From bb0c2f683825273b82168e06385f8fa2f06b241c Mon Sep 17 00:00:00 2001 From: Mikael Simberg Date: Wed, 12 Mar 2025 16:17:51 +0100 Subject: [PATCH 1/5] Add internet access page --- docs/alps/hardware.md | 1 + docs/guides/internet-access.md | 52 ++++++++++++++++++++++++++++++++++ mkdocs.yml | 1 + 3 files changed, 54 insertions(+) create mode 100644 docs/guides/internet-access.md diff --git a/docs/alps/hardware.md b/docs/alps/hardware.md index 27f4d3e6..f9ad3cce 100644 --- a/docs/alps/hardware.md +++ b/docs/alps/hardware.md @@ -21,6 +21,7 @@ This approach to cooling provides greater efficiency for the rack-level cooling, * Maximum of 64 quad-blade compute blades * Maximum of 64 Slingshot switch blades +[](){#ref-alps-hsn} ## Alps High Speed Network !!! todo diff --git a/docs/guides/internet-access.md b/docs/guides/internet-access.md new file mode 100644 index 00000000..500a126a --- /dev/null +++ b/docs/guides/internet-access.md 
@@ -0,0 +1,52 @@ +[](){#ref-guides-internet-access} +# Internet Access on Alps + +The [Alps network][ref-alps-hsn] is mostly configured with private IP addresses (`172.28.0.0/16`). +Login nodes have public IP addresses which means that they can directly access the internet, while a proxy server provides internet access for compute nodes. + +??? info "Compute node proxy configuration" + + Compute nodes are configured with the following environment variables to use the proxy server: + + ```bash + https_proxy=http://proxy.cscs.ch:8080 + http_proxy=http://proxy.cscs.ch:8080 + no_proxy=.local, .cscs.ch, localhost, 148.187.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 + HTTPS_PROXY=http://proxy.cscs.ch:8080 + HTTP_PROXY=http://proxy.cscs.ch:8080 + NO_PROXY=.local, .cscs.ch, localhost, 148.187.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 + ``` + +## Using SSH through the proxy server + +While use of the proxy server is transparent for most use cases, e.g. cloning git repositories from GitHub over SSH requires additional configuration for compute nodes. +Cloning over https works without additional configuration. +To make SSH use the proxy server, add the following to your `~/.ssh/config` file: + +```bash +Match Host *,!148.187.0.0/16,!192.168.0.0/16,!172.16.0.0/12,!10.0.0.0/8 exec "hostname -I | grep -vqF 148.187." + ProxyCommand nc -X connect -x proxy.cscs.ch:8080 %h %p +``` + +This configuration takes into account that login and compute nodes require a different setup. + +!!! info "Error message when cloning without the proxy set up for SSH" + When cloning a git repository without the correct SSH configuration, cloning will time out as follows: + ```bash + [daint][@daint-ln001 ~]$ git clone git@github.com:open-mpi/ompi.git + Cloning into 'ompi'... + ssh: connect to host github.com port 22: Connection timed out + fatal: Could not read from remote repository. + + Please make sure you have the correct access rights + and the repository exists. 
+ ``` + +## Accessing the public IP of a node + +When on a login node configured with a public IP address, you can retrieve the public IP address for example as follows: + +```bash +[daint][@daint-ln001 ~]$ curl api.ipify.org +148.187.6.19 +``` diff --git a/mkdocs.yml b/mkdocs.yml index e668f6c3..6ab0fd8c 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -83,6 +83,7 @@ nav: - 'Object Storage': storage/object.md - 'Guides': - guides/index.md + - 'Internet Access on Alps': guides/internet-access.md - 'Storage': guides/storage.md - 'Policies': - policies/index.md From 942d2929e163dc72f4dae62c30d51e38b61ebb8f Mon Sep 17 00:00:00 2001 From: Mikael Simberg Date: Thu, 13 Mar 2025 09:57:48 +0100 Subject: [PATCH 2/5] Address review comments and add notes about public IPs being a shared resource --- docs/guides/internet-access.md | 11 +++++++++-- docs/software/container-engine.md | 6 ++++++ 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/docs/guides/internet-access.md b/docs/guides/internet-access.md index 500a126a..d11cda5a 100644 --- a/docs/guides/internet-access.md +++ b/docs/guides/internet-access.md 
@@ -17,9 +17,16 @@ Login nodes have public IP addresses which means that they can directly access t NO_PROXY=.local, .cscs.ch, localhost, 148.187.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 ``` +!!! warning "Public IPs are a shared resource" + Be aware that public IPs, whether on login nodes or through the proxy, are essentially a shared resource. + Many services will rate limit or block usage based on the IP address if abused. + An example is pulling container images from Docker Hub. + [Authenticating with Docker Hub][ref-ce-third-party-private-registries] makes their rate limit apply per user instead. + ## Using SSH through the proxy server -While use of the proxy server is transparent for most use cases, e.g. cloning git repositories from GitHub over SSH requires additional configuration for compute nodes. +While use of the proxy server is transparent for most use cases, others need additional configuration for compute nodes. +An example is cloning git repositories from GitHub over SSH. Cloning over https works without additional configuration. To make SSH use the proxy server, add the following to your `~/.ssh/config` file: @@ -30,7 +37,7 @@ Match Host *,!148.187.0.0/16,!192.168.0.0/16,!172.16.0.0/12,!10.0.0.0/8 exec "ho This configuration takes into account that login and compute nodes require a different setup. -!!! info "Error message when cloning without the proxy set up for SSH" +??? info "Error message when cloning without the proxy set up for SSH" When cloning a git repository without the correct SSH configuration, cloning will time out as follows: ```bash [daint][@daint-ln001 ~]$ git clone git@github.com:open-mpi/ompi.git diff --git a/docs/software/container-engine.md b/docs/software/container-engine.md index 2b84ded9..6231d38f 100644 --- a/docs/software/container-engine.md +++ b/docs/software/container-engine.md 
@@ -268,10 +268,16 @@ image = "/capstor/scratch/cscs//nvidia+cuda+11.8.0-cudnn8-devel-ubuntu !!! note It is recommended to save images in `/capstor/scratch/cscs/` or its subdirectories before using them with the CE. +[](){#ref-ce-third-party-private-registries} ### Third-party and private registries [Docker Hub](https://hub.docker.com/) is the default registry from which remote images are imported. +!!! warning "Registry rate limits" + Some registries will rate limit image pulls by IP address. + Since [public IPs are a shared resource][ref-guides-internet-access] we recommend authenticating even for publicly available images. + For example, [Docker Hub applies its rate limits per user when authenticated](https://docs.docker.com/docker-hub/usage/). + To use an image from a different registry, the corresponding registry URL has to be prepended to the image reference, using a hash character (#) as a separator. For example: ```bash From 1f9a772dbbe14a70ffa03e39c65fc2ed45f1b852 Mon Sep 17 00:00:00 2001 From: Mikael Simberg Date: Thu, 13 Mar 2025 15:36:09 +0100 Subject: [PATCH 3/5] Give ssh config a title and use plain text lexer --- docs/guides/internet-access.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/guides/internet-access.md b/docs/guides/internet-access.md index d11cda5a..1f7312fd 100644 --- a/docs/guides/internet-access.md +++ b/docs/guides/internet-access.md @@ -30,8 +30,8 @@ An example is cloning git repositories from GitHub over SSH. Cloning over https works without additional configuration. To make SSH use the proxy server, add the following to your `~/.ssh/config` file: -```bash -Match Host *,!148.187.0.0/16,!192.168.0.0/16,!172.16.0.0/12,!10.0.0.0/8 exec "hostname -I | grep -vqF 148.187." +``` title="~/.ssh/config" +Match Host *,!148.187.0.0/16,!192.168.0.0/16,!172.16.0.0/12,!10.0.0.0/8exec "hostname -I | grep -vqF 148.187." ProxyCommand nc -X connect -x proxy.cscs.ch:8080 %h %p ``` 
From e5370975c086e777ae159a3b39538ca672d7184a Mon Sep 17 00:00:00 2001 From: Mikael Simberg Date: Fri, 14 Mar 2025 11:23:18 +0100 Subject: [PATCH 4/5] Add export to proxy environment variables for easier copy-pasting --- docs/guides/internet-access.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/guides/internet-access.md b/docs/guides/internet-access.md index 1f7312fd..4089212a 100644 --- a/docs/guides/internet-access.md +++ b/docs/guides/internet-access.md @@ -9,12 +9,12 @@ Login nodes have public IP addresses which means that they can directly access t Compute nodes are configured with the following environment variables to use the proxy server: ```bash - https_proxy=http://proxy.cscs.ch:8080 - http_proxy=http://proxy.cscs.ch:8080 - no_proxy=.local, .cscs.ch, localhost, 148.187.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 - HTTPS_PROXY=http://proxy.cscs.ch:8080 - HTTP_PROXY=http://proxy.cscs.ch:8080 - NO_PROXY=.local, .cscs.ch, localhost, 148.187.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 + export https_proxy=http://proxy.cscs.ch:8080 + export http_proxy=http://proxy.cscs.ch:8080 + export no_proxy=.local, .cscs.ch, localhost, 148.187.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 + export HTTPS_PROXY=http://proxy.cscs.ch:8080 + export HTTP_PROXY=http://proxy.cscs.ch:8080 + export NO_PROXY=.local, .cscs.ch, localhost, 148.187.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 ``` !!! warning "Public IPs are a shared resource" From fd29d208357a6e539cfc06e1df9591dcd0b2b6c6 Mon Sep 17 00:00:00 2001 From: Mikael Simberg Date: Fri, 14 Mar 2025 11:27:28 +0100 Subject: [PATCH 5/5] Make git cloning without ssh config a warning instead of error --- docs/guides/internet-access.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/guides/internet-access.md b/docs/guides/internet-access.md index 4089212a..6e7e2b74 100644 --- a/docs/guides/internet-access.md +++ b/docs/guides/internet-access.md 
@@ -37,7 +37,7 @@ Match Host *,!148.187.0.0/16,!192.168.0.0/16,!172.16.0.0/12,!10.0.0.0/8exec "hos This configuration takes into account that login and compute nodes require a different setup. -??? info "Error message when cloning without the proxy set up for SSH" +??? warning "Error message when cloning without the proxy set up for SSH" When cloning a git repository without the correct SSH configuration, cloning will time out as follows: ```bash [daint][@daint-ln001 ~]$ git clone git@github.com:open-mpi/ompi.git
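Review bot: In [PATCH 1/5], the `Match Host` line of the `~/.ssh/config` snippet in docs/guides/internet-access.md lists CIDR ranges (`!148.187.0.0/16`, `!192.168.0.0/16`, `!172.16.0.0/12`, `!10.0.0.0/8`) as negated host patterns, but ssh_config(5) host patterns are wildcard globs compared as strings against the target host name, so these entries do not exclude addresses inside those ranges. Internal names under `.cscs.ch` and `.local`, which `no_proxy` exempts in the block above, are not excluded either, so SSH from a compute node to an internal host by name would be sent to the proxy. Suggest glob patterns such as `!148.187.*` and `!*.cscs.ch`, and a sentence noting that `nc -X connect -x` is the OpenBSD netcat syntax, since other netcat variants take different proxy options.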
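Review bot: In [PATCH 3/5], the re-added `Match` line reads `!10.0.0.0/8exec` with no whitespace before `exec`, where the removed line has `!10.0.0.0/8 exec`. Without the separator the `exec` keyword becomes part of the last host pattern and the quoted command is no longer parsed as an `exec` criterion, so the login-node versus compute-node check is lost. The commit message only mentions the title and the lexer, so the `Match` line should stay identical to the one it replaces; please restore the separator.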
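Review bot: In [PATCH 4/5], the added `export no_proxy=.local, .cscs.ch, localhost, ...` and `export NO_PROXY=...` lines are unquoted and contain spaces, so when pasted into a shell only `.local,` is assigned and every following word is treated as a separate name to export, which bash rejects as an invalid identifier. The internal ranges and `.cscs.ch` then stay out of the exclusion list and that traffic goes to the proxy. Since the stated purpose of the commit is copy-pasting, quote the value, for example `export no_proxy=".local, .cscs.ch, localhost, 148.187.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16"`, and do the same for `NO_PROXY`.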