Difference between revisions of "Accessing the clusters"
(→Permission denied) |
|||
| Line 1: | Line 1: | ||
| − | == Who can access the HPC clusters | + | <noinclude>==Who can access the HPC clusters==</noinclude><includeonly>===Who can access the HPC clusters===</includeonly> |
The clusters of ID SIS HPC are open to all members of ETH and external users that have a collaboration with a research group at ETH Zurich. Members of ETH have immediate access to the clusters and can login with their [[NETHZ]] credentials. Members of other institutes who have a collaboration with a research group at ETH may use the HPC clusters for the purpose of said collaboration. Their counterpart ("sponsor") at ETH must ask the local IT support group (ISG) of the corresponding department to create a [[NETHZ]] guest account for them, including e-mail address and VPN service. Once the [[NETHZ]] guest account has been created, they can access the clusters like members of the ETH. | The clusters of ID SIS HPC are open to all members of ETH and external users that have a collaboration with a research group at ETH Zurich. Members of ETH have immediate access to the clusters and can login with their [[NETHZ]] credentials. Members of other institutes who have a collaboration with a research group at ETH may use the HPC clusters for the purpose of said collaboration. Their counterpart ("sponsor") at ETH must ask the local IT support group (ISG) of the corresponding department to create a [[NETHZ]] guest account for them, including e-mail address and VPN service. Once the [[NETHZ]] guest account has been created, they can access the clusters like members of the ETH. | ||
| − | == Legal compliance == | + | <noinclude>==Legal compliance==</noinclude><includeonly>===Legal compliance===</includeonly> |
| − | |||
The HPC clusters of ID SIS HPC are subject to ETH's acceptable use policy for IT resources (Benutzungsordnung für Telematik an der ETH Zürich, [https://www1.ethz.ch/id/documentation/rechtliches/BOTfinal-2005_EN.pdf BOT]). In particular: | The HPC clusters of ID SIS HPC are subject to ETH's acceptable use policy for IT resources (Benutzungsordnung für Telematik an der ETH Zürich, [https://www1.ethz.ch/id/documentation/rechtliches/BOTfinal-2005_EN.pdf BOT]). In particular: | ||
| Line 14: | Line 13: | ||
In case of abuse, the offender's account may be blocked temporarily or closed. System administrators are obliged by law to investigate abusive or illegal activities and report them to the relevant authorities. | In case of abuse, the offender's account may be blocked temporarily or closed. System administrators are obliged by law to investigate abusive or illegal activities and report them to the relevant authorities. | ||
| − | == Security == | + | <noinclude>==Security==</noinclude><includeonly>===Security===</includeonly> |
| + | Access to the HPC clusters of ID SIS HPC is only possible via secure protocols ([[#SSH | ssh]], sftp, scp, rsync). The HPC clusters are only accessible from inside the ETH network. If you would like to connect from a computer, which is not inside the ETH network, then you would need to establish a [[#VPN | VPN]] connection first. Outgoing connections to computers inside the ETH network are not blocked. If you would like to connect to an external service, then please use the ETH proxy service: | ||
| − | + | http://proxy.ethz.ch:3128 | |
| − | |||
| − | |||
| + | <noinclude>==First login==</noinclude><includeonly>===First login===</includeonly> | ||
On your first login, you need to accept the cluster's usage rules. Afterwards your account is created automatically. Please find below the user agreement for the Euler cluster as an example: | On your first login, you need to accept the cluster's usage rules. Afterwards your account is created automatically. Please find below the user agreement for the Euler cluster as an example: | ||
| Line 39: | Line 38: | ||
and agree to the rules and policies mentioned above. | and agree to the rules and policies mentioned above. | ||
| − | == SSH == | + | <noinclude>==SSH==</noinclude><includeonly>===SSH===</includeonly> |
| − | |||
You can connect to the HPC clusters via the SSH protocol. For this purpose it is required that you have an SSH client installed. The information required to connect to an HPC cluster, is the hostname of the cluster that you would like to connect to and your [[NETHZ]] credentials (username, password). | You can connect to the HPC clusters via the SSH protocol. For this purpose it is required that you have an SSH client installed. The information required to connect to an HPC cluster, is the hostname of the cluster that you would like to connect to and your [[NETHZ]] credentials (username, password). | ||
| Line 54: | Line 52: | ||
|} | |} | ||
| − | === Linux, Mac OS X === | + | <noinclude>===Linux, Mac OS X===</noinclude><includeonly>====Linux, Mac OS X====</includeonly> |
| − | |||
Open a shell (Terminal in OS X) and use the standard '''ssh''' command | Open a shell (Terminal in OS X) and use the standard '''ssh''' command | ||
ssh username@''hostname'' | ssh username@''hostname'' | ||
| − | where '''username''' is your [[NETHZ]] username and the hostname can be found in the table shown above. If for instance user leonhard would like to access the Euler cluster, then | + | where '''username''' is your [[NETHZ]] username and the hostname can be found in the table shown above. If for instance user leonhard would like to access the Euler cluster, then this would look like |
| − | ssh leonhard@''euler.ethz.ch' | + | leonhard@calculus:~$ '''ssh leonhard@euler.ethz.ch''' |
| + | leonhard@euler.ethz.ch's password: | ||
| + | Last login: Fri Sep 17 14:17:54 1783 from calculus.ethz.ch | ||
| + | |||
| + | ____________________ ___ | ||
| + | / ________ ___ /__/ / | ||
| + | / _____/ / / / ___ / | ||
| + | /_______/ /__/ /__/ /__/ | ||
| + | Eidgenoessische Technische Hochschule Zuerich | ||
| + | Swiss Federal Institute of Technology Zurich | ||
| + | ------------------------------------------------------------------------- | ||
| + | E U L E R C L U S T E R CentOS 6 | ||
| + | |||
| + | |||
| + | http://clusterwiki.ethz.ch/brutus/Getting_started_with_Euler | ||
| + | NEW! --> http://tinyurl.com/cluster-support | ||
| + | cluster-support@id.ethz.ch | ||
| + | |||
| + | |||
| + | [leonhard@euler04 ~]$ | ||
| + | |||
| + | <noinclude>===Windows===</noinclude><includeonly>====Windows====</includeonly> | ||
| + | Since Windows does not provide an [[#SSH | ssh]] client as part of the operating system, users need to download a third-party software in order to be able to establish [[#SSH | ssh]] connections. | ||
| + | |||
| + | Widely used [[#SSH | ssh]] clients are for instance [http://www.chiark.greened.org.uk/~sgtatham/putty/ PuTTY] and [http://www.cygwin.com Cygwin]. | ||
| + | |||
| + | [[File:Putty1.png|380px]][[File:Cygwin1.png|662px]] | ||
| − | + | When users start the [[#SSH | ssh]] client, then it is sufficient to specify the hostname of the cluster one would like to connect to and start the connection. Afterwards, the users will be prompted to enter their [[NETHZ]] credentials. | |
| − | + | <noinclude>==SSH keys==</noinclude><includeonly>===SSH keys===</includeonly> | |
| + | [[#SSH | ssh]] keys allow you to login to a cluster without having to type a password. This can be useful for file transfer and automated tasks. When you use [[#SSH | ssh]] keys properly, then this is much safer than passwords. There are always pairs of keys, a private (sotred on your local workstation) and a public (stored on the computer you want to connect to). You can generate as many key pairs as you want. In order to make the keys even more secure, you should protect them with a passphrase. | ||
| − | + | On your workstation, use <tt>ssh-keygen</tt> to generate a key pair. By default the private key is stored as <tt>$HOME/.ssh/id_rsa</tt> and the public key as <tt>$HOME/.ssh/id_rsa.pub</tt>. In order to setup passwordless access to a cluster, copy the public key to the <tt>.ssh</tt> directory on the cluster (for this example, we use the Euler cluster). | |
| − | + | cat $HOME/.ssh/id_rsa.pub | ssh ''username''@euler.ethz.ch "cat - >> .ssh/authorized_keys" | |
| − | + | Some Linux distributions provide tools for copying keys. | |
| − | === | + | <noinclude>==X11==</noinclude><includeonly>===X11===</includeonly> |
| + | The clusters of ID SIS HPC use the X window System (X11) to display a program's graphical user interface (GUI) on a users workstation. You need to install an X11 server on your workstation to siplay X11 windows. The ports used by X11 are blocked by the cluster's firewall. To circumvent this problem, you must open an '''SSH tunnel''' and redirect all X11 communication through that tunnel. | ||
| + | <noinclude>===Linux===</noinclude><includeonly>====Linux====</includeonly> | ||
Xorg (X11) is normally installed by default as part of most Linux distributions. If you are using a version newer than 1.16, then please have a look at the [[#Troubleshooting | troubleshooting]] section at the bottom of this wiki page. | Xorg (X11) is normally installed by default as part of most Linux distributions. If you are using a version newer than 1.16, then please have a look at the [[#Troubleshooting | troubleshooting]] section at the bottom of this wiki page. | ||
| − | + | ssh -Y username@''hostname'' | |
| + | <noinclude>===Mac OS X===</noinclude><includeonly>====Mac OS X====</includeonly> | ||
Since X11 is no longer included in OS X, you must install [https://www.xquartz.org/ XQuartz]. If you are using a version newer than 2.7.8, then please have a look at the [[#Troubleshooting | troubleshooting]] section at the bottom of this wiki page. | Since X11 is no longer included in OS X, you must install [https://www.xquartz.org/ XQuartz]. If you are using a version newer than 2.7.8, then please have a look at the [[#Troubleshooting | troubleshooting]] section at the bottom of this wiki page. | ||
| − | + | ssh -Y username@''hostname'' | |
| + | <noinclude>===Windows===</noinclude><includeonly>====Windows====</includeonly> | ||
X11 is not supported by Windows. Users need to install a third-party application in order to use X11 forwarding. Widely used X11 servers are for instance [http://x.cygwin.com/ Cygwin/X], [https://sourceforge.net/projects/xming/ Xming]. | X11 is not supported by Windows. Users need to install a third-party application in order to use X11 forwarding. Widely used X11 servers are for instance [http://x.cygwin.com/ Cygwin/X], [https://sourceforge.net/projects/xming/ Xming]. | ||
| − | == VPN == | + | <noinclude>==VPN==</noinclude><includeonly>===VPN===</includeonly> |
| − | + | When connecting from outside of the ETH network to one of the HPC clusters of ID SIS HPC, one first needs to establish a VPN connection. A VPN client can be downloaded from https://sslvpn.ethz.ch. The VPN client is configured to connect to the ETH network. | |
| − | When connecting from outside of the ETH network to one of the HPC clusters of ID SIS HPC, one first needs to establish a VPN connection. A VPN client can be downloaded from https://sslvpn.ethz.ch. | ||
| − | + | [[File:Vpn.png| 400px]] | |
| − | === | + | <noinclude>==Troubleshooting==</noinclude><includeonly>===Troubleshooting===</includeonly> |
| + | <noinclude>===Permission denied===</noinclude><includeonly>====Permission denied====</includeonly> | ||
If you enter 3 times a wrong password, then you will get a permission denied error: | If you enter 3 times a wrong password, then you will get a permission denied error: | ||
| Line 109: | Line 137: | ||
If you enter a wrong password too many times or in a high frequency, then we might block access to the clusters for your account, because it could be correupted. If you account has been blocked by the HPC group, then please contact cluster support. | If you enter a wrong password too many times or in a high frequency, then we might block access to the clusters for your account, because it could be correupted. If you account has been blocked by the HPC group, then please contact cluster support. | ||
| − | === Timeout === | + | <noinclude>===Timeout===</noinclude><includeonly>====Timeout====</includeonly> |
| − | |||
If you try to login and receive a timeout error, then it is very likely that you tried to connect from outside of the ETH network to one of the HPC clusters. | If you try to login and receive a timeout error, then it is very likely that you tried to connect from outside of the ETH network to one of the HPC clusters. | ||
| Line 118: | Line 145: | ||
Please either connect from the inside of the ETH network, or establish a VPN connection. | Please either connect from the inside of the ETH network, or establish a VPN connection. | ||
| − | === Indirect GLX rendering error === | + | <noinclude>===Indirect GLX rendering error===</noinclude><includeonly>====Indirect GLX rendering error====</includeonly> |
| − | |||
When using an SSH connection with X11 forwarding enabled, newer versions of the Xorg server show an error message, when the graphical user interface of an application is started: | When using an SSH connection with X11 forwarding enabled, newer versions of the Xorg server show an error message, when the graphical user interface of an application is started: | ||
| Line 135: | Line 161: | ||
https://www.phoronix.com/scan.php?page=news_item&px=Xorg-IGLX-Potential-Bye-Bye | https://www.phoronix.com/scan.php?page=news_item&px=Xorg-IGLX-Potential-Bye-Bye | ||
| − | + | Please find below some links, which address the problem for specific operating systems. | |
{|class="wikitable" border=1 style="width: 100%;" | {|class="wikitable" border=1 style="width: 100%;" | ||
Revision as of 07:28, 18 August 2016
Contents
Who can access the HPC clusters
The clusters of ID SIS HPC are open to all members of ETH and external users that have a collaboration with a research group at ETH Zurich. Members of ETH have immediate access to the clusters and can login with their NETHZ credentials. Members of other institutes who have a collaboration with a research group at ETH may use the HPC clusters for the purpose of said collaboration. Their counterpart ("sponsor") at ETH must ask the local IT support group (ISG) of the corresponding department to create a NETHZ guest account for them, including e-mail address and VPN service. Once the NETHZ guest account has been created, they can access the clusters like members of the ETH.
Legal compliance
The HPC clusters of ID SIS HPC are subject to ETH's acceptable use policy for IT resources (Benutzungsordnung für Telematik an der ETH Zürich, BOT). In particular:
- Accounts are strictly personal.
- You must not share your account (password, ssh keys) wih anyone else.
- You must not use someone else's account, with our without their consent.
- If you suspect that someone used your account, change your password and contact cluster support.
In case of abuse, the offender's account may be blocked temporarily or closed. System administrators are obliged by law to investigate abusive or illegal activities and report them to the relevant authorities.
Security
Access to the HPC clusters of ID SIS HPC is only possible via secure protocols ( ssh, sftp, scp, rsync). The HPC clusters are only accessible from inside the ETH network. If you would like to connect from a computer, which is not inside the ETH network, then you would need to establish a VPN connection first. Outgoing connections to computers inside the ETH network are not blocked. If you would like to connect to an external service, then please use the ETH proxy service:
http://proxy.ethz.ch:3128
First login
On your first login, you need to accept the cluster's usage rules. Afterwards your account is created automatically. Please find below the user agreement for the Euler cluster as an example:
Please note that the Euler cluster is subject to the "Acceptable Use Policy
for Telematics Resources" ("Benutzungsordnung fuer Telematik", BOT) of ETH
Zurich and relevant documents (http://tinyurl.com/ethz-bot), in particular:
* your Euler account (like your NETHZ account) is *strictly personal*
* you are responsible for all activities done under your account
* you must keep your password secure and may not give it to a 3rd party
* you may not share your account with anyone, including your supervisor
* you may not use someone else's account, with or without their consent
* you must comply with all civil and criminal laws (copyright, privacy,
data protection, etc.)
* any violation of these rules and policies may lead to administrative
and/or legal measures
Before you can proceed you must confirm that you have read, understood,
and agree to the rules and policies mentioned above.
SSH
You can connect to the HPC clusters via the SSH protocol. For this purpose it is required that you have an SSH client installed. The information required to connect to an HPC cluster, is the hostname of the cluster that you would like to connect to and your NETHZ credentials (username, password).
| Cluster | Hostname |
|---|---|
| Brutus | brutus.ethz.ch |
| Euler | euler.ethz.ch |
Linux, Mac OS X
Open a shell (Terminal in OS X) and use the standard ssh command
ssh username@hostname
where username is your NETHZ username and the hostname can be found in the table shown above. If for instance user leonhard would like to access the Euler cluster, then this would look like
leonhard@calculus:~$ ssh leonhard@euler.ethz.ch
leonhard@euler.ethz.ch's password:
Last login: Fri Sep 17 14:17:54 1783 from calculus.ethz.ch
____________________ ___
/ ________ ___ /__/ /
/ _____/ / / / ___ /
/_______/ /__/ /__/ /__/
Eidgenoessische Technische Hochschule Zuerich
Swiss Federal Institute of Technology Zurich
-------------------------------------------------------------------------
E U L E R C L U S T E R CentOS 6
http://clusterwiki.ethz.ch/brutus/Getting_started_with_Euler
NEW! --> http://tinyurl.com/cluster-support
cluster-support@id.ethz.ch
[leonhard@euler04 ~]$
Windows
Since Windows does not provide an ssh client as part of the operating system, users need to download a third-party software in order to be able to establish ssh connections.
Widely used ssh clients are for instance PuTTY and Cygwin.
When users start the ssh client, then it is sufficient to specify the hostname of the cluster one would like to connect to and start the connection. Afterwards, the users will be prompted to enter their NETHZ credentials.
SSH keys
ssh keys allow you to login to a cluster without having to type a password. This can be useful for file transfer and automated tasks. When you use ssh keys properly, then this is much safer than passwords. There are always pairs of keys, a private (sotred on your local workstation) and a public (stored on the computer you want to connect to). You can generate as many key pairs as you want. In order to make the keys even more secure, you should protect them with a passphrase.
On your workstation, use ssh-keygen to generate a key pair. By default the private key is stored as $HOME/.ssh/id_rsa and the public key as $HOME/.ssh/id_rsa.pub. In order to setup passwordless access to a cluster, copy the public key to the .ssh directory on the cluster (for this example, we use the Euler cluster).
cat $HOME/.ssh/id_rsa.pub | ssh username@euler.ethz.ch "cat - >> .ssh/authorized_keys"
Some Linux distributions provide tools for copying keys.
X11
The clusters of ID SIS HPC use the X window System (X11) to display a program's graphical user interface (GUI) on a users workstation. You need to install an X11 server on your workstation to siplay X11 windows. The ports used by X11 are blocked by the cluster's firewall. To circumvent this problem, you must open an SSH tunnel and redirect all X11 communication through that tunnel.
Linux
Xorg (X11) is normally installed by default as part of most Linux distributions. If you are using a version newer than 1.16, then please have a look at the troubleshooting section at the bottom of this wiki page.
ssh -Y username@hostname
Mac OS X
Since X11 is no longer included in OS X, you must install XQuartz. If you are using a version newer than 2.7.8, then please have a look at the troubleshooting section at the bottom of this wiki page.
ssh -Y username@hostname
Windows
X11 is not supported by Windows. Users need to install a third-party application in order to use X11 forwarding. Widely used X11 servers are for instance Cygwin/X, Xming.
VPN
When connecting from outside of the ETH network to one of the HPC clusters of ID SIS HPC, one first needs to establish a VPN connection. A VPN client can be downloaded from https://sslvpn.ethz.ch. The VPN client is configured to connect to the ETH network.
Troubleshooting
Permission denied
If you enter 3 times a wrong password, then you will get a permission denied error:
leonhard@calculus:~$ ssh leonhard@euler.ethz.ch leonhard@euler.ethz.ch's password: Permission denied, please try again. leonhard@euler.ethz.ch's password: Permission denied, please try again. leonhard@euler.ethz.ch's password: Permission denied (publickey,password,hostbased). leonhard@calculus:~$
In case you receive a "Permission denied" error, please check if you entered the correct password. If you think that your account has been corrupted, then please contact the service desk of IT services of ETH Zurich.
If you enter a wrong password too many times or in a high frequency, then we might block access to the clusters for your account, because it could be correupted. If you account has been blocked by the HPC group, then please contact cluster support.
Timeout
If you try to login and receive a timeout error, then it is very likely that you tried to connect from outside of the ETH network to one of the HPC clusters.
leonhard@calculus:~$ ssh -Y leonhard@euler.ethz.ch ssh: connect to host euler.ethz.ch port 22: Connection timed out
Please either connect from the inside of the ETH network, or establish a VPN connection.
Indirect GLX rendering error
When using an SSH connection with X11 forwarding enabled, newer versions of the Xorg server show an error message, when the graphical user interface of an application is started:
X Error of failed request: BadValue (integer parameter out of range for operation) Major opcode of failed request: 153 (GLX) Minor opcode of failed request: 3 (X_GLXCreateContext) Value in failed request: 0x0 Serial number of failed request: 27 Current serial number in output stream: 30
This error is cause by starting your X11 server without enabling the setting for indirect GLX rendering (iglx), that is required for X11 forwarding. Up to version 1.16 of the Xorg server, the setting iglx, has been enabled by default. With version 1.17, the default has changed from +iglx to -iglx. Now the setting needs to be enabled either in the Xorg configuration file or with a command line setting, when starting the Xorg server manually. For Xquartz versions up to 2.7.8, the iglx setting is enabled by default. If you would like to use XQuartz 2.7.9 or newer, then please make sure that you enable the iglx setting when the X-server is started.
This problem is described in the following article:
https://www.phoronix.com/scan.php?page=news_item&px=Xorg-IGLX-Potential-Bye-Bye
Please find below some links, which address the problem for specific operating systems.
| Operating system | Link |
|---|---|
| Red Hat Enterprise Linux (RHEL) | https://elrepo.org/bugs/view.php?id=610 |
| CentOS | https://www.centos.org/forums/viewtopic.php?t=57409#p244528 |
| Ubuntu | http://askubuntu.com/questions/745135/how-to-enable-indirect-glx-contexts-iglx-in-ubuntu-14-04-lts-with-nvidia-gfx |
| Mac OS X | https://bugs.freedesktop.org/show_bug.cgi?id=96260 |
