It is possible to connect a local ecflow_ui running on your Mac/PC to the remote servers running at the Centre via the Centre's Teleport gateway.

Setting up Teleport access

You will need to install the Teleport client on your laptop. Follow the instructions on the Centre's User Documentation pages to install and set up the client.

...

You may be asked for your ECMWF login credentials. If you already have a valid certificate, the authentication prompt will be skipped.

Connecting with ecFlow servers at the Centre

Here we describe two methods of connecting ecflow_ui via the Teleport gateway to ecFlow servers running at the Centre.


Method 1: Local Port Forwarding

Once you have installed and set up the Teleport client, you can start the SSH local port forwarding session. The session will tunnel network traffic between your ecflow_ui and the Centre's servers:

...

  • In practice we can only connect to a single remote log server. This is because different log servers at the Centre use the same port number (9316).
  • The timeline and server load functionality currently does not work.

Method 2: Dynamic Port Forwarding

SSH offers Dynamic Port Forwarding, i.e. it can act as a SOCKS proxy. This method has some advantages over Local Port Forwarding:

...

  • The timeline and server load functionality currently doesn't work.

Connecting to restricted ecFlow servers

Servers with username-based access control

Many ecFlow servers at the Centre use a whitelist to only allow authorized users in. This creates a problem when connecting remotely. Typically, your username on the laptop will be different from your ECMWF username and these servers will not be visible in your ecflow_ui.

...

#!/bin/bash
set -e
# --------------------------------------------------------------
# A script for starting SSH SOCKS proxy and ecFlow UI as another user.
# Prerequisites:
#   * User named "myecuser" must exist on the laptop
#   * "myecuser" has set up their Teleport client to access ECMWF.
# --------------------------------------------------------------

ECMWF_USER=myecuser              # your ECMWF username
ECMWF_HOST=myecworkstation       # your ECMWF workstation name

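# Let $ECMWF_USER open windows on your X display.
# Note: "xhost +" turns off X access control for every client, not just that user.
# "|| :" ignores the error when xhost is unavailable.
xhost + || :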
sudo -i -u "$ECMWF_USER" -- sh << SUDO

    set -e

    # Starting ssh-agent for $ECMWF_USER.
    # Teleport service requires ssh-agent running.

    ssh-agent -- sh << SSH_AGENT

        set -e

        # "tsh login" will fetch SSH certificate from
        # shell.ecmwf.int and load it onto the ssh-agent.

        tsh login -d

        # "ssh -f" will start SSH tunnel in the background.
        # The trap will terminate the tunnel on exit.

        trap 'pkill -f ssh.*-f' 0 1 2 3 15
        ssh -f -N -v -C -D9050 -J "$ECMWF_USER@shell.ecmwf.int" "$ECMWF_USER@$ECMWF_HOST"

        # finally, start the local ecFlow UI
        /Volumes/Macintosh\ HD/opt/miniconda3/bin/ecflow_ui
SSH_AGENT
SUDO
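
The script above opens its SOCKS proxy with -D9050. ssh binds such a listener to loopback by default, but a GatewayPorts setting or an explicit bind address can expose it to the network, and the proxy itself asks for no authentication. The check below is an added example, not part of the original page; the function name and the sample lsof lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Checks which address the SOCKS
# listener created by "ssh -D9050" is bound to.
SOCKS_PORT=9050   # port from the -D option in the script above

# Reads `lsof -nP -iTCP -sTCP:LISTEN` style lines on stdin.
# Prints "ok <addr>" for loopback listeners on port $1, "exposed <addr>" otherwise.
# Exit status: 0 = all loopback, 1 = at least one exposed, 2 = no listener found.
classify_socks_listeners() {
    awk -v port="$1" '
        $NF == "(LISTEN)" {
            addr = $(NF - 1)
            n = split(addr, parts, ":")
            if (parts[n] != port) next          # listener on another port
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            found = 1
            if (host ~ /^127\./ || host == "[::1]") {
                print "ok " addr
            } else {
                print "exposed " addr
                bad = 1
            }
        }
        END {
            if (!found) exit 2
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample input (not captured from a real system).
SAMPLE_OK='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 310 root 4u IPv4 0x0 0t0 TCP *:22 (LISTEN)
ssh 4242 myecuser 5u IPv4 0x1 0t0 TCP 127.0.0.1:9050 (LISTEN)
ssh 4242 myecuser 6u IPv6 0x2 0t0 TCP [::1]:9050 (LISTEN)'
SAMPLE_EXPOSED='ssh 4243 myecuser 5u IPv4 0x3 0t0 TCP *:9050 (LISTEN)'

for sample in "$SAMPLE_OK" "$SAMPLE_EXPOSED"; do
    printf '%s\n' "$sample" | classify_socks_listeners "$SOCKS_PORT" \
        || echo "WARNING: SOCKS port $SOCKS_PORT is reachable from other hosts"
done

# Live check on the laptop while the tunnel is up (sudo because the tunnel
# runs as another user in the script above):
#   sudo lsof -nP -iTCP:9050 -sTCP:LISTEN | classify_socks_listeners 9050
```
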

Servers with password-based access control

As an alternative to username-based access control, ecFlow offers password-based access control. See: Security(custom user).

...

Replace "myecworkstation" with a real ecFlow server hostname and "myecflowuser" with your authorised ecFlow username.

Known issues

...

  • Sometimes ecflow_ui fails to fetch the job output, job script and .sub files from the log server. Refreshing the tab fixes the issue. The initial error looks like:
    "Output directory: [1] Failed to fetch from cca-log@9316 error: The remote host closed the connection. [2] No access to path on disk!"
  • For some suites ecflow_ui cannot retrieve the job output, job script and .sub files at all. This happens when the log server at the Centre doesn't have access to these files. An ecflow_ui running at the Centre has direct access to the files on disk, so it is not affected, but a remote ecflow_ui cannot access them.

...