How to connect to the CEDAR cluster

Authentication :

Authentication is done via a private, public key pair. If you need to know more about SSH key authentication, you can read this page.

Once you have your private, public key pair, you can open a ticket and give an agent your public key so it gets activated through the Helpdesk.

If your machine is connected physically to INRIA network, you have to first connect to ssh.saclay.inria.fr over SSH. Once there, in order to connect to CEDAR research cluster nodes, you’ll have to connect to the front node : cedarfront.saclay.inria.fr over SSH and from there connect to the nodes : cedar0xx.saclay.inria.fr where xx is the node identifier (from 1 to 10) : cedar001, cedar002, … cedar010.

If your machine is not in the INRIA physical network, first you will have to either connect to ssh.saclay.inria.fr over SSH or use the VPN connection and from there you can use the instructions as if your machine was in the INRIA physical network.

How to ?

First of all, you need to add the following lines to the configuration file under : ~/.ssh/config

LogLevel quiet
UserKnownHostsFile /dev/null
StrictHostKeyChecking no

Host *.inria.fr
 User LDAP_LOGIN
 ForwardAgent yes

Host cedar*
 User LDAP_LOGIN
 ForwardAgent yes

Host cedarfront
 Hostname cedarfront.saclay.inria.fr

Host cedar0*
 Hostname %h.saclay.inria.fr
 ProxyCommand ssh cedarfront nc %h 22

Where LDAP_LOGIN is your actual LDAP login.

FOR MAC USERS :

You need to load your RSA/DSA identities first before connecting to the nodes using :

$ ssh-add -K

FOR WINDOWS USERS:

You may encounter the following issue if you execute the ssh-add command:

Could not open a connection to your authentication agent.

To solve this, you need first to start an agent using the command:

ssh-agent -s

Then execute

ssh-add

If you’re connected to INRIA’s physical network :

Connect to cedarfront.saclay.inria.fr using SSH :

$ ssh cedarfront

Add the following lines to the config files under ~/.ssh/config :

LogLevel quiet
UserKnownHostsFile /dev/null
StrictHostKeyChecking no

Host *.inria.fr
 User LDAP_LOGIN
 ForwardAgent yes

Host cedar*
 User LDAP_LOGIN
 ForwardAgent yes

Host cedarfront
 Hostname cedarfront.saclay.inria.fr

Host cedar0*
 Hostname %h.saclay.inria.fr
 ProxyCommand ssh cedarfront nc %h 22

Connect to cedar0xx using SSH :

$ ssh cedar0xx

If you’re not connected to INRIA’s physical network :

• Use a VPN connection
  OR
• Connect to the SSH gateway

$ ssh ssh.saclay.inria.fr

Add the following lines to the configuration file under : ~/.ssh/config (on ssh.saclay.inria.fr)

LogLevel quiet
UserKnownHostsFile /dev/null
StrictHostKeyChecking no

Host *.inria.fr
 User LDAP_LOGIN
 ForwardAgent yes

Host cedarfront
 Hostname cedarfront.saclay.inria.fr

• Now connect to cedarfront.saclay.inria.fr using SSH:

$ ssh cedarfront

Add the following lines to the config files under ~/.ssh/config :

LogLevel quiet
UserKnownHostsFile /dev/null
StrictHostKeyChecking no

Host *.inria.fr
 User LDAP_LOGIN
 ForwardAgent yes

Host cedar*
 User LDAP_LOGIN
 ForwardAgent yes

Host cedarfront
 Hostname cedarfront.saclay.inria.fr

Host cedar0*
 Hostname %h.saclay.inria.fr
 ProxyCommand ssh cedarfront nc %h 22

Connect to cedar0xx.saclay.inria.fr using SSH :

$ ssh cedar0xx

Now that the configuration is done, you can connect directly to all the nodes from your computer without connecting to the cedarfront node first.

Just type :

$ ssh cedar0xx

And don’t forget to press enter!!!

Troubleshooting :

If you enter error ssh_exchange_identification: Connection closed by remote host, one possible reason could be the new ssh gateway (after February 25th, 2019).

The solution to this problem is simply removing the line corresponding to ssh.saclay.inria.fr from your ~/.ssh/known_hosts file.

Connect directly to a remote host on a specific port :

As shown previously, now you can connect directly to a node on the CEDAR cluster, but it only works for ssh connections that uses the port 22.

What if you’d like to connect to a database server on cedar0xx node without passing by the front node ?

You can do that using a tunnel and a remote port forwarding. But unfortunately, you should either be connected to INRIA’s physical network, or using a VPN network to make it work.

How to ?

Assuming you have already done the configuration in the ~/.ssh/config file.

The instructions are the same whether you’re connected to the physical network or the VPN network.

FOR MAC USERS :

Since SCP is based on the SSH protocol, You need to load your RSA/DSA identities first :

$ ssh-add -K

Use this script to create a tunnel :

#!/usr/bin/env bash
#
# Create a tunnel between a remote host and the localhost
#
# Usage :
# tunnel REMOTE_HOST REMOTE_PORT [LOCAL_PORT]
#
# Ahmed Abdelkafi - June 2017
#

p="$(basename "$0")"

usage() {
 echo ""
 echo "Starts a tunnel between the localhost and cedar002.saclay.inria.fr on port 5432"
 echo "Usage : ${p} REMOTE_HOST REMOTE_PORT [LOCAL_PORT]"
 echo ""
 exit 1
}

if [[ "$#" -gt 3 ]] || [[ "$#" -lt 2 ]]
then
 usage
fi

# Node you want to create a tunnel to
NODE="$(cut -d'.' -f1 <<< "$1").saclay.inria.fr"
# Port number of the node you want to connect to
REMOTE_PORT="$2"
# Local PORT
PORT="$3"
# If the user didn't mention a local port then choose an unused one randomly
if [[ "${PORT}" == "" ]]
then
 # Getting a random free port
 LPORT=32768
 UPORT=60999
 while true
 do
 PORT=$[$LPORT + ($RANDOM % $UPORT)]
 (echo "" >/dev/tcp/127.0.0.1/${PORT}) >/dev/null 2>&1
 if [ $? -ne 0 ]; then
 break
 fi
 done
fi

# Add the identities to the agent
ssh-add -K # May request a the passphrase
# Create a tunnel between ssh.saclay.inria.fr
ssh -L "${PORT}":"${NODE}":"${REMOTE_PORT}" cedarfront.saclay.inria.fr -N &
# Wait for the tunnel to be create
sleep 5
# Get the PID of the background process
PID="$!"

echo ""
echo "Tunnel successfully created!"
echo "You can connect to your remote node ${NODE} on the port ${REMOTE_PORT}
using the port ${PORT} on your localhost."
echo ""
# Pause
read -p "Press [Enter] key to exit"
# Kill the SSH tunnel process
kill -9 $PID

$ chmod +x script.sh

Assuming that you saved the script code to a file name script.sh, you want to connect to the node cedar001.saclay.inria.fr on the port 5432 (PostgreSQL server). You can do the following

$ ./script.sh cedar001 5432 # OR 
$ ./script.sh cedar001.saclay.inria.fr 5432

In this case, the script will choose a random unused port and create a tunnel from the remote host to the computer on that port. The output would be:

Tunnel successfully created!
You can connect to your remote node cedar001.saclay.inria.fr on the port 5432
using the port 41556 on your localhost.

Or the user can specify a local port as follows:

$ ./script.sh cedar001 5432 9001 # OR 
$ ./script.sh cedar001.saclay.inria.fr 5432 9001

In this case, the script will create a tunnel from the remote node on port 5432 to the localhost on port 9001.

Transfer data to the cluster :

You want to transfer some data files from your local computer to the CEDAR cluster ?

No problem ! The CEDAR server has a NFS server (Network File System) with 12 TB of available data space (RAID5) where you can store your data.
This storage is mounted under /export on the front node (cedarfront.saclay.inria.fr), and under /data on the cedar0xx.saclay.inria.fr nodes.

Since you can’t directly connect to the cedar0xx.saclay.inria.fr nodes, you can copy your files to cedarfront.saclay.inria.fr under /export and you will find them on all the nodes under /data.

$ mkdir /export/LDAP_LOGIN

How to ?

Assuming you have already done the configuration in the ~/.ssh/config file.

If you’re connected to INRIA’s physical network :

• You’re copying a single file

$ scp /path/to/file cedarfront.saclay.inria.fr:/export/LDAP_LOGIN/

• You’re copying a directory

$ scp -r /path/to/directory cedarfront.saclay.inria.fr:/export/LDAP_LOGIN/

Where LDAP_LOGIN is your actual LDAP login.

FOR MAC USERS :

Since SCP is based on the SSH protocol, You need to load your RSA/DSA identities first :

$ ssh-add -K

If you’re not connected to INRIA’s physical network :

• Connect to the INRIA VPN and use the instructions as if you were connected to INRIA’s physical network.
  OR
• Use this script to create a tunnel and copy your files :

#!/bin/bash
#
# Copy files from local computer to cedarfront.saclay.inria.fr
#
# Usage :
# transfer LDAP_LOGIN /path/to/source /path/to/dest
#
# Ahmed Abdelkafi - Mars 2017
#

p=`basename $0`

usage() {
 echo ""
 echo "$p LDAP_LOGIN /path/to/source /path/to/dest"
 echo ""
 exit 1
}

if [ ! $# -eq 3 ]; then
 usage
fi

USER=$1
SRC=$2
DEST="/export/$USER$3"
SCP_ARGS=""

# Getting a random free port
LPORT=32768
UPORT=60999
while true
do
 PORT=$[$LPORT + ($RANDOM % $UPORT)]
 (echo "" >/dev/tcp/127.0.0.1/${PORT}) >/dev/null 2>&1
 if [ $? -ne 0 ]; then
  break
 fi
done

# Check if SRC isn't a file
if [ ! -f $SRC ]; then
 # Check if SRC isn't a directory
 if [ ! -d $SRC ]; then
  echo "$p: $SRC doesn't exist !"
  exit 2
 else
  # SRC is a directory, so we need to add -r argument (recursive)
  SCP_ARGS="-r"
 fi
fi
# Add the identities to the agent
ssh-add # May request a passphrase
# Add the port argument to SCP
SCP_ARGS="$SCP_ARGS -P $PORT"
# Create a tunnel between ssh.saclay.inria.fr
ssh -L $PORT:cedarfront.saclay.inria.fr:22 ssh.saclay.inria.fr -N &
# Wait for the tunnel to be create
sleep 5
# Get the PID of the background process
PID=$!
# Create the /export/username directory
ssh -p $PORT $USER@127.0.0.1 mkdir -p /export/$USER
# Copy the files from SRC to DEST
scp $SCP_ARGS $SRC $USER@127.0.0.1:$DEST
# Kill the SSH tunnel process
kill -9 $PID

$ chmod +x script.sh

Assuming that you saved the script code to a file name script.sh, your LDAP identifier is LDAP_USER and you want to copy the file test.txt on your desktop to the NFS server under /export/LDAP_USER.

You can run the script as follows :

$ ./script.sh LDAP_USER ~/Desktop/test.txt /