Synopsis

Snellius and Lisa run a Unix-based operating system, which is text based. The main way to interact with these machines is therefore not through a graphical user interface, as is the case for Windows and MacOS operating systems, but through text-based commands entered in a terminal window.

In this section, you will learn how to connect to the HPC systems using SSH (Secure Shell Protocol), either via an SSH client (Windows) or via SSH in a terminal (MacOS and Linux). Then, we explain how you can log in to the systems without having to enter your password every time. Finally, you will learn how to transfer data between your own PC and the HPC systems.

If you have no experience with Unix or Linux, we suggest you read our Unix tutorial for HPC clusters. A more extensive tutorial can be found here. Note that some examples in the second tutorial (especially those about variables) are aimed at a different shell (csh) than the default shell used on Snellius and Lisa (bash), meaning that commands are slightly different.

Connecting to Snellius/Lisa

The connection to Snellius and Lisa is made using the SSH protocol, which encrypts all the data and passwords that are exchanged between your own PC and the HPC system. The way to connect depends on the type of local system that you use.

In all cases you access Snellius and Lisa through one of the login nodes. This is a set of publicly accessible nodes that you use as a stepping stone to work with the batch system and compute nodes.

Note: No long-running processes on login nodes

The login nodes are primarily meant for preparing and submitting jobs, checking on the status of your running jobs, and copying data to and from the HPC systems. The login nodes are not meant for running compute jobs, or even testing compute jobs! Such processes would hinder the other users of the login nodes. To aid in keeping the login nodes usable for all users there is an automatic cleanup active on the login nodes that will kill processes that take up too much CPU time and/or too much memory.

Windows

First, you need to install an SSH client. The most convenient application is MobaXterm, as it also includes options for transferring files using an SFTP (SSH File Transfer Protocol) file browser and redirecting the graphical output from the HPC system to your local PC - we'll get to those options later. Alternatively, you can use PuTTY (a very basic SSH client) in combination with a separate FTP client like FileZilla and a separate X server application like xming to redirect graphical output. If you want to redirect graphical output using PuTTY, you also need to check the option 'Enable X11 forwarding' under Windows => Category => Tunnels.

Here, we will assume that you use MobaXterm.

Start MobaXterm, go to Session => SSH and under remote host fill in

Code Block (Snellius)
snellius.surf.nl
Code Block (Lisa)
lisa.surfsara.nl

Fill in your username and click ok (leave the port at 22). Now, a terminal window will open.

When connecting to the system for the first time, SSH will ask you to verify the ED25519 or RSA key fingerprint (for Lisa, you can find the correct fingerprint here). Then, you will be asked for your password. Note that you will not see anything as you type your password, but the terminal does in fact register your keystrokes. If you have forgotten your password, have a look here for how to reset it.

Apple

Open the 'Terminal' application (using the launchpad or in Finder from Application => Utilities => Terminal). In that terminal window, type

Code Block (Snellius)
ssh <username>@snellius.surf.nl
Code Block (Lisa)
ssh <username>@lisa.surfsara.nl

When connecting to the system for the first time, SSH will ask you to verify the ED25519 or RSA key fingerprint. Then, you will be asked for your password. Note that you will not see anything as you type your password, but the terminal does in fact register your keystrokes.

To redirect any graphics output from the HPC system to your own system, you'll need an X-server like XQuartz. Download and install it. Then, log in to the HPC system using (note that X is capitalized)

Code Block (Snellius)
ssh -X <username>@snellius.surf.nl
Code Block (Lisa)
ssh -X <username>@lisa.surfsara.nl

Now, if you open a graphical window on Lisa, it will display on the screen of your own PC. You can test this by executing the command

Code Block
xeyes

on the HPC system, which should give you a window with two eyes following your mouse pointer. Note that you may need to enable 'allow connections from clients' in XQuartz (under Preferences → Security) and to set the local environment variable DISPLAY (export DISPLAY=:0).

Linux

Open a terminal window (for Ubuntu users: under Accessories - Terminal) and type

Code Block (Snellius)
ssh <username>@snellius.surf.nl
Code Block (Lisa)
ssh <username>@lisa.surfsara.nl

If the ssh command cannot be found, you need to install the ssh-client. For Ubuntu users:

Code Block
sudo apt-get install openssh-client

When connecting to the system for the first time, SSH will ask you to verify the ED25519 or RSA key fingerprint (for Lisa, you can find the correct fingerprint here). Then, you will be asked for your password. Note that you will not see anything as you type your password, but the terminal does in fact register your keystrokes. To redirect any graphics output from Lisa to your own system, you'll need an X-server like XQuartz. Download and install it. Then, log in to Lisa using (note that X is capitalized)
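
The first-connection fingerprint check that the Windows, Apple and Linux sections above ask for can be scripted as follows. This is an added example, not part of the original page: it derives the SHA256 fingerprint from one line of ssh-keyscan-style output and compares it with a fingerprint obtained from a trusted source. The key line and the function names are constructed for illustration, and GNU coreutils (base64, sha256sum, fold) are assumed.

```sh
#!/bin/sh
# Added example: derive and compare an OpenSSH SHA256 host-key fingerprint.
# The fingerprint is "SHA256:" followed by the unpadded base64 of the
# SHA-256 digest of the base64-decoded key blob.

# Constructed "host keytype blob" line (ssh-keyscan format); not a real host key.
SAMPLE_LINE='snellius.surf.nl ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEconstructedHOSTkeyFORdocumentation01'

# fingerprint_of_blob <base64-key-blob>  ->  prints SHA256:<fingerprint>
fingerprint_of_blob() {
    hex=$(printf '%s' "$1" | base64 -d | sha256sum | cut -d' ' -f1)
    # Turn the hex digest back into raw bytes using portable octal escapes,
    # then base64-encode those bytes and drop the '=' padding.
    raw_b64=$(printf '%s\n' "$hex" | fold -w2 | while read -r h; do
        printf '%b' "\\0$(printf '%03o' "0x$h")"
    done | base64 | tr -d '=\n')
    printf 'SHA256:%s\n' "$raw_b64"
}

# check_host_key <keyscan-line> <published-fingerprint>
# Returns 0 on match, 1 on mismatch, 2 if the line holds no usable key.
check_host_key() {
    keytype=$(printf '%s\n' "$1" | awk '{print $2}')
    blob=$(printf '%s\n' "$1" | awk '{print $3}')
    case "$keytype" in
        ssh-ed25519|ssh-rsa) ;;          # the key types this page mentions
        *) return 2 ;;
    esac
    [ -n "$blob" ] || return 2
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || return 2
    [ "$(fingerprint_of_blob "$blob")" = "$2" ]
}

# Demo: print the fingerprint of the constructed key.
fingerprint_of_blob "${SAMPLE_LINE##* }"
```

With OpenSSH installed, running ssh-keygen -lf on a file that holds the same line reports the same SHA256 value.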


LISA GPU nodes

The GPU nodes on Lisa have their own login node. Users who have access to the GPU partition can log in here directly by using the hostname

Code Block (Lisa)
login-gpu.lisa.surfsara.nl

Password-less login

You can use an RSA key-pair for logging in to a system without using a password. You will only need to enter a passphrase once during the first session. To set this up, you need to

  1. Generate a key-pair on your local machine.
  2. Copy the public key to the SURFsara SURFcua portal.
  3. Add the private key to the SSH agent, so you only need to add your passphrase once per session.


Generate Keys manually (Linux, Mac, Windows + WSL)


Generate key pair

First, open a terminal window on your local machine and issue the following command

Code Block
ssh-keygen -t ed25519

to generate a key-pair consisting of a private and a public key. You will be asked in which file you want to store the key; just press enter to use the default (that is, the private key will be stored in $HOME/.ssh/id_ed25519 and the public key in $HOME/.ssh/id_ed25519.pub). Then, you will be asked to choose a passphrase to keep the private key safe (the public key can safely be shared - in fact, you're meant to share it).

Copy the public key to SURFsara portal

To get the public key, type on your local machine 

Code Block
cat ~/.ssh/id_ed25519.pub

The key starts with ssh-rsa, then contains a long string of random characters, and ends with some identification of where it was created. Copy the whole key, i.e. starting with ssh-rsa and including the identification of where it was created. Now, log in on the SURFsara portal, go to 'Public ssh keys' and click 'add key'. Paste your public key in the SSH key field, and enter the password corresponding to your login in the CUA password field.

Add private key to local SSH agent

With the key in the SURFsara portal, the HPC system will authenticate you using the key-pair, rather than your password. However, now, your local PC will ask you for the passphrase every time you want to use the private key to authenticate. That doesn't help much - yet. To have password-less login, you have two options: either you don't enter a passphrase when generating the key-pair - not the safest solution - or you use the local SSH agent to store your passphrase for the duration of the login session on your workstation.

To add the key to the local SSH agent, open a new terminal on your local machine and type

Code Block
ssh-add ~/.ssh/id_ed25519

If you get an error “Could not open a connection to your authentication agent”, you may need to start the ssh-agent first (using eval `ssh-agent -s` for a bash shell or eval `ssh-agent -c` for a c-shell).

Finally, to make your life even easier, you can add the key to the SSH agent automatically, by adding

Code Block
Host *
    AddKeysToAgent yes

to the $HOME/.ssh/config file on your local machine.

Now, your local PC should only ask you for the passphrase once per session (i.e. until you logout of your local machine).

Generate key-pairs on the cluster

The use of key-pairs can also be applied on the cluster and will allow you to ssh to different nodes without the use of passwords. Besides, it is needed for some programs to work over multiple nodes. After you log in to the HPC system, use the

Code Block
ssh-keygen -t ed25519

command to generate a key-pair. You will be asked in which file you want to store the key; just press enter to use the default. Then, you will be asked to choose a passphrase. Because some programs use the key-pair while connecting to other nodes, do not enter a passphrase; keep it empty. After the generation is complete, change your working folder by typing

Code Block
cd ~/.ssh/

Next we need to copy the public key, type

Code Block
cat id_ed25519.pub

and copy the whole key, starting with ssh-ed25519 including the identification. Next we are going to add the public key to a file called authorized_keys. You can do this (for example using the text editor vi) by typing

Code Block
vi authorized_keys

then paste the key. Please confirm you have the whole key pasted. Press escape and then type

Code Block
:wq

and press enter. Note that you have to start with the colon (:) in the last command. You can check if authorized_keys saved correctly by typing

Code Block
cat authorized_keys
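
The cluster-side steps above can also be done without an editor. The following is an added example, not part of the original page: it appends the public key to authorized_keys only if it is not already there and sets owner-only permissions, because sshd's StrictModes setting (on by default) makes it ignore an authorized_keys file that other users can write to. The function names and the sample key are constructed for illustration.

```sh
#!/bin/sh
# Added example: append a public key to authorized_keys without an editor.

# install_pubkey <public-key-file> [ssh-dir]   (ssh-dir defaults to ~/.ssh)
# The body runs in a subshell so the umask change does not leak to the caller.
install_pubkey() (
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys
    umask 077                       # new files are private to the owner

    # Use the first line only and insist on "keytype base64-blob [comment]",
    # so a private key file can never end up in authorized_keys.
    key=$(head -n 1 "$pub") || exit 1
    case "$key" in
        "ssh-ed25519 AAAA"*|"ssh-rsa AAAA"*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; exit 1 ;;
    esac

    mkdir -p "$dir"
    touch "$auth"
    # Append only when this exact line is absent, so re-running is harmless.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"

    # Tighten modes even if the directory or file already existed.
    chmod 700 "$dir"
    chmod 600 "$auth"
)

# file_mode <path> -> the ten-character mode string from ls, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Demo in a throwaway directory with a constructed key (not a real one).
demo=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEconstructedUSERkeyFORdocumentation01 user@cluster' > "$demo/id_ed25519.pub"
install_pubkey "$demo/id_ed25519.pub" "$demo/.ssh"
file_mode "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```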

Generate Key Pair with MobaXterm (Windows)

MobaXterm has a very easy way for setting up connections using SSH keys. This is explained in this HOWTO: 

Creating an SSH key pair with MobaXterm in Windows

Transfer files between the HPC system and your PC

There are two ways to transfer files between the HPC systems and your PC:

  1. Via the terminal, using the scp command 
  2. Via a FTP file browser


Transferring files using the terminal (scp)

Scp works similarly to the copy (cp) command on Linux, except that it copies data between different machines. Scp uses the ssh protocol to ensure a safe transfer of the data. The following commands are all issued from a terminal on your local machine. For MobaXterm users: you can use the plus sign to open a new tab, in which a local terminal will open.

To copy a file sourcefile to the $HOME/destinationdir folder on the HPC systems, use

Code Block (Snellius)
scp sourcefile <username>@snellius.surf.nl:destinationdir
Code Block (Lisa)
scp sourcefile <username>@lisa.surfsara.nl:destinationdir

Alternatively, you can rename the file on the HPC system (it will overwrite the existing destinationfile if it exists) by issuing the command

Code Block (Snellius)
scp sourcefile <username>@snellius.surf.nl:destinationdir/destinationfile
Code Block (Lisa)
scp sourcefile <username>@lisa.surfsara.nl:destinationdir/destinationfile

To copy a complete directory, use the -r argument, e.g.

Code Block (Snellius)
scp -r sourcedir <username>@snellius.surf.nl:destinationdir
Code Block (Lisa)
scp -r sourcedir <username>@lisa.surfsara.nl:destinationdir

This will create the directory destinationdir/sourcedir on the HPC system and copy the contents of your local sourcedir to that new directory.

To copy from the HPC system to your local PC, simply reverse the order of arguments. For example, to copy the file sourcefile from the remote home directory to the local home directory (~), use

Code Block (Snellius)
scp -r <username>@snellius.surf.nl:sourcefile ~
Code Block (Lisa)
scp -r <username>@lisa.surfsara.nl:sourcefile ~

Other remote file-copying tools

  1. sftp
  2. rsync

Transferring files using a file browser

FTP file browsers are generally very similar to e.g. the Windows File Explorer and Finder in MacOS. In most FTP browsers, you can drag-and-drop files to copy files from your own PC to the HPC system, or vice versa. There is one difference with Windows File Explorer and Finder: folders are not automatically updated if their content is changed. So, if a file is added or removed (through a command in the terminal, or by one of your programs), this change does not show up in the FTP file browser until you refresh the folder.

Generally, FTP browsers support SFTP, i.e. the SSH File Transfer Protocol. Like scp, the use of the SFTP allows safe, encrypted transfer of data.

SFTP for MobaXterm users

MobaXterm has an integrated FTP file browser. Once you have logged in to the HPC system, you will see the file browser to the left of the terminal window, where it shows the contents of your home folder. You can browse through these folders, and drag-and-drop files and folders between this FTP file browser and the Windows File Explorer. Alternatively, you can use the download/upload buttons at the top of the FTP file browser window. A green refresh button is also located there to refresh the contents of the current folder. You can also open files in the FTP file browser to edit them directly. Upon saving, you'll be asked if you want to change these files on the HPC system.

Other SFTP browsers

There are a large number of free FTP browsers out there. Some examples are

  1. Filezilla (Windows, MacOS, Linux)
  2. Cyberduck (Windows, MacOS)
  3. WinSCP (Windows)
  4. gFTP (Linux)

Although you'll need to read the documentation on these specific FTP browsers to know how to use them, some aspects are generic. In each of these programs, you'll need

  • The name of the host you want to connect to: snellius.surf.nl or lisa.surfsara.nl
  • The protocol that should be used for connecting: SCP, SSH2, SFTP or similar
  • The port number: 22 (although many ftp browsers 'guess' this automatically)

Using SFTP browsers with 2-factor authentication

If 2-factor authentication is enabled for your login, you should make sure that your SFTP client allows you to input your OTP token when connecting. Generally, that means

  • you don't want your SFTP client to store your password
  • you'll probably want your SFTP client configured in such a way to limit the number of connections to 1, in order to prevent it from asking your OTP token multiple times

The way to set this differs per client, but for example in FileZilla you can set the 'Logon Type' to 'Interactive' and in the 'Transfer settings' tab tick 'Limit number of simultaneous connections' (and set it to 1). Other clients probably offer similar options, but please refer to the manual of your client.

Transferring data to and from the archive

On Snellius, it is recommended to use the staging partition to copy large datasets from or to the Data Archive. For example, to stage a file from archive to the scratch filesystem, you can either invoke srun directly

Code Block
srun -t 1:00:00 -p staging cp -r /archive/<<< your username >>>/<<< file >>> /scratch-shared/<<< your username >>>/

or submit a slurm job with the following parameters:

Code Block (bash)
#!/bin/bash
#SBATCH --ntasks=1
#SBATCH --partition=staging  
#SBATCH --time=01:00:00       # estimated runtime

Please note that only 1/4 node per job is allowed on the staging partition. It is also possible to use dmftar for optimal and archiving on nodes of the staging partition.