Differences

This shows you the differences between two versions of the page.

--- hpc:access_the_hpc_clusters [2025/04/23 09:30] – [Outsider account] Adrien Albert
+++ hpc:access_the_hpc_clusters [2025/07/10 14:42] (current) – [Outsider Account] Adrien Albert
@@ Line 4: / Line 4: @@
 ===== Account =====
-You need an account on the HPC clusters to be able to access them and to submit jobs on them.
+To access the HPC clusters (Baobab/Yggdrasil/bamboo) and submit jobs, you need a valid HPC account.
-To request an account please follow the procedure [[https://catalogue-si.unige.ch/en/hpc|on this page]] (Section: Related service).
+Access is reserved for:
+  - Members of the University of Geneva (Unige)
+  - Members of HES-SO GE
+  - External collaborators
+  - Guest
-In principle Baobab/Yggdrasil are reserved for the members of the University of Geneva via their ISIs account (cf. https://catalogue-si.unige.ch/isis ) and to HES-SO GE users via a specific HPC account (cf. the procedure at https://catalogue-si.unige.ch/en/hpc ).
+<note important>
+Each HPC account in linked to a Primary Investigator (PI)(=repondant = responsable (different terms but same purpose)). A PI  is a member of the University of Geneva (Unige) who invites and takes responsibility for an user’s access to the HPC service. The PI(repondant) ensures that the access is justified, appropriate, and compliant with university policies.
+</note>
-But if you collaborate tightly with a researcher from another institution, the PI can provide him/her an access as an //independent contractor// (also called an //external collaborator// ) by following the next two steps:
-  * Ask your [[https://memento.unige.ch/download_file/230/374|administrator]] to register the external member in the University database (cf. https://catalogue-si.unige.ch/en/isis )
-    * For more information about external accounts: https://memento.unige.ch/doc/0214/
-  * Proceed with the account request procedure as described in the preceding question.
+==== Standard Account ====
+This is the default account type for Unige members. To request an account please follow fill the form on DW: https://dw.unige.ch/openentry.html?tid=hpc
-==== Standard account ====
+To connect to the HPC cluster, you must authenticate using one of these methods:
+  - Your [[https://catalogue-si.unige.ch/en/isis|ISIS]] username and password
+  - An SSH key registered in your [[https://my-account.unige.ch/|ISIS account]]
-If you have a standard account (not external nor outsider), you can connect to the cluster and authenticate yourself by two mechanism:
+==== External Account ====
-  * you provide your ISIS user and password
+An **external account** is intended for collaborators from other institutions who are working closely with Unige researchers. (if you only need an HPC access [[hpc:access_the_hpc_clusters#outsider_account|Outsiders account]] is more appropriated)
-  * you setup an ssh key in your [[https://my-account.unige.ch/|ISIS account]] and authenticate using your ssh key.
+**How to request one:**
+  * Ask your [[https://memento.unige.ch/download_file/230/374|department administrator]] to register the external collaborator in the university database: [[https://catalogue-si.unige.ch/en/isis]]
+  * More info: [[https://memento.unige.ch/doc/0214/]]
+  * Once registered, follow the usual HPC account request procedure as described above.
-==== Outsider account ====
+==== Outsider Account ====
-An **Outsider** is someone external to the University of Geneva (Unige) who has been invited by a **repondant** to use only the High-Performance Computing (HPC) service. They are given limited access, specifically created for this purpose, without going through the usual heavy administrative procedures.
+An **Outsider** is a person external to Unige who has been invited by a **PI** specifically to use the HPC service. This lightweight account is limited to HPC access and avoids standard administrative procedures. (24h waiting time to get an account)
-Users with an **Outsider** account on the HPC cluster must connect using the SSH key they provided during the invitation process.
+**Key details:**
+  - Authentication is done via the SSH Public Key (only) provided during the invitation process  (Authentication with password is disabled)
+  - SSH key can be updated at any time: [[https://applicant.unige.ch/main/outsider-info/update|Update your SSH key]]
+  - SSH key updates are applied daily at 1:30 PM and 5:00 AM via the UNIGE Active Directory
-You can update your SSH key here: [[https://applicant.unige.ch/main/outsider-info/update|Update your SSH key]].
-The UNIGE Active Directory synchronizes with this application daily at 1:30 PM and 5:00 AM. Your SSH key will be updated during these times.
+Only PI can invite and manage Outsiders, visit: https://gestion-externe.unige.ch/main/outsider-requests
-=== Repondant ===
-A **repondant** is a member of the University of Geneva (Unige) who invites and takes responsibility for an Outsider’s access to the HPC service. The repondant ensures that the access is justified, appropriate, and compliant with university policies. (Maximum 24h wait time to get an account)
-To invite and manage Outsiders, visit: https://gestion-externe.unige.ch/main/outsider-requests
 (**Access requires approval — please contact us with a short motivation if you'd like it enabled.**)
@@ Line 47: / Line 52: @@
   -   The email address of the future Outsider
-  -   Selection of the appropriate service (*High-Performance Computing*)
+  -   Selection of the appropriate service (**High-Performance Computing**)
   -   Setting an expiration date (maximum 1 year)
   -   An optional note for the guest
@@ Line 53: / Line 58: @@
 Once invited, the future Outsider will receive an email with detailed instructions to finalize their registration.
-(*Tip: read it carefully!*)
+(**Tip: read it carefully!**)
+**To renew an expired Outsider account, a new invitation must be created.**
-To renew an expired account, you must send a new invitation to the person.
+{{:hpc:pasted:20250423-084947.png?800}}
-{{:hpc:pasted:20250423-084947.png}}
@@ Line 103: / Line 110: @@
 **Note**: Make sure you copy the public ssh key linked to the private key you're going to use. If you have regenerated your ssh key, you'll need to put your public key in [[https://my-account.unige.ch|my-account]] or [[https://applicant.unige.ch/main/outsider-info/update|applicant]]
+=== multiple ssh key ===
+It is possible to register multiple SSH public keys on the authentication server. However, [[https://my-account.unige.ch/|my-account.unige.ch]] does not allow this at the moment (work in progress). In the meantime, please send your request to the LDAP team directly at dl-distic-windows-team@unige.ch.
+<WRAP center round important 60%>
+After requesting an additional sshPublicKey, if you update it via my-account, all previous references will be overwritten.
+</WRAP>
@@ Line 258: / Line 273: @@
   (baobab)-[alberta@login1 ~]$ /usr/bin/sss_ssh_authorizedkeys $USER
   ssh-rsa  [...]
+Only for tunneling: Once the configured you MUST save this SSHpublicKey in your ssh_authorizedkeys on Cluster.
+  $ ssh-copy-id <ssh.pub> <users>@login1.<cluster>.hpc.unige.ch
 **3.** On your local machine configure the proxyjump:
@@ Line 335: / Line 354: @@
 (baobab)-[alberta@cpu001 ~]$
 </code>
+===== Alternative to using ProxyJump =====
+ProxyJump doesn't work with host based authentication, this is the reason why you need to use a ssh key in the previous setup. The reason is because ProxyJump doesn't open a real ssh session and thus the ssh-keysign isn't run when you connect. Instead of using ProxyJump, you can proceed as follow:
+<code>
+Host baobab
+    HostName login1.baobab.hpc.unige.ch
+    User <youruser>
+Host cpu*
+    HostName %h
+    User <youruser>
+    ProxyCommand ssh -tt baobab ssh %r@%h
+</code>
+Usage: ssh cpu001
 <note>
 More Information on HPC-community forum: