To access the HPC clusters (Baobab/Yggdrasil/bamboo) and submit jobs, you need a valid HPC account.

Access is reserved for:

1. Members of the University of Geneva (Unige)
2. Members of HES-SO GE
3. External collaborators
4. Guest

This is the default account type for Unige members. To request an account please follow fill the form on DW: https://dw.unige.ch/openentry.html?tid=hpc

To connect to the HPC cluster, you must authenticate using one of these methods:

1. Your ISIS username and password
2. An SSH key registered in your ISIS account

An external account is intended for collaborators from other institutions who are working closely with Unige researchers. (if you only need an HPC access Outsiders account is more appropriated)

How to request one:

• Ask your department administrator to register the external collaborator in the university database: https://catalogue-si.unige.ch/en/isis
• More info: https://memento.unige.ch/doc/0214/
• Once registered, follow the usual HPC account request procedure as described above.

An Outsider is a person external to Unige who has been invited by a PI specifically to use the HPC service. This lightweight account is limited to HPC access and avoids standard administrative procedures. (24h waiting time to get an account)

Key details:

1. Authentication is done via the SSH key (only) provided during the invitation process
2. SSH key can be updated at any time: Update your SSH key
3. SSH key updates are applied daily at 1:30 PM and 5:00 AM via the UNIGE Active Directory

Only PI can invite and manage Outsiders, visit: https://gestion-externe.unige.ch/main/outsider-requests

(Access requires approval — please contact us with a short motivation if you'd like it enabled.)

Once access is granted, you will be able to create an invitation, which requires:

1. The email address of the future Outsider
2. Selection of the appropriate service (High-Performance Computing)
3. Setting an expiration date (maximum 1 year)
4. An optional note for the guest
5. Acceptance of the terms of use

Once invited, the future Outsider will receive an email with detailed instructions to finalize their registration. (Tip: read it carefully!)

To renew an expired Outsider account, a new invitation must be created.

Accounts that have been inactive for a period of one year will be flagged for deletion. This is to ensure that we are not storing unused data and to avoid data being left without an owner in the event that the account is deleted from the UNIGE central user directory.

Users will receive an email notification prior to the scheduled deletion of their account, giving them the opportunity to log in and keep their account active. If no response is received within one month, the account will be deleted, along with all associated data.

Once you have received an email confirming the creation of you account, you have access to our clusters: Baobab and Yggdrasil.

You can connect to the HPC clusters only through the login nodes. The clusters are reachable from outside UNIGE as well, without the need to use a VPN.

• For Baobab : login1.baobab.hpc.unige.ch
• For Yggdrasil : login1.yggdrasil.hpc.unige.ch
• For Bamboo : login1.bamboo.hpc.unige.ch

You can access the clusters from anywhere through ssh with your ISIs account and password.

If you want to authenticate to the cluster using your ssh key:

1. Generate your ssh-key (We strongly recommend to create it with password/passphrase for more security) by following this documentation (multi-platform)

2. Update your public key to your Isis profile by updating “My SSH public key” on:

• my-account for UNIGE/external users.
• applicant for Outsider users.

Note: Make sure you copy the public ssh key linked to the private key you're going to use. If you have regenerated your ssh key, you'll need to put your public key in my-account or applicant

It is possible to register multiple SSH public keys on the authentication server. However, my-account.unige.ch does not allow this at the moment (work in progress). In the meantime, please send your request to the LDAP team directly at dl-distic-windows-team@unige.ch.

:warning: After requesting an additional sshPublicKey, if you update it via my-account, all previous references will be overwritten.

The first time you connect, your SSH client will ask you to confirm the fingerprint of the server. These are the current SSH fingerprint for both Baobab and Yggdrasil :

[root@login1 ~]# ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub
2048 MD5:8f:75:c4:18:8a:75:f1:f1:19:4d:85:92:3b:b6:2a:e1 no comment (RSA)

Or this one

(yggdrasil)-[root@login1 ~]$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
2048 SHA256:tKqp4nljL+EGVKl8T0VF2nS36DkHVFMpLxQOPg/gKvg /etc/ssh/ssh_host_rsa_key.pub (RSA)

If you connect using x2go (at least on windows), you'll see another fingerprint:

[root@login1 ~]# for x in /etc/ssh/*.pub ; do echo $x && cut -d' ' -f2 < $x | base64 -d | openssl sha1 -c ; done ;
/etc/ssh/ssh_host_rsa_key.pub
(stdin)= 67:03:fc:6f:32:7c:19:9b:97:b9:e8:7b:12:1d:ad:a6:7b:c9:4c:9c

If you type your username/password wrong 3 times in a row, you will be banned for 15 minutes before you can try again. Please read more in the Troubleshooting section.

Connect to the login node from the terminal:

ssh youruser@clusterhostname

ssh -Y youruser@clusterhostname

N.B. : replace clusterhostname with the login node of the cluster you are willing to use.

To access Baobab or Yggdrasil in SSH from Windows, you can use :

• ssh client integrated in PowerShell. Recent versions of Window 10 offer a ssh client. You can use it the same way you would use it on Linux (see above)
• PuTTY which has been the de facto solution for years.
  • You can download it here PuTTY.
  • You will find the needed information on the screenshots below.

N.B. : replace clusterhostname with the login node of the cluster you are willing to use.

PuTTY create session :

PuTTY enter username :

PuTTY save session :

PuTTY open session :

Once you open a session with PuTTY, you will be prompted for your password.

| Password:

Unlike Windows systems, Linux and Unix systems will not display * (star character) or any other character to indicate that you've entered something/anything in a password field - it simply stays totally blank as you type. Cursor won't blink, move, etc.
Just type your password and press enter, everything will be fine.

In case you need to access the compute nodes for purpose of debugging your software, using htop or other tool directly on the node, you need to go through the login node first and connect from there using ssh.

ssh cpu001

It is important to note that you cannot access directly the compute nodes unless you have a RUNNING job on it. As soon as your job is finished, you will be logged out from the compute node.

It's possible to access Baobab or Yggdrasil using a graphical interface. We support only X2Go.

You need to install X2Go client on your computer and create a session following the screenshots below prior to connect to Baobab.

X2Go create session :

Once connected to the Linux desktop, you can launch lightweight (image viewer, etc.) applications directly.

If you need to launch a heavy graphical program such as Matlab for example, create a new interactive session (see the Interactive jobs section in the Slurm page) on a compute node. It is forbidden to use the login node for this purpose.

If you need to transfer files from your computer to Baobab or Yggdrasil, you need to use the sftp protocol (scp).

We suggest you use scp or a program like rsync

We suggest you to use FileZilla client to transfer your files.

Filezilla create session :

If you want running JupyterLab or VScodeServer you may be interested by OpenOnDemand

The login nodes have a firewall that prevent incomming connection other than ssh.

If you need to access a service from the cluster, please follow the:

1. On your local machine, Save old ssh key and create a new one

$ mkdir ~/.ssh/old
$ mv ~/.ssh/*  ~/.ssh/old
$ ssh-keygen

On the cluster, make sure you have not id_rsa key file (make a back up too)

2. Copy the rsa.pub in https://my-account.unige.ch/main/home (for Unige Account) https://applicant.unige.ch/ (for Outsider Account) and wait for 5-10 min the synchronisation with AD is done. the following command on login node should print your public ssh key registered in the AD:

(baobab)-[alberta@login1 ~]$ /usr/bin/sss_ssh_authorizedkeys $USER
ssh-rsa  [...]

Only for tunneling: Once the configured you MUST save this SSHpublicKey in your ssh_authorizedkeys on Cluster.

$ ssh-copy-id <ssh.pub> <users>@login1.<cluster>.hpc.unige.ch

3. On your local machine configure the proxyjump:

[alberta@localhost ~]$ cat .ssh/config_baobab 

host baobab
   HostName login1.baobab.hpc.unige.ch
   User alberta

Host cpu*
   HostName %h
   User alberta
   ProxyJump baobab

Host gpu*
   HostName %h
   User alberta
   ProxyJump baobab


[alberta@localhost ~]$ cat .ssh/config_yggdrasil 

host yggdrasil
   HostName login1.yggdrasil.hpc.unige.ch
   User alberta
   
Host cpu*
   HostName %h
   User alberta
   ProxyJump yggdrasil

Host gpu*
   HostName %h
   User alberta
   ProxyJump yggdrasil

4. Alloc a test job and open a new tab on your local machine and try to connect on the allocated node:

On baobab:

(baobab)-[alberta@login1 ~]$ salloc --time=00:05:00
salloc: Pending job allocation 5574654
salloc: job 5574654 queued and waiting for resources
salloc: job 5574654 has been allocated resources
salloc: Granted job allocation 5574654
salloc: Waiting for resource configuration
salloc: Nodes cpu001 are ready for job

At the same time On your local machine, connect to the compute with selecting the right ssh config file (For this example: Baobab): ( My first test was on cpu026 this is the message a i got)

[alberta@localhost .ssh]$ ssh -F .ssh/config_baobab cpu026
The authenticity of host 'cpu026 (<no hostip for proxy command>)' can't be established.
RSA key fingerprint is SHA256:tKqp4nljL+EGVKl8T0VF2nS36DkHVFMpLxQOPg/gKvg.
RSA key fingerprint is MD5:8f:75:c4:18:8a:75:f1:f1:19:4d:85:92:3b:b6:2a:e1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'cpu026' (RSA) to the list of known hosts.
Last login: Tue Oct 24 10:49:29 2023
Installed: Thu Aug 17 14:40:08 CEST 2023

But working on cpu001 as well:

[alberta@localhost ~]$ ssh -F .ssh/config_baobab cpu001
Last login: Mon Oct 23 16:43:34 2023
Installed: Thu Aug 17 14:28:26 CEST 2023
(baobab)-[alberta@cpu001 ~]$

ProxyJump doesn't work with host based authentication, this is the reason why you need to use a ssh key in the previous setup. The reason is because ProxyJump doesn't open a real ssh session and thus the ssh-keysign isn't run when you connect. Instead of using ProxyJump, you can proceed as follow:

Host baobab
    HostName login1.baobab.hpc.unige.ch
    User <youruser>
    
Host cpu*
    HostName %h
    User <youruser>
    ProxyCommand ssh -tt baobab ssh %r@%h

Usage: ssh cpu001