SSH tunnelling: Difference between revisions
No edit summary |
(Marked this version for translation) |
||
| Line 2: | Line 2: | ||
<translate> | <translate> | ||
=What is SSH tunneling?= | =What is SSH tunneling?= <!--T:1--> | ||
<!--T:2--> | |||
SSH tunnelling is a method to use a gateway computer to connect two | SSH tunnelling is a method to use a gateway computer to connect two | ||
computers that cannot connect directly. | computers that cannot connect directly. | ||
<!--T:3--> | |||
In the context of Compute Canada, SSH tunneling is necessary in certain cases, | In the context of Compute Canada, SSH tunneling is necessary in certain cases, | ||
because compute nodes on [[Niagara]] and [[Graham]] do not have direct access to | because compute nodes on [[Niagara]] and [[Graham]] do not have direct access to | ||
the internet, nor can the compute nodes be contacted directly from the internet. | the internet, nor can the compute nodes be contacted directly from the internet. | ||
<!--T:4--> | |||
The following use cases require SSH tunnels: | The following use cases require SSH tunnels: | ||
<!--T:5--> | |||
# Running commercial software on a compute node that needs to contact a license server over the internet. | # Running commercial software on a compute node that needs to contact a license server over the internet. | ||
# Running [[Visualization|visualization software]] on a compute node that needs to be contacted by client software on a user's local computer. | # Running [[Visualization|visualization software]] on a compute node that needs to be contacted by client software on a user's local computer. | ||
| Line 18: | Line 22: | ||
# Connecting to cedar database server from somewhere other than cedar head node, e.g., your desktop | # Connecting to cedar database server from somewhere other than cedar head node, e.g., your desktop | ||
<!--T:6--> | |||
In the first case, the license server is situated outside of | In the first case, the license server is situated outside of | ||
the compute cluster and is rarely under a user's control, whereas | the compute cluster and is rarely under a user's control, whereas | ||
| Line 24: | Line 29: | ||
consider these two kind of cases separately. | consider these two kind of cases separately. | ||
= Contacting a license server from a compute node = | = Contacting a license server from a compute node = <!--T:7--> | ||
<!--T:8--> | |||
{{Panel | {{Panel | ||
|title=What's a port? | |title=What's a port? | ||
| Line 37: | Line 43: | ||
}} | }} | ||
<!--T:9--> | |||
Certain commercially-licensed programs must connect to a license server machine | Certain commercially-licensed programs must connect to a license server machine | ||
somewhere on the internet via a predetermined port. If the compute node where | somewhere on the internet via a predetermined port. If the compute node where | ||
| Line 44: | Line 51: | ||
an ''SSH tunnel''. Such an arrangement is also called ''port forwarding''. | an ''SSH tunnel''. Such an arrangement is also called ''port forwarding''. | ||
<!--T:10--> | |||
In most cases, creating an SSH tunnel in a batch job requires just two or | In most cases, creating an SSH tunnel in a batch job requires just two or | ||
three commands in your job script. You will need the following information: | three commands in your job script. You will need the following information: | ||
<!--T:11--> | |||
# The IP address, or the name, of the license server. Let's call this LICSERVER. | # The IP address, or the name, of the license server. Let's call this LICSERVER. | ||
# The port number of the license service. Let's call this LICPORT. | # The port number of the license service. Let's call this LICPORT. | ||
<!--T:12--> | |||
You should obtain this information from whoever maintains the license server. | You should obtain this information from whoever maintains the license server. | ||
That server also must allow connections from the login nodes; for | That server also must allow connections from the login nodes; for | ||
Niagara, the outgoing IP address will either be 142.150.188.131 or 142.150.188.132. | Niagara, the outgoing IP address will either be 142.150.188.131 or 142.150.188.132. | ||
<!--T:13--> | |||
With this information, one can now setup the SSH tunnel. For | With this information, one can now setup the SSH tunnel. For | ||
Graham, an alternative resolution is to request a firewall exception | Graham, an alternative resolution is to request a firewall exception | ||
for the license server LICSERVER and its specific port LICPORT. | for the license server LICSERVER and its specific port LICPORT. | ||
<!--T:14--> | |||
The gateway server on Niagara will be called nia-gw, but for now, use nia-dm1 or nia-dm2. On Graham, you need | The gateway server on Niagara will be called nia-gw, but for now, use nia-dm1 or nia-dm2. On Graham, you need | ||
to pick one of the login nodes (gra-login1, 2, ...). Let us call the | to pick one of the login nodes (gra-login1, 2, ...). Let us call the | ||
| Line 63: | Line 75: | ||
compute node to use. Let's call the latter COMPUTEPORT. | compute node to use. Let's call the latter COMPUTEPORT. | ||
<!--T:15--> | |||
The ssh command to issue in the job script is then: | The ssh command to issue in the job script is then: | ||
<!--T:16--> | |||
<source lang="bash"> | <source lang="bash"> | ||
ssh GATEWAY -L COMPUTEPORT:LICSERVER:LICPORT -n -N -f | ssh GATEWAY -L COMPUTEPORT:LICSERVER:LICPORT -n -N -f | ||
</source> | </source> | ||
<!--T:17--> | |||
In this command, the string following the -L parameter specifies the port forwarding information, the parameter -n prevents ssh to read input (it couldn't in a compute job anyway), the | In this command, the string following the -L parameter specifies the port forwarding information, the parameter -n prevents ssh to read input (it couldn't in a compute job anyway), the | ||
parameter -N tells ssh not to open a shell on the GATEWAY, and the | parameter -N tells ssh not to open a shell on the GATEWAY, and the | ||
| Line 74: | Line 89: | ||
script to proceed past this ssh command. | script to proceed past this ssh command. | ||
<!--T:18--> | |||
A further command to add to the job script should tell the software | A further command to add to the job script should tell the software | ||
that the license server is on port COMPUTEPORT on the server | that the license server is on port COMPUTEPORT on the server | ||
| Line 83: | Line 99: | ||
the job script like | the job script like | ||
<!--T:19--> | |||
<source lang="bash"> | <source lang="bash"> | ||
export MLM_LICENSE_FILE=COMPUTEPORT@localhost | export MLM_LICENSE_FILE=COMPUTEPORT@localhost | ||
</source> | </source> | ||
== Example job script== | == Example job script== <!--T:20--> | ||
<!--T:21--> | |||
The following job script sets up an ssh tunnel to contact a | The following job script sets up an ssh tunnel to contact a | ||
license server licenseserver.institution.ca at port 9999: | license server licenseserver.institution.ca at port 9999: | ||
<!--T:22--> | |||
<source lang="bash"> | <source lang="bash"> | ||
#!/bin/bash | #!/bin/bash | ||
| Line 98: | Line 117: | ||
#SBATCH --time 3:00:00 | #SBATCH --time 3:00:00 | ||
<!--T:23--> | |||
ssh nia-dm1 -L 9999:licenseserver.institution.ca:9999 -N -f | ssh nia-dm1 -L 9999:licenseserver.institution.ca:9999 -N -f | ||
export MLM_LICENSE_FILE=9999@localhost | export MLM_LICENSE_FILE=9999@localhost | ||
<!--T:24--> | |||
module load thesoftware/2.0 | module load thesoftware/2.0 | ||
mpirun thesoftware ..... | mpirun thesoftware ..... | ||
</source> | </source> | ||
= Contacting a visualization, Jupyterhub, database or other server running on compute node= | = Contacting a visualization, Jupyterhub, database or other server running on compute node= <!--T:25--> | ||
<!--T:26--> | |||
SSH tunnelling can also be used in the context of Compute Canada to allow a user's computer to connect to a compute node on a cluster through an encrypted tunnel that is routed via the login node of this cluster. This technique allows graphical output of applications like a [[Jupyter | Jupyter notebook]] or [[Visualization|visualization software]] to be displayed transparently on the user's local workstation even while they are running on a compute node of a cluster. In case of connecting to a database server where the connection is possible though the head node only the SSH tunneling can be used to move an arbitrary port number of a compute network to head node of a cluster and bind it to the database server. | SSH tunnelling can also be used in the context of Compute Canada to allow a user's computer to connect to a compute node on a cluster through an encrypted tunnel that is routed via the login node of this cluster. This technique allows graphical output of applications like a [[Jupyter | Jupyter notebook]] or [[Visualization|visualization software]] to be displayed transparently on the user's local workstation even while they are running on a compute node of a cluster. In case of connecting to a database server where the connection is possible though the head node only the SSH tunneling can be used to move an arbitrary port number of a compute network to head node of a cluster and bind it to the database server. | ||
== Example for a job == | == Example for a job == <!--T:27--> | ||
<pre> | <pre> | ||
# License | # License | ||
| Line 115: | Line 137: | ||
export CDLMD_LICENSE_FILE=1999@localhost | export CDLMD_LICENSE_FILE=1999@localhost | ||
<!--T:28--> | |||
# Start the SSH tunnel | # Start the SSH tunnel | ||
ssh -n -N -L 1999:flex.cd-adapco.com:1999 gra-login1 & | ssh -n -N -L 1999:flex.cd-adapco.com:1999 gra-login1 & | ||
| Line 121: | Line 144: | ||
SSH2=$! | SSH2=$! | ||
<!--T:29--> | |||
# Launch the code | # Launch the code | ||
<whatever> | <whatever> | ||
<!--T:30--> | |||
# Stop the SSH tunnel | # Stop the SSH tunnel | ||
kill -9 $SSH1 | kill -9 $SSH1 | ||
| Line 129: | Line 154: | ||
</pre> | </pre> | ||
<!--T:31--> | |||
There is NAT on both Graham and Cedar allowing users to access the Internet from the compute nodes. On Graham, however, access is blocked by default at the firewall. A user (or an analyst) would need to submit submit a request to have a specific port/IP open. | There is NAT on both Graham and Cedar allowing users to access the Internet from the compute nodes. On Graham, however, access is blocked by default at the firewall. A user (or an analyst) would need to submit submit a request to have a specific port/IP open. | ||
== From Linux or MacOS X == | == From Linux or MacOS X == <!--T:32--> | ||
<!--T:33--> | |||
On a Linux or MacOS X system, we recommend using the [https://sshuttle.readthedocs.io sshuttle] Python package. | On a Linux or MacOS X system, we recommend using the [https://sshuttle.readthedocs.io sshuttle] Python package. | ||
<!--T:34--> | |||
On your computer, open a new terminal window and run the following sshuttle command to create the tunnel. | On your computer, open a new terminal window and run the following sshuttle command to create the tunnel. | ||
<!--T:35--> | |||
{{Command | {{Command | ||
|prompt=[name@my_computer $] | |prompt=[name@my_computer $] | ||
|sshuttle --dns -Nr userid@machine_name}} | |sshuttle --dns -Nr userid@machine_name}} | ||
<!--T:36--> | |||
Then, copy and paste the provided URL into your browser. In the above example, this would be | Then, copy and paste the provided URL into your browser. In the above example, this would be | ||
<pre> | <pre> | ||
| Line 146: | Line 176: | ||
</pre> | </pre> | ||
== From Windows == | == From Windows == <!--T:37--> | ||
<!--T:38--> | |||
An SSH tunnel can be created from Windows using [https://docs.computecanada.ca/wiki/Connecting_with_MobaXTerm MobaXTerm] as follows. | An SSH tunnel can be created from Windows using [https://docs.computecanada.ca/wiki/Connecting_with_MobaXTerm MobaXTerm] as follows. | ||
<!--T:39--> | |||
Open two sessions in MobaXTerm. | Open two sessions in MobaXTerm. | ||
<!--T:40--> | |||
*Session 1 should be a connection to a cluster. Follow the instructions in section ''Starting Jupyter Notebook''. | *Session 1 should be a connection to a cluster. Follow the instructions in section ''Starting Jupyter Notebook''. | ||
<!--T:41--> | |||
*Session 2 should be a local terminal in which we will set up the SSH tunnel. Run the following command, substituting the node name from the URL you received in Session 1. Follow the instructions in section ''Starting Jupyter Notebook''. | *Session 2 should be a local terminal in which we will set up the SSH tunnel. Run the following command, substituting the node name from the URL you received in Session 1. Follow the instructions in section ''Starting Jupyter Notebook''. | ||
<!--T:42--> | |||
{{Command | {{Command | ||
|prompt=[name@my_computer ]$ | |prompt=[name@my_computer ]$ | ||
| ssh -L 8888:cdr544.int.cedar.computecanada.ca:8888 someuser@cedar.computecanada.ca}} | | ssh -L 8888:cdr544.int.cedar.computecanada.ca:8888 someuser@cedar.computecanada.ca}} | ||
<!--T:43--> | |||
This command performs local port forwarding (-L). It forwards local port 8888 to <code>cdr544.int.cedar.computecanada.ca:8888</code>, which is the host name given when Jupyter Notebook was started. | This command performs local port forwarding (-L). It forwards local port 8888 to <code>cdr544.int.cedar.computecanada.ca:8888</code>, which is the host name given when Jupyter Notebook was started. | ||
<!--T:44--> | |||
Open your browser and go to | Open your browser and go to | ||
<pre> | <pre> | ||
| Line 167: | Line 204: | ||
</pre> | </pre> | ||
<!--T:45--> | |||
Replace the token in this example with the one given to you in Session 1. You can also type <code>http://localhost:8888</code> and there will be a prompt asking you for the token, which you can then copy and paste. | Replace the token in this example with the one given to you in Session 1. You can also type <code>http://localhost:8888</code> and there will be a prompt asking you for the token, which you can then copy and paste. | ||
== Example for connecting to a database server on cedar from your desktop == | == Example for connecting to a database server on cedar from your desktop == <!--T:46--> | ||
<!--T:47--> | |||
Commands to connect to PostgreSQL and MySQL respectively are: | Commands to connect to PostgreSQL and MySQL respectively are: | ||
<pre> | <pre> | ||
| Line 177: | Line 216: | ||
</pre> | </pre> | ||
<!--T:48--> | |||
These commands move your localhost:PORT to cedar.computecanada.ca:PORT and bind it with cedar-pgsql-vm.int.cedar.computecanada.ca:5432. "someuser" in this example is your username on computecanada. By running one of these commands you will be connected to cedar (like any other ssh connection). The only difference between this connection and an ordinary ssh connection is that you can now use another terminal to connect to the database server directly from your desktop. Here are commands for PostgreSQL and MySQL connection respectively: | These commands move your localhost:PORT to cedar.computecanada.ca:PORT and bind it with cedar-pgsql-vm.int.cedar.computecanada.ca:5432. "someuser" in this example is your username on computecanada. By running one of these commands you will be connected to cedar (like any other ssh connection). The only difference between this connection and an ordinary ssh connection is that you can now use another terminal to connect to the database server directly from your desktop. Here are commands for PostgreSQL and MySQL connection respectively: | ||
<!--T:49--> | |||
<pre> | <pre> | ||
psql -h 127.0.0.1 -P PORT -U <your username> -W | psql -h 127.0.0.1 -P PORT -U <your username> -W | ||
| Line 184: | Line 225: | ||
</pre> | </pre> | ||
<!--T:50--> | |||
The connection requires a password for both MySQL and PostgreSQL. However, for PostgreSQL the password is your computecanada password and for MySQL the password is stored in your ".my.cnf" located in your home directory on cedar. The connections will remain open as long as your have the ssh connection. In this example "PORT" is an arbitrary number and it should be opened in firewall of cedar head node. So, please before running this command send a request to support@computecanada.ca and we will assign a port number for you. | The connection requires a password for both MySQL and PostgreSQL. However, for PostgreSQL the password is your computecanada password and for MySQL the password is stored in your ".my.cnf" located in your home directory on cedar. The connections will remain open as long as your have the ssh connection. In this example "PORT" is an arbitrary number and it should be opened in firewall of cedar head node. So, please before running this command send a request to support@computecanada.ca and we will assign a port number for you. | ||
</translate> | </translate> | ||
Revision as of 17:18, 8 May 2018
What is SSH tunneling?
SSH tunnelling is a method to use a gateway computer to connect two computers that cannot connect directly.
In the context of Compute Canada, SSH tunneling is necessary in certain cases, because compute nodes on Niagara and Graham do not have direct access to the internet, nor can the compute nodes be contacted directly from the internet.
The following use cases require SSH tunnels:
- Running commercial software on a compute node that needs to contact a license server over the internet.
- Running visualization software on a compute node that needs to be contacted by client software on a user's local computer.
- Running a Jupyter notebook on a compute node that needs to be contacted by the web browser on a user's local computer.
- Connecting to cedar database server from somewhere other than cedar head node, e.g., your desktop
In the first case, the license server is situated outside of the compute cluster and is rarely under a user's control, whereas in the other cases, the server is on the compute node but the challenge is to connect to it from the outside. We will therefore consider these two kind of cases separately.
Contacting a license server from a compute node
A port is a number used to distinguish different streams of communication from one another. You can think of it as loosely analogous to a radio frequency or a channel. Many port numbers are reserved, by rule or by convention, for certain types of traffic. See List of TCP and UDP port numbers for more.
Certain commercially-licensed programs must connect to a license server machine somewhere on the internet via a predetermined port. If the compute node where the program is running has no access to the internet, then a gateway server which does have access must be used to forward communications, on that port, from the compute node to the license server. To enable this one must set up an SSH tunnel. Such an arrangement is also called port forwarding.
In most cases, creating an SSH tunnel in a batch job requires just two or three commands in your job script. You will need the following information:
- The IP address, or the name, of the license server. Let's call this LICSERVER.
- The port number of the license service. Let's call this LICPORT.
You should obtain this information from whoever maintains the license server. That server also must allow connections from the login nodes; for Niagara, the outgoing IP address will either be 142.150.188.131 or 142.150.188.132.
With this information, one can now setup the SSH tunnel. For Graham, an alternative resolution is to request a firewall exception for the license server LICSERVER and its specific port LICPORT.
The gateway server on Niagara will be called nia-gw, but for now, use nia-dm1 or nia-dm2. On Graham, you need to pick one of the login nodes (gra-login1, 2, ...). Let us call the gateway node GATEWAY. You also need to choose the port number on the compute node to use. Let's call the latter COMPUTEPORT.
The ssh command to issue in the job script is then:
ssh GATEWAY -L COMPUTEPORT:LICSERVER:LICPORT -n -N -f
In this command, the string following the -L parameter specifies the port forwarding information, the parameter -n prevents ssh to read input (it couldn't in a compute job anyway), the parameter -N tells ssh not to open a shell on the GATEWAY, and the parameter -f tells ssh to run in the background, allowing the job script to proceed past this ssh command.
A further command to add to the job script should tell the software that the license server is on port COMPUTEPORT on the server 'localhost'. Here, 'localhost' is not a placeholder, rather, it is the literal name to use - 'localhost' is a standard hostname pseudonym by which a computer can refer to itself. Exactly how to informl your software to use this port on 'localhost' will depend on the specific application and the type of license server, but often it is simply a matter of setting an environment variable in the job script like
export MLM_LICENSE_FILE=COMPUTEPORT@localhost
Example job script
The following job script sets up an ssh tunnel to contact a license server licenseserver.institution.ca at port 9999:
#!/bin/bash
#SBATCH --nodes 1
#SBATCH --ntasks 40
#SBATCH --time 3:00:00
ssh nia-dm1 -L 9999:licenseserver.institution.ca:9999 -N -f
export MLM_LICENSE_FILE=9999@localhost
module load thesoftware/2.0
mpirun thesoftware .....
Contacting a visualization, Jupyterhub, database or other server running on compute node
SSH tunnelling can also be used in the context of Compute Canada to allow a user's computer to connect to a compute node on a cluster through an encrypted tunnel that is routed via the login node of this cluster. This technique allows graphical output of applications like a Jupyter notebook or visualization software to be displayed transparently on the user's local workstation even while they are running on a compute node of a cluster. In case of connecting to a database server where the connection is possible though the head node only the SSH tunneling can be used to move an arbitrary port number of a compute network to head node of a cluster and bind it to the database server.
Example for a job
# License export LM_PROJECT= export CDLMD_LICENSE_FILE=1999@localhost # Start the SSH tunnel ssh -n -N -L 1999:flex.cd-adapco.com:1999 gra-login1 & SSH1=$! ssh -n -N -L 2099:flex.cd-adapco.com:2099 gra-login1 & SSH2=$! # Launch the code <whatever> # Stop the SSH tunnel kill -9 $SSH1 kill -9 $SSH2
There is NAT on both Graham and Cedar allowing users to access the Internet from the compute nodes. On Graham, however, access is blocked by default at the firewall. A user (or an analyst) would need to submit submit a request to have a specific port/IP open.
From Linux or MacOS X
On a Linux or MacOS X system, we recommend using the sshuttle Python package.
On your computer, open a new terminal window and run the following sshuttle command to create the tunnel.
[name@my_computer $] sshuttle --dns -Nr userid@machine_name
Then, copy and paste the provided URL into your browser. In the above example, this would be
http://cdr544.int.cedar.computecanada.ca:8888/?token=7ed7059fad64446f837567e32af8d20efa72e72476eb72ca
From Windows
An SSH tunnel can be created from Windows using MobaXTerm as follows.
Open two sessions in MobaXTerm.
- Session 1 should be a connection to a cluster. Follow the instructions in section Starting Jupyter Notebook.
- Session 2 should be a local terminal in which we will set up the SSH tunnel. Run the following command, substituting the node name from the URL you received in Session 1. Follow the instructions in section Starting Jupyter Notebook.
[name@my_computer ]$ ssh -L 8888:cdr544.int.cedar.computecanada.ca:8888 someuser@cedar.computecanada.ca
This command performs local port forwarding (-L). It forwards local port 8888 to cdr544.int.cedar.computecanada.ca:8888, which is the host name given when Jupyter Notebook was started.
Open your browser and go to
http://localhost:8888/?token=7ed7059fad64446f837567e32af8d20efa72e72476eb72ca
Replace the token in this example with the one given to you in Session 1. You can also type http://localhost:8888 and there will be a prompt asking you for the token, which you can then copy and paste.
Example for connecting to a database server on cedar from your desktop
Commands to connect to PostgreSQL and MySQL respectively are:
ssh -2 -L 127.0.0.1:PORT:cedar-pgsql-vm.int.cedar.computecanada.ca:5432 someuser@cedar.computecanada.ca ssh -2 -L 127.0.0.1:PORT:cedar-mysql-vm.int.cedar.computecanada.ca:3306 someuser@cedar.computecanada.ca
These commands move your localhost:PORT to cedar.computecanada.ca:PORT and bind it with cedar-pgsql-vm.int.cedar.computecanada.ca:5432. "someuser" in this example is your username on computecanada. By running one of these commands you will be connected to cedar (like any other ssh connection). The only difference between this connection and an ordinary ssh connection is that you can now use another terminal to connect to the database server directly from your desktop. Here are commands for PostgreSQL and MySQL connection respectively:
psql -h 127.0.0.1 -P PORT -U <your username> -W mysql -h 127.0.0.1 -P PORT -u <your username> -p
The connection requires a password for both MySQL and PostgreSQL. However, for PostgreSQL the password is your computecanada password and for MySQL the password is stored in your ".my.cnf" located in your home directory on cedar. The connections will remain open as long as your have the ssh connection. In this example "PORT" is an arbitrary number and it should be opened in firewall of cedar head node. So, please before running this command send a request to support@computecanada.ca and we will assign a port number for you.