ComputingLogin

From Mu2eWiki
Revision as of 23:21, 3 February 2017 by Rlc (talk | contribs)
Jump to navigation Jump to search

Introduction

Fermilab maintains several machines for interactive login by Mu2e members. The full suite of Mu2e software and development tools is deployed on these machines. Mu2e members may compile, link and run Mu2e code on these machines and they may also submit grid jobs. This web page describes how to log in to these machines.

Machines

The interactive login nodes come in two groups:

  • mu2evm.fnal.gov This is a pool of virtual machines within the General Purpose Computing Farm (GPCF), the main interactive computing facility for use by the Intensity Frontier experiments. They run SL6 linux. If you login to mu2evm you will be assigned to one of the machines in the pool, currently mu2egpvm01 through 05. You can also ssh directly to one of these nodes.
  • detsim.fnal.gov This is a 32-core machine with no OS virtualization. The home disk and the scratch disk on this machine are different from those seen by the GPCF machines. Otherwise, this machine is identical to the GPCF machines, in particular they also see the mu2e bluearc disks. Currently (early 2017) this machine is still at SL5, which is obsolete and we do not support the code on this platform.

You can only log in to the above nodes if you have a Fermilab computer account. The only permitted access method is kerberized ssh.

Logging in from Linux or Mac's

From a Unix or Mac system you need to issue the following commands to log into one of the Fermilab interactive machines:

> kinit -l 6d -f
> ssh -AKX -l your_kerberos_principal mu2egpvm01.fnal.gov

The -f argument to kinit requests a forwardable kerberos ticket; this means that when you are logged in to your target machine you can request services that ask for kerberos authentication. Otherwise you just have permission to get into the machine, not to get further authorization once there. The -AK argument to ssh requests ssh to forward your forwardable ticket. The X argument might or might not be necessary: see the next section.

If your username on your desktop/laptop is he same as your kerberos principal, you may omit the "-l your_kerberos_principal".


Note on Mac's

  • 9/2015 - Users switching from OSX 10.9.5 to OSX 10.10.5 have noticed that their ticket lifetime defaults to 10h instead of the 26h that is standard at the lab. The solution is to update krb5.conf. At this time, this official source was not up-to-date, so the working conf file had to be downloaded directly from the authentication experts.
  • 1/2017: Problems logging into lab Linux machines from Sierra: the lab's official answer
  • Allowing remote nodes to Open a Window on your Linux or Mac Laptop or Desktop
  • Mac OS X users can acquire the X.Org X Window System disk image at xquartz.org.
  • If you use Scientific Linux Fermi (SLF) it is normally configured so that when you use ssh on your laptop to log in to a remote node ( like detsim or one of the GPCF nodes), software running on that remote node is permitted to open a new window on your laptop display. If this does not work, add the -X or -Y options to your ssh command:
> ssh -X -AK -l your_kerberos_principal detsim.fnal.gov
  • On some very old versions of MAC OS you must run ssh from within an XTerm. If you run it from within a Terminal it will not be possible to have windows from the remote machine appear on your display.
  • kerberos ticket lifetimes on a Mac. As a linux system, a Mac may have keberos installed. You will probably need to download a custom krb5.conf.

ssh on Very Old MAC's

There were some issues related to older MACs running MAC OS X with a version earlier than Leopard. Since Snow Leopard all of these issues are resolved. Follow this link to find an explanation of how to access Fermilab machines using Macs running OS X Panther or earlier.

If you have and Apple Mac that is still running a version of OS X that is earlier than Leopard ( ie Tiger or Panther ), then there are some tricks to login in to the Fermilab machines.

The first is that some of these MACs require you to use an XTerm instead of a Terminal; if you log in using a Terminal then the Fermilab machine will not be able to open windows that appear on your laptop.

The second issue is that the version of kerberos that comes with the older Mac OS X version is not compatible with the version of kerberos installed on the detsim and FNALU nodes. The solution is to install a second version of ssh on your Mac. This installs as scp3a and ssh3a, so it does not overwrite the native ssh.

Installation packages for both Panther and Tiger are available:

http://home.fnal.gov/~mzs/fnalssh103.dmg
http://home.fnal.gov/~mzs/fnalssh104.dmg

fnalssh103.dmg is for OS X 10.3 and fnalssh104.dmg is for OS X 10.4. I believe, but am not 100% sure, that neither Leopard nor Snow Leopard require this fix.

Just use ssh3a, scp3a, and sftp3a instead of ssh, scp, and sftp after installation to connect to hosts running older versions of sshd.

It's all explained in the README file that comes with the downloads. This is probably enough for most people.

Additional information is available at the Mac section of the FNAL strong authentication site.

Logging in From PC's

Fermilab does not officially support logging in to one of the Mu2e interactive nodes from a PC. We are trying to change this. Your options are:

  • The current recommended option is to use puTTy. CMS doc
  • One recommended option is to install cyqwin , which provides a Linux-like environment for Windows. You can install kerberized ssh in this environment. Consult with the Service Desk to learn how to configure ssh to work correctly.
  • The service desk may recommend Reflection software. You can run terminals on a remote linux host and display the terminal and other xwindows on your PC, and use ftp to move files.
  • You can install SLF as a guest virtual OS hosted by your Windows machine.
  • Purchase and install WRQ, which is X-Windows software that runs on PCs; configure it to do kerberized ssh. The Service Desk may be able to help with this configuration because they support WRQ but only for Fermilab employees. You need to pay for WRQ and non-employees are not covered by the Fermilab license.
  • You can configure your machine for dual boot and install both Linux and Windows. Boot to Linux when you wish to log in to Fermilab. This is very inconvenient if you need to switch from one OS to the other frequently.