Accessing a task through SSH

‍

Secure Shell (SSH) keys are a pair of cryptographic keys used to authenticate a user on remote systems securely. They enhance security by eliminating the need for password-based logins, making unauthorized access more challenging. This tutorial will guide you through the process of creating and using SSH keys on both Windows and Linux systems, with a focus on using PuTTY for Windows users.

Using it on Qarnot can enable you to log in a running instance and use it as a worker.

Prerequisites

Before we begin, ensure you have the following:

• For Windows Users:
  • PuTTY and PuTTYgen installed. You can download them from the official PuTTY website.
• For Linux Users:
  • Access to the terminal with ssh-keygen installed (commonly pre-installed on most distributions).

Generating SSH Keys

Generating SSH Keys on Linux

‍Open the Terminal‍

• Locate and open the terminal application on your Linux system‍

‍Generate the SSH Key Pair: Type the following command and press Enter:‍

• Run ssh-keygen -t ed25519
  
  • -t ed25519 specifies the ed25519 algorithm.
• When prompted with:
  
  • Enter file in which to save the key (/home/yourusername/.ssh/id_rsa):
    
    • Press Enter to accept the default location or specify a different path if desired.
  • Set a Passphrase
    
    • You'll be prompted to enter a passphrase:
    • Enter passphrase (empty for no passphrase):
      
      • It's recommended to set a passphrase for added security. Type your passphrase and press Enter. You'll need to confirm it by typing it again.‍
• Completion - Upon success, you'll see a message similar to:
  
  • Your identification has been saved in /home/yourusername/.ssh/id_rsa
  • Your public key has been saved in /home/yourusername/.ssh/id_rsa.pub

Generating SSH Keys on Windows Using PuTTY

‍Install PuTTY and PuTTYgen:

• Download and install the PuTTY package from the official website. Ensure both PuTTY and PuTTYgen are installed.‍

Open PuTTYgen:

• Locate and open puttygen.exe.‍

Configure Key Parameters:

• In the PuTTY Key Generator window:
  
  • Ensurersa (you can alos use EdDSA) is selected.
  • Set the number of bits to2048

‍

‍Generate the Key:

• Click the "Generate" button.
  
• Move your mouse randomly within the window to provide entropy until the progress bar completes.

‍

‍Save the Keys:

• Once generated:‍
  
  • Private Key: Click "Save private key". Choose a secure location and save the file with a.ppk extension.‍
  • Public Key: Select and copy the text in the "Public key for pasting into OpenSSH authorized_keys file" box. Save this text to a file namedid_rsa.pub or similar.‍

Set a Passphrase:

• For added security, set a passphrase when saving the private key (this is optional).

Connecting to your Cluster

After generating your SSH keys, you can connect to your cloud HPC cluster to manage your simulation.

Using a simulation software (Ansys Fluent, Star-CCM+...) profile

‍During the simulation set up‍

• To use SSH, you must select a SSH-compatible profile. Those will often have the explicit “ssh” mention in their name.
• Provide the public key in the designated field of the form (generally DOCKER_SSH )
  
  • Note: the public key should look like “ssh-rsa AAAABBBBEEEE333EZEZ ….

‍

‍Get the SSH Command:

• Once your simulation is running, navigate to the SSH quick access tab in the monitoring features. (be carreful it may require some times before the ssh information connexion is displaed)

• Copy the provided SSH command, which will be in the following format:
  
  • ssh -p {port number} root@forward01.qarnot.net
• The{port number}will be automatically filled with your simulation’s exposed port.

Execute the SSH Command:

• ‍Using linux or windows terminal‍
  
  • Open your terminal and run the copied SSH command.
  • This will establish a secure connection to your cluster, granting you root access.‍
  • Verify Your Connection:
    
    • Once connected, you should see a prompt indicating you are now inside your cluster environment.
    • You can now manage your simulations, execute commands, and perform system configurations as needed.‍
• Using Putty‍
  
  • Open putty.exe or PuTTY in your windows start menu.
  • Enterroot@forward01.qarnot.net (or root@forward02.qarnot.net) in the Host Name field.
  • Enter the {port number} in the Port field.
    
  • (Optional) save your session information. Connect to your ssh session.
  • Go to Connection>SSH>Auth and click “Allow agent forwarding".
  • Go to Connection>SSH>Auth>Credentials and “Browse” to your private_key.ppk file.
  • Click Open to start the session and work on you Qarnot cluster.

Using a Docker Profile

In addition to using docker-network-ssh profile, you must:

• Fill in the constant DOCKER_SSH with your ssh public key (which is typically ~/.ssh/id_rsa.pub, see help for Linux, Windows and macOS). This will be used to authenticate you without needing a password.
• Retrieve the forwarder host and the forward port that are linked to your instance. The sample below shows how to do it. You can also get it from Tasq in the JSON tab.
• At its start, every instance must add your public key (stored in DOCKER_SSH) in the authorized keys file and start the ssh daemon.

Here is a basic example. The following script will print the ssh command that you should run to connect to the instance. You can also run it automatically into a sub-process.

Python

#!/usr/bin/env python

import qarnot

conn = qarnot.Connection(client_token = '<<<MY_SECRET_TOKEN>>>')
task = conn.create_task('ssh-example', 'docker-network-ssh')

task.constants['DOCKER_SSH'] = '<<<MY_SSH_PUBLIC_KEY>>>'

task.constants['DOCKER_CMD'] = "/bin/bash -c 'mkdir -p ~/.ssh /run/sshd ;" \
                               "echo \"${DOCKER_SSH}\" >> ~/.ssh/authorized_keys ;" \
                               "/usr/sbin/sshd -D'"
task.submit()

last_state = ''
ssh_tunneling_done = False
while not ssh_tunneling_done:
    if task.state != last_state:
        last_state = task.state
        print("** {}".format(last_state))

    # Wait for the task to be FullyExecuting
    if task.state == 'FullyExecuting':
        # If the ssh connexion was not done yet and the list active_forward is available (len!=0)
        forward_list = task.status.running_instances_info.per_running_instance_info[0].active_forward
        if not ssh_tunneling_done and len(forward_list) != 0:
            ssh_forward_port = forward_list[0].forwarder_port
            ssh_forward_host = forward_list[0].forwarder_host
            cmd = f"ssh -o StrictHostKeyChecking=no root@{ssh_forward_host} -p {ssh_forward_port}"
            print(cmd)
            ssh_tunneling_done = True

    # Display errors on failure
    if task.state == 'Failure':
        print("** Errors: %s" % task.errors[0])
        ssh_tunneling_done = True

‍

Bash

#Note that you have to install the jq JSON processor package installed in order to run the script.

export QARNOT_CLIENT_TOKEN = "<<<QARNOT_CLIENT_TOKEN>>>"

TASK_UUID=$(./qarnot task create \
  --profile docker-network-ssh \
  --name "Hello World - CLI" \
  --instance 1 \
  --constants DOCKER_SSH='YOUR_SSH_KEY' \
  --constants DOCKER_CMD="/bin/bash -c 'mkdir -p ~/.ssh /run/sshd ; echo ${DOCKER_SSH} >> ~/.ssh/authorized_keys ;/usr/sbin/sshd -D'" \
  --format JSON | tee /dev/tty | jq -r '.Task')

LAST_STATE=$(qarnot task info --id "$TASK_UUID" | jq -r .[].State)
SSH_TUNNELING_DONE='False'

while [ "$SSH_TUNNELING_DONE" != "True" ]
do
	NEW_STATE=$(qarnot task info --id "$TASK_UUID" | jq -r .[].State)
	sleep 15
    
    if [ "$NEW_STATE" != "$LAST_STATE" ]
        then
        echo "Task state: $NEW_STATE"
        LAST_STATE="$NEW_STATE"
        sleep 120
	fi
     # Wait for the task to be FullyExecuting
    if [ "$NEW_STATE" == "FullyExecuting" ]
        then
        # If the ssh connexion was not done yet and the list active_forward is available (len!=0)
		sleep 10
		FORWARD_LIST=$(qarnot task info --id "$TASK_UUID" | qarnot task info --id "$TASK_UUID" | jq '.[].Status.RunningInstancesInfo.PerRunningInstanceInfo | .[].ActiveForwards')

		if [ "$SSH_TUNNELING_DONE" != "True" ] && [ "$FORWARD_LIST" != "[]" ]
        then
            	ssh_forward_port=$(qarnot task info --id "$TASK_UUID" | jq '.[].Status.RunningInstancesInfo.PerRunningInstanceInfo | .[].ActiveForwards | .[].ForwarderPort')
            	ssh_forward_host=$(qarnot task info --id "$TASK_UUID" | jq '.[].Status.RunningInstancesInfo.PerRunningInstanceInfo | .[].ActiveForwards | .[].ForwarderHost')
            	CMD="ssh -o StrictHostKeyChecking=no root@$ssh_forward_host -p $ssh_forward_port"

	            echo $CMD

	            SSH_TUNNELING_DONE="True"
		fi
	fi

    # Display errors on failure
	if [ "$NEW_STATE" == "Failure" ]
    then
        echo "** Errors **"
        SSH_TUNNELING_DONE='True'
	fi 
done

‍

Don't forget to delete the instance when you are done. Otherwise, you will be invoiced for time that you did not spend on computing. To do so, use Tasq or the SDK functions task.abort or task.delete

Bringing your own image

If you want to use your own image, make sure to install the openssh-server package and to create the /run/sshd folder.

In addition, if you want to ssh as a user that is not root make sure that the ~/.ssh folder is owned by the user, that its private key is not readable by other users (rights should be 600) and that the user's password is set (otherwise ssh won't allow you to connect because it will consider the user incompletely set).

Accessing a specific port

If you need to communicate with your worker through a specific port instead of just using ssh, you will need to create a tunnel between the instance's port and yours.

For example, if you are using a Qarnot instance as a runner for a jupyter notebook, you will need to access to the worker's port 8888 in your browser. To do that, you simply need to create a tunnel so that your port 8888 is redirected to the worker's one. The following schema shows the appropriate ssh command: