Fed4FIRE: Difference between revisions
Revision as of 11:28, 10 December 2021
This page provides specific information about Grid'5000 for Fed4FIRE users.
Current Status (June 2021)
The Grid'5000 Aggregate Manager (AM) is available through the jFed suite. This allows users to perform basic tasks using only Fed4FIRE-standard APIs.
- The Grid'5000 Aggregate Manager (am.grid5000.fr) advertises Grid'5000 resources
- Fed4FIRE users can allocate and provision Grid'5000 resources from the Aggregate Manager, using the AMv3 API.
- New Grid'5000 accounts are automatically created by the AM for new users and are valid for 2 months, after which Fed4FIRE users will need to complete their account to regain access (see Extending a valid or expired account).
- Fed4FIRE users can log in to Grid'5000 frontends and to provisioned resources via SSH using their Fed4FIRE certificate as an SSH key.
- Nodes can be put in global vlans using links
- The main network interface remains in the default vlan for connection purposes
- The AM does not configure or start the network interfaces, just switches them into the selected vlan
- Network-level interconnection with other testbeds is possible using the `Dedicated Ext Network Connection` node in jFed-Experimenter
Using Grid'5000 as a Fed4FIRE user
Users wanting to join Fed4FIRE should refer to Fed4FIRE's documentation.
Generally users will want to create an account using Fed4FIRE's experimenter portal and download jFed-experimenter.
Within jFed experimenter, Grid'5000 resources can be found under physical nodes. Once the user has set a physical node in their topology, they can open the node configuration window to switch the node to Grid'5000.
Technical detail
- Aggregate Manager
  - Address: am.grid5000.fr
  - Port: 443
  - Component managers:
    - urn:publicid:IDN+am.grid5000.fr+authority+am
    - urn:publicid:IDN+am.grid5000.fr:<site>+authority+am
Grid'5000 Accounts
Access to any Grid'5000 resources requires a Grid'5000 account.
Linking Fed4FIRE identity to existing Grid'5000 accounts
Grid'5000 users who already have an account can link it to their Fed4FIRE identity from their account management page:
- go to the External identifiers and press the Add new identifier button,
- select Fed4FIRE as External engine and your Fed4FIRE URN as External identifier.
The Fed4FIRE URN can be found in jFed tools once logged in (Preferences > User Details), or by parsing the Fed4FIRE user certificate using openssl.
Please note that for preexisting Grid'5000 accounts the AM will not add new ssh keys to your account.
Users should feel free to add their certificate key as an ssh key to their Grid'5000 account or add their ssh key to jFed experimenter.
Fed4FIRE Users
Fed4FIRE users without an existing Grid'5000 account, or who fail to link their existing Grid'5000 account, will have a new one created for them the first time they allocate resources. These new accounts are valid for two months. Three emails will inform you of your account's expiry:
- one week before the account's expiry
- on the day of the account's expiry
- on the day the account is retired, 1 week after expiry
Extending a valid or expired Grid'5000 account, created automatically for a Fed4FIRE user
Users are welcome to request an account extension. To do so:
- Go to Grid'5000 password reset page to create a password for your account.
- Please note that (re)setting your password requires you to input the email associated with your account, which will be the one provided by the Fed4FIRE federation and is not always your institutional email.
- Login to the account management page.
- Complete your information:
  - Use the Action buttons to Edit your Account and Affiliation
    - In the account section you will be asked to provide your name and, if you so wish, your institutional email address.
    - In the affiliation section you will be asked about your work and employer, as well as your intended usage for Grid'5000
- Request access by going to the Groups tab and using the Join a new group button.
  - Join the `misc` group. In the motivation field please also indicate that you are a Fed4FIRE user.
  - Users involved in a Fed4FIRE opencalls should join the `fed4fire-opencalls`.
  - Your request will be checked by the group manager based on your account and affiliation information, so fill them in correctly.
  - Users whose research team already has a Grid'5000 group (e.g. French academic) should join it instead of `misc`.
  - Requesting an extension within the `fed4fire` access group is not possible.
Do note that users do not need to request access to `misc` until they reach the end of their time in the `fed4fire` group.
The `misc` group has lower access privileges than the `fed4fire` group.
Extending a closed account, created automatically for a Fed4FIRE user
Accounts that have been expired for more than one week are retired automatically.
Retired accounts cannot be accessed from the account management interface and need to be reopened by Grid'5000 staff.
To reopen a closed account you will need to mail the support staff at support-staff @ lists.grid5000.fr.
Contact information
- Fed4FIRE contact points for Grid'5000:
- Lucas Nussbaum (lucas.nussbaum@loria.fr)
- Baptiste Jonglez (baptiste.jonglez@inria.fr)
- Grid'5000 support staff: see the Support page
FAQ
Platform Access
Grid'5000 Account Management
Grid'5000 keeps user accounts linked to your Fed4FIRE identity. These accounts are automatically generated, for a duration of 2 months, when you first attempt a node allocation. To access Grid'5000's account management interface you will first need to set a Grid'5000 password.
- Resetting your password:
  - Go to Special:G5KChangePassword
  - You will need to use the email address included in the Fed4FIRE user certificate.
- Accessing your account
  - Go to UMS
  - From here you can:
    - Add new ssh keys to your account.
    - Update your affiliation information
    - Request account extensions
Accessing your Grid'5000 homedirs
Grid'5000 provides home directories on every site of the testbed with ssh access. This access requires connecting through ssh gateways as described on this page.
jFed can not connect to nodes.
If the terminal opened by double-clicking on a running node in jFed fails to connect, first check whether the lack of connectivity is the result of a network failure (check https://www.grid5000.fr/status/ ).
jFed usually proxies SSH connections through an SSH bastion maintained by the federation. However, connections to Grid'5000 nodes must be proxied by access.grid5000.fr (see: SSH). Recent versions of jFed should prioritize proxies provided by testbeds over its default configuration. If not, you can disable ssh proxies by using the proxy button at the bottom right of the jFed experimenter window.
SSH keys
For accounts created through tools such as jFed, the ssh key of the account is by default derived from the user's federation certificate. To connect, users must provide the certificate to the ssh client as the identity file.
Users can add additional keys using the Grid'5000 account management interface. These keys will be used to connect to access gateways and nodes.
Adding your certificate key as SSH keys
By default jFed tools will try to connect to nodes using your user certificate key. For this reason the Grid'5000 AM will add this ssh key to all new accounts it creates, and will update your key every time your certificate changes. Users who use a pre-existing Grid'5000 account do not benefit from this feature by default, and can instead opt to add their usual ssh key to jFed.
Users wanting to use their certificate key with ssh can use `ssh-keygen -y -f <path/to/certificate>` to derive an ssh public key from their PEM certificate.
Users wanting to benefit from the AM's automatic key update feature should append the `encoded by users-api-ror from rsa cert` comment at the end of their key line.
The final result should look like: `ssh-rsa AAAAB3Nyc2EADAQzaC1ABAAAA[...]+sw== encoded by users-api-ror from rsa cert`
Adding your ssh key to jFed
By default jFed tools will try to connect to nodes using your user certificate key. Users can, if they so wish, add another ssh key to try during ssh connections.
SSH keys are added in the Preference > SSH Authentication section.
However, at the time of writing jFed Experimenter does not recognize the latest openssh private key format, starting with `-----BEGIN OPENSSH PRIVATE KEY-----`.
If you have such a key you can work around the problem by:
- making a copy of your private key
- using `ssh-keygen -p -m PEM -f </path/to/key/copy>`
  - the command will prompt you for a new password, you are free to reuse the same password or leave the field blank for no password
  - the copy should now have the key in the PEM format, starting with `-----BEGIN RSA PRIVATE KEY-----`
The copy will now work with jFed.
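The two key procedures above (deriving the public key line that the AM keeps updated, and producing a PEM copy of an OpenSSH-format key for jFed), as an added shell example that is not part of the Grid'5000 documentation. The function names and the throwaway demo key are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not Grid'5000 code. Function names are hypothetical.

# Comment the page says to append for the AM's automatic key update.
AM_MARKER='encoded by users-api-ror from rsa cert'

# key_format FILE: print "openssh", "pem-rsa" or "other" from the header line.
key_format() {
    case "$(head -n 1 "$1")" in
        '-----BEGIN OPENSSH PRIVATE KEY-----') echo openssh ;;
        '-----BEGIN RSA PRIVATE KEY-----')     echo pem-rsa ;;
        *)                                     echo other ;;
    esac
}

# jfed_copy SRC DST [PASSPHRASE]: write a PEM copy of SRC to DST for jFed.
# SRC is never modified. Fails for key types with no PEM form (e.g. ed25519).
jfed_copy() {
    local src="$1" dst="$2" pass="${3:-}"
    # umask keeps the copy private (0600); it holds the same secret as SRC.
    ( umask 077; cp -- "$src" "$dst" ) || return 1
    if [ "$(key_format "$dst")" = openssh ]; then
        # -p rewrites DST in place, -m PEM selects the older format. The same
        # passphrase is kept; an empty one leaves the copy unencrypted on disk.
        ssh-keygen -p -m PEM -P "$pass" -N "$pass" -f "$dst" >/dev/null || return 1
    fi
    [ "$(key_format "$dst")" = pem-rsa ]
}

# am_key_line KEYFILE: public key line whose comment is the AM marker.
am_key_line() {
    local pub
    pub=$(ssh-keygen -y -f "$1") || return 1
    set -- $pub    # split into: type, base64 blob, optional old comment
    printf '%s %s %s\n' "$1" "$2" "$AM_MARKER"
}

# demo: run both steps on a throwaway RSA key (constructed input).
demo() {
    local d rc
    d=$(mktemp -d) || return 1
    ssh-keygen -q -t rsa -b 2048 -N '' -C demo -f "$d/id_rsa" \
        && jfed_copy "$d/id_rsa" "$d/id_rsa.jfed" \
        && am_key_line "$d/id_rsa.jfed"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Calling `demo` prints one `ssh-rsa ... encoded by users-api-ror from rsa cert` line; for a real key, pass its path to `jfed_copy` and `am_key_line` directly.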
Experiment limits
Limits for the duration of an experiment?
If experiment means project, there is no limit. Accounts are created with a short-term expiration date (one month or two months depending on the process used for account creation) but can be extended at will.
If experiment means resources reservation, the limits are described in the Grid'5000 Usage Policy. The philosophy behind the Usage Policy is that users should be able to find some resources to prepare experiments during the day, and then reserve resources in advance to do large-scale experiments during nights and week-ends. So the effective limits are 10 hours during the day (9h-19h), 14 hours during nights (19h-9h), and 62 hours during week-ends (Friday 19h -> Monday 9h). Users are therefore strongly encouraged to automate the setup of their experiments (using scripts or tools such as Ansible). If an experiment requires a longer reservation, a special request can be made, as described in the Grid'5000 Usage Policy.
Unable to book unspecified nodes after initial two month period ?
If your manifest rspec does not indicate a specific node (using a `component_id`), a specific cluster using a `hardware_type`, or a specific site (using a site specific `component_manager_id`), the AM will provide a node out of Nancy's production queue. If you are not in a group authorized to access the production queue you will not be able to allocate nodes without specifying at least a site.
Experiment sharing
Sharing one user account per experiment?
Even if several people are going to collaborate on the same experiment, we strongly prefer that each person uses their own account, for traceability purposes. It is possible to share scripts etc. using standard Unix mechanisms (directory permissions), or using an external Git service (which are accessible from Grid'5000 nodes).
Fed4FIRE experiment sharing and SSH key injection
It is possible to share experiments using the corresponding options in jFed. It is also possible to add SSH keys to nodes at provisioning time using the `geni_users` option. However, on Grid'5000 this comes with multiple caveats:
- The new ssh keys are only installed on the provisioned node and not on the ssh access gateways. Only keys registered with your account beforehand can be used on the access gateway. Keys registered with your account are always loaded into provisioned nodes.
- To grant access to other users they will need a Grid'5000 account to connect to the access gateway. Like with all other Fed4FIRE users this account can be created by connecting to the Aggregate Manager using the Allocate or Describe calls.
- If you grant another user access to one of the nodes you have allocated, they will gain Read/Write access to your Grid'5000 homedir for the duration of the experiment.
Networking
Public IP Address for Grid'5000 nodes?
Grid'5000 nodes are on a private network. Interconnection to the Internet is achieved through a NAT, using a 10 Gbps link to RENATER (the French NREN).
We are in the process of:
- Adding public IPv6 addresses to nodes
- Adding a configurable firewall to allow reaching Grid'5000 nodes from the Internet using IPv6
- Extending this to a set of IPv4 addresses (probably doing NAT from the public IPv4 address to the internal IPv4 addresses)
However, this is still work in progress.
Nodes in Vlans do not respond, are not configured
At this time the Grid'5000 AM cannot configure the network interfaces set in vlans. You need to connect to the node's control interface using ssh (jFed-Experimenter can do so automatically) and configure the interface in the vlan manually. The interface names are provided as part of the `interface` element's `component_id`.
Experiment fails with not enough Vlans ?
The AM only makes use of global vlans to ensure connectivity. As such, a maximum of eight vlans will be available at best. If your experiment requires more you will need to reserve and operate the site-restricted vlans using Grid'5000's native API or ssh access.
How to stitch a Grid'5000 VLAN to connect into an imec VLAN ?
Prepare your experiment by building the Grid'5000 and imec part of your experiment separately. The two can be put in a single topology or in two separated topologies to be allocated independently.
To link the two parts of the experiment you will need to set up two `Dedicated Ext. Network Connection` nodes. In the future, we will support automated cross-testbed stitching, but we are not quite there yet.
- On the Grid'5000 side of the experiment
  - Pull a `Dedicated Ext. Network Connection` to your topology and connect it to the node or link you want to see stitched.
  - Open the configuration window for the Network Connection.
  - In the Select testbed drop-down menu select `Grid'5000`.
  - Refresh testbed information using the button opposite the Specific node: drop-down menu.
  - In the Specific node: drop-down menu you will be able to select the target external VLAN, `external-vlan-PARTNER-****`, where PARTNER is the testbed on the other side of the stitch and **** the VLAN tag
    - the VLAN tag should match the one selected on the imec side
  - Save the `Dedicated Ext. Network Connection` configuration.
- On the imec side of the experiment
  - Pull a `Dedicated Ext. Network Connection` to your topology and connect it to the node or link you want to see stitched.
  - Open the configuration window for the Network Connection.
  - In the Select testbed drop-down menu select `grid5000 vlan **** network edge - imec side`.
    - where **** is the same VLAN tag as used on the Grid'5000 side of the experiment.
  - Save the `Dedicated Ext. Network Connection` configuration.
Do not trace a link between the two `Dedicated Ext. Network Connection` nodes. Such "nodes" are implicitly linked to each other, and manually linking them will cause the experiment to fail.
Using personalized disk image.
Grid'5000 public images are advertised by the AM and available through the `+` button in the node configuration menu in the public image drop-down menu.
As described in Advanced Kadeploy and Environment_creation, users can deploy their own environment to Grid'5000 nodes. Although such environments are never listed in jFed-Experimenter, users can invoke them by setting the correct disk image.
- To access your own environments recorded in kaenv3
  - Set the disk image field to `urn:publicid:IDN+am.grid5000.fr+image+kadeploy3:ENVIRONMENT_NAME`
    - (by first selecting a Grid'5000 public image jFed will set the first part of the URN for you.)
- To access environments created by other users
  - Set the disk image field to `urn:publicid:IDN+am.grid5000.fr+image+kadeploy3:ENVIRONMENT_NAME@USER_LOGIN`
  - Set the image disk name in the "Rspec Editor" tab, as the dialog box does not allow `@`'s in the Disk image field.
  - The environment must be made public by the other user
- To deploy an environment from an environment file accessible via http or https
  - Set the disk image field to the url of your environment file, including the protocol prefix (`http://` or `https://`)
Note | |
---|---|
A local path for the tarball (no leading |