Difference between revisions of "Resolving UWindsor Internet Connectivity Issues"

From SHARCNETHelp
Jump to navigationJump to search
Line 4: Line 4:


==Overview==
==Overview==
Earlier this summer the University of Windsor experienced a serious cyber-security incident, e.g., [https://www.uwindsorsupport.ca/node/3|notice/update page for the incident]. Since the University of Windsor has significantly restricted network service access that likely affects all researchers using external resources to do their research, e.g., using SHARCNET / Compute Ontario / Alliance, etc. resources.
Earlier this summer the University of Windsor experienced a serious cyber-security incident, e.g., [https://www.uwindsorsupport.ca/node/3 notice/update page for the incident]. Since the University of Windsor has significantly restricted network service access that likely affects all researchers using external resources to do their research, e.g., using SHARCNET / Compute Ontario / Alliance, etc. resources.


One is using the University of Windsor's network when:
One is using the University of Windsor's network when:
Line 20: Line 20:
As of this writing, August 15, 2022, it appears that from the University of Windsor's network:
As of this writing, August 15, 2022, it appears that from the University of Windsor's network:
* using a device that is '''not owned''' by the University of Windsor one can only access HTTP (port 80) and HTTPS (port 443) ports to external sites, and,
* using a device that is '''not owned''' by the University of Windsor one can only access HTTP (port 80) and HTTPS (port 443) ports to external sites, and,
** Apparently this can only be done '''only if''' one is '''also''' running GlobalProtect VPN. Contact [https://www.uwindsor.ca/itservices/|Information Technology Services (ITS)] for further assistance concerning obtaining and installing this software. (SHARCNET, Compute Ontario, the Alliance, etc. are '''not''' the appropriate entities to assist with such.)
** Apparently this can only be done '''only if''' one is '''also''' running GlobalProtect VPN. Contact [https://www.uwindsor.ca/itservices/ Information Technology Services (ITS)] for further assistance concerning obtaining and installing this software. (SHARCNET, Compute Ontario, the Alliance, etc. are '''not''' the appropriate entities to assist with such.)
* using a device that is owned by the University of Windsor '''only if''' a program called ''SentinelOne'' is installed on that computer (and any other possible requirements as required by [https://www.uwindsor.ca/itservices/|Information Technology Services (ITS)].
* using a device that is owned by the University of Windsor '''only if''' a program called ''SentinelOne'' is installed on that computer (and any other possible requirements as required by [https://www.uwindsor.ca/itservices/ Information Technology Services (ITS)].
** i.e., see [https://www.uwindsorsupport.ca/node/2#install|this link] and contact ITS for any and all aspects concerning such. (SHARCNET, Compute Ontario, the Alliance, etc. are '''not''' the appropriate entities to assist with such.)
** i.e., see [https://www.uwindsorsupport.ca/node/2#install this link] and contact ITS for any and all aspects concerning such. (SHARCNET, Compute Ontario, the Alliance, etc. are '''not''' the appropriate entities to assist with such.)


Since many research teams (i.e., faculty, students, staff, etc.) often use personal devices and may not even have University of Windsor-owned devices to use, this essentially means all of those persons will not be able to access any resources that are not exclusive to HTTP or HTTPS outside the University of Windsor. These resources include:
Since many research teams (i.e., faculty, students, staff, etc.) often use personal devices and may not even have University of Windsor-owned devices to use, this essentially means all of those persons will not be able to access any resources that are not exclusive to HTTP or HTTPS outside the University of Windsor. These resources include:
* any and all SHARCNET, Compute Ontario, and Alliance resources which are not exclusive to HTTP and/or HTTPS, and
* any and all SHARCNET, Compute Ontario, and Alliance resources which are not exclusive to HTTP and/or HTTPS, and
** e.g., including but not limited to systems and resources mentioned in the [https://docs.alliancecan.ca/wiki/Technical_documentation|Alliance wiki].
** e.g., including but not limited to systems and resources mentioned in the [https://docs.alliancecan.ca/wiki/Technical_documentation Alliance wiki].
* any and all CERN, XSEDE (Access), EuroHPC, etc. systems and resources which are not exclusive to HTTP and/or HTTPS.
* any and all CERN, XSEDE (Access), EuroHPC, etc. systems and resources which are not exclusive to HTTP and/or HTTPS.
** NOTE: Obviously, SHARCNET, Compute Ontario, and the Alliance do not support such systems but many researchers using our systems do also use systems in these and other locales and/or collaboratively conduct research and/or data exchange with these and others around the world so it is entirely appropriate to mention this here.
** NOTE: Obviously, SHARCNET, Compute Ontario, and the Alliance do not support such systems but many researchers using our systems do also use systems in these and other locales and/or collaboratively conduct research and/or data exchange with these and others around the world so it is entirely appropriate to mention this here.


It also appears that important services such as Globus, which is used to transfer files, also do not currently work from the University of Windsor network.
It also appears that important services such as Globus, which is used to transfer files, also do not currently work from the University of Windsor network.
** e.g., per some testing on August 15, 2022 it appears that using the [https://globus.computecanada.ca|Globus web interface] and using the Globus Connect Personal client application cannot be used to transfer files to/from the University of Windsor network.
** e.g., per some testing on August 15, 2022 it appears that using the [https://globus.computecanada.ca Globus web interface] and using the Globus Connect Personal client application cannot be used to transfer files to/from the University of Windsor network.


Locally at the University of Windsor, if a research team is using lab/research team network services to know that such cannot be accessed unless whitelisted by ITS and/or ''SentinelOne'' is run on those servers. (Please don't submit a ticket to SHARCNET, Compute Ontario, the Alliance, etc. as we cannot do anything about this: this is purely a University of Windsor matter so contact ITS to address such issues.)
Locally at the University of Windsor, if a research team is using lab/research team network services to know that such cannot be accessed unless whitelisted by ITS and/or ''SentinelOne'' is run on those servers. (Please don't submit a ticket to SHARCNET, Compute Ontario, the Alliance, etc. as we cannot do anything about this: this is purely a University of Windsor matter so contact ITS to address such issues.)
Line 58: Line 58:
===Using JupyterHub===
===Using JupyterHub===


# Go to the [https://docs.alliancecan.ca/wiki/JupyterHub#JupyterHub_on_clusters|JupyterHub web page] of the desired cluster.
# Go to the [https://docs.alliancecan.ca/wiki/JupyterHub#JupyterHub_on_clusters JupyterHub web page] of the desired cluster.
# Log in with your Alliance username and password.
# Log in with your Alliance username and password.
# Select the desired account (if you've more than one available).
# Select the desired account (if you've more than one available).
Line 92: Line 92:
# Arrange to test such with after such as been set up.
# Arrange to test such with after such as been set up.


This is very manual process and involves staff within SHARCNET/Compute Ontario/Alliance as well as University of Windsor staff (e.g., technicians and ITS) and requires testing. Nicely, after such has been successfully tested, however, one is able to focus on running research jobs on the cluster (as long as the licence server is up-and-running). Before going down this path, however, we encourage all researchers to first search for and have a look at (if it exists) the software they are using in our [https://docs.alliancecan.ca|Documentation Wiki] --a number of programs have specific pages detailing what needs to be done in order to get things to work.
This is very manual process and involves staff within SHARCNET/Compute Ontario/Alliance as well as University of Windsor staff (e.g., technicians and ITS) and requires testing. Nicely, after such has been successfully tested, however, one is able to focus on running research jobs on the cluster (as long as the licence server is up-and-running). Before going down this path, however, we encourage all researchers to first search for and have a look at (if it exists) the software they are using in our [https://docs.alliancecan.ca Documentation Wiki] --a number of programs have specific pages detailing what needs to be done in order to get things to work.

Revision as of 17:08, 16 August 2022

University of Windsor 2022 Connectivity Issues

Notice

Since various persons (as of this writing August 15, 2022) are on vacation or will be on vacation, the (initial) text on this page has been written by Paul Preney (i.e., the SHARCNET staff person located at the University of Windsor) with limited input from other SHARCNET staff. Hopefully any issues below are sufficiently/completely resolved before the fall semester starts. That said, a limited work-around to obtain some terminal and file transfer abilities is discussed below (i.e., using JupyterLab).

Overview

Earlier this summer the University of Windsor experienced a serious cyber-security incident, e.g., notice/update page for the incident. Since the University of Windsor has significantly restricted network service access that likely affects all researchers using external resources to do their research, e.g., using SHARCNET / Compute Ontario / Alliance, etc. resources.

One is using the University of Windsor's network when:

  • one is physically connected to such on-campus,
  • one is using the campus wireless network, or
  • one is using GlobalProtect VPN (when it is activated/connected).

otherwise one is not on the University of Windsor's network. If one is not on the University of Windsor's network (and also has GlobalProtect VPN inactive on that computer), then one should be able to connect normally without issues (assuming your network is not otherwise blocking you from connecting to various network services) and the content of this page is not a concern. On the other hand, if one needs to use the University of Windsor's network (even from home or elsewhere with GlobalProtect VPN activated) then the content of this page matters as it may well (at this time, August 2022) be the only way access to external resources to do one's research work.

Throughout the summer, the University of Windsor's ITS has been activity working to bring back various network services and has the following pages detailing their progress:

Connectivity From the UWindsor Network

As of this writing, August 15, 2022, it appears that from the University of Windsor's network:

  • using a device that is not owned by the University of Windsor one can only access HTTP (port 80) and HTTPS (port 443) ports to external sites, and,
    • Apparently this can only be done only if one is also running GlobalProtect VPN. Contact Information Technology Services (ITS) for further assistance concerning obtaining and installing this software. (SHARCNET, Compute Ontario, the Alliance, etc. are not the appropriate entities to assist with such.)
  • using a device that is owned by the University of Windsor only if a program called SentinelOne is installed on that computer (and any other possible requirements as required by Information Technology Services (ITS).
    • i.e., see this link and contact ITS for any and all aspects concerning such. (SHARCNET, Compute Ontario, the Alliance, etc. are not the appropriate entities to assist with such.)

Since many research teams (i.e., faculty, students, staff, etc.) often use personal devices and may not even have University of Windsor-owned devices to use, this essentially means all of those persons will not be able to access any resources that are not exclusive to HTTP or HTTPS outside the University of Windsor. These resources include:

  • any and all SHARCNET, Compute Ontario, and Alliance resources which are not exclusive to HTTP and/or HTTPS, and
    • e.g., including but not limited to systems and resources mentioned in the Alliance wiki.
  • any and all CERN, XSEDE (Access), EuroHPC, etc. systems and resources which are not exclusive to HTTP and/or HTTPS.
    • NOTE: Obviously, SHARCNET, Compute Ontario, and the Alliance do not support such systems but many researchers using our systems do also use systems in these and other locales and/or collaboratively conduct research and/or data exchange with these and others around the world so it is entirely appropriate to mention this here.

It also appears that important services such as Globus, which is used to transfer files, also do not currently work from the University of Windsor network.

    • e.g., per some testing on August 15, 2022 it appears that using the Globus web interface and using the Globus Connect Personal client application cannot be used to transfer files to/from the University of Windsor network.

Locally at the University of Windsor, if a research team is using lab/research team network services to know that such cannot be accessed unless whitelisted by ITS and/or SentinelOne is run on those servers. (Please don't submit a ticket to SHARCNET, Compute Ontario, the Alliance, etc. as we cannot do anything about this: this is purely a University of Windsor matter so contact ITS to address such issues.)

Connecting to SHARCNET/Compute Ontario/Alliance Resources If Only HTTP/HTTPS Are Available

If only HTTP and/or HTTPS are only available then the ability to make full use of various tools to access SHARCNET, Compute Ontario, and/or Alliance systems and resources is limited. Realize that the following (non-exhaustive) items will not work:

  • using any Secure Shell clients (e.g., ssh, scp, sftp, WinSCP, editors that use SSH to transfer files, IDEs using SSH (such as VisualStudio Code) that use SSH, etc.) will not work,
  • using rsync will not work,
  • using VNC (even with the equivalent of HTTPS security will not work, e.g., connecting to gra-vdi.computecanada.ca will not work),
  • etc.

Many Alliance systems (not just SHARCNET systems) do run instances of JupyterHub which will allow you to connect to the various Alliance clusters to use JupyterLab which will enable you to:

  • use a terminal window on that cluster,
  • use a graphical environment on that cluster (if such is needed),
    • ASIDE: Since SSH cannot be used, no SSH tunnelling can be done. Since VNC cannot be used gra-vdi isn't available to be used for visualizations. Consequently, this is the only remaining visualization option for University of Windsor-network-using researchers to use a graphical environment to visualize and explore their research especially when very large data sets are involved.

With JupyterHub, one will not be able to do the following (non-exhaustive) items:

  • use the equivalent of pipes with ssh (since SSH is not available)
    • This includes using such in scripts, software that internally uses SSH, etc.
  • local machine/servers that regularly run SSH and/or scp and/or rsync commands, etc. will not work
    • NOTE: Such will now have to manually be done by a human being.
  • Globus and the Data Transfer Nodes (DTNs) cannot be used so any files that cannot be transferred in the amount of time available to a JupyterHub session, cannot be transferred.
    • If this is an issue, please submit a ticket to support@computecanada.ca mentioning this problem and how much data needs to be transferred so we can figure out how that data can be moved to/from our systems.

Using JupyterHub

  1. Go to the JupyterHub web page of the desired cluster.
  2. Log in with your Alliance username and password.
  3. Select the desired account (if you've more than one available).
  4. Specify the amount of time (maximum) you want for this session.
    • NOTE: The session is a Slurm job. Once the maximum time has been reached, the job will be killed. It is recommended to keep the time asked for restricted to the amount of time you will actively use Jupyter, e.g., 2 or 3 hours.
  5. Specify the number of cores needed.
    • Typically this should be one unless you want to test your program with multiple cores, etc.
    • If you will be using MPI programs, remember to use srun to run your MPI programs in the terminal window within Jupyter.
  6. Specify the total amount of RAM needed.
    • Ideally keep this figure low to below 4000M per CPU core.
  7. Only if you will be using a GPU, specify the desired GPU configuration.
  8. Specify JupyterLab for the user interface. (This is the newest and most useful interface.)
  9. Click the Start button.

After clicking the Start button, wait for Jupyter to start.

  • It will timeout after 5 minutes. If it times out, then try it again. It such persists reduce the number of cores, RAM, GPUs, etc. being asked for and try again. If needed, submit a ticket to support@computecanada.ca ask for help with his and/or report a problem connecting.

Once JupyterLab starts use the Launcher (or File > New Launcher) to start a Terminal window or Desktop to start a graphical environment.

Know there is no need to use an salloc session since one is inside a Slurm job within JuptyerLab. Consequently since this is within a Slurm job, $SLURM_TMPDIR is also set and can/should be used when relevant.

Odds and Ends

Running a Licence Server @uwindsor.ca

If you need to use proprietary software on SHARCNET, Compute Ontario, Alliance systems where the software requires a licence server which must be physically located on the University of Windsor campus, know this can be done and has always involved doing the following:

  1. Set up the licence server at a specific IP and port on campus.
    • It is advised to enlist the help of a UWindsor Technician and/or ITS to do this.
  1. Enlist the help of a UWindsor Technician and ITS to ensure that IP and Port will be able to be accessed from outside of the UWindsor network.
  2. If the cluster you want to use does not allow Internet access from its compute nodes, or, if ITS wants more security than anyone from anywhere on the Internet can access that IP and port, then submit a ticket to support@computecanada.ca asking for a tunnel to be opened up with your research team's jobs to the IP and port AND ask from which DNS name (or IPs) where such queries will appear to be coming from.
    • The latter allows ITS to limit the ability to successfully connect to that IP and Port which helps reduce possible security issues.
  1. Arrange to test such with after such as been set up.

This is very manual process and involves staff within SHARCNET/Compute Ontario/Alliance as well as University of Windsor staff (e.g., technicians and ITS) and requires testing. Nicely, after such has been successfully tested, however, one is able to focus on running research jobs on the cluster (as long as the licence server is up-and-running). Before going down this path, however, we encourage all researchers to first search for and have a look at (if it exists) the software they are using in our Documentation Wiki --a number of programs have specific pages detailing what needs to be done in order to get things to work.