NHR@FAU HPC-Portal Usage
New digital workflow for HPC accounts
Since January 2021, NHR@FAU is one of now nine centers of the NHR Alliance. NHR@FAU is offering support especially in the area of performance engineering and single-node performance analysis. The application focus is on atomistic simulations, i.e. molecular dynamics, chemistry, and certain areas of material sciences.
With these changes, we are discontinuing our previous and oftentimes tedious HPC account application process which required new users to first apply for an IdM account and then fill out the HPC account application form. Users where then required to wait for their activation letters to arrive and set their HPC passwords, until they were finally able to start working on our clusters.
The new HPC-Portal replaces all of the aforementioned paperwork and introduces a sleek and straightforward digital workflow for managing HPC accounts and projects. As this process is now independent from HPC support, PIs and technical contacts can add and remove users from projects on their own and users are able to directly see the absolute path to their home directory and upload SSH keys for secure remote connection to our clusters.
If any questions remain after reading this documentation on our new HPC-portal, please contact us.
On the frontpage, the login field can be found in the top right corner. Next to it, the page language, either German or English, can be selected. Single sign-on (SSO) is always used for user logins and works with the authentication and authorization infrastructure from Deutsches Forschungsnetz (DFN-AAI) and the education global authentication infrastructure (eduGAIN).
FAU-members should log in via the “Friedrich-Alexander-Universität (FAU)” button and enter their IdM-username and password. If you are not an FAU-member, please click “Another institution (DFN-AAI + eduGAIN)”, select your organization from the drop-down menu and follow your identity provider’s instructions.
In case a user sees an error page (“Your SSO-Login was successful, but one or more of the attributes required for correct account generation are missing.[…]”) after trying to log in, they should contact their local computer centre. There are certain attributes missing for correct identity transmission and only local IT support can activate them. Organizational support addresses can be found at DFN or eduGAIN.
Next to the NHR@FAU logo in the top left corner, a click on “User” loads information on the account and invitations to projects. If a user logs into the HPC-Portal for the first time, the mailing list subscription column will show up on the right side. The information here can be quite limited, depending on whether an (NHR) project has already been approved and a project invitation has been sent to the user.
When a user receives an invitation to a project, they can either accept or decline the invitation. The user can also see for which project the invitation has been sent. In case of acceptance, an HPC account is generated on the fly and will show up in the left column of the user tab. Please be aware, however, that it will usually take until the day after accepting the invitation until access to our clusters is possible and all directories like
$HPCVAULT are available. New users are encouraged to spend the waiting time getting familiar with our documentation. Of particular interest are probably the documentations on our GPU-cluster Alex, the one on our CPU-cluster Fritz, and where to store future data.
After opening the account information via the down arrow, details on the account like the path to the home directory or the state of the account are listed. Most importantly, each user should upload at least one SSH public key here. Accepted SSH key types are RSA with a length of at least 4096 bites, ECDSA with a length of 512, and ED25519.
SSH keys from the portal will be distributed automatically across HPC systems; this process, however, might take several hours (typically 2 hours), so please be patient.
Currently, the SSH keys from the portal are only distributed to Alex, Fritz, Woody, and the dialog server
cshpc. But these systems do not yet ignore the
authorized_keys file in the user’s home directory
and only accept the keys from the portal!
In case a user is unfamiliar with generating SSH keys, please visit our documentation on “SSH – Secure Shell access to HPC systems“. This page offers in-depth information on how to connect and copy data to a remote host, how to use SSH agents, and how to generate a secure SSH key. Please make sure to enter a passphrase when prompted during the process in order to encrypt your private key.
Several SSH keys can be uploaded per account and management is possible under “Show advanced options”. Here, a user can assign aliases to SSH keys, edit options like agent forwarding or having access via a graphical interface.
The user’s profile can be found by clicking on the arrow next to the user’s email address in the top right corner. The profile page shows the user’s personal data that is normally sourced from the user’s SSO Identity Provider (IdP) and cannot be changed in the portal. The transferred data comprise the user’s principal name at the home organization (username), the user’s given name and surname, the user’s affiliation at the home organization, and the user’s email address. The middle panel gives information about the role that has been assigned to the user; this role defines whether a user can see the management tab or not.
Next to the NHR@FAU logo in the top left corner, a click on “Management” offers principal investigators and technical contacts to manage their projects. After opening the project via the down arrow, project details can be seen in the left column. In the column on the right, all accounts connected to the corresponding project are listed. The middle column is dedicated to sending out invitations to projects. With this feature, the PI or contact person can assign projects to staff and co-workers.
For sending out invitations, the PI or contact person has to enter the recipient’s email address (as transmitted by the IdP) and can add a personalized message. The user will receive an email with the following subject: “New invitation for “[project name]” waiting at portal.hpc.fau.de” and message content: “Dear HPC-Portal User, [name of PI/technical contact] sent you an invitation for “[project name]” at “https://portal.hpc.fau.de/”. Please follow the link and log in via SSO using your IdM credentials to accept the invitation (‘User’ -> ‘Your Invitations’). After that, please upload a ssh public key (‘ssh-rsa’) to the corresponding account of “[project name]” (‘User’ -> ‘Your Accounts’). In case of problems, please send an e-mail with a clear description of the issue to “email@example.com”. Invitation Message: [personalized message] Regards, HPC-Support This e-mail was generated automatically [day, date, time]”.
Several users can be added in a single step which should be more convenient for PIs or technical contacts responsible for lectures and block courses. To do this, the “Invite multiple e-mail addresses” switch must be activated. E-mail addresses can either be typed separately or a comma-separated list of mail addresses can be copied into the field; to confirm the list of addresses, the “enter” button must be pressed. Invalid and duplicate mail addresses will be filtered out.
After the corresponding user accepts their invitation, PIs and contact persons can edit certain details of the user’s account. The editing button will become visible in the right column on the management page after opening the account via the down arrow. Editing options are limited to the state of the account—either pending, approved, deleted, active or inactive—and the time period in which the account should be valid. This allows PIs and contacts persons to link account lifetimes to contract of employment runtime, pre-plan switches in project affiliation, and cover medium-term user absence.
Overall, the management tab enables PIs and contact persons to independently add new users when new scientists join the project.