{{METATOC 1-5}}
====== Access the clusters ======

===== Account =====

You need an account on the HPC clusters to be able to access them and to submit jobs on them.

To request an account please follow the procedure [[https://catalogue-si.unige.ch/en/hpc|on this page]] (Section: Related service).

In principle Baobab/Yggdrasil are reserved for the members of the University of Geneva via their ISIs account (cf. https://catalogue-si.unige.ch/isis ) and to HES-SO GE users via a specific HPC account (cf. the procedure at https://catalogue-si.unige.ch/en/hpc ).

But if you collaborate tightly with a researcher from another institution, the PI can provide him/her an access as an //independent contractor// (also called an //external collaborator// ) by following the next two steps:
  * Ask your [[https://memento.unige.ch/download_file/230/374|administrator]] to register the external member in the University database (cf. https://catalogue-si.unige.ch/en/isis )
    * For more information about external accounts: https://memento.unige.ch/doc/0214/
  * Proceed with the account request procedure as described in the preceding question.



==== Standard account ====

If you have a standard account (not external nor outsider), you can connect to the cluster and authenticate yourself by two mechanism:

  * you provide your ISIS user and password
  * you setup an ssh key in your [[https://my-account.unige.ch/|ISIS account]] and authenticate using your ssh key.



==== Outsider account ====

The users having an **outsider** account on the HPC cluster are requested to connect with the ssh key they provided during the invitation procedure described in the  [[hpc:access_the_hpc_clusters#account|Account section]].

You can update your ssh key here by using this [[https://applicant.unige.ch/main/outsider-info/update|link]].

The UNIGE active directory synchronize itself with this application everyday at 1:30PM and 5:00AM. Your ssh key will be updated at these times.


===== Inactivity Notice and Account Deletion Policy =====

Accounts that have been inactive for a period of **one year** will be flagged for deletion. This is to ensure that we are not storing unused data and to avoid data being left without an owner in the event that the account is deleted from the active directory.

Users will receive an email notification prior to the scheduled deletion of their account, giving them the opportunity to log in and keep their account active or delete it if no longer needed. If no response is received within one month, the account will be deleted, along with all associated data.

In the future, this process will be fully automated, so we advise all users to follow the instructions provided in the email to prevent their account from being deleted.

If you have any questions or concerns regarding this policy or your account; please do not hesitate to post on hpc-community (for general questions) or send us an email (for private questions)

===== Cluster connection =====
Once you have received an email confirming the creation of you account, you have access to our clusters: Baobab and Yggdrasil.

You can connect to the HPC clusters only through the login nodes. 
The clusters are reachable from outside UNIGE as well, without the need to use a VPN.

==== login nodes ====

  * **For Baobab** : ''login2.baobab.hpc.unige.ch''
  * **For Yggdrasil** : ''login1.yggdrasil.hpc.unige.ch''

==== Connect using SSH ====


You can access the clusters from anywhere through ''ssh'' with your [[https://catalogue-si.unige.ch/isis|ISIs]] account and password.

=== ssh key ===
If you want to authenticate to the cluster using your ssh key:


<WRAP center round info 80%>
1. For security mesure AuthorizedKeyFile has been disabled to prevent any non registered at unige to log In. \\
2. The SshPublicKey must be registered in Active Directory. (it's like the AuthorizedKeyFile is binded to your Unige identity )  \\
3. The UNIGE active directory synchronize the ssh key every 10/15 min. \\
4. More information on [[https://hpc-community.unige.ch/t/authentication-modification-sshpublickey-managment/3011]]  
</WRAP>


**1. Generate your ssh-key** (We strongly recommand create it with password/passprhase for more security) by following this documentation (multiplatform):
[[https://helpdeskgeek.com/how-to/how-to-generate-ssh-keys-on-windows-mac-and-linux/]]


**2. Update your public** key to your Isis profile by uptdating "My SSH public key" on:
  * [[https://my-account.unige.ch|my-account]] for Unige/external users.
  * [[https://applicant.unige.ch/main/outsider-info/update|applicant]] for Outsider users.

**Note**: Make sure you copy the public ssh key linked to the private key you're going to use. If you have regenerated your ssh key, you'll need to put your public key in [[https://my-account.unige.ch|my-account]] or [[https://applicant.unige.ch/main/outsider-info/update|applicant]]




The first time you connect, your SSH client will ask you to confirm the **fingerprint** of the server. These are the current SSH fingerprint for both Baobab and Yggdrasil : <code console>
[root@login2 ~]# ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub
2048 MD5:8f:75:c4:18:8a:75:f1:f1:19:4d:85:92:3b:b6:2a:e1 no comment (RSA)
</code>

Or this one
<code console>
(yggdrasil)-[root@login1 ~]$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
2048 SHA256:tKqp4nljL+EGVKl8T0VF2nS36DkHVFMpLxQOPg/gKvg /etc/ssh/ssh_host_rsa_key.pub (RSA)
</code>

If you connect using x2go (at least on windows), you'll see another **fingerprint**:

<code console>
[root@login2.cluster ~]# for x in /etc/ssh/*.pub ; do echo $x && cut -d' ' -f2 < $x | base64 -d | openssl sha1 -c ; done ;
/etc/ssh/ssh_host_rsa_key.pub
(stdin)= 67:03:fc:6f:32:7c:19:9b:97:b9:e8:7b:12:1d:ad:a6:7b:c9:4c:9c
</code>


If you type your username/password **wrong 3 times** in a row, you will be **banned for 15 minutes** before you can try again. Please read more in the [[hpc/access_the_hpc_clusters#troubleshooting|Troubleshooting]] section.


=== From Linux and Mac OS===

Connect to the login node from the terminal:

<code console>
ssh youruser@clusterhostname
</code>

<note tip>add ''-Y'' if you need X forwarding
<code console>
ssh -Y youruser@clusterhostname
</code>
</note>

N.B. : replace ''clusterhostname'' with the [[hpc:access_the_hpc_clusters#login_nodes|login node]] of the cluster you are willing to use.

=== From Windows ===

To access Baobab or Yggdrasil in SSH from Windows, you can use :
  * ssh client integrated in PowerShell. Recent versions of Window 10 offer a ssh client. You can use it the same way you would use it on Linux (see [[hpc:access_the_hpc_clusters#from_linux_and_mac_os|above]])
  * PuTTY which has been the //de facto// solution for years.
    * You can download it here [[http://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html|PuTTY]].
    * You will find the needed information on the screenshots below.


N.B. : replace ''clusterhostname'' with the [[hpc:access_the_hpc_clusters#login_nodes|login node]] of the cluster you are willing to use.


PuTTY create session :
{{ hpc:1-putty-create-session.png | PuTTY create session }}

PuTTY enter username :
{{ hpc:2-putty-enter-username.png | PuTTY enter username }}

PuTTY save session :
{{ hpc:3-putty-save-session.png | PuTTY save session }}

PuTTY open session :
{{ hpc:4-putty-open-session.png | PuTTY open session }}


Once you open a session with PuTTY, you will be prompted for your password.
<code console>
| Password:
</code>

Unlike Windows systems, Linux and Unix systems will **not display** **''*''** (star character) or any other character to indicate that you've entered something/anything in a password field - it simply stays totally blank as you type. Cursor won't blink, move, etc.
\\
Just type your password and press enter, everything will be fine.






==== Access to the compute nodes ====

In case you need to access the compute nodes for purpose of debugging your software, using ''htop'' or other tool directly on the node, you need to go through the login node first and connect from there using ssh.

<code>
ssh cpu001
</code>

It is important to note that you **cannot** access directly the compute nodes unless you have a **RUNNING job** on it.
As soon as your job is finished, you will be logged out from the compute node.



===== GUI access / Desktop with X2Go =====

It's possible to access Baobab or Yggdrasil using a graphical interface. We support only ''X2Go''.

You need to install [[http://wiki.x2go.org/doku.php/download:start|X2Go client]] on your computer and create a session following the screenshots below prior to connect to Baobab.

X2Go create session :
{{ hpc:1-x2go-client-session.png | X2Go create session }}

Once connected to the Linux desktop, you can launch lightweight (image viewer, etc.) applications directly.

If you need to launch a heavy graphical program such as Matlab for example, create a new interactive 
session (see the [[hpc:slurm#interactive_jobs|Interactive jobs]] section in the Slurm page) 
on a compute node. It is [[hpc:best_practices#rules_and_etiquette|forbidden]] to use the login node for this purpose.

===== File transfer =====

If you need to transfer files from your computer to Baobab or Yggdrasil, you need to use the ''sftp'' protocol (''scp'').

==== From Linux ====

We suggest you use ''scp'' or a program like ''rsync''

==== From Windows ====

We suggest you to use [[https://filezilla-project.org/download.php?type=client|FileZilla client]] to transfer your files.

Filezilla create session :
{{ hpc:1-filezilla-create-session.png | Filezilla create session }}

===== SSH tunnel and socks proxy =====
If you want running JupyterLab or VScodeServer you may be interested by  [[hpc:how_to_use_openondemand|OpenOnDemand]]




The **login** nodes have a firewall that prevent incomming connection other than ssh.

If you need to access a service from the cluster, please follow the:



**1.** On your local machine, Save old ssh key and create a new one
<code>
$ mkdir ~/.ssh/old
$ mv ~/.ssh/*  ~/.ssh/old
$ ssh-keygen
</code>

On the cluster, make sure you have not id_rsa key file (make a back up too)

**2.** Copy the rsa.pub in [[https://my-account.unige.ch/main/home]] (for Unige Account) [[https://applicant.unige.ch/]] (for Outsider Account) and wait for 5-10 min the synchronisation with AD is done. 
the following command on login node should print your public ssh key registered in the AD:

  (baobab)-[alberta@login2 ~]$ /usr/bin/sss_ssh_authorizedkeys $USER
  ssh-rsa  [...]

**3.** On your local machine configure the proxyjump:
<code>
[alberta@localhost ~]$ cat .ssh/config_baobab 

host baobab
   HostName login2.baobab.hpc.unige.ch
   User alberta

Host cpu*
   HostName %h
   User alberta
   ProxyJump baobab

Host gpu*
   HostName %h
   User alberta
   ProxyJump baobab


[alberta@localhost ~]$ cat .ssh/config_yggdrasil 

host yggdrasil
   HostName login1.yggdrasil.hpc.unige.ch
   User alberta
   
Host cpu*
   HostName %h
   User alberta
   ProxyJump yggdrasil

Host gpu*
   HostName %h
   User alberta
   ProxyJump yggdrasil

</code>


**4.** Alloc a test job and open a new tab on your local machine and try to connect on the allocated node: 

**On baobab:**
<code>
(baobab)-[alberta@login2 ~]$ salloc --time=00:05:00
salloc: Pending job allocation 5574654
salloc: job 5574654 queued and waiting for resources
salloc: job 5574654 has been allocated resources
salloc: Granted job allocation 5574654
salloc: Waiting for resource configuration
salloc: Nodes cpu001 are ready for job
</code>

At the same time On your local machine, connect to the compute with selecting the right ssh config file (For this example: Baobab):
( My first test was on cpu026 this is the message a i got)


<code>
[alberta@localhost .ssh]$ ssh -F .ssh/config_baobab cpu026
The authenticity of host 'cpu026 (<no hostip for proxy command>)' can't be established.
RSA key fingerprint is SHA256:tKqp4nljL+EGVKl8T0VF2nS36DkHVFMpLxQOPg/gKvg.
RSA key fingerprint is MD5:8f:75:c4:18:8a:75:f1:f1:19:4d:85:92:3b:b6:2a:e1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'cpu026' (RSA) to the list of known hosts.
Last login: Tue Oct 24 10:49:29 2023
Installed: Thu Aug 17 14:40:08 CEST 2023
</code>


But working on cpu001 as well:


<code>
[alberta@localhost ~]$ ssh -F .ssh/config_baobab cpu001
Last login: Mon Oct 23 16:43:34 2023
Installed: Thu Aug 17 14:28:26 CEST 2023
(baobab)-[alberta@cpu001 ~]$
</code>

<note>
More Information on HPC-community forum:

[[https://hpc-community.unige.ch/t/tutorial-ssh-tunneling-and-socks-proxy/1795]]
[[https://hpc-community.unige.ch/t/proxyjump-ssh-not-working-on-baobab/3078/15]]
</note>
===== Troubleshooting =====

==== X11 forwarding not working on mac ====
If you try to connect to the cluster from a mac using ''ssh -Y'' and you get an error like the following when 
launching a graphical application:

<code>
Can't connect to X11
</code>

The reason seems that Xorg isn't anymore provided natively and you need to install XQuartz.

https://stackoverflow.com/questions/50035949/macos-high-sierra-and-x11-forwarding/50182736#50182736

==== "I cannot type my password" ====

Unlike Windows systems, Linux and Unix systems will **not display** * (star character) or any other character to indicate that you have entered something/anything in a password field - it simply stays totally blank. Cursor won't blink, move, etc.
\\
Just type your password and press enter, everything will be fine.

Be careful not to type your password wrong too many times, or you will be blocked temporarily (see below).

==== Banned after typing the wrong password 3 times ====

We use ''fail2ban'' on the clusters to make it more difficult for hackers to try all possible password (brute force attack).

If you type the wrong password 3 times in a row, you will be banned for 15 minutes (''fail2ban'' will blacklist your IP address). After 15 minutes you can try again.

If you are still not able to connect to the cluster after 15 minutes, please contact us with the following:

  * your username
  * your ip adress. You can get it for example using [[https://whatismyipaddress.com|this web service]]
  * on which cluster you try to connect

==== Connection refused ====

When you try to connect to Baobab or Yggdrasil using ''ssh'' or ''sftp'', if you see the message:

<code>
Connection refused
</code>

It may happens because you tried to connect many time with wrong credentials (wrong password or wrong username) and your IP address was blacklisted. Your IP will be unblocked automatically after 15 minutes.

Your Baobab/Yggdrasil password is your ISIS password and we don't manage it. If you forgot your password or you want to check if it is correct, you may use the following service : [[https://mdp.unige.ch|mdp.unige.ch]]


==== "I forgot my password, can you reset it ?" ====

Absolutely not. Your Baobab/Yggdrasil password is your ISIS password and we don't manage it.

If you **forgot your password** or you want to check if it is correct, you may use the following service :
  * [[https://mdp.unige.ch|mdp.unige.ch]]
==== Impossible to connect ====

Sometimes, some users cannot connect. There are 3 possible scenarios :
  * The cluster is under maintenance.
    * We do it every couple of months, please check your email (and junk/spam folder) for announcements.
  * Your network is blocking the access to our clusters or to the SSH protocol.
    * We are using a public IP address for the login nodes, so if you cannot connect, please contact your local network administrator. Ask them if there is any restrictions for accessing ''login2.baobab.hpc.unige.ch'' or ''login1.yggdrasil.hpc.unige.ch'', or if the port 22 is blocked.
  * The login node is down
    * That's very unlikely, but if it happens, just wait a little bit or send us an email if it's not fixed within 15 minutes.


==== Check the "current issues" ====

Please check this post which is updated whenever we encounter a problem that is worth mentioning and when we cannot fix it quickly : 
* https://hpc-community.unige.ch/t/current-issues-on-baobab/787

==== Cannot change locale (UTF-8) (Mac users) ==== 

If you have this message when connecting with SSH from a Mac terminal:

<code console>
-bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory
</code>
You can solve the issue by following the steps #1 [[https://www.cyberciti.biz/faq/os-x-terminal-bash-warning-setlocale-lc_ctype-cannot-change-locale/|here]]

Do not forget to close all the open terminal on your Mac and relaunch.

==== Keyboard issue (Mac users) ====

If you have a Keyboard issue using a mac, please see [[https://stackoverflow.com/questions/7018775/keymap-issues-with-nx-from-mac-os-x-lion-to-ubuntu/42094562#42094562|keymap-issues-with-nx-from-mac-os-x]] for a possible solution.

==== Switch edu-ID login issue ====

If you get an error message from Switch edu-ID, while trying to access :
  - https://hpc-community.unige.ch/
  - https://baobabmaster.unige.ch/iface

Please follow those links to get support :
  - [[https://plone.unige.ch/distic/pub/compte-switch-edu-id/compte-switch-edu-id-accueil#EN|SWITCH edu-ID account - Welcome]]
  - [[https://plone.unige.ch/distic/pub/compte-switch-edu-id/comment-creer-compte-switch-edu-id#EN|How to create or verify your SWITCH edu-ID account and link it to UNIGE]]

Make sure you are using the email account you have linked to your Switch edu-ID account.

Please also remember your ISIs (UNIGE) password and your Switch edu-ID password are not supposed to be the same. Make sure you are using the correct password when connecting.