Proxy Jump

Modified

August 20, 2024

Abstract

The GSI HPC infrastructure is only accessible from local networks. This restriction requires users from outside the GSI campus network to use SSH proxy nodes to reach the Virgo computer cluster. Following section describes the configuration of SSH to the login pool nodes provided by the GSI IT department.

Overview

Requires at least OpenSSH version 7.3

Proxy jump is supported from OpenSSH 7.3¹ forward. Check the version of your local SSH client with option -V. Alternatives to the proxy jump option are described in the OpenSSH Cookbook - Proxies and Jump Hosts².

Option	Description
`-J <node>`	Connect to the target host by first making an ssh connection to the jump host described by destination and then establishing a TCP forwarding to the ultimate destination from there. This is a shortcut to specify a `ProxyJump` configuration directive.

Example of using lxlogin to SSH into a submit node:

1ssh -J $USER@lxlogin.gsi.de virgo.hpc.gsi.de

1: Connect to the target host by first making a ssh connection to the jump host. Use the login-nodes as jump host to access the HPC infrastructure. The ssh command supports the proxy jump option -J to connect with a submit node

Configuration File

Following command will append a custom configuration for the login nodes to be used as jump hosts to your local SSH client configuration file ~/.ssh/config (details are described in the ssh_config³ manual):

1cat <<EOF >> ~/.ssh/config
Host login
  User $USER
  Hostname lxlogin.gsi.de
  CheckHostIP no
  ForwardX11 yes
EOF

2ssh -J login virgo.hpc.gsi.de

1: Append a configuration for a login pool to the user SSH configuration. This example uses the lxlogin.gsi.de pool. CheckHostIP is disabled since the load-balancing service will distribute users over different nodes with individual IP-addresses.
2: Connect to a submit node using the pool name login defined in the user SSH configuration.

Further extend you SSH configuration with login for a required virtual application environment (VAE) available on the cluster:

cat <<EOF >> ~/.ssh/config
host vae24
  ProxyJump login
  User $USER
  Hostname vae24.hpc.gsi.de
  CheckHostIP no
EOF

With the configuration above login becomes as simples as ssh vae24.

Copy Files

Similar the scp command is able to copy files using a jump host by adding the SSH argument to the scp command with option -o⁴, specifically set a jump host with ProxyJump=:

# copy a file using a proxy jump
scp -o ProxyJump=login /path/to/data* files.hpc.gsi.de:/lustre/...

Footnotes

OpenSSH 7.3 Release Notes
http://www.openssh.com/txt/release-7.3 ↩︎
OpenSSH Cookbook - Proxies and Jump Hosts, Wikibooks
https://en.wikibooks.org/wiki/OpenSSH%2FCookbook%2FProxies_and_Jump_Hosts ↩︎
Manual page ssh_config, OpenBSD Foundation
https://man.openbsd.org/ssh_config ↩︎
Manual Page scp, OpenBSD Foundation
https://man.openbsd.org/scp ↩︎

--- title: Proxy Jump date-modified: 2024/08/20 abstract: > The GSI HPC infrastructure is only accessible from local networks. This restriction requires users from outside the GSI campus network to use SSH proxy nodes to reach the Virgo computer cluster. Following section describes the configuration of SSH to the login pool nodes provided by the GSI IT department. --- ### Overview ::: {.callout-note appearance="simple" title="Requires at least OpenSSH version 7.3" collapse=true} Proxy jump is supported from OpenSSH 7.3[^ssh73] forward. Check the version of your local SSH client with option `-V`. Alternatives to the proxy jump option are described in the _OpenSSH Cookbook - Proxies and Jump Hosts_[^ocpjh]. [^ssh73]: OpenSSH 7.3 Release Notes <http://www.openssh.com/txt/release-7.3> [^ocpjh]: OpenSSH Cookbook - Proxies and Jump Hosts, Wikibooks <https://en.wikibooks.org/wiki/OpenSSH%2FCookbook%2FProxies_and_Jump_Hosts> ::: Option | Description -------------|------------------------------- `-J <node>` | Connect to the target host by first making an ssh connection to the jump host described by destination and then establishing a TCP forwarding to the ultimate destination from there. This is a shortcut to specify a `ProxyJump` configuration directive. Example of using `lxlogin` to SSH into a submit node: ```bash ssh -J $USER@lxlogin.gsi.de virgo.hpc.gsi.de #<1> ``` 1. Connect to the target host by first making a ssh connection to the jump host. Use the [login-nodes][aQ4hL] as jump host to access the HPC infrastructure. The `ssh` command supports the **proxy jump option `-J` to connect with a submit node** [aQ4hL]: submit-nodes.html#login-nodes ### Configuration File Following command will append a custom configuration for the login nodes to be used as jump hosts to your local SSH client configuration file `~/.ssh/config` (details are described in the `ssh_config`[^sshcm] manual): [^sshcm]: Manual page `ssh_config`, OpenBSD Foundation <https://man.openbsd.org/ssh_config> ```sh cat <<EOF >> ~/.ssh/config #<1> Host login User $USER Hostname lxlogin.gsi.de CheckHostIP no ForwardX11 yes EOF ssh -J login virgo.hpc.gsi.de #<2> ``` 1. Append a configuration for a login pool to the user SSH configuration. This example uses the `lxlogin.gsi.de` pool. `CheckHostIP` is disabled since the load-balancing service will distribute users over different nodes with individual IP-addresses. 2. Connect to a submit node using the pool name `login` defined in the user SSH configuration. Further extend you SSH configuration with login for a required [virtual application environment][s17O6] (VAE) available on the cluster: [s17O6]: ../overview/software.html#vae ```bash cat <<EOF >> ~/.ssh/config host vae24 ProxyJump login User $USER Hostname vae24.hpc.gsi.de CheckHostIP no EOF ``` With the configuration above login becomes as simples as `ssh vae24`. ### Copy Files Similar the `scp` command is able to copy files using a jump host by adding the SSH argument to the `scp` command with option `-o`[^scpmn], specifically set a jump host with `ProxyJump=`: [^scpmn]: Manual Page `scp`, OpenBSD Foundation <https://man.openbsd.org/scp> ```bash # copy a file using a proxy jump scp -o ProxyJump=login /path/to/data* files.hpc.gsi.de:/lustre/... ```