From ALICE Documentation
- 1 Best Practices
- 2 Getting a user account for ALICE
- 3 Acceptable use policy
- 4 Login to ALICE from Linux
Know when you are on a login node. You can use your Linux prompt or the command
hostname. This will tell you the name of the login node that you are currently on. Note that the ssh gateway host itself is a secure portal from the outside and serves no compute function.
- Appropriate activities on the login nodes:
- Compile code, Developing applications,
- Defining and submitting your job,
- Post-processing and managing data,
- Monitoring running applications.
- Change your user password.
- Avoid computationally intensive activity on the login nodes.
- Don't run research applications. Use an interactive session if running a job is not appropriate.
- Don't launch too many simultaneous processes. While it is fine to compile on a login node, avoid using all of the resources. For example "make -j 14" will use half of the cores.
- That script you run to monitor job status several times a second should probably run every few minutes.
- I/O activity can slow the login node for everyone, like multiple copies or "ls -l" on directories with 000's of files.
- Hyperthreading is turned off. Running multiple threads per core is generally not productive. MKL is an exception to that if it is relevant to you.
Getting a user account for ALICE
To get a user account on ALICE, mail a request to email@example.com (mail request) and provide the following information
- your name
- your ULCN or LUMC account name
- your university or institute e-mail address.
- What do you plan to do on ALICE (1 or 2 sentences are sufficient)?
- Do you plan to process sensitive data (related to persons) or other data that must be treated confidentially?
At ALICE, we will create local ALICE accounts with the same account name.
If you are a student, we need confirmation from your supervisor that you require access to ALICE.
Once we have created your account, you will receive an e-mail from firstname.lastname@example.org providing you with an initial password to log in
IMPORTANT: Make sure to change the password in our e-mail when you log in to ALICE for the first time. You can use the command
passwd for this.
IMPORTANT: Please read the section on Acceptable Use before requesting an account.
Acceptable use policy
Compliance with University policy
Users of ALICE must comply with all University ICT policies, including Acceptable Use of Computers.
ALICE represents a unique resource for the research community. The computers have special characteristics that are not found, or are of limited availability, on other central computers. Characteristics include parallel processing, large memory, and a Linux operating system. The allocation of High Performance Computing (HPC) resources requires close supervision by those charged with management of these resources.
The login nodes can be used for small, short interactive jobs and for submitting batch jobs, but are not meant for running compute jobs.
Data Storage Policy
ALICE does not provide support for any type of controlled data. No controlled data (GDPR, HIPAA, EAR, FERPA, PII, CUI, ITAR, etc.) can be analysed or stored on any HPC storage. Users must not transfer sensitive data (data related to people) to ALICE. Data must be anonymized before it can be transferred to ALICE. In case you are unsure about the contents/classification of the data, please contact the helpdesk.
ALICE is not a datamanagement system where research data can be stored for longer periods of time. All data that is transferred to ALICE must be copies of data. Users must make sure that data that is transferred to ALICE remains available somewhere else. All data with value that is generated on ALICE must be moved off ALICE as soon as this is possible after the job completed.
Data in the user’s home directory is backed up (see Backup & Restore). The home directory is intended to store scripts, software, executables etc, but is not meant to store large or temporary data sets.
Login to ALICE from Linux
SSH Gateway and login nodes
ALICE has its own ssh gateway which you have to go through first. You can only use to tunnel through to the actual login nodes. The gateway is named:
Important: For security reasons, the gateway allows only three consecutive login attempts from the current IP. If you enter the wrong login credentials three times, the IP that you used to connect to the gateway will be blocked for one hour. You will have to wait until the hour has passed before you can try to login again. If you do not remember your password, please contact the ALICE Helpdesk.
The login nodes are named:
login1.alice.universiteitleiden.nl (10.161.0.12) login2.alice.universiteitleiden.nl (10.162.0.13)
Setup ssh connection
Here, we describe how you can configure your ssh connection to connect to ALICE in the easiest possible way. We will use a feature called
ProxyJump in OpenSSH which is available in OpenSSH versions 7.3 and higher. If you have an older version of OpenSSH please have a look at SSH tunneling for older versions of OpenSSH. You can find out the version of OpenSSH by typing
ssh -V in your terminal.
In your Linux system open ~/.ssh/config in your favourite text editor (or create the file if it does not exist). Then add for instance
Host hpc1 HostName login1.alice.universiteitleiden.nl User <USERNAME> ProxyJump <USERNAME>@ssh-gw.alice.universiteitleiden.nl:22 ServerAliveInterval 60 Host hpc2 HostName login2.alice.universiteitleiden.nl User <USERNAME> ProxyJump <USERNAME>@ssh-gw.alice.universiteitleiden.nl:22 ServerAliveInterval 60
(Replace <USERNAME> by your own ULCN account name.)
Add monitoring tools
If you want to look at the monitoring tools that are running on the management node too, you could add additional tunnelling commands to the config for a specific host. Do not add tunnels to all definitions as they may produce conflicts when you use the same tunnel twice. So add the tunnel commands, for instance, to one host like:
Host hpc1tunnel HostName login1.alice.universiteitleiden.nl User <USERNAME> ProxyJump <USERNAME>@ssh-gw.alice.universiteitleiden.nl:22 ServerAliveInterval 60 LocalForward 8081 management.alice.universiteitleiden.nl:8081 LocalForward 8080 management.alice.universiteitleiden.nl:443
SSH tunneling for older versions of OpenSSH
Alternatively, if your OpenSSH server isn't that recent (version 7.2 or earlier) and doesn't recognize the ProxyJump alias, try this:
Host hpc1 HostName login1.alice.universiteitleiden.nl User <USERNAME> ProxyCommand ssh -X <USERNAME>@ssh-gw.alice.universiteitleiden.nl -W %h:%p
Adding X11 fowarding
You can even set your ssh connection to automatic X11 forwarding by adding the following setting:
Direct login to login nodes
If you completed the above steps you should be able to login to one of the login nodes by simply typing this:
You will be asked to provide your ALICE user password twice (not your ULCN or LUMC password), once for the ssh gateway and once of the login node. If you do this for the first time, you will also be asked to confirm the identity of the ssh gateway and the login node.
Password-less login using SSH keys
If you do not wish to enter you password everytime you login you can use ssh keys. If you have not yet used ssh keys before, please have a look at this page: Public key authentication from Linux
If you have an ssh key, you need to deposite it first on the ssh gateway and then on the login node. You can use
ssh-copy-id to copy your public key from your local machine to the ssh gateway, e.g.,
ssh-copy-id -i ~/.ssh/id_rsa.pub <USERNAME>@ssh-gw.alice.universiteitleiden.nl
(use your ALICE password for this). This will put your public key in ~/.ssh/authorized_keys on the ssh gateway. Then login to the ssh gateway (
ssh <USERNAME>@ssh-gw.alice.universiteitleiden.nl) to test it. If it works log out again and use ssh-copy-id to deposite the key on a login node using the ssh tunnel defined above.
ssh-copy-id -i ~/.ssh/id_rsa.pub hpc1
This will put your public key in
~/.ssh/authorized_keys in your HOME directory on the login node. Verify that this step has worked by logging in to the login node (
ssh hpc1). It is sufficient to do this for only one login node. You will also be able to login to the other login node without entering your password now.
If all was setup correctly, you should be logged in to one of the login nodes without typing your password.
Accessing monitoring tools
Having set up the ssh tunneling required to access the monitoring tools on the cluster you are now able to access port 443 (general secure web server on the management node) and port 8081 (specific port in use by the Bright Cluster Manager monitoring tools).
So in a browser, you could type:
to gain access to the management main web server, or you could type:
to gain access to the Bright Cluster Manager User Portal.