Versions Compared

Comment: updated teleport host

...

Code Block
ssh -J user1@jump.ecmwf.int user1@machine1 -C -N -L 4141:machine1:4141 -L 3142:machine2:3142

...

To access HPC job output via the logserver, you need to establish a tunnel for this as well. Here we use 'logserver' as an example (replace this with an actual logserver).

Code Block
ssh -J user1@jump.ecmwf.int user1@machine1 -C -N -L 4141:machine1:4141 -L 3142:machine2:3142 -L 9316:logserver:9316

...

In Section 2.1.1 you also established a tunnel for forwarding logserver traffic. To send the log requests from ecflow_ui to the local tunnel entrance, you need to add a "127.0.0.1 logserver" alias to /etc/hosts on your laptop (replace "logserver" with an actual ECMWF logserver name).

In practice, using the Local Port Forwarding method we can only connect to a single ECMWF logserver. This is because:

...

  • There is no need to manually specify port number mapping for each ecflow server
  • You can use original host names in the ecFlow servers connection settings, instead of 'localhost'
  • You are not limited to a single logserver; there is also no need to modify /etc/hosts file.

However, to use the proxy, the client application (ecflow_ui) must be able to speak SOCKS protocol. We will show how to enable it for ecflow_ui.

...

Code Block
% ssh -v -C -N -D 9050 -J myecuser@jump.ecmwf.int myecuser@myecworkstation
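
Both forwarding methods open listening ports on the laptop (4141, 3142, 9316 and 9050 in the commands on this page). ssh binds them to loopback by default, but -g, GatewayPorts or an explicit bind address makes them reachable from the local network. The following check is an added example, not part of the original page; it assumes the Linux `ss -ltnH` column layout, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: flag tunnel listeners that other machines could reach.
# Ports are the ones used in the ssh commands on this page.
TUNNEL_PORTS="9050 4141 3142 9316"

# Constructed sample of `ss -ltnH` output (assumed layout: column 4 is
# "Local Address:Port"). Port 4141 is bound to all interfaces here.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:9050 0.0.0.0:*
LISTEN 0 128 [::1]:9050 [::]:*
LISTEN 0 128 0.0.0.0:4141 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3142 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'

# Reads `ss -ltnH` output on stdin. Prints "<port> <bind address>" for every
# tunnel port not bound to loopback; returns 1 if any such listener exists.
exposed_listeners() {
    awk -v ports="$TUNNEL_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            la = $4
            port = la; sub(/.*:/, "", port)            # text after the last colon
            if (!(port in want)) next                  # not one of our tunnels
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: fine
            print port " " addr
            bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners || echo "tunnel port exposed beyond loopback"
```

On the laptop, run it against live data with `ss -ltnH | exposed_listeners` while the tunnel is up.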

...

Applications which want to use SOCKS proxy must speak SOCKS protocol. Some applications can be SOCKS-ified using a tool called proxychains. The tool intercepts the application's network traffic, adds a protocol layer and redirects traffic to the proxy. Luckily, the ecflow_ui.x executable can be SOCKS-ified this way.

First, install proxychains on your laptop. On macOS, you can do it with "brew install proxychains-ng". Some Linux distributions come with the proxychains tool preinstalled.

If you are using ecflow_ui version >= 5.7.0, you can start the ui with this command:

Code Block
ecflow_ui -cmd proxychains4

However, if you are using an older version you need to edit the ecflow_ui launch script and replace the "$exe" with proxychains4 "$exe" at the end of the script. On my machine, ecflow_ui launch script is installed as /opt/miniconda3/bin/ecflow_ui.

...

  • you can ask the ecFlow server administrator to add your laptop username to the server's whitelist, or
  • you can create a new user account on your laptop, setting username to match the ECMWF username.

If you create a new user account for ecflow_ui but want to keep using your regular account, here is a handy script for running ecflow_ui as another user. It uses the Dynamic Port Forwarding method, but can be easily adapted to use Local Port Forwarding.

Code Block
A script for starting SSH tunnel + ecflow_ui on a laptop as another user
#!/bin/bash
set -e
# --------------------------------------------------------------
# A script for starting SSH SOCKS proxy and ecFlow UI as another user.
# Prerequisites:
#   * User named "myecuser" must exist on the laptop
#   * "myecuser" has set up their Teleport client to access ECMWF.
# --------------------------------------------------------------

ECMWF_USER=myecuser              # your ECMWF username
ECMWF_HOST=myecworkstation       # your ECMWF workstation name

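# Let only the local user "$ECMWF_USER" use the X display ("xhost +" would open it to every host).
xhost "+SI:localuser:$ECMWF_USER" || :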
sudo -i -u "$ECMWF_USER" -- sh << SUDO

    set -e

    # Starting ssh-agent for $ECMWF_USER.
    # Teleport service requires ssh-agent running.

    ssh-agent -- sh << SSH_AGENT

        set -e

        # "tsh login" will fetch SSH certificate from
        # jump.ecmwf.int and load it onto the ssh-agent.

        tsh login -d

        # "ssh -f" will start SSH tunnel in the background.
        # The trap will terminate the tunnel on exit.

        trap 'pkill -f ssh.*-f' 0 1 2 3 15
        ssh -f -N -v -C -D9050 -J "$ECMWF_USER@jump.ecmwf.int" "$ECMWF_USER@$ECMWF_HOST"

        # finally, start the local ecFlow UI
        /Volumes/Macintosh\ HD/opt/miniconda3/bin/ecflow_ui
SSH_AGENT
SUDO

...

Replace "host1" with a real ECMWF ecFlow server hostname and "myecflowuser" with your authorised ecFlow username, for which you have the password.

Known issues

...

  • Sometimes ecflow_ui fails to fetch the job output, job script and .sub files from the logserver. Refreshing the tab usually fixes the issue. The initial error looks like: "Output directory: [1] Failed to fetch from logserver@9316 error: The remote host closed the connection. [2] No access to path on disk!"
  • For some suites the ecflow_ui cannot retrieve job output, job script and .sub files no matter what. It happens when the log server at the centre doesn't have access to these files. An ecflow_ui running at the centre has direct access to the files on disk, so it is not affected, but a remote ecflow_ui cannot access them.

...


...

...