Differences

This shows you the differences between two versions of the page.

--- hpc:access_the_hpc_clusters [2025/04/23 11:03] – [Account] Adrien Albert
+++ hpc:access_the_hpc_clusters [2025/07/10 14:42] (current) – [Outsider Account] Adrien Albert
@@ Line 3: / Line 3: @@
 ===== Account =====
----
 To access the HPC clusters (Baobab/Yggdrasil/bamboo) and submit jobs, you need a valid HPC account.
-To request an account, please follow the procedure described [[https://catalogue-si.unige.ch/en/hpc|on this page]] under "Related service."
 Access is reserved for:
@@ Line 18: / Line 13: @@
 <note important>
-Each HPC account in linked to a Primary Investigator (PI)/repondant or responsable (different terms but same purpose). A PI  is a member of the University of Geneva (Unige) who invites and takes responsibility for an user’s access to the HPC service. The PI(repondant) ensures that the access is justified, appropriate, and compliant with university policies.
+Each HPC account in linked to a Primary Investigator (PI)(=repondant = responsable (different terms but same purpose)). A PI  is a member of the University of Geneva (Unige) who invites and takes responsibility for an user’s access to the HPC service. The PI(repondant) ensures that the access is justified, appropriate, and compliant with university policies.
 </note>
-The following sections describe the different accounts type.
 ==== Standard Account ====
@@ Line 33: / Line 27: @@
 ==== External Account ====
-An **external account** is intended for collaborators from other institutions who are working closely with Unige researchers. (if you only need an HPC access Outsiders account is more appropriated)
+An **external account** is intended for collaborators from other institutions who are working closely with Unige researchers. (if you only need an HPC access [[hpc:access_the_hpc_clusters#outsider_account|Outsiders account]] is more appropriated)
 **How to request one:**
@@ Line 43: / Line 37: @@
 ==== Outsider Account ====
-An **Outsider** is a person external to Unige who has been invited by a **PI** (repondant or researcher) specifically to use the HPC service. This lightweight account is limited to HPC access and avoids standard administrative procedures. (24h waiting time to get an account)
+An **Outsider** is a person external to Unige who has been invited by a **PI** specifically to use the HPC service. This lightweight account is limited to HPC access and avoids standard administrative procedures. (24h waiting time to get an account)
 **Key details:**
-  - Authentication is done via the SSH key (only) provided during the invitation process
+  - Authentication is done via the SSH Public Key (only) provided during the invitation process  (Authentication with password is disabled)
   - SSH key can be updated at any time: [[https://applicant.unige.ch/main/outsider-info/update|Update your SSH key]]
   - SSH key updates are applied daily at 1:30 PM and 5:00 AM via the UNIGE Active Directory
@@ Line 58: / Line 52: @@
   -   The email address of the future Outsider
-  -   Selection of the appropriate service (*High-Performance Computing*)
+  -   Selection of the appropriate service (**High-Performance Computing**)
   -   Setting an expiration date (maximum 1 year)
   -   An optional note for the guest
@@ Line 64: / Line 58: @@
 Once invited, the future Outsider will receive an email with detailed instructions to finalize their registration.
-(*Tip: read it carefully!*)
+(**Tip: read it carefully!**)
 **To renew an expired Outsider account, a new invitation must be created.**
-{{:hpc:pasted:20250423-084947.png}}
+{{:hpc:pasted:20250423-084947.png?800}}
----
-You need an account on the HPC clusters to be able to access them and to submit jobs on them.
-To request an account please follow the procedure [[https://catalogue-si.unige.ch/en/hpc|on this page]] (Section: Related service).
-In principle Baobab/Yggdrasil are reserved for the members of the University of Geneva via their ISIs account (cf. https://catalogue-si.unige.ch/isis ) and to HES-SO GE users via a specific HPC account (cf. the procedure at https://catalogue-si.unige.ch/en/hpc ).
-But if you collaborate tightly with a researcher from another institution, the PI can provide him/her an access as an //independent contractor// (also called an //external collaborator// ) by following the next two steps:
-  * Ask your [[https://memento.unige.ch/download_file/230/374|administrator]] to register the external member in the University database (cf. https://catalogue-si.unige.ch/en/isis )
-    * For more information about external accounts: https://memento.unige.ch/doc/0214/
-  * Proceed with the account request procedure as described in the preceding question.
-==== Standard account ====
-If you have a standard account (not external nor outsider), you can connect to the cluster and authenticate yourself by two mechanism:
-  * you provide your ISIS user and password
-  * you setup an ssh key in your [[https://my-account.unige.ch/|ISIS account]] and authenticate using your ssh key.
-==== Outsider account ====
-An **Outsider** is someone external to the University of Geneva (Unige) who has been invited by a **repondant** to use only the High-Performance Computing (HPC) service. They are given limited access, specifically created for this purpose, without going through the usual heavy administrative procedures.
-Users with an **Outsider** account on the HPC cluster must connect using the SSH key they provided during the invitation process.
-You can update your SSH key here: [[https://applicant.unige.ch/main/outsider-info/update|Update your SSH key]].
-The UNIGE Active Directory synchronizes with this application daily at 1:30 PM and 5:00 AM. Your SSH key will be updated during these times.
-=== PI (Repondant) ===
-A PI (**repondant**) is a member of the University of Geneva (Unige) who invites and takes responsibility for an Outsider’s access to the HPC service. The PI(repondant) ensures that the access is justified, appropriate, and compliant with university policies. (Maximum 24h wait time to get an account)
-To invite and manage Outsiders, visit: https://gestion-externe.unige.ch/main/outsider-requests
-(**Access requires approval — please contact us with a short motivation if you'd like it enabled.**)
-Once access is granted, you will be able to create an invitation, which requires:
-  -   The email address of the future Outsider
-  -   Selection of the appropriate service (*High-Performance Computing*)
-  -   Setting an expiration date (maximum 1 year)
-  -   An optional note for the guest
-  -   Acceptance of the terms of use
-Once invited, the future Outsider will receive an email with detailed instructions to finalize their registration.
-(*Tip: read it carefully!*)
-To renew an expired account, you must send a new invitation to the person.
-{{:hpc:pasted:20250423-084947.png}}
@@ Line 172: / Line 110: @@
 **Note**: Make sure you copy the public ssh key linked to the private key you're going to use. If you have regenerated your ssh key, you'll need to put your public key in [[https://my-account.unige.ch|my-account]] or [[https://applicant.unige.ch/main/outsider-info/update|applicant]]
+=== multiple ssh key ===
+It is possible to register multiple SSH public keys on the authentication server. However, [[https://my-account.unige.ch/|my-account.unige.ch]] does not allow this at the moment (work in progress). In the meantime, please send your request to the LDAP team directly at dl-distic-windows-team@unige.ch.
+<WRAP center round important 60%>
+After requesting an additional sshPublicKey, if you update it via my-account, all previous references will be overwritten.
+</WRAP>
@@ Line 327: / Line 273: @@
   (baobab)-[alberta@login1 ~]$ /usr/bin/sss_ssh_authorizedkeys $USER
   ssh-rsa  [...]
+Only for tunneling: Once the configured you MUST save this SSHpublicKey in your ssh_authorizedkeys on Cluster.
+  $ ssh-copy-id <ssh.pub> <users>@login1.<cluster>.hpc.unige.ch
 **3.** On your local machine configure the proxyjump:
@@ Line 404: / Line 354: @@
 (baobab)-[alberta@cpu001 ~]$
 </code>
+===== Alternative to using ProxyJump =====
+ProxyJump doesn't work with host based authentication, this is the reason why you need to use a ssh key in the previous setup. The reason is because ProxyJump doesn't open a real ssh session and thus the ssh-keysign isn't run when you connect. Instead of using ProxyJump, you can proceed as follow:
+<code>
+Host baobab
+    HostName login1.baobab.hpc.unige.ch
+    User <youruser>
+Host cpu*
+    HostName %h
+    User <youruser>
+    ProxyCommand ssh -tt baobab ssh %r@%h
+</code>
+Usage: ssh cpu001
 <note>
 More Information on HPC-community forum: