Difference between revisions of "Fed4FIRE"

From Grid5000
(Using personalized disk image.)
m (SSH keys: fix typo)
Line 106: Line 106:
  
 
=== SSH keys ===
 
=== SSH keys ===
By default accounts created though through tools such as jFed, the ssh key of the account is derived from the user's federation certificate. To connect users must provide the certificate to the ssh client as the identity file.
+
By default accounts created through tools such as jFed, the ssh key of the account is derived from the user's federation certificate. To connect users must provide the certificate to the ssh client as the identity file.
  
 
Users can add additional keys using the Grid'5000 [[Fed4FIRE#Grid.275000_Account_Management|account management interface]]. These keys will be used to connect to access gateways and nodes.
 
Users can add additional keys using the Grid'5000 [[Fed4FIRE#Grid.275000_Account_Management|account management interface]]. These keys will be used to connect to access gateways and nodes.
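Review bot: on the "+" line, removing the doubled "though" still leaves a sentence that does not parse, because "By default accounts created through tools such as jFed," has no verb before "the ssh key of the account is derived". Suggest "For accounts created through tools such as jFed, the ssh key of the account is by default derived from the user's federation certificate", and a comma after "To connect" in the following sentence.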
Line 129: Line 129:
 
# the copy should not have the key in the PEM format, starting with <code>-----BEGIN RSA PRIVATE KEY-----</code>
 
# the copy should not have the key in the PEM format, starting with <code>-----BEGIN RSA PRIVATE KEY-----</code>
 
The copy will now work with jFed.
 
The copy will now work with jFed.
 
  
 
=== Experiment limits ===
 
=== Experiment limits ===
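Review bot: the unchanged context line "the copy should not have the key in the PEM format" contradicts the line after it, "The copy will now work with jFed". "not" reads as a typo for "now" and could be fixed in the same typo pass.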

Revision as of 07:47, 21 October 2021

This page provides specific information about Grid'5000 for Fed4FIRE users.

Current Status (June 2021)

The Grid'5000 Aggregate Manager (AM) is available through the jFed suite. This allows users to perform basic tasks using only Fed4FIRE-standard APIs.

Using Grid'5000 as a Fed4FIRE user

Users wanting to join Fed4FIRE should refer to Fed4FIRE's documentation.
Generally, users will want to create an account using Fed4FIRE's experimenter portal and download jFed-experimenter.

Within jFed experimenter, Grid'5000 resources can be found under physical nodes. Once the user has set a physical node in their topology, they can open the node configuration window to switch the node to Grid'5000.

Technical detail

  • Aggregate Manager
    • Address: am.grid5000.fr
    • Port: 443
    • Component managers:
      • urn:publicid:IDN+am.grid5000.fr+authority+am
      • urn:publicid:IDN+am.grid5000.fr:<site>+authority+am

Grid'5000 Accounts

Access to any Grid'5000 resources requires a Grid'5000 account.

Linking Fed4FIRE identity to existing Grid'5000 accounts

Grid'5000 users who already have an account can link it to their Fed4FIRE identity from their account management page:

  • go to the External identifiers and press the Add new identifier button,
  • select Fed4FIRE as External engine and your Fed4FIRE URN as External identifier.

The Fed4FIRE URN can be found in jFed tools once logged in (Preferences > User Details), or by parsing the Fed4FIRE user certificate using openssl. Please note that for preexisting Grid'5000 accounts the AM will not add new ssh keys to your account. Users should feel free to add their certificate key as an ssh key to their Grid'5000 account or add their ssh key to jFed experimenter.

Fed4FIRE Users

Fed4FIRE users without an existing Grid'5000 account, or who fail to link their existing Grid'5000 account, will have a new one created for them the first time they allocate resources. These new accounts are valid for two months. Three emails will inform you of your account's expiry:

  • one week before the account's expiry
  • on the day of the account's expiry
  • on the day the account is retired, 1 week after expiry

Extending a valid or expired Grid'5000 account, created automatically for a Fed4FIRE user

Users are welcome to request an account extension. To do so:

  1. Go to Grid'5000 password reset page to create a password for your account.
    Please note that (re)setting your password requires you to input the email associated with your account, which will be the one provided by the Fed4FIRE federation which is not always your institutional email.
  2. Login to the account management page.
  3. Complete your information:
    Use the Action buttons to Edit your Account and Affiliation
    - In the account section you will be asked to provide your name and, if you so wish, your institutional email address.
    - In the affiliation section you will be asked about your work and employer, as well as your intended usage for Grid'5000
  4. Request access by going to the Groups tab and using the Join a new group button.
    Join the misc group. In the motivation field please also indicate that you are a Fed4FIRE user.
    Users involved in a Fed4FIRE open call should join the fed4fire-opencalls group.
    Your request will be checked by the group manager based on your account and affiliation information, so fill them in correctly.
    Users whose research team already has a Grid'5000 group (e.g. French academic) should join it instead of misc.
    Requesting an extension within the fed4fire access group is not possible.

Do note that users do not need to request access to misc until they reach the end of their time in the fed4fire group. The misc group has lower access privileges than the fed4fire group.

Extending a closed account, created automatically for a Fed4FIRE user

Accounts that have been expired for more than one week are retired automatically.

Retired accounts can not be accessed from the account management interface and need to be reopened by Grid'5000 staff.

To reopen a closed account you will need to mail the support staff at support-staff @ lists.grid5000.fr.

Contact information

  • Fed4FIRE contact points for Grid'5000:
    • Lucas Nussbaum (lucas.nussbaum@loria.fr)
    • Luke Bertot (luke.bertot@inria.fr)
  • Grid'5000 support staff: see the Support page

FAQ

Platform Access

Grid'5000 Account Management

Grid'5000 keeps user accounts linked to your Fed4FIRE identity. These accounts are generated automatically, for a duration of 2 months, when you first attempt a node allocation. To access Grid'5000's account management interface you will first need to set a Grid'5000 password.

  • Resetting your password:
  • Accessing your account
    • Go to UMS
    • From here you can:
      • Add new ssh keys to your account.
      • Update your affiliation information
      • Request account extensions

Accessing your Grid'5000 homedirs

Grid'5000 provides home directories on every site of the testbed with ssh access. This access requires connecting through ssh gateways as described on this page.

jFed can not connect to nodes.

If the terminal opened by double-clicking on a running node in jFed fails to connect, first check whether the lack of connectivity is the result of a network failure (check https://www.grid5000.fr/status/ ).

jFed usually proxies SSH connections through an SSH bastion maintained by the federation. However, connections to Grid'5000 nodes must be proxied by access.grid5000.fr (see: SSH). Recent versions of jFed should prioritize proxies provided by testbeds over its default configuration. If not, you can disable ssh proxies by using the proxy button at the bottom right of the jFed experimenter window.

SSH keys

For accounts created through tools such as jFed, the ssh key of the account is by default derived from the user's federation certificate. To connect, users must provide the certificate to the ssh client as the identity file.

Users can add additional keys using the Grid'5000 account management interface. These keys will be used to connect to access gateways and nodes.

Adding your certificate key as SSH keys

By default jFed tools will try to connect to nodes using your user certificate key. For this reason the Grid'5000 AM will add this ssh key to all new accounts it creates, and will update your key every time your certificate changes. Users who use a pre-existing Grid'5000 account do not benefit from this feature by default, and can instead opt to add their usual ssh key to jFed.

Users wanting to use their certificate key with ssh can use `ssh-keygen -y -f <path/to/certificate>` to derive an ssh public key from their PEM certificate. Users wanting to benefit from the AM's automatic key update feature should append the comment `encoded by users-api-ror from rsa cert` at the end of their key line. The final result should look like: `ssh-rsa AAAAB3Nyc2EADAQzaC1ABAAAA[...]+sw== encoded by users-api-ror from rsa cert`
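The two certificate operations this page mentions, reading the Fed4FIRE URN with openssl and building the key line with the AM comment, as an added shell example that is not taken from the Grid'5000 documentation. Function names are illustrative, and it assumes the URN is carried as a URI entry in the certificate's Subject Alternative Name.

```shell
#!/bin/sh
# Added example: read the Fed4FIRE URN and the SSH key line out of a jFed
# certificate file. Function names are illustrative.

# Comment string given on this page for the AM's automatic key update.
AM_COMMENT='encoded by users-api-ror from rsa cert'

# urn_from_cert_text: reads `openssl x509 -noout -text` output on stdin and
# prints the first urn:publicid:IDN URI. Assumption: the URN is stored as a
# URI entry of the certificate's Subject Alternative Name.
urn_from_cert_text() {
    sed -n 's/.*URI:\(urn:publicid:IDN+[^,[:space:]]*\).*/\1/p' | head -n 1
}

# am_key_line: reads `ssh-keygen -y` output on stdin, keeps the key type and
# base64 blob, and replaces any existing comment with AM_COMMENT.
am_key_line() {
    awk -v c="$AM_COMMENT" \
        'NR == 1 && NF >= 2 { print $1, $2, c; ok = 1 } END { exit !ok }'
}

# cert_urn FILE: URN of the certificate stored in the PEM file.
cert_urn() {
    openssl x509 -in "$1" -noout -text | urn_from_cert_text
}

# cert_key_line FILE: key line for the private key stored in the PEM file.
cert_key_line() {
    # ssh-keygen rejects private key files readable by group or others
    # (chmod 600 the file first); it prints the public half only.
    pub=$(ssh-keygen -y -f "$1") || return 1
    printf '%s\n' "$pub" | am_key_line
}
```

Only the printed public key line is pasted into the account management interface; the PEM file itself contains the private key and stays on your machine.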

Adding your ssh key to jFed

By default jFed tools will try to connect to nodes using your user certificate key. Users can, if they so wish, add another ssh key to try during ssh connections. SSH keys are added in the Preferences > SSH Authentication section.

However, at the time of writing jFed Experimenter does not recognize the latest openssh private key format, starting with -----BEGIN OPENSSH PRIVATE KEY-----. If you have such a key you can work around the problem by:

  1. making a copy of your private key
  2. using `ssh-keygen -p -m PEM -f </path/to/key/copy>`
    • the command will prompt you for a new password, you are free to reuse the same password or leave the field blank for no password
  3. the copy should now have the key in the PEM format, starting with -----BEGIN RSA PRIVATE KEY-----

The copy will now work with jFed.
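The workaround above as an added shell example (not part of the original page or of jFed): it converts a copy only, creates that copy readable by its owner only, and confirms the copy still holds the same key pair as the original. Function names and paths are illustrative.

```shell
#!/bin/sh
# Added example: build a PEM-format copy of an OpenSSH-format private key
# for jFed. Function names and paths are illustrative.

# key_format FILE: classify a private key file by its first line.
key_format() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----")     echo pem-rsa ;;
        "-----BEGIN EC PRIVATE KEY-----")      echo pem-ec ;;
        *)                                     echo unknown ;;
    esac
}

# public_part FILE: key type and base64 blob only (drops any comment).
public_part() {
    ssh-keygen -y -f "$1" | cut -d ' ' -f 1,2
}

# make_jfed_copy SRC DST [ssh-keygen options]
# Leaves SRC untouched. Extra options (for example -P/-N for unattended
# use) are passed on to ssh-keygen -p.
make_jfed_copy() {
    src=$1; dst=$2; shift 2
    [ "$(key_format "$src")" = openssh ] ||
        { echo "$src: not an OpenSSH-format key" >&2; return 1; }
    [ ! -e "$dst" ] ||
        { echo "$dst: exists, refusing to overwrite" >&2; return 1; }
    # The copy holds a private key: create it readable by the owner only.
    ( umask 077 && cp "$src" "$dst" ) || return 1
    # Rewrites DST in place. An empty new passphrase leaves it unencrypted.
    ssh-keygen -p -m PEM -f "$dst" "$@" >&2 || return 1
    # If the key was not rewritten with a PEM header known here, fail.
    case "$(key_format "$dst")" in
        pem-*) ;;
        *) echo "$dst: not in the expected PEM format" >&2
           rm -f "$dst"; return 1 ;;
    esac
    # The copy must carry the same key pair as the original.
    orig_pub=$(public_part "$src")
    [ -n "$orig_pub" ] && [ "$orig_pub" = "$(public_part "$dst")" ] ||
        { rm -f "$dst"; return 1; }
}
```

Called as `make_jfed_copy ~/.ssh/id_rsa ~/.ssh/id_rsa.jfed.pem`, it prompts for the passphrases exactly as the manual command does. Passphrase protection in the legacy PEM format uses a weaker key derivation than the OpenSSH format, so keep the original file for everyday ssh use.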

Experiment limits

Limits for the duration of an experiment?

If experiment means project, there is no limit. Accounts are created with a short-term expiration date (one month or two months depending on the process used for account creation) but can be extended at will.

If experiment means resources reservation, the limits are described in the Grid'5000 Usage Policy. The philosophy behind the Usage Policy is that users should be able to find some resources to prepare experiments during the day, and then reserve resources in advance to do large-scale experiments during nights and week-ends. So the effective limits are 10 hours during the day (9h-19h), 14 hours during nights (19h-9h), and 62 hours during week-ends (Friday 19h -> Monday 9h). Users are therefore strongly encouraged to automate the setup of their experiments (using scripts or tools such as Ansible). If an experiment requires a longer reservation, a special request can be made, as described in the Grid'5000 Usage Policy.

Unable to book unspecified nodes after initial two-month period?

If your manifest rspec does not indicate a specific node (using a `component_id`), a specific cluster (using a `hardware_type`), or a specific site (using a site-specific `component_manager_id`), the AM will provide a node out of Nancy's production queue. If you are not in a group authorized to access the production queue, you will not be able to allocate nodes without specifying at least a site.

Experiment sharing

Sharing one user account per experiment?

Even if several persons are going to collaborate on the same experiment, we strongly prefer that each person uses their own account, for traceability purposes. It is possible to share scripts etc. using standard Unix mechanisms (directory permissions), or using external Git services (which are accessible from Grid'5000 nodes).

Fed4FIRE experiment sharing and SSH key injection

It is possible to share experiments using the corresponding options in jFed. It is also possible to add SSH keys to nodes at provisioning time using the `geni_users` option. However, on Grid'5000 this comes with multiple caveats:

  • The new ssh keys are only installed on the provisioned node and not on the ssh access gateways. Only keys registered with your account beforehand can be used on the access gateway. Keys registered with your account are always loaded into provisioned nodes.
  • To grant access to other users they will need a Grid'5000 account to connect to the access gateway. Like with all other Fed4FIRE users this account can be created by connecting to the Aggregate Manager using the Allocate or Describe calls.
  • If you grant another user access to one of the nodes you have allocated, they will gain Read/Write access to your Grid'5000 homedir for the duration of the experiment.

Networking

Public IP Address for Grid'5000 nodes?

Grid'5000 nodes are on a private network. Interconnection to the Internet is achieved through a NAT, using a 10 Gbps link to RENATER (the French NREN).

We are in the process of:

  • Adding public IPv6 addresses to nodes
  • Adding a configurable firewall to allow reaching Grid'5000 nodes from the Internet using IPv6
  • Extending this to a set of IPv4 addresses (probably doing NAT from the public IPv4 address to the internal IPv4 addresses)

However, this is still work in progress.

Nodes in Vlans do not respond, are not configured

At this time the Grid'5000 AM cannot configure the network interfaces set in vlans. You need to connect to the node's control interface using ssh (jFed-Experimenter can do so automatically) and configure the interface in the vlan manually. The interface names are provided as part of the interface element's component_id.

Experiment fails with not enough Vlans?

The AM only makes use of global vlans to ensure connectivity. As such, a maximum of eight vlans will be available at best. If your experiment requires more, you will need to reserve and operate the site-restricted vlans using Grid'5000's native API or ssh access.

How to stitch a Grid'5000 VLAN to connect into an imec VLAN?

Prepare your experiment by building the Grid'5000 and imec parts of your experiment separately. The two can be put in a single topology or in two separate topologies to be allocated independently.

To link the two parts of the experiment you will need to set up two Dedicated Ext. Network Connection nodes. In the future, we will support automated cross-testbed stitching, but we are not quite there yet.

On the Grid'5000 side of the experiment
  • Pull a Dedicated Ext. Network Connection to your topology and connect it to the node or link you want to see stitched.
  • Open the configuration window for the Network Connection.
  • In the Select testbed drop-down menu select Grid'5000.
  • Refresh testbed information using the button opposite the Specific node: drop-down menu.
  • In the Specific node: drop-down menu you will be able to select the target external VLAN.
    • external-vlan-PARTNER-**** where PARTNER is the testbed on the other side of the stitch and **** the VLAN tag
    • the VLAN tag should match the one selected on the imec side
  • Save the Dedicated Ext. Network Connection configuration.


On the imec side of the experiment 
  • Pull a Dedicated Ext. Network Connection to your topology and connect it to the node or link you want to see stitched.
  • Open the configuration window for the Network Connection.
  • In the Select testbed drop-down menu select grid5000 vlan **** network edge - imec side.
    • where **** is the same VLAN tag as used on the Grid'5000 side of the experiment.
  • Save the Dedicated Ext. Network Connection configuration.

Do not trace a link between the two Dedicated Ext. Network Connection. Such "nodes" are implicitly linked to each other, and manually linking them will cause the experiment to fail.

Using personalized disk image.

Grid'5000 public images are advertised by the AM and available through the + button in the node configuration menu, in the public image drop-down menu. As described in Advanced Kadeploy and Environment_creation, users can deploy their own environment to Grid'5000 nodes. Although such environments are never listed in jFed-Experimenter, users can invoke them by setting the correct disk image.

  • To access your own environments recorded in kaenv3
    • Set the disk image field to urn:publicid:IDN+am.grid5000.fr+image+kadeploy3:ENVIRONMENT_NAME
    (by first selecting a Grid'5000 public image jFed will set the first part of the URN for you.)
  • To access environments created by other users
    • Set the disk image field to urn:publicid:IDN+am.grid5000.fr+image+kadeploy3:ENVIRONMENT_NAME@USER_LOGIN
    • Set the disk image name in the "Rspec Editor" tab, as the dialog box does not allow @'s in the Disk image field.
    • The environment must be made public by the other user
  • To deploy an environment from an environment file accessible via http or https
    • Set the disk image field to the url of your environment file, including the protocol prefix (http:// or https://)
Note

A local path for the tarball (no leading server://) will not work with the AM. If you want to use the AM, you may want to put your tarball in the public directory of your home and specify the path with HTTP (e.g. http://public.site.grid5000.fr/~username/mydebian11-x64-base.env)