Wiki DIFA

Strumenti Utente

Strumenti Sito

Ti trovi qui: start » oph » cluster » access
oph:cluster:access

Differenze

Queste sono le differenze tra la revisione selezionata e la versione attuale della pagina.

Link a questa pagina di confronto

Entrambe le parti precedenti la revisioneRevisione precedente
Prossima revisione		Revisione precedente
oph:cluster:access [2023/04/12 08:10] marco.baldi5@unibo.itoph:cluster:access [2025/02/20 11:31] (versione attuale) – Rimosso ophfe3 dall'esempio di configurazione di ~/.ssh/config mario.petroli@unibo.it
Linea 1: Linea 1:
-====== Acessing the cluster =======+====== Accessing the cluster =======
  
 ===== Step 0: Getting an account ===== ===== Step 0: Getting an account =====
Linea 5: Linea 5:
 All DIFA staff members have the right to access the OPH computing cluster. However, the access must be explicitly requested in order to obtain a valid account.  All DIFA staff members have the right to access the OPH computing cluster. However, the access must be explicitly requested in order to obtain a valid account. 
  
-More specifically, DIFA staff members should direct an **access request email** to the computing responsible of their research sector:+More specifically, DIFA staff members should direct an **access request email** to the computing responsible for their research sector:
  
-  ; applicata : Claudia Sala <claudia.sala3@unibo.it>+  ; applicata : Nico Curti <nico.curti2@unibo.it>
   ; astro : Marco Baldi <marco.baldi5@unibo.it>   ; astro : Marco Baldi <marco.baldi5@unibo.it>
   ; atmos : Paolo Ruggieri <paolo.ruggieri2@unibo.it>   ; atmos : Paolo Ruggieri <paolo.ruggieri2@unibo.it>
Linea 16: Linea 16:
   ; terra : Filippo Zaniboni <filippo.zaniboni@unibo.it>   ; terra : Filippo Zaniboni <filippo.zaniboni@unibo.it>
   ; esterni (INFN) : Daniele Cesini <daniele.cesini3@unibo.it>   ; esterni (INFN) : Daniele Cesini <daniele.cesini3@unibo.it>
 +
  
 For **students** the request must be submitted by their thesis supervisor. For **external users** (i.e. non-DIFA staff members) the request must be submitted by a DIFA-staff reference person.  For **students** the request must be submitted by their thesis supervisor. For **external users** (i.e. non-DIFA staff members) the request must be submitted by a DIFA-staff reference person. 
Linea 23: Linea 24:
 New users will be able to access the cluster after 7.00am of the day after the one they have been added to the access group. The home folder of every new user is **automatically created at the time of the first access** to the cluster. New users will be able to access the cluster after 7.00am of the day after the one they have been added to the access group. The home folder of every new user is **automatically created at the time of the first access** to the cluster.
  
-Individual **accounts remain valid until termination of the conditions granting access rights** to the cluster (as e.g. until termination of DIFA affiliation, end of the Master/Phd thesis, end of the research collaboration for external users) and the computing responsibles of each sector have the duty to remove users from the respective access groups upon expiration of such access rights.+Individual **accounts remain valid until termination of the conditions granting access rights** to the cluster (as e.g. until termination of DIFA affiliation, end of the Master/PhD thesis, end of the research collaboration for external users) and the computing responsibles of each sector have the duty to remove users from the respective access groups upon expiration of such access rights.
  
 __**In any case, the home folders and all the stored data of inactive users will be automatically deleted after 6 months from their last modification time without any further notice.**__ __**In any case, the home folders and all the stored data of inactive users will be automatically deleted after 6 months from their last modification time without any further notice.**__
Linea 29: Linea 30:
 ===== Step 1: Connecting to the cluster ===== ===== Step 1: Connecting to the cluster =====
  
-The cluster can be **accessed remotely through a Frontend Login node**, through the ''ssh'' secure connection protocol, using UniBo institutional credentials (i.e. username and password used for all UniBo IT services).+The cluster can be **accessed remotely through a Frontend Login node via a bastion host**, through the ''ssh'' secure connection protocol, using UniBo institutional credentials (i.e. username and password used for all UniBo IT services)
 + 
 +There are **multiple independent Frontend Login Nodes:** 
 +  * ophfe1 (137.204.165.41) 
 +  * ophfe2 (137.204.165.42) 
 +  * ophfe3 (137.204.165.43) **reserved -- VM for some special tasks** 
 + 
 +The **connection procedure** requires the use of the bastion, that allows 'mediated' ssh access to resources on the department's network, avoiding direct external exposure of services and drastically improving network security. To connect from the terminal use the following syntax: 
 + 
 +  *** STAFF MEMBERS** with e.g. UniBo email address ''donald.duck7@unibo.it'' can connect to the cluster with the command:<code> 
 +  ssh -J donald.duck7@bastion-nav.difa.unibo.it donald.duck7@ophfe1 
 +</code> 
 + 
 +  *** STUDENTS** with e.g. UniBo email address ''mickey.mouse4@studio.unibo.it'' can connect to the cluster with the **same command**:<code> 
 +  ssh -J mickey.mouse4@bastion-nav.difa.unibo.it mickey.mouse4@ophfe1 
 +</code> 
 +followed by their UniBo institutional password (twice). 
 + 
 +This will do a two-step connection, first to bastion-nav.difa.unibo.it (137.204.165.34) which is the **bastion host**, then to the specified cluster frontend. To avoid specifying it every time, you can simply add the following lines to ''~/.ssh/config'': 
 +  Host bastion-nav 
 +    Hostname bastion-nav.difa.unibo.it 
 +    User     your.loginname 
 +   
 +  Host ophfe1 ophfe2 
 +    User      your.loginname 
 +    ProxyJump bastion-nav 
 + 
 +After having added such lines, you can simply use ''ssh ophfe1''.
  
-There are **two independent Frontend Login Nodes, with static IP address** ''137.204.50.71'' (ophfe1) and ''137.204.50.177'' (ophfe2), respectively+<WRAP round important 100%>For some users in PERSONALE their account does not match the mail address (so called "cambio UPN"). It's always possible to use: 
 +  ssh -l mail.address@unibo.it ophfe1 
 +or even: 
 +  ssh mail.address@unibo.it@ophfe1 
 +</WRAP> 
 +'Userline in ''~/.ssh/config'' also accepts the mail address.
  
-The **connection procedure** is slightly different for __**staff members**__ (i.e. users having a UniBo email address ending with ''@unibo.it''and for __**students**__ (i.e. users having a UniBo email address ending with ''@studio.unibo.it'')In particular:+Graphic windows require a connection with X11 forwarding, which can be established with the ''ssh'' options ''-X'' and/or ''-Y'' (rarely needed, **might expose your client to attacks**:!:)In general, connecting with
 +<WRAP center 40%>''ssh -X albert.einstein9@ophfe1''</WRAP> 
 +is enough to use graphical tools.
  
-  *** STAFF MEMBERS** with e.g. UniBo email address ''donald.duck7@unibo.it'' can connect to the cluster with the command: <WRAP center 40%>''ssh donald.duck7@137.204.50.177''</WRAP> followed by their UniBo institutional password+<WRAP center round help> 
 +If you see a message like: 
 +  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 
 +  @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @ 
 +  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 
 +  IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! 
 +  Someone could be eavesdropping on you right now (man-in-the-middle attack)! 
 +  It is also possible that a host key has just been changed. 
 +  The fingerprint for the ECDSA key sent by the remote host is 
 +  SHA256:uR0mI0jPbLhSd/1HISczCCpoK9OZLOs+uqQx9b1CDjU. 
 +it's probably because you connected to the old Str957-cluster (replaced by ophfe1) and server'ssh key have been changed (or you connected to the old bastion and are now connecting to bastion-nav).
  
-  *** STUDENTS** with e.g. UniBo email address ''mickey.mouse4@studio.unibo.it'' can connect to the cluster with the command<WRAP center 50%>''ssh mickey.mouse4@studio.unibo.it@137.204.50.177''</WRAP> or with the command<WRAP center 50%>''ssh STUDENTI#mickey.mouse4@137.204.50.177''</WRAP> followed by their UniBo institutional password.+**CHECK** that the displayed key **for bastion-nav** is one of these: 
 +  * **ECDSA**: D5hNeP9NbU/OFjPyxlp7nsryHq9Sl9WKC3ef7rUaQg4 
 +  * **ED25519**uR0mI0jPbLhSd/1HISczCCpoK9OZLOs+uqQx9b1CDjU 
 +  * **RSA**: NUJz6tcBoz+xxOroOUeQnqQrvH99RpmS5e9io/KwYm4 
 +then 
 +  ssh-keygen -R bastion-nav.difa.unibo.it 
 +to remove old fingerprint from your PC.
  
-Graphic windows require a connection with X11 forwarding, which can be established with the ''ssh'' options ''-X'' and/or ''-Y''. In general, connecting with+Keys for ophfe1 and ophfe2 have not been changed and their hashes are
-<WRAP center 40%>''ssh -XY albert.einstein9@137.204.50.177''</WRAP> +  * ophfe1: 
-ensures X11 forwarding.+    * **ECDSA**: aoqtNWk0OvSDuWAMV1y7l3E9ofdI6TKBEJxpGpPoYH4 
 +    * **ED25519**: J7k3kS0BWspWcPNdq0Dkyuhoj3z1gnrZOCT0r+BWx2Q 
 +    * **RSA**: bgydnQeWV3puQNHJ9hjEKo2ziLriWC/ypVWNTp1C6/k 
 +  * ophfe2: 
 +    * **ECDSA**: aoqtNWk0OvSDuWAMV1y7l3E9ofdI6TKBEJxpGpPoYH4 
 +    * **ED25519**: J7k3kS0BWspWcPNdq0Dkyuhoj3z1gnrZOCT0r+BWx2Q 
 +    * **RSA**: bgydnQeWV3puQNHJ9hjEKo2ziLriWC/ypVWNTp1C6/k
  
 +Now you can retry the ssh connection: it will tell you that it can't verify server's identity and show key hash. **Verify (again)** that the key hash is from the list above, and accept it (iif it matches).
 +</WRAP>
  
oph/cluster/access.1681287050.txt.gz · Ultima modifica: 2023/04/12 08:10 da marco.baldi5@unibo.it
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki