Authentication :
Authentication is done via a private/public key pair. If you need to know more about SSH key authentication, you can read this page.
Once you have your key pair, you can open a ticket and give an agent your public key so that it gets activated through the Helpdesk.
If your machine is physically connected to the INRIA network, you first have to connect to ssh.saclay.inria.fr over SSH. Once there, to reach the CEDAR research cluster nodes, connect over SSH to the front node, cedarfront.saclay.inria.fr, and from there to the nodes cedar0xx.saclay.inria.fr, where xx is the node identifier (from 1 to 10) : cedar001, cedar002, … cedar010.
If your machine is not on the INRIA physical network, you first have to either connect to ssh.saclay.inria.fr over SSH or use the VPN connection; from there, follow the instructions as if your machine were on the INRIA physical network.
Warning!
cedarfront.saclay.inria.fr is the only entry point to the CEDAR research cluster nodes; you cannot connect directly to the nodes.
How to ?
First of all, you need to add the following lines to the configuration file under : ~/.ssh/config
    LogLevel quiet
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no

    Host *.inria.fr
        User LDAP_LOGIN
        ForwardAgent yes

    Host cedar*
        User LDAP_LOGIN
        ForwardAgent yes

    Host cedarfront
        Hostname cedarfront.saclay.inria.fr

    Host cedar0*
        Hostname %h.saclay.inria.fr
        ProxyCommand ssh cedarfront nc %h 22
Where LDAP_LOGIN is your actual LDAP login.
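The configuration above sets UserKnownHostsFile /dev/null and StrictHostKeyChecking no globally, which turns off host key verification for every connection, and sets ForwardAgent yes for wildcard host patterns, which makes the local agent usable from every matching host. The following check is an added example, not part of the original page: it reports those settings in an ssh_config file. The function names and the sample file are constructed here, and Match blocks are not handled.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Host blocks only; Match is ignored.
# audit_ssh_config FILE prints "<scope>: <option> <value>" for every option that
# disables host key verification or forwards the agent to a broad scope.
audit_ssh_config() {
  awk '
    BEGIN { scope = "global" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
      sub(/[ \t]*=[ \t]*/, " ")              # accept "Key=Value" as well
      key = tolower($1); val = tolower($2)
      if (key == "host") {                   # a Host line opens a new scope
        scope = "Host"
        for (i = 2; i <= NF; i++) scope = scope " " $i
        next
      }
      wide = (scope == "global" || scope ~ /[*?]/)
      bad = (key == "stricthostkeychecking" && (val == "no" || val == "off")) ||
            (key == "userknownhostsfile" && val == "/dev/null") ||
            (key == "forwardagent" && val == "yes" && wide)
      if (bad) print scope ": " $1 " " $2
    }
  ' "$1"
}

# Constructed sample: the configuration from this page, one option per line.
sample_config() {
  cat <<'EOF'
LogLevel quiet
UserKnownHostsFile /dev/null
StrictHostKeyChecking no
Host *.inria.fr
  User LDAP_LOGIN
  ForwardAgent yes
Host cedar*
  User LDAP_LOGIN
  ForwardAgent yes
Host cedarfront
  Hostname cedarfront.saclay.inria.fr
Host cedar0*
  Hostname %h.saclay.inria.fr
  ProxyCommand ssh cedarfront nc %h 22
EOF
}

tmp="$(mktemp)"
sample_config > "$tmp"
audit_ssh_config "$tmp"
rm -f "$tmp"
```

Run against your own file with audit_ssh_config ~/.ssh/config; an empty result means none of the three settings is present in a global or wildcard scope.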
FOR MAC USERS :
You need to load your RSA/DSA identities first before connecting to the nodes using :
$ ssh-add -K
Warning!
The ssh-add command may ask you to enter the passphrase you used to generate your public/private keys.
FOR WINDOWS USERS:
You may encounter the following issue if you execute the ssh-add command:
Could not open a connection to your authentication agent.
To solve this, you first need to start an agent and load its environment variables into the current shell using the command:
eval "$(ssh-agent -s)"
Then execute
ssh-add
If you’re connected to INRIA’s physical network :
Connect to cedarfront.saclay.inria.fr using SSH :
$ ssh cedarfront
Add the following lines to the config files under ~/.ssh/config :
    LogLevel quiet
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no

    Host *.inria.fr
        User LDAP_LOGIN
        ForwardAgent yes

    Host cedar*
        User LDAP_LOGIN
        ForwardAgent yes

    Host cedarfront
        Hostname cedarfront.saclay.inria.fr

    Host cedar0*
        Hostname %h.saclay.inria.fr
        ProxyCommand ssh cedarfront nc %h 22
Connect to cedar0xx using SSH :
$ ssh cedar0xx
If you’re not connected to INRIA’s physical network :
- Use a VPN connection
OR - Connect to the SSH gateway
$ ssh ssh.saclay.inria.fr
Add the following lines to the configuration file under : ~/.ssh/config (on ssh.saclay.inria.fr)
    LogLevel quiet
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no

    Host *.inria.fr
        User LDAP_LOGIN
        ForwardAgent yes

    Host cedarfront
        Hostname cedarfront.saclay.inria.fr
- Now connect to cedarfront.saclay.inria.fr using SSH:
$ ssh cedarfront
Add the following lines to the config files under ~/.ssh/config :
    LogLevel quiet
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no

    Host *.inria.fr
        User LDAP_LOGIN
        ForwardAgent yes

    Host cedar*
        User LDAP_LOGIN
        ForwardAgent yes

    Host cedarfront
        Hostname cedarfront.saclay.inria.fr

    Host cedar0*
        Hostname %h.saclay.inria.fr
        ProxyCommand ssh cedarfront nc %h 22
Connect to cedar0xx.saclay.inria.fr using SSH :
$ ssh cedar0xx
Now that the configuration is done, you can connect directly to all the nodes from your computer without connecting to the cedarfront node first.
Just type :
$ ssh cedar0xx
And don’t forget to press enter!!!
Troubleshooting :
If you encounter the error ssh_exchange_identification: Connection closed by remote host, one possible reason could be the new ssh gateway (after February 25th, 2019).
The solution to this problem is simply removing the line corresponding to ssh.saclay.inria.fr from your ~/.ssh/known_hosts file.
Connect directly to a remote host on a specific port :
As shown previously, you can now connect directly to a node on the CEDAR cluster, but this only works for SSH connections that use port 22.
What if you’d like to connect to a database server on a cedar0xx node without passing through the front node ?
You can do that using a tunnel that forwards a local port to the remote port. Unfortunately, you have to be either connected to INRIA’s physical network or using the VPN to make it work.
How to ?
Assuming you have already done the configuration in the ~/.ssh/config file.
The instructions are the same whether you’re connected to the physical network or the VPN network.
FOR MAC USERS :
Since SCP is based on the SSH protocol, you need to load your RSA/DSA identities first :
$ ssh-add -K
Warning!
The ssh-add command may ask you to enter the passphrase you used to generate your public/private keys.
Use this script to create a tunnel :
    #!/usr/bin/env bash
    #
    # Create a tunnel between a remote host and the localhost
    #
    # Usage :
    #   tunnel REMOTE_HOST REMOTE_PORT [LOCAL_PORT]
    #
    # Ahmed Abdelkafi - June 2017
    #

    p="$(basename "$0")"

    usage() {
        echo ""
        echo "Starts a tunnel between the localhost and cedar002.saclay.inria.fr on port 5432"
        echo "Usage : ${p} REMOTE_HOST REMOTE_PORT [LOCAL_PORT]"
        echo ""
        exit 1
    }

    if [[ "$#" -gt 3 ]] || [[ "$#" -lt 2 ]]
    then
        usage
    fi

    # Node you want to create a tunnel to (short name or FQDN accepted)
    NODE="$(cut -d'.' -f1 <<< "$1").saclay.inria.fr"

    # Port number of the node you want to connect to
    REMOTE_PORT="$2"

    # Local port
    PORT="$3"

    # If the user didn't mention a local port then choose an unused one randomly
    if [[ "${PORT}" == "" ]]
    then
        # Getting a random free port between LPORT and UPORT (inclusive)
        LPORT=32768
        UPORT=60999
        while true
        do
            PORT=$(( LPORT + RANDOM % (UPORT - LPORT + 1) ))
            # The port is free if nothing accepts a connection on it
            if ! (echo "" >"/dev/tcp/127.0.0.1/${PORT}") >/dev/null 2>&1; then
                break
            fi
        done
    fi

    # Add the identities to the agent
    ssh-add -K # May request the passphrase

    # Create a tunnel to the node through cedarfront.saclay.inria.fr
    ssh -L "${PORT}":"${NODE}":"${REMOTE_PORT}" cedarfront.saclay.inria.fr -N &

    # Get the PID of the background process
    PID="$!"

    # Wait for the tunnel to be created
    sleep 5

    # Stop here if the ssh process has already exited (tunnel not created)
    if ! kill -0 "${PID}" 2>/dev/null; then
        echo "${p}: the tunnel could not be created" >&2
        exit 1
    fi

    echo ""
    echo "Tunnel successfully created!"
    echo "You can connect to your remote node ${NODE} on the port ${REMOTE_PORT} using the port ${PORT} on your localhost."
    echo ""

    # Pause
    read -r -p "Press [Enter] key to exit"

    # Kill the SSH tunnel process
    kill "${PID}"
Warning!
Once you have saved the source code to a script file, don’t forget to make the script executable :
$ chmod +x script.sh
Assuming that you saved the script code to a file named script.sh and you want to connect to the node cedar001.saclay.inria.fr on the port 5432 (PostgreSQL server), you can do the following :
$ ./script.sh cedar001 5432
# OR
$ ./script.sh cedar001.saclay.inria.fr 5432
In this case, the script will choose a random unused port and create a tunnel from the remote host to the computer on that port. The output would be:
Tunnel successfully created!
You can connect to your remote node cedar001.saclay.inria.fr on the port 5432 using the port 41556 on your localhost.
Or the user can specify a local port as follows:
$ ./script.sh cedar001 5432 9001
# OR
$ ./script.sh cedar001.saclay.inria.fr 5432 9001
In this case, the script will create a tunnel from the remote node on port 5432 to the localhost on port 9001.
Transfer data to the cluster :
You want to transfer some data files from your local computer to the CEDAR cluster ?
No problem ! The CEDAR server has an NFS server (Network File System) with 12 TB of available data space (RAID5) where you can store your data.
This storage is mounted under /export on the front node (cedarfront.saclay.inria.fr), and under /data on the cedar0xx.saclay.inria.fr nodes.
Since you can’t directly connect to the cedar0xx.saclay.inria.fr nodes, you can copy your files to cedarfront.saclay.inria.fr under /export and you will find them on all the nodes under /data.
Warning!
In order to be organized, we suggest that you create a directory under /export named as your LDAP_LOGIN so that you can put all your files there.
$ mkdir /export/LDAP_LOGIN
Where LDAP_LOGIN is your actual LDAP login.
How to ?
Assuming you have already done the configuration in the ~/.ssh/config file.
If you’re connected to INRIA’s physical network :
- You’re copying a single file
$ scp /path/to/file cedarfront.saclay.inria.fr:/export/LDAP_LOGIN/
- You’re copying a directory
$ scp -r /path/to/directory cedarfront.saclay.inria.fr:/export/LDAP_LOGIN/
Where LDAP_LOGIN is your actual LDAP login.
FOR MAC USERS :
Since SCP is based on the SSH protocol, you need to load your RSA/DSA identities first :
$ ssh-add -K
Warning!
The ssh-add command may ask you to enter the passphrase you used to generate your public/private keys.
If you’re not connected to INRIA’s physical network :
- Connect to the INRIA VPN and use the instructions as if you were connected to INRIA’s physical network.
OR - Use this script to create a tunnel and copy your files :
    #!/bin/bash
    #
    # Copy files from local computer to cedarfront.saclay.inria.fr
    #
    # Usage :
    #   transfer LDAP_LOGIN /path/to/source /path/to/dest
    #
    # Ahmed Abdelkafi - March 2017
    #

    p="$(basename "$0")"

    usage() {
        echo ""
        echo "$p LDAP_LOGIN /path/to/source /path/to/dest"
        echo ""
        exit 1
    }

    if [ "$#" -ne 3 ]; then
        usage
    fi

    USER="$1"
    SRC="$2"
    # The destination is always placed under /export/LDAP_LOGIN
    DEST="/export/$USER$3"
    SCP_ARGS=()

    # Getting a random free port between LPORT and UPORT (inclusive)
    LPORT=32768
    UPORT=60999
    while true
    do
        PORT=$(( LPORT + RANDOM % (UPORT - LPORT + 1) ))
        # The port is free if nothing accepts a connection on it
        if ! (echo "" >"/dev/tcp/127.0.0.1/${PORT}") >/dev/null 2>&1; then
            break
        fi
    done

    # Check if SRC isn't a file
    if [ ! -f "$SRC" ]; then
        # Check if SRC isn't a directory
        if [ ! -d "$SRC" ]; then
            echo "$p: $SRC doesn't exist !"
            exit 2
        else
            # SRC is a directory, so we need to add -r argument (recursive)
            SCP_ARGS+=(-r)
        fi
    fi

    # Add the identities to the agent
    ssh-add # May request a passphrase

    # Add the port argument to SCP
    SCP_ARGS+=(-P "$PORT")

    # Create a tunnel to cedarfront.saclay.inria.fr through ssh.saclay.inria.fr
    ssh -L "$PORT":cedarfront.saclay.inria.fr:22 ssh.saclay.inria.fr -N &

    # Get the PID of the background process
    PID=$!

    # Wait for the tunnel to be created
    sleep 5

    # Create the /export/username directory
    ssh -p "$PORT" "$USER@127.0.0.1" mkdir -p "/export/$USER"

    # Copy the files from SRC to DEST
    scp "${SCP_ARGS[@]}" "$SRC" "$USER@127.0.0.1:$DEST"

    # Kill the SSH tunnel process
    kill "$PID"
Warning!
Once you have saved the source code to a script file, don’t forget to make the script executable :
$ chmod +x script.sh
Assuming that you saved the script code to a file named script.sh, your LDAP identifier is LDAP_USER and you want to copy the file test.txt on your desktop to the NFS server under /export/LDAP_USER.
You can run the script as follows :
$ ./script.sh LDAP_USER ~/Desktop/test.txt /
Warning!
I wrote “/” on purpose and it’s not a mistake !! The script will automatically prepend /export/LDAP_USER to the destination path !!