...
Code Block | ||
---|---|---|
| ||
ssh -J user1@shelluser1@jump.ecmwf.int user1@machine1 -C -N -L 4141:machine1:4141 -L 3142:machine2:3142 |
...
To access HPC job output via the logserver, you need to establish a tunnel for this as well. Here we use 'logserver' as an example (replace this with an actual logserver).
Code Block |
---|
ssh -J user1@shelluser1@jump.ecmwf.int user1@machine1 -C -N -L 4141:machine1:4141 -L 3142:machine2:3142 -L 9316:logserver:9316 |
...
In Section 2.1.1 you have also established a tunnel for forwarding logserver traffic. In order to send the the log requests from ecflow_ui to the local tunnel entrance, you need to add "127.0.0.1 logserver" alias in /etc/hosts on your laptop (replace "logserver" with an actual ECMWF logserver name).
In practice, using the Local Port Forwarding method we can only connect to a single ECMWF logserver. This is because:
...
- There is no need to manually specify port number mapping for each ecflow server
- You can use original host names in the ecFlow servers connection settigssettings, instead of 'localhost'
- You are not limited to a single logserver; there is also no need to modify /etc/hosts file.
However, to use the proxy, the client application (ecflow_ui) must be able to speak SOCKS protocol. We will show how to enable it for ecflow_ui.
...
Code Block |
---|
% ssh -v -C -N -D 9050 -J myecuser@shellmyecuser@jump.ecmwf.int myecuser@myecworkstation |
...
Applications which want to use SOCKS proxy must speak SOCKS protocol. Some applications can be SOCKS-ified using a tool called proxychains. The tool intercepts the application's network traffic, adds a protocol layer and redirects traffic to the proxy. Luckily, the ecflow_ui.x executable can be SOCKS-ified this way.
First, install proxychains in your laptop. On MacOS, you can do it with "brew install proxychains-ng
". Some Linux distributions come with proxychains
tool preinstalled.
If you are using ecflow_ui version >= 5.7.0, you can start the ui with this command:
Code Block |
---|
ecflow_ui -cmd proxychains4 |
However, if you are using an older version you need to Now comes the key part - edit the ecflow_ui lauch launch script and replace the "$exe"
with proxychains4 "$exe" at the end of the script. On my machine, ecflow_ui launch script is installed as /opt/miniconda3/bin/ecflow_ui.
...
- you can ask the ecFlow server administrator to add your laptop username to the server's whitelist, or
- you can create a new user account on your laptop, setting username to match the ECMWF username.
If you create a new user account for ecflow_ui but want to keep using your regular account, here is a handy script for running ecflow_ui as another user. It uses Dynamic Port Forwarding method, but can be easily adapted to use Local Port Forwarding.
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
#!/bin/bash set -e # -------------------------------------------------------------- # A script for starting SSH SOCKS proxy and ecFlow UI as another user. # Prerequisites: # * User named "myecuser" must exist on the laptop # * "myecuser" has set up their Teleport client to access ECMWF. # -------------------------------------------------------------- ECMWF_USER=myecuser # your ECMWF username ECMWF_HOST=myecworkstation # your ECMWF workstation name xhost + || : sudo -i -u "$ECMWF_USER" -- sh << SUDO set -e # Starting ssh-agent for $ECMWF_USER. # Teleport service requires ssh-agent running. ssh-agent -- sh << SSH_AGENT set -e # "tsh login" will fetch SSH certificate from # shelljump.ecmwf.int and load it onto the ssh-agent. tsh login -d # "ssh -f" will start SSH tunnel in the background. # The trap will terminate the tunnel on exit. trap 'pkill -f ssh.*-f' 0 1 2 3 15 ssh -f -N -v -C -D9050 -J "$ECMWF_USER@shellUSER@jump.ecmwf.int" "$ECMWF_USER@$ECMWF_HOST" # finally, start the local ecFlow UI /Volumes/Macintosh\ HD/opt/miniconda3/bin/ecflow_ui SSH_AGENT SUDO |
...
Replace "host1" with a real ECMWF ecFlow server hostname and "myecflowuser" with your authorised ecFlow username, for which you have the password.
Known issues
...
- Sometimes ecflow_ui fails to fetch the job output, job script and .sub files from the logserver. Refreshing the tab usually fixes the issue. The initial error looks like: "Output directory: [1] Failed to fetch from logserver@9316 error: The remote host closed the connection. [2] No access to path on disk!"
- For some suites the ecflow_ui cannot retrieve job output, job script and .sub files no matter what. It happens when the log server at the centre doesn't have access to these files. ecflow_uis running at the centre have direct access to the files on disk so no problem, but remote ecflow_ui cannot access them.
...
.
...
...