Proxy Jump

Modified

August 20, 2024

Abstract

The GSI HPC infrastructure is only accessible from local networks. This restriction requires users from outside the GSI campus network to use SSH proxy nodes to reach the Virgo computer cluster. The following section describes how to configure SSH for the login pool nodes provided by the GSI IT department.

Overview

Proxy jump is supported from OpenSSH 7.3 [1] onward. Check the version of your local SSH client with the option -V. Alternatives to the proxy jump option are described in the OpenSSH Cookbook - Proxies and Jump Hosts [2].

Option Description
-J <node> Connect to the target host by first making an ssh connection to the jump host described by destination and then establishing a TCP forwarding to the ultimate destination from there. This is a shortcut to specify a ProxyJump configuration directive.

Example of using lxlogin to SSH into a submit node:

ssh -J $USER@lxlogin.gsi.de virgo.hpc.gsi.de

Connect to the target host by first making an SSH connection to the jump host. Use the login nodes as jump hosts to access the HPC infrastructure. The ssh command supports the proxy jump option -J to connect to a submit node.

Configuration File

The following command appends a custom configuration, which sets up the login nodes as jump hosts, to your local SSH client configuration file ~/.ssh/config (details are described in the ssh_config [3] manual):

# (1) $USER is expanded by the local shell when the block is written
cat <<EOF >> ~/.ssh/config
Host login
  User $USER
  Hostname lxlogin.gsi.de
  CheckHostIP no
  ForwardX11 yes
EOF

# (2)
ssh -J login virgo.hpc.gsi.de

(1) Append a configuration for a login pool to the user SSH configuration. This example uses the lxlogin.gsi.de pool. CheckHostIP is disabled since the load-balancing service distributes users over different nodes with individual IP addresses.

(2) Connect to a submit node using the pool name login defined in the user SSH configuration.

Further extend your SSH configuration with a login for a required virtual application environment (VAE) available on the cluster:

cat <<EOF >> ~/.ssh/config
host vae24
  ProxyJump login
  User $USER
  Hostname vae24.hpc.gsi.de
  CheckHostIP no
EOF

With the configuration above, login becomes as simple as ssh vae24.
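Each run of the cat >> commands above appends another block, and ssh_config uses the first value it obtains for each parameter, so a later duplicate Host block with changed settings is silently ignored. The script below is an added example, not part of the original page or of GSI tooling: it checks the ssh -V banner for 7.3 or newer, writes the two blocks only when their alias is not yet defined, and prints the effective ProxyJump with ssh -G without opening a connection. The function names and the --apply switch are hypothetical.

```shell
#!/bin/sh
# Added example, not GSI tooling; function names and --apply are hypothetical.

# supports_proxyjump BANNER: succeed if the "ssh -V" banner is OpenSSH >= 7.3.
supports_proxyjump() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2                 # not an OpenSSH banner
    major=${ver% *} minor=${ver#* }
    [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 3 ]; }
}

# add_host_block FILE NAME BODY: append "Host NAME" plus BODY unless FILE
# already defines that alias. ssh takes the first value found per parameter,
# so a duplicate block appended later would never take effect.
# Assumption: NAME contains no regex metacharacters (true for login, vae24).
add_host_block() {
    file=$1 name=$2 body=$3
    touch "$file" && chmod 600 "$file" || return 1   # ssh rejects lax modes
    if grep -Eiq "^[[:space:]]*host[[:space:]]+(.*[[:space:]])?$name([[:space:]]|\$)" "$file"; then
        return 0                              # alias exists: leave file as is
    fi
    printf '\nHost %s\n%s\n' "$name" "$body" >> "$file"
}

# setup_gsi_jump [FILE]: write both blocks from this page, then print the
# effective ProxyJump for vae24 (ssh -G evaluates the config and exits).
setup_gsi_jump() {
    cfg=${1:-$HOME/.ssh/config}
    supports_proxyjump "$(ssh -V 2>&1)" || { echo "need OpenSSH >= 7.3" >&2; return 1; }
    add_host_block "$cfg" login "  User $USER
  Hostname lxlogin.gsi.de
  CheckHostIP no
  ForwardX11 yes" || return 1
    add_host_block "$cfg" vae24 "  ProxyJump login
  User $USER
  Hostname vae24.hpc.gsi.de
  CheckHostIP no" || return 1
    ssh -F "$cfg" -G vae24 | grep -i '^proxyjump '
}

# Touch the real ~/.ssh/config only when asked to: sh <script> --apply
if [ "${1:-}" = "--apply" ]; then setup_gsi_jump; fi
```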

Copy Files

Similarly, the scp command can copy files through a jump host by passing the SSH option to scp with -o [4], specifically setting a jump host with ProxyJump=:

# copy a file using a proxy jump
scp -o ProxyJump=login /path/to/data* files.hpc.gsi.de:/lustre/...

Footnotes

  1. OpenSSH 7.3 Release Notes
    http://www.openssh.com/txt/release-7.3

  2. OpenSSH Cookbook - Proxies and Jump Hosts, Wikibooks
    https://en.wikibooks.org/wiki/OpenSSH%2FCookbook%2FProxies_and_Jump_Hosts

  3. Manual page ssh_config, OpenBSD Foundation
    https://man.openbsd.org/ssh_config

  4. Manual page scp, OpenBSD Foundation
    https://man.openbsd.org/scp