CRC Access to Shared Computing Resources



Introduction

Direct logins to our Shared Computing Resources from off-campus are prohibited. To log in to these systems from off-campus, there are currently three methods, described below.


SSH physically on campus

Rice faculty, staff, and students may log in to our Shared Computing Resources from off-campus with SSH if they have SSH login access to another system on campus which allows off-campus access. This might be an office desktop system or a department server. If this is the case, then log in to one of those systems with SSH first. Once you obtain a command line prompt on this host, use SSH to log in to the Shared Computing Resource. Thus it will be a two-step process to log in to these systems, as follows:

  1. SSH login to anyhost.rice.edu where anyhost.rice.edu is the hostname of the system you are logging in to.
  2. From anyhost.rice.edu, SSH login to the Shared Compute Resource (such as nots.rice.edu, po.rice.edu, etc.)

    Substitute the host name of the campus system you are logging in to in place of anyhost.rice.edu.

If you don't have access to a campus resource that can connect to our Shared Computing Resources, you may use our SSH gateway.

  1. SSH login to gw.crc.rice.edu.
  2. From gw.crc.rice.edu, SSH login to the Shared Compute Resource (such as nots.rice.edu, po.rice.edu, etc.)

SSH with VPN

Rice faculty, staff, students, and Visitors/Guests may log in to Shared Computing Resources from off-campus with SSH by connecting to the Rice network with VPN. VPN (Virtual Private Network) essentially makes the off-campus computer appear as if it were on the Rice network. In order to obtain a VPN account and software, please visit the Rice VPN web site. Thus it will be a two-step process to log in to these systems:

  1. Connect to the Rice network with VPN using the off-campus computer. Help with that here
  2. SSH login to the Shared Computing Resource (such as nots.rice.edu, etc.).

 

VPN Software

If you are a Visitor/Guest, by default you won't have access to Rice Box. You may be able to use the Microsoft, Apple, iOS, or Android stores to download the AnyConnect client and use that instead.

SSH off-campus without VPN

People who have accounts on the Shared Computing Systems will likely have SSH or VPN access to the Rice network. For all users with valid cluster logins, we automatically create an SSH Gateway account that will provide the same capability as the "SSH Only" section above. Using this account will mean that logging in to these systems will be a two-step process:

  1. SSH login to gw.crc.rice.edu from off-campus.
  2. SSH login to the Shared Computing Resource (such as po.rice.edu, nots.rice.edu, etc.) from gw.crc.rice.edu

 

Policies regarding Quotas, Data Transfers, and Out Bound Connections

For the latest information on the SSH Gateway access policy:

SSH Access In Bound Only

In order to log in to the SSH Gateway, use SSH to log in to the host gw.crc.rice.edu. Once there, you can use SSH to log in to any of the shared computing resources. It will be a two-step process to log in to a shared computing resource:

1.  SSH login to gw.crc.rice.edu from off-campus.

2.  SSH login to the shared computing resources (such as NOTS, PO, ORION) from gw.crc.rice.edu.

Once you are logged into the gateway, you will not be able to use SSH to log in to any system other than a shared computing resource. SSH access is restricted to inbound connections to the gateway. Outbound connections from the SSH Gateway to systems other than the shared computing resources are not allowed. For example, you cannot log in to an off-campus system from the gateway.

Data Transfers and Quotas

All accounts on the gateway have a quota of 250MB enforced on home directories. We no longer recommend staging data on the gateway; transfer it through the gateway instead.


How to Transfer Files from Off-Campus

We highly recommend using our Data Transfer Nodes (DTN) to transfer data to and from the clusters and RDF.

Additionally, to transfer files from a Linux or Unix machine to the Shared Computing Resources, you can use the scp command. If you are using a VPN connection, then scp will work exactly as described in our SSH FAQ as if you were on campus.

If you are not using VPN and are using an intermediate Rice host or the SSH Gateway as described earlier, then transferring files to these systems involves an SSH ProxyJump step:

SSH ProxyJump scp
scp -o 'ProxyJump netID@gw.crc.rice.edu' FILENAME netID@anyhost.rice.edu:/DESTINATION/

Note about scp and gw

If you are using the SSH Gateway for the file transfer process, your home directory on the SSH Gateway has a 250MB quota. We no longer recommend staging your data on the SSH Gateway and then copying it to the destination cluster, because with ProxyJump this is no longer appropriate.

We recommend using appropriately secured SSH keys to eliminate password entry as part of this workflow.


For the more experienced user:

Alternative method for transferring data through gateway

Create an SSH tunnel

The advanced method for file transfers will include the use of an ssh tunnel, an encrypted communication channel that will allow network protocols (in this case ssh/scp) to travel seamlessly between two end points over a secure channel. In order to set up and use an ssh tunnel, follow these steps:

Step 1: Open an SSH tunnel

In a terminal window on your workstation, open an ssh tunnel to the login node of the cluster that you are trying to copy data to, for example davinci.rice.edu if you are trying to transfer data to DAVinCI. Set up the tunnel exactly as shown here, substituting the cluster hostname in place of hostname.rice.edu:

 

[username@workstation ~]$ ssh -L 2222:hostname.rice.edu:22 username@gw.crc.rice.edu
[username@gw ~]$

 

You will be prompted for your password on gw.crc.rice.edu. With successful login, you will have an ssh tunnel connected to the cluster identified by hostname.rice.edu. You will also have a command prompt on gw.crc.rice.edu.

Step 2: Copy data through the tunnel

Leave the above terminal window open with the ssh tunnel established. Open a new terminal on your workstation and execute these commands:


scp -o NoHostAuthenticationForLocalhost=yes \
-P 2222 filename(s) username@localhost:/shared.scratch/username

When prompted for a password, enter your cluster password.

In this example, username is your cluster username. This command copies your files to port 2222 on your workstation, which is the local end of the ssh tunnel to gw.crc.rice.edu, which is in turn connected to the cluster defined by hostname.rice.edu in the first step above. With a single scp command, the files are copied from your workstation to the cluster through the SSH Gateway via this tunnel.
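An added example, not part of the original CRC page: an OpenSSH client configuration (~/.ssh/config) covering both the ProxyJump transfer and the manual tunnel described above. The aliases crc-gw, nots and nots-tunnel, the key file name, and the use of netID as the login name on both hosts are assumptions.

```sshconfig
# Added example (~/.ssh/config). Aliases and the key path are assumptions;
# replace netID with your own login name.

# The SSH Gateway itself.
Host crc-gw
    HostName gw.crc.rice.edu
    User netID
    IdentityFile ~/.ssh/id_ed25519_crc
    IdentitiesOnly yes
    ForwardAgent no

# One-step login and copy through the gateway:
#   ssh nots
#   scp FILENAME nots:/DESTINATION/
# With ProxyJump the SSH session to the cluster runs end to end from the
# workstation, so the private key stays on the workstation and agent
# forwarding to the gateway is not needed.
Host nots
    HostName nots.rice.edu
    User netID
    ProxyJump crc-gw
    IdentityFile ~/.ssh/id_ed25519_crc
    IdentitiesOnly yes
    ForwardAgent no

# For the manual tunnel (ssh -L 2222:nots.rice.edu:22 crc-gw):
#   scp FILENAME nots-tunnel:/DESTINATION/
# HostKeyAlias makes ssh check the key presented on localhost:2222 against
# the known_hosts entry for the cluster, so host key verification stays on
# instead of being skipped with NoHostAuthenticationForLocalhost=yes.
Host nots-tunnel
    HostName localhost
    Port 2222
    User netID
    HostKeyAlias nots.rice.edu
    IdentityFile ~/.ssh/id_ed25519_crc
    IdentitiesOnly yes
```

Keep the configuration file and the private key readable only by your own account, and protect the key with a passphrase.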

 

More Information about SSH

For general instructions on how to use SSH, please see our CRC SSH FAQ.





Keywords: CRC Access to Shared Computing Resources
Doc ID: 108238
Owner: Joseph G.
Group: Rice University
Created: 2021-01-11 10:36 CST
Updated: 2021-02-26 09:08 CST
Sites: Rice University