Access
This page describes how to access ML Cloud resources; you will need an ML Cloud account and an ssh login key (described in the text).
Prerequisites
To use the ML Cloud, you first have to be given access to the system. To do that, your group PI or Group Manager needs to request that an account be created for you through the User Management System. All ML Cloud services share the same identity backend, so the account credentials can be used to log into all of them. These accounts are exclusive to the ML Cloud.
The account will grant you access to:
- Slurm
- Openstack
- ML Cloud Gitlab
- Nextcloud as flexible cloud-storage.
- ML Cloud User Management System
SSH Login
This section describes the login procedure using the Secure Shell Protocol (SSH).
Restrictions
Due to security concerns, several restrictions have been placed on what SSH login credentials are allowed and which set of features can be used:
- You cannot log in to SLURM using username/password credentials. Instead, password-free login based on public key cryptography is required.
- Your private key has to be stored in a file that is encrypted using a secure passphrase.
OpenSSH
OpenSSH is a popular and freely available SSH client (and server) for UNIX-like operating systems such as GNU/Linux and macOS.
OpenSSH Installation
OpenSSH comes pre-installed on macOS. It is also contained in the package repository of many GNU/Linux distributions, e.g. openssh-client on Debian, Ubuntu, etc. or openssh-clients on Fedora, CentOS, etc. As a last resort, the OpenSSH source code can be downloaded from the OpenSSH web site.
OpenSSH Key Generation
At the ML Cloud, we do not allow logging into our systems solely with a password; rather, we require key-based authentication. As such, once you receive your initial account access to Slurm you need to deploy your SSH keys on one of the login nodes. This needs to happen within 2 days of account creation (the system administrators temporarily whitelist you for password based login).
Generating your key
It is important to generate secure key pairs. The current best key type is called Ed25519. Generate a key of this type with the following command:
localhost$ ssh-keygen -a 100 -t ed25519 -f ~/.ssh/id_ed25519
The options specify the type of the key (-t), the number of key derivation function rounds (-a), and the location to place the key (-f), which is selected to be the default. Optionally, one can give a comment to the key with -C to help distinguish multiple keys.
If you still want (or have) to use RSA, please make sure to use a bit length of 4096 with the following command:
localhost$ ssh-keygen -t rsa -b 4096 -o -a 100
Note
If the file ~/.ssh/id_ed25519 already exists, you probably don't want to overwrite it, as you might already be using it as credentials for another system. Instead, use a different file name, e.g. ~/.ssh/id_ed25519_mlcloud, and remember to use the same file name on all subsequent command lines in this document.
Afterwards, ssh-keygen will ask for a passphrase. This passphrase is purely private and has a priori nothing to do with your University or AI Center credentials. It is imperative to provide a strong passphrase at this point, i.e. one that cannot easily be guessed or found by brute force. It needs to be entered in the future to unlock your private key. You might want to use a password manager to save your key and ease the use of complicated passphrases.
A pair of keys, one public and the other private, will be generated. The public key authentication is the most secure and flexible approach to ensure a multi-purpose transparent connection to a remote server. This approach is enforced on the ML Cloud Platforms and assumes that the public key is known by the system in order to perform an authentication based on a challenge/response protocol instead of the classical password-based protocol.
The generated keys for ed25519 are stored in the following files:
Key | Explanation |
---|---|
~/.ssh/id_ed25519 | Contains private key that should be stored only on your machine. NEVER EVER TRANSMIT THIS FILE |
~/.ssh/id_ed25519.pub | This file is the ONLY one SAFE to distribute |
and for rsa4096 are stored:
Key | Explanation |
---|---|
~/.ssh/id_rsa | contains the private key. NEVER EVER TRANSMIT THIS FILE |
~/.ssh/id_rsa.pub | This file is the ONLY one SAFE to distribute |
Keep the private part (i.e., ~/.ssh/id_ed25519) of the key-pair safe, confidential, and on your local host only. The generated public key (in the example above ~/.ssh/id_ed25519.pub) needs to be uploaded to the ML Cloud Login Node.
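Added example (not part of the ML Cloud documentation): a Python check that reads the cleartext header of an OpenSSH-format private key file to confirm that it is passphrase-encrypted and to report the number of KDF rounds set with -a. The sample keys are constructed containers holding dummy key material, and treating 100 rounds as a minimum is an assumption taken from the ssh-keygen command above.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"

def _string(buf, off):
    """Read one SSH 'string': uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key file")
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_key(text):
    """Parse the cleartext header: cipher, KDF rounds and public key type."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    cipher, off = _string(blob, len(MAGIC))
    kdf, off = _string(blob, off)
    kdfopts, off = _string(blob, off)
    pubkey, _ = _string(blob, off + 4)      # skip the uint32 key count
    key_type, _ = _string(pubkey, 0)
    rounds = 0
    if kdf == b"bcrypt":                    # kdfoptions: string salt, uint32 rounds
        _, pos = _string(kdfopts, 0)
        (rounds,) = struct.unpack_from(">I", kdfopts, pos)
    return {"encrypted": cipher != b"none", "cipher": cipher.decode(),
            "rounds": rounds, "key_type": key_type.decode()}

def policy_findings(info, min_rounds=100):  # floor taken from "-a 100"; an assumption
    if not info["encrypted"]:
        return ["private key is not passphrase-encrypted"]
    if info["rounds"] < min_rounds:
        return [f"KDF rounds {info['rounds']} below {min_rounds}"]
    return []

def constructed_key(cipher, kdf, rounds):
    """CONSTRUCTED sample container with all-zero dummy key material."""
    s = lambda b: struct.pack(">I", len(b)) + b
    opts = s(bytes(16)) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    pub = s(b"ssh-ed25519") + s(bytes(32))
    head = MAGIC + s(cipher) + s(kdf) + s(opts) + struct.pack(">I", 1)
    b64 = base64.b64encode(head + s(pub) + s(bytes(64))).decode()
    return f"{BEGIN}\n{b64}\n{END}\n"
```

To check a real key, pass the text of ~/.ssh/id_ed25519 to inspect_key; only the header is read, so the passphrase is not needed and the private part is never decrypted.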
Deploying SSH Keys
Once you have your ssh key generated, your public key needs to be deployed on the ML Cloud. The easiest way to do that is to use the following command:
localhost$ ssh-copy-id -i ~/.ssh/id_ed25519.pub slurm
The command ssh-copy-id copies your public key into ~/.ssh/authorized_keys on the cluster's login node.
In the event that you don’t have permission to write to ~/.ssh/authorized_keys, you have to grant yourself that permission with chmod 600 ~/.ssh/authorized_keys.
Once your key is on the cluster you may have to change its permission:
ssh slurm
chmod 600 ~/.ssh/authorized_keys
After you have deployed your key, you will be able to ssh into the cluster from your device without entering a password. The authentication is performed via your key.
Setting up Persistent Configuration
The "ssh" command (SSH protocol) is the standard way to connect to the ML Cloud. SSH also includes support for the file transfer utilities scp and sftp. Wikipedia is a good source of information on SSH. SSH is available within Linux and from the terminal app in macOS. If you are using Windows, you will need an SSH client that supports the SSH-2 protocol: e.g. Bitvise, OpenSSH, PuTTY, or SecureCRT.
The user-side SSH configuration can be used to create shortcuts to targets / hosts and configure connections. The following entry creates a shortcut that allows you to refer to login nodes via short names by adding your short names to your ~/.ssh/config:
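# Replace ml-cloud-user-id with your ML Cloud account name.
# ForwardAgent yes lets the login node use your local ssh-agent while you are connected.
Host slurm
  Hostname 134.2.168.52
  User ml-cloud-user-id
  ForwardAgent yes

Host slurm2
  Hostname 134.2.168.72
  User ml-cloud-user-id
  ForwardAgent yes

Host slurm-r2
  Hostname 134.2.168.241
  User ml-cloud-user-id
  ForwardAgent yes

Host slurm1-r2
  Hostname 134.2.168.242
  User ml-cloud-user-id
  ForwardAgent yes

With these entries in place, you can connect using the short name:
localhost$ ssh slurm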
Troubleshooting
If you have trouble connecting to one of our systems, please run the SSH client with verbose output:
localhost$ ssh -vvv -i .ssh/id_ed25519 ml_cloud_user_id@134.2.168.52
Send the resulting output to the support team at support@mlcloud.uni-tuebingen.de with a description of your problem.
Linux Shell
The default login shell for your user account is Bash. To determine your current login shell, execute:
$ echo $SHELL
If you'd like to change your login shell to csh, sh, or zsh, submit a ticket through the ML Cloud portal.
When you start a shell on the ML Cloud, system-level startup files initialize your account-level environment and aliases before the system sources your own user-level startup scripts. You can use these startup scripts to customize your shell by defining your own environment variables, aliases, and functions. These scripts (e.g. .profile and .bashrc) are generally hidden files: so-called dotfiles that begin with a period, visible when you execute: ls -a.
Login Nodes
Regions | Login Nodes |
---|---|
Region 1 | 134.2.168.52 134.2.168.72 |
Region 2 | 134.2.168.241 134.2.168.242 |
Example
localhost$ ssh -i .ssh/id_ed25519 ml_cloud_user_id@134.2.168.52
localhost$ ssh -i .ssh/id_ed25519 ml_cloud_user_id@134.2.168.72