6 changes: 3 additions & 3 deletions docs/access/project.md
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ Please visit the [our web pages](https://edinburgh-international-data-facility.e

Please note, costs are correct at the time of publication, but will change.

To get a detailed, full cost to include in a any grant application or for an estimate, you can
To get a detailed, full cost to include in a any grant application or for an estimate, you can
begin a new project application which gives you access to pricing calculator.

### Create a new project application
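
Review bot: The touched sentence still reads "a any grant application" and "gives you access to pricing calculator"; since this line is already being changed for trailing whitespace, fix the wording in the same commit, e.g. "to include in any grant application" and "access to the pricing calculator". The hunk header context also shows "Please visit the [our web pages]", which has a doubled article.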
Expand Down Expand Up @@ -69,11 +69,11 @@ Fill in each section of the application as required:
#### Case for Support

Please include here how you intend to pay for services on EIDF
You *must* include reference to either a
You *must* include reference to either a

* UKRI Grant number

OR a
OR a

* Purchase Order to the University of Edinburgh
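
Review bot: "Please include here how you intend to pay for services on EIDF" has no closing punctuation and no blank line before "You *must* include reference to either a", so Markdown will render the two as one run-on paragraph. Add a full stop (or a blank line) while removing the trailing whitespace here.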

Binary file added docs/images/shs/r_maintenance.png
34 changes: 30 additions & 4 deletions docs/safe-haven-services/overview.md
Original file line number Diff line number Diff line change
@@ -1,13 +1,39 @@
# Safe Haven Services
# Safe Haven Services Overview

## The EIDF TRE

The EIDF [Trusted Research Environment (TRE)](https://zenodo.org/record/4594704) hosts several Safe Haven services that enable researchers to work with sensitive data in a secure environment. These services are operated by EPCC in partnership with Safe Haven controllers who manage the Information Governance (IG) appropriate for the research activities and the data access of their Safe Haven service.

The TRE service offers secure data sharing and analysis environments allowing researchers access to sensitive data under the terms and conditions prescribed by the Data Providers. The service prioritises the requirements of the Data Provider over the demands of the Researcher, and is an academic TRE operating under the guidance of the [Five Safes framework](https://core.ac.uk/download/pdf/323894811.pdf).

The TRE has dedicated, private cloud infrastructure at EPCC's Advanced Computing Facility (ACF) data centre and has its own high-performance file systems. When a new Safe Haven service is commissioned in the TRE, it is created in a new virtual private cloud providing the Safe Haven service controller with an independent IG domain separate from other Safe Havens in the TRE. All TRE service infrastructure and all TRE project data are hosted at ACF.

Safe Haven services include all services provided under the EIDF TRE umbrella, such as dedicated HPC and GPU clusters.

## Roles and responsibilities

### Safe Haven operator

It is the responsibility of EPCC as the Safe Haven operator to design, implement and administer the technical controls required to deliver the Safe Haven security regime demanded by the Safe Haven controller.

### Safe Haven controller

The role of the Safe Haven controller is to satisfy the needs of the researchers and the data suppliers. The controller is responsible for guaranteeing the confidentiality needs of the data suppliers and matching these with the availability needs of the researchers.

The service offers secure data sharing and analysis environments allowing researchers access to sensitive data under the terms and conditions prescribed by the data providers. The service prioritises the requirements of the data provider over the demands of the researcher and is an academic TRE operating under the guidance of the [Five Safes framework](https://core.ac.uk/download/pdf/323894811.pdf).
Typically Safe Haven controllers will have research project co-ordination teams and will assign a research coordinator to a project as the main contact.

### Researcher

Users of Safe Haven services must be researchers approved by the Safe Haven controller according to their IG requirements.

Users have a responsibility to use the service within the technical and IG constraints and regulations as defined by a user agreement between them and the Safe Haven controller.

## Contact

All user queries and requests must be directed to the Safe Haven controller who manages user access and communications to their Safe Haven service according to their specific IG requirements.

If you are a researcher looking for access to a Safe Haven, please contact the Safe Haven controller.

The TRE has dedicated, private cloud infrastructure at EPCC's Advanced Computing Facility (ACF) data centre and has its own HPC cluster and high-performance file systems. When a new Safe Haven service is commissioned in the TRE it is created in a new virtual private cloud providing the Safe Haven service controller with an independent IG domain separate from other Safe Havens in the TRE. All TRE service infrastructure and all TRE project data are hosted at ACF.
If you are an existing user of the Safe Haven services and are facing any issues, want to request access to additional services, or have any questions, please contact your assigned research coordinator.

If you have any questions about the EIDF TRE or about Safe Haven services, [please contact us](https://epcced.github.io/eidf-docs/overview/contacts/).
For any general enquiries about the EIDF TRE or the Safe Haven services, [please contact EPCC](https://epcced.github.io/eidf-docs/overview/contacts/).
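
Review bot: In the new Contact section, "All user queries and requests must be directed to the Safe Haven controller" conflicts with the later paragraphs that send existing users to their assigned research coordinator and general enquiries to EPCC. Reword the first sentence so the three routes read as one consistent rule, for example by stating that the research coordinator is the controller's point of contact. The new text also alternates between "Data Providers" and "data suppliers" for what looks like the same party; pick one term and one capitalisation.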
66 changes: 54 additions & 12 deletions docs/safe-haven-services/safe-haven-access.md
Original file line number Diff line number Diff line change
@@ -1,33 +1,49 @@
# Safe Haven Service Access
# Safe Haven Services Access

Safe Haven services are accessed from a registered network connection address using a browser. The service URL will be "[https://shs.epcc.ed.ac.uk/<service\>](https://shs.epcc.ed.ac.uk/<service\>)" where <service\> is the Safe Haven service name.
## Safe Haven Network Access Controls

The Safe Haven access process is in three stages from multi-factor authentication to project desktop login.
The TRE Safe Haven services are protected against open, global access by IPv4 source address filtering. These network access controls ensure that connections are permitted only from Safe Haven controller partner networks and collaborating research institutions.

Researchers who are active in many research projects and in more than one Safe Haven will need to pay attention to the service they connect to, the project desktop they login to, and the accounts and identities they are using.
Network access controls for each Safe Haven are managed by the Safe Haven service controllers who instruct EPCC to add and remove the IPv4 addresses allowed to connect to the service gateway.

!!! note "Requirement"
Users must connect to the Safe Haven service by first connecting to their institution or corporate VPN. If the institution or corporate VPN is not already allowed to access the Safe Haven service, research coordinators will ask researchers to provide an IP range to be added to the allow list.

Safe Haven services are accessed from a registered network connection address using a browser. The service URL will be "[https://shs.epcc.ed.ac.uk/<service\>](https://shs.epcc.ed.ac.uk/<service\>)" where `<service>` is the Safe Haven service name.

## Safe Haven Login

The Safe Haven login process has three stages:

1. Multi-factor authentication
1. Remote Desktop Gateway login
1. Project Desktop login

Researchers who are active in many research projects and in more than one Safe Haven will need to pay attention to the service they connect to, the project desktop they login to, and the accounts and identities they are using.

### 1. Multi-Factor Authentication

The first step in the process prompts the user for a Safe Haven username and then for a session PIN code sent via SMS text to the mobile number registered for the username.

Valid PIN code entry allows the user access to all of the Safe Haven service remote desktop gateways for up to 24 hours without entry of a new PIN code. A user who has successfully entered a PIN code once can access shs.epcc.ed.ac.uk/haven1 and shs.epcc.ed.ac.uk/haven2 without repeating PIN code identity verification.
Valid PIN code entry allows the user access to all of the Safe Haven service remote desktop gateways for up to 24 hours without entry of a new PIN code. A user who has successfully entered a PIN code once can access `shs.epcc.ed.ac.uk/haven1` and `shs.epcc.ed.ac.uk/haven2` without repeating PIN code identity verification.

When a valid PIN code is accepted, the user is prompted to accept the service use terms and conditions.

Registration of the user mobile phone number is managed by the Safe Haven IG controller and research project co-ordination teams by submitting and confirming user account changes through the dedicated service help desk via email.
!!! note "Requirement"
As part of the user registration process, research coordinators will ask users to provide their mobile numbers for Multi-Factor Authentication setup.

## Remote Desktop Gateway Login
### 2. Remote Desktop Gateway login

The second step in the access process is for the user to login to the Safe Haven service remote desktop gateway so that a project desktop connection can be chosen. The user is prompted for a Safe Haven service account identity.
The second step in the access process is for the user to login to the Safe Haven service Remote Desktop Gateway so that a project Desktop connection can be chosen. The user is prompted for a Safe Haven service account identity.

![VDI-Safe-Haven-Login-Page](../images/access/UoE-Data-Safe-Haven-VDI-Login.png)
*VDI Safe Haven Service Login Page*

Safe Haven accounts are managed by the Safe Haven IG controller and research project co-ordination teams by submitting and confirming user account changes through the dedicated service help desk via email.
Safe Haven accounts are managed by the Safe Haven IG controller and research project co-ordination teams.

## Project Desktop Connection
### 3. Project Desktop login

The third stage in the process is to select the virtual connection from those available on the account's home page. An example home page is shown below offering two connection options to the same virtual machine. Remote desktop connections will have an \_rdp suffix and SSH terminal connections have an \_ssh suffix. The most recently used connections are shown as screen thumbnails at the top of the page and all the connections available to the user are shown in a tree list below this.
The third stage in the process is to select the virtual connection from those available on the account's home page. An example home page is shown below offering two connection options to the same virtual machine. Remote desktop connections will have an `_rdp` suffix and SSH terminal connections have an `_ssh` suffix. The most recently used connections are shown as screen thumbnails at the top of the page and all the connections available to the user are shown in a tree list below this.

![VDI-Connections-Available-Page](../images/access/vdi-home-screen.png)
*VM connections available home page*
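
Review bot: In the Multi-Factor Authentication section, the replaced sentence described how the registered mobile number is managed (changes submitted and confirmed through the help desk), while the new "Requirement" note covers only the initial collection of the number by research coordinators. Because a valid SMS PIN opens all of the Safe Haven remote desktop gateways for up to 24 hours, the page should still say who a user contacts to change or withdraw a registered number. Minor: the service URL line keeps the escaped `<service\>` inside the link text and target but uses `<service>` in the prose that follows; make them consistent.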
Expand All @@ -36,4 +52,30 @@ The remote desktop gateway software used in the Safe Haven services in the TRE i

A remote desktop or SSH connection is used to access data provided for a specific research project. If a researcher is working on multiple projects within a Safe Haven they can only login to one project at a time. Some connections may allow the user to login to any project and some connections will only allow the user to login into one specific project. This depends on project IG restrictions specified by the Safe Haven and project controllers.

Project desktop accounts are managed by the Safe Haven IG controller and research project co-ordination teams by submitting and confirming user account changes through the dedicated service help desk via email.
Project desktop accounts are managed by the Safe Haven IG controller and research project co-ordination teams.

#### First Time Login and Account Password Changes

!!! warning "Account Password Changes"
Note that first time account login cannot be through RDP as a password change is required. Password reset logins must be SSH terminal sessions as password changes can only be made through SSH connections.

#### Connecting to a Remote SSH Session

When a VM SSH connection is selected, the browser screen becomes a text terminal. The user is prompted to "Login as: " with a project account name, and then prompted for the account password. This connection type is equivalent to a standard xterm SSH session.

!!! warning "Symbols and shortcuts"
Note that Apache Guacamole translates keyboard input from your browser to the remote desktops. Sometimes this mapping is not compatible due to a difference in operating systems or keyboard layouts, causing certain symbols and shortcuts to be different. Passwords typed in an SSH terminal are often hidden for privacy reasons. If you are unsure about what you are typing, test this as your username without pressing enter.

#### Connecting to a Remote Desktop Session

Remote desktop connections work best by first placing the browser in Full Screen mode and leaving it in this mode for the entire duration of the Safe Haven session.

When a VM RDP connection is selected the browser screen becomes a remote desktop presenting the login screen shown below.

![VM-VDI-connection-login](../images/access/vm-vdi-connection-login.png)
*VM virtual desktop connection user account login screen*

Once the project account credentials have been accepted, a remote dekstop similar to the one shown below is presented. The default VM environment in the TRE is Ubuntu 22.04 with the Xfce desktop.

![VM-VDI-connection](../images/access/vm-vdi-connection.png)
*VM virtual desktop*
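
Review bot: The "Symbols and shortcuts" warning advises "test this as your username without pressing enter", which tells users to type their password into a field that echoes it in clear text on screen. Suggest recommending that users test only the problem symbols there, not the whole password, and clear the field afterwards. Also, "remote dekstop" in the last paragraph should be "remote desktop".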
50 changes: 50 additions & 0 deletions docs/safe-haven-services/software-management.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# Software Management in Safe Haven Services

## System software and user software

All system-level software installed and configured in the Safe Haven is managed by the TRE admin team.

Users are given access to Safe Haven controller-approved online sources such as PyPy and CRAN to install and manage additional software specific to their projects.

Users can also import packaged or containerised code via a request to their research coordinator. For more details on how to prepare containers for Safe Havens, check the [Safe Haven container service](./tre-container-user-guide/introduction.md) documentation.

## System maintenance

Minor system-level software changes and patches will be made as soon as admin effort can be allocated. Major changes and patches are likely to be scheduled for the TRE monthly maintenance session including all Safe Haven services on **the first Thursday of each month**.

Depending on the type of maintenance, the service may be at risk and inaccessible during this period. The type of maintenance will be announced in advance via email.

### Managing R packages post-maintenance

During some Safe Haven maintenance windows, the version of R is upgraded. When this happens, there are some additional steps required by the user to get some packages (such as Tidyverse) to work correctly. If you have not logged in since the last maintenance period when R was upgraded or are having issues with R package installations, please follow the instructions below in the first instance.

![R maintenance decision tree](../images/shs/r_maintenance.png)
*R maintenance decision tree*

If you are currently using R and have installed any libraries since the last R version upgrade and have not yet logged in, or tried to reinstall packages, you need to carry out the following two steps.

If R has been upgraded to a newer version or if you have just started using R you can skip to Step 2. 

#### STEP 1: Removing existing installed R packages

* Either via a command line or the file manager open the R folder within your home directory, and then open `x86_64-pc-linux-gnu-library` directory.
* Inside this directory you should see a list of version numbers, these match the versions of R you have previously used.
* Locate the directory with the current version of R and rename it if using the GUI, or move (`mv`) if using the command line. This will prevent R from loading these libraries and next time it opens it will create a new directory. 

#### STEP 2: Installing dependencies

!!! warning "This step should be completed by all R/RStudio users."

* Open R or R Studio.
* You need to install the following packages before anything else:
* `Rcpp`
* `Rcpp11`
* `progress`

This can be done by running the following R command:

```r
install.packages("Rcpp", "Rcpp11","progress")
```

* We recommend restarting R/R Studio prior to beginning to install your other packages.
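
Review bot: The R command in STEP 2, `install.packages("Rcpp", "Rcpp11","progress")`, passes three separate positional arguments, so R treats "Rcpp11" as the `lib` path and "progress" as `repos` rather than as packages. It should pass one character vector: `install.packages(c("Rcpp", "Rcpp11", "progress"))`. Separately, "PyPy" in the second paragraph is presumably meant to be PyPI, and the two sentences before STEP 1 give overlapping conditions for when Step 1 applies; state the skip condition once.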
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Accessing the Superdome Flex inside the EPCC Trusted Research Environment
# The Safe Haven HPC Service - Superdome Flex

## What is the Superdome Flex?

Expand All @@ -15,9 +15,8 @@ The software specification of the SDF are:
- Access to local copies of R (CRAN) and python (conda) repositories
- [Singularity](https://docs.sylabs.io/guides/3.5/user-guide/introduction.html) container platform

### Key Point

`The SDF is within the TRE. Therefore, the same restrictions apply, i.e. the SDF is isolated from the internet (no downloading code from public GitHub repos) and copying/recording/extracting anything on the SDF outside of the TRE is strictly prohibited unless through approved processes.`
!!! warning "Network access controls"
The SDF is within the TRE, therefore, the same restrictions apply, i.e. outside access is limited by Safe Haven IG controls, and copying/recording/extracting code or data outside of the TRE is strictly prohibited unless through approved processes.

## Accessing the SDF
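
Review bot: The new warning replaces "the SDF is isolated from the internet (no downloading code from public GitHub repos)" with "outside access is limited by Safe Haven IG controls", which no longer tells users whether outbound connections from the SDF are possible. Keep an explicit statement of the outbound restriction, or link to the page that defines it. The title "Network access controls" also describes only half of the note, since the same body carries the prohibition on copying, recording or extracting code or data outside the TRE.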

Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Introduction
# The Safe Haven Container Execution Service - CES

## Overview
## What is the CES?

The Container Execution Service (CES) has been introduced to allow project code developed and tested by researchers outside the Trusted Research Environment (TRE) in personal development environments to be imported and run on the project data inside the TRE using a well-documented, transparent, secure workflow.
The primary role of the TRE is to store and share data securely; it is not intended to be a software development and testing environment. The CES helps researchers perform software development tasks in their chosen environment, rather than the restricted one offered in the TRE.
14 changes: 6 additions & 8 deletions mkdocs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -108,18 +108,16 @@ nav:
- "Gitlab Quickstart": services/gitlab/quickstart.md
- "Safe Haven Services":
- "Overview": safe-haven-services/overview.md
- "Network Access Controls": safe-haven-services/network-access-controls.md
- "Safe Haven Access": safe-haven-services/safe-haven-access.md
- "Virtual Desktop Connections": safe-haven-services/virtual-desktop-connections.md
- "Using the HPC Cluster": safe-haven-services/using-the-hpc-cluster.md
- "Superdome Flex Tutorial":
- "Accessing the SDF Inside the EPCC TRE": safe-haven-services/superdome-flex-tutorial/L1_Accessing_the_SDF_Inside_the_EPCC_TRE.md
- "Access": safe-haven-services/safe-haven-access.md
- "Software Management": safe-haven-services/software-management.md
- "HPC Service":
- "Accessing HPC in Safe Havens": safe-haven-services/superdome-flex-tutorial/L1_Accessing_the_SDF_Inside_the_EPCC_TRE.md
- "Running R/Python Scripts": safe-haven-services/superdome-flex-tutorial/L2_running_R_Python_analysis_scripts.md
- "Submitting Scripts to Slurm": safe-haven-services/superdome-flex-tutorial/L3_submitting_scripts_to_slurm.md
- "Parallelised Python Analysis": safe-haven-services/superdome-flex-tutorial/L4_parallelised_python_analysis.md
- "Parallelised R Analysis": safe-haven-services/superdome-flex-tutorial/L5_parallelised_r_analysis.md
- "TRE Container User Guide":
- "Introduction": safe-haven-services/tre-container-user-guide/introduction.md
- "Container Service":
- "Accessing and running containers in Safe Havens": safe-haven-services/tre-container-user-guide/introduction.md
- "Development Workflow": safe-haven-services/tre-container-user-guide/development-workflow.md
- "Workflow Examples": safe-haven-services/tre-container-user-guide/workflow-examples.md
- "Container Examples": safe-haven-services/tre-container-user-guide/container-examples.md
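
Review bot: The nav drops "Network Access Controls", "Virtual Desktop Connections" and "Using the HPC Cluster", but no removal of network-access-controls.md, virtual-desktop-connections.md or using-the-hpc-cluster.md is visible in this diff, so those pages would stay in the build without a nav entry. Delete or redirect them in the same PR and check for links pointing at them. The new nav labels "Accessing HPC in Safe Havens" and "Accessing and running containers in Safe Havens" also differ from the new page titles ("The Safe Haven HPC Service - Superdome Flex", "The Safe Haven Container Execution Service - CES"); align them so the sidebar and the page heading match.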