External Data Volumes
You can access the External Data Volumes (EDV) administration screen by going to the Domino administration page and navigating to External Data Volumes: Data -> External Volumes
External data volumes must be registered with Domino before they can be used. All registered external data volumes appear in a standard table, which displays the EDV name, type, description, and volume access (see Volume Properties). In addition, for each registered EDV, the Projects column indicates which projects have added the EDV.
Unless otherwise specified, all the following actions assume you are in the EDV administration page.
Domino runs on a Kubernetes cluster, and EDVs must be backed by an underlying Kubernetes persistent volume (PV). More importantly, that persistent volume must be bound to a properly labelled persistent volume claim (PVC). Here is an example PV yaml file:
```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-nfs
spec:
  accessModes:
    - ReadWriteMany
  capacity:
    storage: 30Gi
  nfs:
    path: /mnt/export
    server: 10.0.0.26
  persistentVolumeReclaimPolicy: Retain
```
The PVC must be created with a label whose key is dominodatalab.com/external-data-volume. The value of that key represents the type of external data volume. Currently, NFS is the only supported value. Finally, the PVC must be created in the Domino compute namespace. Here is an example PVC yaml file:
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-nfs
  namespace: default
  labels:
    "dominodatalab.com/external-data-volume": "NFS"
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 30Gi
  volumeName: pv-nfs
```
All properly labelled PVCs will be available candidates to register in the Domino EDV administration user interface.
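The candidate rules above (label key present, supported type, compute namespace, bound to a PV) can be checked before opening the registration wizard. The following is an added example, not Domino's own code: it audits a constructed sample shaped like the output of `kubectl get pvc --all-namespaces -o json`, and it assumes the compute namespace is `default`, as in the example manifest. The finding codes and function names are hypothetical.

```python
import json

EDV_LABEL = "dominodatalab.com/external-data-volume"
SUPPORTED_TYPES = {"NFS"}  # the page names NFS as the only supported value

# Constructed sample, shaped like `kubectl get pvc --all-namespaces -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "pvc-nfs", "namespace": "default",
   "labels": {"dominodatalab.com/external-data-volume": "NFS"}},
  "spec": {"accessModes": ["ReadWriteMany"], "volumeName": "pv-nfs"},
  "status": {"phase": "Bound"}},
 {"metadata": {"name": "pvc-reports", "namespace": "team-a",
   "labels": {"dominodatalab.com/external-data-volume": "NFS"}},
  "spec": {"accessModes": ["ReadOnlyMany"], "volumeName": "pv-reports"},
  "status": {"phase": "Bound"}},
 {"metadata": {"name": "pvc-smb", "namespace": "default",
   "labels": {"dominodatalab.com/external-data-volume": "SMB"}},
  "spec": {"accessModes": ["ReadWriteMany"], "volumeName": "pv-smb"},
  "status": {"phase": "Bound"}},
 {"metadata": {"name": "pvc-scratch", "namespace": "default"},
  "spec": {"accessModes": ["ReadWriteOnce"]},
  "status": {"phase": "Pending"}}
]}
""")

def audit_pvc(pvc, compute_namespace):
    """Return finding codes; an empty list means the PVC is a valid EDV candidate."""
    meta = pvc.get("metadata", {})
    labels = meta.get("labels") or {}
    findings = []
    if EDV_LABEL not in labels:
        findings.append("missing-label")
    elif labels[EDV_LABEL] not in SUPPORTED_TYPES:
        findings.append("unsupported-type")
    if meta.get("namespace") != compute_namespace:
        findings.append("wrong-namespace")
    if pvc.get("status", {}).get("phase") != "Bound":
        findings.append("not-bound")
    return findings

def audit(pvc_list, compute_namespace="default"):  # namespace value is an assumption
    """Map 'namespace/name' to the findings for every PVC in the list."""
    return {f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}':
            audit_pvc(p, compute_namespace) for p in pvc_list["items"]}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings or "candidate")
```

A PVC with no findings should appear in the Available Volumes list; any finding explains why a claim an administrator expected to see is missing from it.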
To register an EDV with Domino, click the Register External Volume button on the upper right-hand side of the EDV administration page. This will open a modal with the EDV registration wizard. The wizard guides administrators through registering the EDV by configuring various EDV properties (see Volume Properties).
The first step in the wizard is to select the volume type. Currently, NFS is the only supported volume type.
The Available Volumes list will show all candidate volumes of the selected type. The name of these volumes is the name of the backing Kubernetes persistent volume claim (PVC).
The second step in the wizard is to configure the volume.
- Name. (Required). This field will default to the name of the selected PVC, but can be changed. A good practice is to name the EDV so that users recognize it, based on the supporting use case or some organization-defined convention.
- Mount Path. (Required). This specifies the relative mount path for the EDV for supported executions. This field will default to the name of the selected PVC, but can be changed. This field must be unique across all registered EDVs. There are a few reserved words. See Volume Properties.
- Mount as read-only. This checkbox specifies the mount type: whether the EDV is mounted as read-only or read-write. Default is read-only (checked). Note that this is enforced at the Domino layer. More restrictive access controls at the Kubernetes or NFS layer overrule this setting. For example, if the PVC access mode is set to read only, it does not matter that this field allows read-write; the underlying read-only permission will be enforced.
- Description. Admin defined description for EDV.
The third step in the wizard is to define the volume access. See Volume Properties and Authorization.
- Everyone. Allow EDV access to all logged-in users.
- Specific users or organizations. Limit EDV access to specific users and organizations.
Regardless of the setting here, Domino Administrators (SysAdmin) will always be able to access any external data volume.
To view a registered EDV's details, click on the Name of the EDV in the admin table.
To edit the details of a registered EDV, click on the vertical three dots on the right-hand side of its entry in the admin EDV table. This will expose the Edit action. Click Edit to edit the EDV details.
A modal with editable fields appears where users can change EDV properties.
To unregister an EDV, click on the vertical three dots on the right-hand side of its entry in the admin EDV table. This will expose the Unregister action. Click Unregister to unregister the EDV.
A confirmation modal appears where users can confirm the unregistration by clicking Unregister, or cancel out of the operation altogether by clicking Cancel.
Multiple users collaborating on the same project may not all have the same level of volume access. EDVs added to the project should not be accessible to users without volume access, and under no circumstance will a user without volume access to an EDV be able to mount that EDV in a supported execution. However, we offer options to manage the visibility of the EDV in the user interface with two levels of censorship. The levels of censorship allow administrators to choose between security and discoverability needs.
- Full censorship. Only the existence of any inaccessible EDV is made known to the user; the quantity and any metadata (such as name or description) are not made known to the user. This is the level for those that want the highest level of security.
- Inactive censorship. Inaccessible EDVs are made known to the user; the EDV metadata (such as name and description) is made known to the user. This is the level that promotes discoverability. With discoverability, users can escalate to Domino administrators to gain volume access. This is the default level of censorship.
The level of censorship is configured by a feature flag:
- Default: false.
- When this is true, the censorship level is full censorship.
- When this is false, the censorship level is inactive censorship.
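The difference between the two levels is what a user without volume access can learn about an EDV. The following is an added example, not Domino's implementation: a small model of the volume access rules (Everyone, specific users or organizations, SysAdmin always allowed) and of what each censorship level discloses. All class, field and function names are hypothetical, the sample volumes and users are constructed, and `full_censorship` stands in for the feature flag.

```python
from dataclasses import dataclass, field

@dataclass
class EDV:
    name: str
    description: str
    everyone: bool = False                      # volume access "Everyone"
    allowed: set = field(default_factory=set)   # specific users or organizations

@dataclass
class User:
    name: str
    orgs: set = field(default_factory=set)
    sysadmin: bool = False

def has_volume_access(user, edv):
    """SysAdmins always have access; otherwise Everyone or an explicit grant."""
    if user.sysadmin or edv.everyone:
        return True
    return bool(({user.name} | user.orgs) & edv.allowed)

def project_view(user, project_edvs, full_censorship):
    """What the project UI may reveal to `user` about the EDVs added to a project."""
    hidden = [e for e in project_edvs if not has_volume_access(user, e)]
    # Only EDVs the user has volume access to can ever be mounted.
    view = {"mountable": [e.name for e in project_edvs if has_volume_access(user, e)]}
    if full_censorship:
        # Existence only: no count, no names, no descriptions.
        view["has_inaccessible"] = bool(hidden)
    else:
        # Inactive censorship: metadata is visible so the user can request access.
        view["inactive"] = [(e.name, e.description) for e in hidden]
    return view

# Constructed sample data.
PROJECT = [EDV("finance-raw", "Ledger exports", allowed={"finance-org"}),
           EDV("shared-ref", "Reference data", everyone=True)]
ALICE = User("alice", orgs={"finance-org"})
BOB = User("bob")
ROOT = User("root", sysadmin=True)

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, project_view(BOB, PROJECT, full_censorship=flag))
```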