Installing UFM Podman Rootless Container Mode
Step 1: Check Firewall Status
systemctl status firewalld
Step 2: Configure Firewall (if active)
# check if firewalld is running
systemctl status firewalld
# Permanently add port 8443 to firewalld
firewall-cmd --permanent --add-port=8443/tcp
# reload firewalld config
firewall-cmd --reload
Step 3: Create UFM Directory
mkdir -p /opt/ufm
Step 4: Create UFM Group
groupadd ufmadm -g 733
Step 5: Create UFM User
useradd -d /opt/ufm -m -u 733 -g ufmadm ufmadm
Step 6: Set Directory Ownership
chown -R ufmadm:ufmadm /opt/ufm
Step 7: Add SubUID/SubGID Configuration
echo "ufmadm:100000:65536" >> /etc/subuid
echo "ufmadm:100000:65536" >> /etc/subgid
Step 8: Enable Login Linger for UFM User
loginctl enable-linger ufmadm
Step 9: Configure Rootless Podman Storage
sudo -u ufmadm mkdir -p /opt/ufm/.config/containers
cat <<EOF | sudo -u ufmadm tee /opt/ufm/.config/containers/storage.conf > /dev/null
[storage]
driver = "overlay"
runroot = "/run/user/733"
EOF
Step 10: Create Podman UFM Socket
cat <<EOF > /usr/lib/systemd/system/podman-ufm.socket
[Unit]
Description=Podman API Socket For Nvidia UFM
[Socket]
SocketUser=ufmadm
SocketGroup=ufmadm
ListenStream=%t/podman-ufm/podman-ufm.sock
SocketMode=0660
[Install]
WantedBy=sockets.target
EOF
Step 11: Create Podman UFM Service
cat <<EOF > /usr/lib/systemd/system/podman-ufm.service
[Unit]
Description=Podman API Service for Nvidia UFM
Requires=podman-ufm.socket
After=podman-ufm.socket
StartLimitIntervalSec=0
[Service]
Delegate=true
Type=exec
User=ufmadm
Group=ufmadm
KillMode=process
Environment=LOGGING="--log-level=info"
ExecStart=/usr/bin/podman \$LOGGING system service
LimitMEMLOCK=infinity
[Install]
WantedBy=default.target
EOF
Step 12: Create Podman Cleanup Service
cat <<EOF > /usr/lib/systemd/system/podman-ufm-cleanup.service
[Unit]
Description=podman-ufm-cleanup - clean stuck rootless containers at boot
After=podman-ufm.service
Before=ufm-enterprise.service
[Service]
Type=oneshot
User=ufmadm
Group=ufmadm
ExecStart=/usr/bin/podman system migrate
[Install]
WantedBy=multi-user.target
EOF
Step 13: Enable and Start Podman Services
systemctl daemon-reload
systemctl enable --now podman-ufm.socket
systemctl enable --now podman-ufm.service
systemctl enable --now podman-ufm-cleanup.service
Step 14: Create Udev Rules for InfiniBand Devices
cat <<EOF > /etc/udev/rules.d/70-umad.rules
KERNEL=="umad*", SUBSYSTEM=="infiniband_mad", MODE="0600", OWNER="ufmadm", GROUP="ufmadm"
KERNEL=="issm*", SUBSYSTEM=="infiniband_mad", MODE="0600", OWNER="ufmadm", GROUP="ufmadm"
EOF
udevadm control --reload-rules
udevadm trigger
Step 15: Clear and Create UFM Directories
rm -rf /opt/ufm/systemd
sudo -u ufmadm mkdir -p /opt/ufm/ufm_plugins_data
sudo -u ufmadm mkdir -p /opt/ufm/systemd
sudo -u ufmadm mkdir -p /opt/ufm/etc/apache2
Step 16: Load UFM Image
sudo -u ufmadm podman load -i <path to ufm*-docker.img.gz>
Step 17: Run UFM Installer
sudo -u ufmadm podman run -it --rm --name=ufm_installer \
-v /run/podman-ufm/podman-ufm.sock:/var/run/docker.sock \
-v /opt/ufm/:/installation/ufm_files/ \
-v /opt/ufm/systemd:/etc/systemd_files/ \
mellanox/ufm-enterprise:latest \
--install \
--fabric-interface ib0 \
--rootless \
--plugin-path /opt/ufm/ufm_plugins_data \
--ufm-user ufmadm \
--ufm-group ufmadm
Note: Replace ib0 with your actual InfiniBand interface name, if it is not the default ib0.
Note: All other UFM install flags are supported and can be added to the command.
Step 18: Install UFM Service Unit
mv /opt/ufm/systemd/ufm-enterprise.service /etc/systemd/system/ufm-enterprise.service
systemctl daemon-reload
Step 19: Enable And Start UFM Service
systemctl start ufm-enterprise.service
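The subordinate ID ranges written in Step 7 are what give the rootless ufmadm user its own UID/GID namespace; a range that is too small breaks image extraction, and a range that overlaps another user's entry lets two rootless users' containers map to the same host IDs. The following preflight check is an added example, not part of the UFM documentation; the function name check_subid_range and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the UFM documentation): preflight check for the
# subordinate ID ranges written in Step 7. A rootless Podman user needs a
# range of at least 65536 IDs in /etc/subuid and /etc/subgid, and that range
# must not overlap another user's entry.

# check_subid_range FILE USER [MIN_COUNT]
# Parses a subuid/subgid-style file (user:start:count per line). Prints "ok"
# and returns 0 when USER has a well-formed range of at least MIN_COUNT IDs
# that is disjoint from every other line; otherwise prints the problem and
# returns 1.
check_subid_range() {
    awk -F: -v user="$2" -v min="${3:-65536}" '
        # Reject malformed lines (wrong field count or non-numeric start/count).
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
            print "malformed line " NR ": " $0; bad = 1; exit 1
        }
        {
            who[NR] = $1; start[NR] = $2; end[NR] = $2 + $3 - 1
            if ($1 == user) found = NR
        }
        END {
            if (bad) exit 1
            if (!found) { print "no entry for " user; exit 1 }
            n = end[found] - start[found] + 1
            if (n < min) { print user " range has " n " IDs, need " min; exit 1 }
            # Two closed intervals overlap when each starts before the other ends.
            for (i in start) {
                if (i != found && start[i] <= end[found] && start[found] <= end[i]) {
                    print user " range overlaps " who[i] " (line " i ")"; exit 1
                }
            }
            print "ok"
        }' "$1"
}

# Constructed sample file (not a real host's /etc/subuid) to exercise the check.
sample=$(mktemp)
printf '%s\n' 'ufmadm:100000:65536' 'otheruser:165536:65536' > "$sample"
check_subid_range "$sample" ufmadm
rm -f "$sample"
```

On a real host, run it as check_subid_range /etc/subuid ufmadm and again for /etc/subgid before starting the podman-ufm services.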
Optional: Client Certificate Authentication Setup
This section provides steps to configure UFM with client certificate authentication using locally refreshed certificates. This is an optional security enhancement that can be configured after the basic UFM installation is complete.
Prerequisites:
- Valid client certificates available
- Local certificates directory mapped to the UFM container
Step 1: Install UFM with Local Certificates Directory (Alternative to Step 18)
If you want to use client certificates, first prepare your certificate directory with the required files, then modify step 18 to include the --local-certs-dir flag.
Important: The --local-certs-dir flag can only be used during initial installation. If UFM is already installed, you must reinstall to use this feature.
The local certificates directory must contain the following files in PEM format:
- server.crt - SSL certificate
- server.key - SSL key
- ca-intermediate.crt - CA intermediate certificate
sudo -u ufmadm podman run -it --rm --name=ufm_installer \
-v /run/podman-ufm/podman-ufm.sock:/var/run/docker.sock \
-v /opt/ufm/:/installation/ufm_files/ \
-v /opt/ufm/systemd:/etc/systemd_files/ \
mellanox/ufm-enterprise:latest \
--install \
--fabric-interface ib0 \
--mgmt-interface enp1s0 \
--rootless \
--plugin-path /opt/ufm/ufm_plugins_data \
--ufm-user ufmadm \
--ufm-group ufmadm \
--local-certs-dir /path/to/local/certs
Replace /path/to/local/certs with the actual path to your directory containing the certificate files on the host.
Step 2: Enter the UFM Container
Once the UFM service is running, enter the container:
sudo -u ufmadm podman exec -it ufm /bin/bash
Step 3: Enable Client Certificate Authentication
/opt/ufm/scripts/manage_client_authentication.sh enable-client-cert-authen
Step 4: Set Client Certificate Subject Identifier
/opt/ufm/scripts/manage_client_authentication.sh set-subject-identifier --identifier CN
Use CN or SAN.
Step 5: Associate Client Certificate with UFM User
/opt/ufm/scripts/manage_client_authentication.sh associate-user --cn <CN> --username <UFM_USER>
Replace:
- <CN>: The Common Name from your client certificate
- <UFM_USER>: The UFM username to associate with the certificate
Step 6: Set SSL Server Certificate Hostname
/opt/ufm/scripts/manage_client_authentication.sh set-ssl-cert-hostname --hostname <hostname>
Replace <hostname> with your server's hostname.
Step 7: Restart Apache Web Server
/opt/ufm/scripts/manage_client_authentication.sh restart_ufm_websrv
Client Certificate Authentication Notes
- Steps 2-7 should be performed after the UFM container is running.
- These commands can be embedded in automation scripts and invoked after certificates are refreshed.
- Users will need valid client certificates matching the configured CN associations to access UFM.
- Verify that the certificates are properly formatted and that the hostname matches your server configuration.