U.S. CMS
Search
uscms.org  www 

Connect to LPC Cluster

The LPC cluster is a group of interactive nodes running Scientific Linux Fermi (or SL) that LPC users are able to connect to, to develop and debug their code, submit jobs, do analysis, and so on. Users connect to cmslpc-sl6.fnal.gov, running SL6, arranged in the following way:



Most operative systems with OpenSSH configured with GSSAPI and Kerberos configured for the FNAL.GOV realm should be able to connect to the LPC cluster.

It is assumed that you already have a Fermilab ID and Kerberos principal. If not visit the "Get an Account" section.

Access to the LPC cluster is controlled by a switch which redirects incoming connections to individual nodes and this page should serve as a guide on how to connect to the LPC cluster in most typical situations.

Prerequisites

Kerberos configuration file

To connect to the LPC cluster you need to have Kerberos installed on your system. This is already included in Scientific Linux and OS X. In addtion you will need to get the krb5.conf file for Fermilab that corresponds to your specific OS. You can download this file from: Fermilab Kerberos Configuration Files.

Save the appropriate file to your home directory. Note: if you already have a krb5.conf file, it is a good idea to backup it up before placing the new file. Then run (depending on your system, you will be prompted for you root or admin password):

[localMachine:Desktop localUser]$ sudo mv -v krb5.conf /etc/krb5.conf
Password:
krb5.conf -> /etc/krb5.conf

Once done, the file will be moved to the appropriate location on your system.

krb5.conf is a text file that you can review and compare to the one found on Fermilab Kerberos Configuration Files to determine whether you already have the most recent one or you need to update it.

SSH configuration file

In order to give SSH the proper configuration to login to the LPC cluster, make sure the following lines are present in your ~/.ssh/config file (depending on your OS and). Note: you may not have such a file, and you may need to create the .ssh directory and the file

- - - - - - - - Create ~/.ssh/config file  - - - - - - - - - -
[localMachine:Desktop localUser]$ cd
[localMachine:Desktop localUser]$ mkdir .ssh
[localMachine:Desktop localUser]$ touch .ssh/config
- - - - - - - - Create ~/.ssh/config file  - - - - - - - - - -


Contents of ~/.ssh/config:

[localMachine:Desktop localUser]$ more ~/.ssh/config
- - - - - - - - - - - - LINUX - - - - - - - - - - - -
Host cmslpc*.fnal.gov
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPITrustDNS yes
- - - - - - - - - - - - LINUX - - - - - - - - - - - -

- - - - - - - - - - - - OS X - - - - - - - - - - - -
Host cmslpc*.fnal.gov
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
- - - - - - - - - - - - OS X - - - - - - - - - - - -

Note: You may find some or all of these options below useful to be added to your ~/.ssh/config for OSX 10.12 and PC. Only apply them to cmslpc-sl6.fnal.gov, as they would be insecure for other hosts.

- - - - - - - - - - - - OS X - - - - - - - - - - - -
Host cmslpc*.fnal.gov
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
- - - - - - - - - - - - OS X - - - - - - - - - - - -

Connecting to the LPC cluster

Once your system has the appropriate prerequisites to connect to the LPC cluster, do the following to login.

Get a Kerberos ticket

A valid Kerberos ticket for the FNAL.GOV Kerberos realm is needed to login to the LPC cluster, you can get one from your terminal by doing:

[localMachine:Desktop localUser]$ kinit username@FNAL.GOV
- - - - - - LINUX - - - - - -
Password for username@FNAL.GOV:
- - - - - - LINUX - - - - - -

- - - - - - OS X - - - - - -
username@FNAL.GOV's password:
- - - - - - OS X - - - - - -

if successful, there is no output to this command. You can always verify that a Kerberos ticket was created by issuing the following command:

[localMachine:Desktop localUser]$ klist
- - - - - - - - - - - - - - LINUX - - - - - - - - - - - - - -
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: username@FNAL.GOV

Valid starting     Expires            Service principal
04/25/16 16:46:53  04/26/16 18:45:29  krbtgt/FNAL.GOV@FNAL.GOV
        renew until 05/02/16 16:45:29
- - - - - - - - - - - - - - LINUX - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - OS X - - - - - - - - - - - - - - - -
Credentials cache: API:123DS3AA-1554-4A12-9A08-1982938328
        Principal: username@FNAL.GOV
    
  Issued                Expires               Principal
Apr 25 16:46:53 2016  Apr 26 18:45:29 2016  krbtgt/FNAL.GOV@FNAL.GOV
- - - - - - - - - - - - - - - - OS X - - - - - - - - - - - - - - - -

Show me these two commands (β).

SSH to the LPC

With a valid Kerberos ticket, you can now login to a SL6 machine on the LPC cluster by doing:

- - - - - - - - - - - - - - LINUX - - - - - - - - - - - - - - - - 
[localMachine:Desktop localUser]$ ssh username@cmslpc-sl6.fnal.gov
- - - - - - - - - - - - - - LINUX - - - - - - - - - - - - - - - - 

- - - - - - - - - - - - - - - - OS X - - - - - - - - - - - - - - - -

[localMachine:Desktop localUser]$ ssh -Y username@cmslpc-sl6.fnal.gov
- - - - - - - - - - - - - - - - OS X - - - - - - - - - - - - - - - -

Last login: Mon Apr 25 16:57:22 2016 from localMachine.dhcp.fnal.gov NOTICE TO USERS This is a Federal computer (and/or it is directly connected to a Fermilab local network system) that is the property of the United States Government. It is for authorized use only. Users (autho- rized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized site, Department of Energy and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copy- ing, auditing, inspection, and disclosure at the discretion of authorized site or Department of Energy personnel. Unauthorized or improper use of this system may result in admin- istrative disciplinary action and civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMME- DIATELY if you do not agree to the conditions stated in this warning. Fermilab policy and rules for computing, including appropriate use, may be found at http://www.fnal.gov/cd/main/cpolicy.html ################################################################# # --- NOTICE: This node is running Scientific Linux (Fermi) 6 # ################################################################# cmslpc38.fnal.gov - cmslpc/production (SLF 6.8) 24-core Xeon X5650 @ 2.67GHz (PowerEdge R410); 31.34 GB RAM, 20.00 GB swap ########################################################################## For information about computing at the LPC go to: lpc.fnal.gov/computing ########################################################################## aklog: Couldn't get cern.ch AFS tickets: aklog: unknown RPC error (-1765328377) while getting AFS tickets [username@cmslpc38 ~]$

Note: the lines just above the prompt each time you login have an important message, is a quick reminder on where to go if you need to look for some information about computing at the LPC.

Note: the lines about AFS tickets are a known error you may safely ignore.

Connecting to the LPC Cluster from a Windows PC

Connecting to the LPC cluster through the round-robin queue from a Windows PC is known to work with Kerberized PuTTY. Other terminal programs such as WRQ Relection ssh only work with the direct access nodes (see above). Directions are given below for establishing a connection to the LPC cluster with Kerberized PuTTY. Directions for installing Cygwin/X or Xming, both free X servers for Windows, are also given. These packages are optional since commercial alternatives such as WRQ Reflection and Exceed exist. Also included are directions for using WinSCP and OpenAFS for Windows to access files in your account.

Kerberos and SSH:

To get your Kerberos ticket:
Select Start -> All Programs -> Kerberos for Windows -> Network Identity Manager
Enter your Kerberos principal username, password and FNAL.GOV for the realm and click Login.

To connect to the LPC cluster for the first time with PuTTY:
Double click on the PuTTY icon in the directory where you unzipped the zip file.
In the PuTTY configuration window:
select Session and enter cmslpc-sl6.fnal.gov in the HostName field
select Connection -> Data and enter your username in the Auto-login username field
select Connection -> SSH and select "2 only" for "Preferred SSH protocol version"
select Connection -> SSH -> X11 and check "Enable X11 forwarding"
select Connection -> SSH -> Auth -> GSSAPI and check both boxes
select Session and enter LPC in the Saved Sessions field and click Save
double click on LPC in the Saved Sessions list

To connect to the LPC cluster with PuTTY:
Double click the PuTTY icon.
In the PuTTY configuration window:
select Session and double click on LPC in the Saved Sessions list

Kerberos and SFTP:

WinSCP supports Kerberos authentication for SFTP on Windows can be downloaded from http://winscp.net/eng/index.php. Follow the directions here check Advanced options and under SSH -> Authentication check both boxes for GSSAPI Authentication. Use this program to transfer files to and from the LPC cluster.

X servers:

Cygwin/X and Xming are implementations of X11 on the Windows platform. With X11 forwarding enabled in PuTTY and an X server running, programs like Root and emacs can be displayed on the Windows desktop. Cygwin is documented for use at FNAL at this link

To install Cygwin/X follow the download and installation directions from the user's guide.

After installing Cygwin/X copy c:\cygwin\X11R6\bin\startxwin.bat to the desktop. Edit startxwin.bat and remove the line

   run xterm -e /usr/bin/bash -l

To start the Xserver double click on startxwin.bat.

Webmaster | Last modified: Tuesday, 07-Mar-2017 21:29:40 CST