Fed4FIRE

From Grid5000
Revision as of 11:38, 19 November 2020 by Lbertot (talk | contribs) (Nodes in Vlans do not respond)


This page provides specific information about Grid'5000 for Fed4FIRE users.

Current Status (November 2020)

The Grid'5000 Aggregate Manager (AM) will soon be added to Fed4FIRE's jFed suite. Although integration is not complete yet, this will allow users to perform basic tasks using only Fed4FIRE-standard APIs.

  • The Grid'5000 Aggregate Manager (am.grid5000.fr) advertises Grid'5000 resources
  • Fed4FIRE users can allocate and provision Grid'5000 resources from the Aggregate Manager, using the AMv3 API.
  • New Grid'5000 accounts are automatically created by the AM for new users, for 1 month. After that, Fed4FIRE users will need to complete their account to regain access (see Extending a valid or expired account).
  • Fed4FIRE users can login to Grid'5000 frontends and to provisioned resources via SSH using their Fed4FIRE certificate private key.
  • Nodes can be put in global vlans using links
    • The main network interface remains in the default vlan for connection purposes
    • The AM does not configure or start the network interfaces, just switches them into the selected vlan
  • Network-level interconnection with other testbeds is possible using the `Dedicated Ext Network Connection` node in jFed-Experimenter

Technical detail

  • Aggregate Manager
    • Address: am.grid5000.fr
    • Port: 443
    • Component managers:
      • urn:publicid:IDN+am.grid5000.fr+authority+am
      • urn:publicid:IDN+am.grid5000.fr:<site>+authority+am

Grid'5000 Accounts

Access to any Grid'5000 resources requires a Grid'5000 account.

Linking Fed4FIRE identity to existing Grid'5000 accounts

Grid'5000 users who already have an account can link it to their Fed4FIRE identity from their account management page:

  • go to the External identifiers and press the Add new identifier button,
  • select Fed4FIRE as External engine and your Fed4FIRE URN as External identifier.

The Fed4FIRE URN can be found in jFed tools once logged in, or by parsing the Fed4FIRE user certificate using openssl. Please note that for preexisting Grid'5000 accounts the AM will not add new ssh keys to your account. Users should feel free to add their certificate key as an ssh key to their Grid'5000 account or add their ssh key to jFed experimenter.

Fed4FIRE Users

Fed4FIRE users without an existing Grid'5000 account, or who fail to link their existing Grid'5000 account, will have a new one created for them the first time they allocate resources. These new accounts are valid for a single month. Three emails will inform you of your account's expiry:

  • one week before the account's expiry
  • on the day of the account's expiry
  • on the day the account is retired, 1 week after expiry

Extending a valid or expired Grid'5000 account, created automatically for a Fed4FIRE user

Users are welcome to request an account extension. To do so:

  1. Go to Grid'5000 password reset page to create a password for your account.
    Please note that (re)setting your password requires you to input the email associated with your account, which will be the one provided by the Fed4FIRE federation and not your institutional email.
  2. Login to the account management page.
  3. Complete your information :
    Use the Action buttons to Edit your Account and Affiliation
    - In the account section you will be asked to provide your name and, if you so wish, your institutional email address.
    - In the affiliation section you will be asked about your work and employer, as well as your intended usage for Grid'5000
  4. Request access by going to the Groups tab and using the Join a new group button.
    Join the open-access group.
    Your request will be checked by the group manager based on your account and affiliation information, so fill them in correctly.
    INRIA members can try to join a group relevant to their research teams instead of open-access.
    Do NOT request an extension within the Fed4FIRE access group. It will not be granted.

Extending a closed account, created automatically for a Fed4FIRE user

Accounts that have been expired for more than one week are retired automatically.

Retired accounts can not be accessed from the account management interface and need to be reopened by Grid'5000 staff.

To reopen a closed account you will need to mail the support staff at support-staff @ lists.grid5000.fr.

Contact information

  • Fed4FIRE contact points for Grid'5000:
    • Lucas Nussbaum (lucas.nussbaum@loria.fr)
    • David Margery (david.margery@inria.fr)
    • Luke Bertot (luke.bertot@inria.fr)
  • Grid'5000 support staff: see the Support page

FAQ

Platform Access

Grid'5000 Account Management

Grid'5000 keeps user accounts linked to your Fed4FIRE identity. These accounts are generated automatically, for a duration of 1 month, when you first attempt a node allocation. To access Grid'5000's account management interface you will first need to set a Grid'5000 password.

  • Resetting your password:
  • Accessing your account
    • Go to UMS
    • From here you can:
      • Add new ssh keys to your account.
      • Update your affiliation information
      • Request account extensions

Accessing your Grid'5000 homedirs

Grid'5000 provides home directories on every site of the testbed with ssh access. This access requires connecting through ssh gateways as described on this page.

SSH keys

By default, for accounts created through tools such as jFed, the ssh key of the account is derived from the user's federation certificate. To connect, users must provide the certificate to the ssh client as the identity file.

Users can add additional keys using the Grid'5000 account management interface. These keys will be used to connect to access gateways and nodes.

Adding your certificate key as SSH keys

By default jFed tools will try to connect to nodes using your user certificate key. For this reason the Grid'5000 AM will add this ssh key to all new accounts it creates, and will update your key every time your certificate changes. Users who use a pre-existing Grid'5000 account do not benefit from this feature by default, and can instead opt to add their usual ssh key to jFed.

Users wanting to use their certificate key with ssh can use `ssh-keygen -y -f <path/to/certificate>` to derive an ssh public key from their PEM certificate. Users wanting to benefit from the AM's automatic key update feature should append the `encoded by users-api-ror from rsa cert` comment at the end of their key line. The final result should look like: `ssh-rsa AAAAB3Nyc2EADAQzaC1ABAAAA[...]+sw== encoded by users-api-ror from rsa cert`
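The two steps above (reading the URN out of the certificate and building the tagged key line) can be scripted as follows. This is an added example, not a Grid'5000 or jFed tool: the function names are hypothetical, and it assumes the URN is stored as a URI entry in the certificate's subjectAltName.

```sh
# Added example; function names are hypothetical.
AM_KEY_COMMENT='encoded by users-api-ror from rsa cert'

# Filter: read `ssh-keygen -y` output on stdin and print the key line with
# any existing comment replaced by the one the AM looks for.
tag_key_line() {
    read -r type blob _rest || true   # a last line without newline still counts
    if [ -z "$type" ] || [ -z "$blob" ]; then
        echo "no public key on stdin" >&2
        return 1
    fi
    printf '%s %s %s\n' "$type" "$blob" "$AM_KEY_COMMENT"
}

# Filter: read `openssl x509 -noout -text` output on stdin and print every
# URN found in a URI entry, one per line.
# Assumption: the Fed4FIRE URN is carried in the subjectAltName extension.
urns_from_cert_text() {
    grep -o 'URI:urn:publicid:IDN+[^,[:space:]]*' | sed 's/^URI://'
}

# Convenience wrappers around the real tools; $1 is the PEM certificate file.
cert_key_line() { ssh-keygen -y -f "$1" | tag_key_line; }
fed4fire_urn()  { openssl x509 -in "$1" -noout -text | urns_from_cert_text; }
```

`cert_key_line <path/to/certificate>` prints the line to paste into the account management page, and `fed4fire_urn <path/to/certificate>` prints the value to enter as External identifier.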

Adding your ssh key to jFed

By default jFed tools will try to connect to nodes using your user certificate key. Users can, if they so wish, add another ssh key to try during ssh connections. Ssh keys are added in the Preference > SSH Authentication section.

However, at the time of writing jFed Experimenter does not recognize the latest openssh private key format, starting with -----BEGIN OPENSSH PRIVATE KEY-----. If you have such a key you can work around the problem by:

  1. making a copy of your private key
  2. using ssh-keygen -p -m PEM -f </path/to/key/copy>
    • the command will prompt you for a new password, you are free to reuse the same password or leave the field blank for no password
  3. the copy should now have the key in the PEM format, starting with -----BEGIN RSA PRIVATE KEY-----

The copy will now work with jFed.
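The workaround above as a script that never touches the original key and keeps the copy readable by its owner only. This is an added example, not part of jFed or Grid'5000; the function names are hypothetical.

```sh
# Added example; function names are hypothetical.

# Print the private-key container format, judged by the file's first line.
key_format() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----")     echo pem-rsa ;;
        *)                                     echo other ;;
    esac
}

# Write a PEM-format copy of private key $1 to $2 for use with jFed.
pem_copy_for_jfed() {
    src=$1
    dst=$2
    if [ -e "$dst" ]; then
        echo "refusing to overwrite $dst" >&2
        return 1
    fi
    # Step 1: copy the key, with owner-only permissions from the start.
    ( umask 077 && cp "$src" "$dst" ) || return 1
    # Step 2: rewrite the copy in place; ssh-keygen prompts for passphrases.
    if [ "$(key_format "$dst")" = openssh ]; then
        ssh-keygen -p -m PEM -f "$dst" || { rm -f "$dst"; return 1; }
    fi
    # Step 3: check for the header named above; do not leave a stray
    # private-key copy behind if the result is anything else.
    if [ "$(key_format "$dst")" != pem-rsa ]; then
        echo "$dst is not an RSA key in PEM format, removing it" >&2
        rm -f "$dst"
        return 1
    fi
}
```

A key that is already in the PEM format is simply copied, so the function can be run on any RSA key before pointing jFed at the copy.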


Experiment limits

Limits for the duration of an experiment?

If experiment means project, there is no limit. Accounts are created with a short-term expiration date (one month or two months depending on the process used for account creation) but can be extended at will.

If experiment means resources reservation, the limits are described in the Grid'5000 Usage Policy. The philosophy behind the Usage Policy is that users should be able to find some resources to prepare experiments during the day, and then reserve resources in advance to do large-scale experiments during nights and week-ends. So the effective limits are 10 hours during the day (9h-19h), 14 hours during nights (19h-9h), and 62 hours during week-ends (Friday 19h -> Monday 9h). Users are therefore strongly encouraged to automate the setup of their experiments (using scripts or tools such as Ansible). If an experiment requires a longer reservation, a special request can be made, as described in the Grid'5000 Usage Policy.

Unable to book unspecified nodes after initial one month period ?

If your manifest rspec does not indicate a specific node (using a `component_id`), a specific cluster using a `hardware_type`, or a specific site (using a site specific `component_manager_id`), the AM will provide a node out of Nancy's production queue. If you are not in a group authorized to access the production queue you will not be able to allocate nodes without specifying at least a site.

Experiment sharing

Sharing one user account per experiment?

Even if several persons are going to collaborate on the same experiment, we strongly prefer that each person uses their own account, for traceability purposes. It is possible to share scripts etc. using standard Unix mechanisms (directory permissions), or using external Git services (which are accessible from Grid'5000 nodes).

Fed4FIRE experiment sharing and SSH key injection

It is possible to share experiments using the corresponding options in jFed. It is also possible to add SSH keys to nodes at provisioning time using the `geni_users` option. However, Grid'5000 has multiple caveats:

  • The new ssh keys are only installed on the provisioned node and not on the ssh access gateways. Only keys registered with your account beforehand can be used on the access gateway. Keys registered with your account are always loaded into provisioned nodes.
  • To grant access to other users they will need a Grid'5000 account to connect to the access gateway. Like with all other Fed4FIRE users this account can be created by connecting to the Aggregate Manager using the Allocate or Describe calls.
  • If you grant another user access to one of the nodes you have allocated, they will gain Read/Write access to your Grid'5000 homedir for the duration of the experiment.

Networking

Public IP Address for Grid'5000 nodes?

Grid'5000 nodes are on a private network. Interconnection to the Internet is achieved through a NAT, using a 10 Gbps link to RENATER (the French NREN).

We are in the process of:

  • Adding public IPv6 addresses to nodes
  • Adding a configurable firewall to allow reaching Grid'5000 nodes from the Internet using IPv6
  • Extending this to a set of IPv4 addresses (probably doing NAT from the public IPv4 address to the internal IPv4 addresses)

However, this is still work in progress.

Nodes in Vlans do not respond, are not configured

At this time the Grid'5000 AM can not configure the network interfaces set in vlans. You need to connect to the node's control interface using ssh (jFed-Experimenter can do so automatically) and configure the interface in the vlan manually. The interface names are provided as part of the interface element's component_id.

Experiment fails with not enough Vlans ?

The AM only makes use of global vlans to ensure connectivity. As such, a maximum of eight vlans will be available at best. If your experiment requires more, you will need to reserve and operate the site-restricted vlans using Grid'5000's native API or ssh access.

How to stitch a Grid'5000 VLAN to connect into an imec VLAN ?

Prepare your experiment by building the Grid'5000 and imec parts of your experiment separately. The two can be put in a single topology or in two separate topologies to be allocated independently.

To link the two parts of the experiment you will need to set up two Dedicated Ext. Network Connection nodes. In the future, we will support automated cross-testbed stitching, but we are not quite there yet.

On the Grid'5000 side of the experiment
  • Pull a Dedicated Ext. Network Connection to your topology and connect it to the node or link you want to see stitched.
  • Open the configuration window for the Network Connection.
  • In the Select testbed drop-down menu select Grid'5000.
  • Refresh testbed information using the button opposite the Specific node: drop-down menu.
  • In the Specific node: drop-down menu you will be able to select the target external VLAN.
    • external-vlan-PARTNER-**** where PARTNER is the testbed on the other side of the stitch and **** the VLAN tag
    • the VLAN tag should match the one selected on the imec side
  • Save the Dedicated Ext. Network Connection configuration.


On the imec side of the experiment 
  • Pull a Dedicated Ext. Network Connection to your topology and connect it to the node or link you want to see stitched.
  • Open the configuration window for the Network Connection.
  • In the Select testbed drop-down menu select grid5000 vlan **** network edge - imec side.
    • where **** is the same VLAN tag as used on the Grid'5000 side of the experiment.
  • Save the Dedicated Ext. Network Connection configuration.

Do not trace a link between the two Dedicated Ext. Network Connection. Such "nodes" are implicitly linked to each other, and manually linking them will cause the experiment to fail.

Using a personalized disk image

Grid'5000 public images are advertised by the AM and available through the + button in the node configuration menu in the public image drop-down menu. As described in Advanced Kadeploy and Environment_creation, users can deploy their own environment to Grid'5000 nodes. Although such environments are never listed in jFed-Experimenter, users can invoke them by setting the correct disk image.

  • To access your own environments recorded in kaenv3
    • Set the disk image field to urn:publicid:IDN+am.grid5000.fr+image+kadeploy3:ENVIRONMENT_NAME
    (by first selecting a Grid'5000 public image jFed will set the first part of the URN for you.)
  • To access environments created by other users
    • Set the disk image field to urn:publicid:IDN+am.grid5000.fr+image+kadeploy3:ENVIRONMENT_NAME@USER_LOGIN
    • The environment must be made public by the other user
  • To deploy an environment from an environment file accessible via http or https
    • Set the disk image field to the url of your environment file, including the protocol prefix (http:// or https://)