installing UFM Podman Rootless Container Mode

Step 1: Check Firewall Status

systemctl status firewalld

Step 2: Configure Firewall (if active)

# check if firewalld is running
systemctl status firewalld
# Permanently add port 8443 to firewalld
firewall-cmd --permanent --add-port=8443/tcp
# reload firewalld config
firewall-cmd --reload

Step 3: Create UFM Directory

mkdir -p /opt/ufm

Step 4: Create UFM Group

groupadd ufmadm -g 733

Step 5: Create UFM User

useradd -d /opt/ufm -m -u 733 -g ufmadm ufmadm

Step 6: Set Directory Ownership

chown -R ufmadm:ufmadm /opt/ufm

Step 7: Add SubUID/SubGID Configuration

echo "ufmadm:100000:65536" >> /etc/subuid
echo "ufmadm:100000:65536" >> /etc/subgid
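The subordinate ID entries above are what let rootless Podman map container UIDs and GIDs onto unprivileged host IDs. A missing, undersized or overlapping entry is a common reason a rootless container fails to start, and an overlapping range means two rootless users would own the same host IDs. The following shell script is an added example, not part of the UFM manual or the UFM product: it checks that ufmadm has exactly one entry of at least 65536 IDs, that no two entries in the file overlap, and that no range covers the ufmadm UID 733 itself. The function names are assumptions; the files it operates on are the /etc/subuid and /etc/subgid written in Step 7.

```shell
#!/bin/sh
# Added example (not from the UFM manual): sanity-check the subordinate
# UID/GID ranges that rootless Podman needs for the ufmadm user.
# Function names are assumptions; inputs are files in /etc/subuid format.

# check_subid_entry FILE USER MIN_COUNT
# 0 if USER has exactly one entry whose range is at least MIN_COUNT long.
check_subid_entry() {
    awk -F: -v u="$2" -v min="$3" '
        /^#/ || NF == 0 { next }
        $1 == u { n++; if ($3 + 0 < min + 0) bad = 1 }
        END { exit (n == 1 && !bad) ? 0 : 1 }
    ' "$1"
}

# check_subid_overlap FILE
# 0 if no two entries overlap; overlapping pairs are reported on stderr.
check_subid_overlap() {
    awk -F: '
        /^#/ || NF == 0 { next }
        { n++; who[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1 }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s and %s\n", who[i], who[j] | "cat 1>&2"
                        bad = 1
                    }
            exit bad
        }
    ' "$1"
}

# check_subid_excludes FILE ID
# 0 if host ID (e.g. the ufmadm uid 733) lies outside every range in FILE;
# a range covering a real host account would map container ids onto it.
check_subid_excludes() {
    awk -F: -v id="$2" '
        /^#/ || NF == 0 { next }
        id + 0 >= $2 + 0 && id + 0 < $2 + $3 { exit 1 }
    ' "$1"
}

# verify_ufm_subids SUBUID_FILE SUBGID_FILE USER UID COUNT
# Runs all three checks on both files; 0 only if everything passes.
verify_ufm_subids() {
    subuid=$1; subgid=$2; user=$3; uid=$4; count=$5; rc=0
    for f in "$subuid" "$subgid"; do
        check_subid_entry "$f" "$user" "$count" ||
            { echo "$f: need exactly one entry of >= $count ids for $user" >&2; rc=1; }
        check_subid_overlap "$f" ||
            { echo "$f: overlapping ranges" >&2; rc=1; }
        check_subid_excludes "$f" "$uid" ||
            { echo "$f: a range covers host id $uid" >&2; rc=1; }
    done
    return $rc
}

# Stand-alone usage: sh subid_check.sh /etc/subuid /etc/subgid
# With no arguments only the functions are defined (so the file can be sourced).
if [ $# -eq 2 ]; then
    verify_ufm_subids "$1" "$2" ufmadm 733 65536
fi
```

Run it as root after Step 7 with the two real files as arguments; a non-zero exit with a message on stderr means the mapping needs to be corrected before the rootless user is configured further.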

Step 8: Enable Login Linger for UFM User

loginctl enable-linger ufmadm

Step 9: Configure Rootless Podman Storage

sudo -u ufmadm mkdir -p /opt/ufm/.config/containers
cat <<EOF | sudo -u ufmadm tee /opt/ufm/.config/containers/storage.conf > /dev/null
[storage]
driver = "overlay"
runroot = "/run/user/733"
EOF

Step 10: Create Podman UFM Socket

cat <<EOF > /usr/lib/systemd/system/podman-ufm.socket
[Unit]
Description=Podman API Socket For Nvidia UFM

[Socket]
SocketUser=ufmadm
SocketGroup=ufmadm
ListenStream=%t/podman-ufm/podman-ufm.sock
SocketMode=0660

[Install]
WantedBy=sockets.target
EOF

Step 11: Create Podman UFM Service

cat <<EOF > /usr/lib/systemd/system/podman-ufm.service
[Unit]
Description=Podman API Service for Nvidia UFM
Requires=podman-ufm.socket
After=podman-ufm.socket
StartLimitIntervalSec=0

[Service]
Delegate=true
Type=exec
User=ufmadm
Group=ufmadm
KillMode=process
Environment=LOGGING="--log-level=info"
ExecStart=/usr/bin/podman \$LOGGING system service
LimitMEMLOCK=infinity

[Install]
WantedBy=default.target
EOF

Step 12: Create Podman Cleanup Service

cat <<EOF > /usr/lib/systemd/system/podman-ufm-cleanup.service
[Unit]
Description=podman-ufm-cleanup - clean stuck rootless containers at boot
After=podman-ufm.service
Before=ufm-enterprise.service

[Service]
Type=oneshot
User=ufmadm
Group=ufmadm
ExecStart=/usr/bin/podman system migrate

[Install]
WantedBy=multi-user.target
EOF

Step 13: Enable and Start Podman Services

systemctl daemon-reload
systemctl enable --now podman-ufm.socket
systemctl enable --now podman-ufm.service
systemctl enable --now podman-ufm-cleanup.service

Step 14: Create Udev Rules for InfiniBand Devices

cat <<EOF > /etc/udev/rules.d/70-umad.rules
KERNEL=="umad*", SUBSYSTEM=="infiniband_mad", MODE="0600", OWNER="ufmadm", GROUP="ufmadm"
KERNEL=="issm*", SUBSYSTEM=="infiniband_mad", MODE="0600", OWNER="ufmadm", GROUP="ufmadm"
EOF

udevadm control --reload-rules
udevadm trigger

Step 15: Clear and Create UFM Directories

rm -rf /opt/ufm/systemd
sudo -u ufmadm mkdir -p /opt/ufm/ufm_plugins_data
sudo -u ufmadm mkdir -p /opt/ufm/systemd
sudo -u ufmadm mkdir -p /opt/ufm/etc/apache2

Step 16: Load UFM Image

sudo -u ufmadm podman load -i <path to ufm*-docker.img.gz>

Step 17: Run UFM Installer

sudo -u ufmadm podman run -it --rm --name=ufm_installer \
                          -v /run/podman-ufm/podman-ufm.sock:/var/run/docker.sock \
                          -v /opt/ufm/:/installation/ufm_files/ \
                          -v /opt/ufm/systemd:/etc/systemd_files/ \
                          mellanox/ufm-enterprise:latest \
                          --install \
                          --fabric-interface ib0 \
                          --rootless \
                          --plugin-path /opt/ufm/ufm_plugins_data \
                          --ufm-user ufmadm \
                          --ufm-group ufmadm


Note: Replace ib0 with your actual InfiniBand interface name if it is not the default ib0.

Note: All other UFM install flags are supported and can be added to the command.

Step 18: Install UFM Enterprise Service Files

mv /opt/ufm/systemd/ufm-enterprise.service /etc/systemd/system/ufm-enterprise.service
systemctl daemon-reload

Step 19: Enable And Start UFM Service

systemctl start ufm-enterprise.service

Optional: Client Certificate Authentication Setup

This section provides steps to configure UFM with client certificate authentication using locally refreshed certificates. This is an optional security enhancement that can be configured after the basic UFM installation is complete.

Prerequisites for Client Certificate Setup

  • Valid client certificates available

  • Local certificates directory mapped to the UFM container

Client Certificate Configuration Steps

Step 1: Install UFM with Local Certificates Directory (Alternative to Step 17)

If you want to use client certificates, first prepare your certificate directory with the required files, then modify the installer command from Step 17 to include the --local-certs-dir flag.

Important: The --local-certs-dir flag can only be used during initial installation. If UFM is already installed, you must reinstall to use this feature.

The local certificates directory must contain the following files in PEM format:

  • server.crt - SSL certificate

  • server.key - SSL key

  • ca-intermediate.crt - CA intermediate certificate

sudo -u ufmadm podman run -it --rm --name=ufm_installer \
                          -v /run/podman-ufm/podman-ufm.sock:/var/run/docker.sock \
                          -v /opt/ufm/:/installation/ufm_files/ \
                          -v /opt/ufm/systemd:/etc/systemd_files/ \
                          mellanox/ufm-enterprise:latest \
                          --install \
                          --fabric-interface ib0 \
                          --mgmt-interface enp1s0 \
                          --rootless \
                          --plugin-path /opt/ufm/ufm_plugins_data \
                          --ufm-user ufmadm \
                          --ufm-group ufmadm \
                          --local-certs-dir /path/to/local/certs


Replace /path/to/local/certs with the actual path to your directory containing the certificate files on the host.

Step 2: Enter the UFM Container

Once the UFM service is running, enter the container:

sudo -u ufmadm podman exec -it ufm /bin/bash


Step 3: Enable Client Certificate Authentication

/opt/ufm/scripts/manage_client_authentication.sh enable-client-cert-authen


Step 4: Set Client Certificate Subject Identifier

/opt/ufm/scripts/manage_client_authentication.sh set-subject-identifier --identifier CN


The identifier can be either CN or SAN.

Step 5: Associate Client Certificate with UFM User

/opt/ufm/scripts/manage_client_authentication.sh associate-user --cn <CN> --username <UFM_USER>


Replace:

  • <CN>: The Common Name from your client certificate

  • <UFM_USER>: The UFM username to associate with the certificate

Step 6: Set SSL Server Certificate Hostname

/opt/ufm/scripts/manage_client_authentication.sh set-ssl-cert-hostname --hostname <hostname>


Replace <hostname> with your server's hostname.

Step 7: Restart Apache Web Server

/opt/ufm/scripts/manage_client_authentication.sh restart_ufm_websrv

Client Certificate Authentication Notes

  • Steps 2-7 should be performed after the UFM container is running

  • This command can be embedded in automation scripts and invoked after certificates are refreshed

  • Users will need valid client certificates matching the configured CN associations to access UFM

  • Verify certificates are properly formatted and the hostname matches your server configuration
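Step 1 of this section requires server.crt, server.key and ca-intermediate.crt in PEM format in the mapped directory, and the notes above point out that the Step 7 restart can be driven from automation once certificates are refreshed. The following shell script is an added example, not part of the UFM manual or the UFM scripts: it validates the mapped directory (all three files present, each carrying the right PEM block type, no private key accidentally placed in a .crt file, and server.key not readable by group or other, since the directory is bind-mounted into the container as-is), optionally confirms with openssl that server.key is the private half of server.crt, and only then runs the restart_ufm_websrv command from Step 7 through podman exec. The function names, the script file name and the sample PEM files are assumptions; the container name ufm, the script path and the three file names come from the manual.

```shell
#!/bin/sh
# Added example (not from the UFM manual): validate the --local-certs-dir
# directory and restart the UFM web server after a certificate refresh.
# Function names are assumptions; file names, container name "ufm" and the
# manage_client_authentication.sh path are the ones the manual uses.

# pem_has_cert FILE: 0 if FILE holds a PEM certificate block.
pem_has_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" && grep -q '^-----END CERTIFICATE-----' "$1"
}

# pem_has_key FILE: 0 if FILE holds a PEM private key block (PKCS#8, RSA or EC).
pem_has_key() {
    grep -Eq '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" &&
        grep -Eq '^-----END (RSA |EC )?PRIVATE KEY-----' "$1"
}

# key_mode_ok FILE: 0 if the mode grants no group/other access (e.g. 600, 400).
key_mode_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        *00) return 0 ;;
        *) return 1 ;;
    esac
}

# check_local_certs DIR: verify the three files the installer expects.
check_local_certs() {
    dir=$1; rc=0
    for f in server.crt server.key ca-intermediate.crt; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f" >&2; rc=1; }
    done
    [ $rc -eq 0 ] || return 1
    pem_has_cert "$dir/server.crt" || { echo "server.crt is not a PEM certificate" >&2; rc=1; }
    pem_has_cert "$dir/ca-intermediate.crt" || { echo "ca-intermediate.crt is not a PEM certificate" >&2; rc=1; }
    pem_has_key "$dir/server.key" || { echo "server.key is not a PEM private key" >&2; rc=1; }
    # a private key must never travel inside a certificate file
    if pem_has_key "$dir/server.crt"; then echo "server.crt contains a private key" >&2; rc=1; fi
    key_mode_ok "$dir/server.key" || { echo "server.key is readable by group/other" >&2; rc=1; }
    return $rc
}

# key_matches_cert DIR: compare the public key embedded in server.crt with the
# one derived from server.key. Returns 2 when openssl is not installed so the
# caller can treat the result as "not checked" rather than "mismatch".
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    pub_cert=$(openssl x509 -in "$1/server.crt" -noout -pubkey 2>/dev/null) || return 1
    pub_key=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null) || return 1
    [ -n "$pub_cert" ] && [ "$pub_cert" = "$pub_key" ]
}

# restart_ufm_websrv_in_container CONTAINER: Step 7 of the manual, issued from
# the host as the rootless ufmadm user.
restart_ufm_websrv_in_container() {
    sudo -u ufmadm podman exec "$1" \
        /opt/ufm/scripts/manage_client_authentication.sh restart_ufm_websrv
}

# refresh_certs DIR [CONTAINER]: validate first, restart only on success.
refresh_certs() {
    check_local_certs "$1" || return 1
    key_matches_cert "$1"
    case $? in
        0) ;;
        2) echo "openssl not found; key/cert match not verified" >&2 ;;
        *) echo "server.key does not match server.crt" >&2; return 1 ;;
    esac
    restart_ufm_websrv_in_container "${2:-ufm}"
}

# Usage: sh refresh_ufm_certs.sh /path/to/local/certs [container]
# With no arguments only the functions are defined (so the file can be sourced).
if [ $# -ge 1 ]; then
    refresh_certs "$@"
fi
```

Point it at the same directory you passed to --local-certs-dir; because the restart only runs after the checks pass, a botched refresh (wrong file, mismatched key, key left world-readable) leaves the web server on the previous certificate and reports the reason on stderr instead of silently taking it down.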
