🖥 Computers @NeuroPoly

GE

A GE network account is required to have access to internal computational resources.

You will receive a GE account during your onboarding.

Password

Important

Once in a while, you are requested to change your password. To do so, log onto another machine (eg bireli, joplin) and use the command passwd to change your password.

Groups

The list of permissions for shared folders on duke are available here.

Connect to Windows Servers

Use Microsoft Remote Desktop Connection on creer51, creer52, creer53.

Computer : creer51.grames.polymtl.ca

Username: grames\your_polygrames_username

Password: your_polygrames_password

List of Computers at NeuroPoly

Are you new to NeuroPoly and looking for a desk and a station? Please check the list of Desktop/Server/Clusters computers and Printers so you can pick one that is free. If you’d like a particular desk and someone else is using a station remotely, please ask the admins to move the station to another location.

If you prefer to work on your laptop, please let the admins know in your onboarding ticket and they will find you an available screen you can connect to your laptop.

VPN

When working remotely from off-campus you need to use the VPN.

To connect to the VPN, you need to have an account with École Polytechnique, specifically with CAS. Students should already have this. Consultants and Research Associates will need to have an account created for them. This should have happened during your onboarding.

You can change your CAS password at Gestion des Codes.

The VPN uses the Cisco AnyConnect protocol, and to use it, you must first install a compatible VPN client.

Important

Depending on your status at Polytechnique, you will be assigned to a different VPN group. Your assigned group will determine how authentication will work for you, as well as which VPN clients will be compatible with your needs.

Instructions for different user scenarios are provided below.

Note

The VPN will not work if you are already accessing wifi on campus via eduroam, it is typically intended for off-campus use only.

Background on VPN changes

In September 2024, Polytechnique reconfigured their VPN management strategy.

Previously, VPN authentication worked similarly for all Neuropoly members. Linux and macOS users wishing to avoid installing proprietary Cisco AnyConnect software could follow the instruction provided for students (below).

Because of the changes implemented by Polytechnique, these instructions no longer work for non-students.

If you are not a student, please follow the instructions provided for your specific use case.

Students

Students should be approved for VPN access by default. They are assigned to the PolySSL group.

For Linux and macOS users, openconnect is the recommended VPN client.

Windows users should typically follow the official Polytechnique instructions. Advanced users concerned about the monitoring capabilities of the Cisco AnyConnect client might consider adapting the instructions for a VM-based workaround documented under Polytechnique Staff to their needs.

MacOS

brew install openconnect

Open your Keychain program and click ‘+’ to add a new item:

• Name: poly-vpn

• Account: your YOUR_CAS_USERNAME

• Password: enter your password here.

Note: the new item has to be added as an application password to your login Keychain (i.e., not to your iCloud Keychain).

Then, create the following script:

#!/bin/bash
# vpn.sh

set -eo pipefail

USER="<YOUR_CAS_USERNAME>"
PASS="$(security find-generic-password -a "${USER}" -s poly-vpn -w)"
GROUP=PolySSL # or PolyInvites, depending on your account's status
echo -n "$PASS" | sudo openconnect -u "$USER" --authgroup "$GROUP" --passwd-on-stdin --reconnect-timeout 20 ssl.vpn.polymtl.ca

To connect to the VPN, you need to run:

./vpn.sh

Linux

apt install openconnect

Then, create the following script:

#!/bin/bash
# vpn.sh

set -eo pipefail

USER="<YOUR_CAS_USERNAME>"
PASS="<YOUR_CAS_PASSWORD>"
GROUP=PolySSL # or PolyInvites, depending on your account's status
echo -n "$PASS" | sudo openconnect -u "$USER" --authgroup "$GROUP" --passwd-on-stdin --reconnect-timeout 20 ssl.vpn.polymtl.ca

To connect to the VPN, you need to run:

./vpn.sh

Depending on your Linux set up, you may also be able to create a graphical interface for your VPN. The following instructions were tested on a system using NetworkManager and the GNOME desktop environment:

1. Install the NetworkManager openconnect plugin. For example, with:

apt install network-manager-openconnect-gnome

2. Under Settings go to Network.

3. Under VPN select + to Add VPN.

4. Select Multi-protocol VPN client (openconnect).

5. Under Gateway put ssl.vpn.polymtl.ca.

6. Click Apply.

7. Activate the VPN.

8. Under GROUP: select PolySSL.

9. Under Username: put your CAS username.

10. Under Password: put your CAS password.

11. Click Connect.

Windows

Please follow the official steps from PolyMTL (French or English).

In case the above links ever break, the steps are:

1. Install “Cisco AnyConnect Secure Mobility Client”.

   • NB: This software is licensed to organizations, so the download page will typically be behind some sort of authentication. Right now, you have to download it from the “Utilisation du Service” section of this page, which requries you to sign in with your CAS account.

2. Run the newly-installed Cisco AnyConnect Secure Mobility Client program.

3. Configure the VPN:

   • Enter the server address: ssl.vpn.polymtl.ca

   • In the “Group” drop-down list, choose the profile: PolySSL

   • Identify yourself with the username and password of your CAS account (e.g. p123123)

4. Click “Accept”. You’re connected! :)

Polytechnique Staff

Polytechnique staff (including Professors, Research Associates, and Postdoctoral Researchers) are assigned to the PolyQuartz group.

The PolyQuartz group relies on an authentication flow that makes use of your Okta account. The authentication flow is not natively supported by the openconnect client.

Users wishing to avoid installing the officially provisioned Cisco AnyConnect client can consider several known workarounds.

Linux and macOS users can use a workaround involving the openconnect client and manual cookie extraction.

All users can implement a workaround involving running the Cisco AnyConnect client inside a Virtual Machine.

Instructions for each of these options are as follows:

Openconnect with cookie extraction

This workaround allows you to complete the Okta-based authentication flow while using the openconnect client.

It should be effective for Linux and macOS users.

1. Ensure that the openconnect client is installed on your computer.

2. Visit https://ssl.vpn.polymtl.ca in a browser

3. Select PolyQuartz and press Logon

4. Logon with your Okta credentials

5. On the Cisco Secure Client Download page, open your browser’s DevTools.

6. Find the webvpn cookie and copy its value.

7. Pass this value to the following command on stdin (either by typing it, or piping to it):

sudo openconnect --protocol=anyconnect --authgroup=PolyQuartz --cookie-on-stdin https://ssl.vpn.polymtl.ca/

Note

A script to automate this process can be found here.

Cisco AnyConnect in a VM

This workaround allows you to isolate the Cisco AnyConnect client in a virtual machine. Additionally it allows you to determine which traffic you send through the VPN.

It should be effective for Linux, macOS and Windows users.

It is recommended for advanced users.

1. Create an Ubuntu virtual machine using your preferred Virtual Machine Manager (these instructions were tested with QEMU-KVM, but other VMMs should work fine as well).

2. Under network settings, your VM should be set to use NAT.

3. Inside your new VM, follow the official Polytechnique instructions to install the Cisco AnyConnect client.

4. Set up your VM as an SSH server.

sudo apt install openssh-server

sudo systemctl enable ssh

sudo systemctl start ssh

5. Get the ip address of your VM (ip a) and write it down.

6. On the host, generate an SSH key pair, (or select an existing key pair to use) then transfer the public key to your VM using ssh-copy-id. You can modify the following commands with the correct info to do this:

ssh-keygen -t ed25519 -C "<VM_USER>@<VM_NAME>" -f ~/.ssh/<VM_USER>_ed25519

ssh-copy-id -i ~/.ssh/<VM_USER>_ed25519.pub -o PreferredAuthentications=password <VM_USER>@<VM_IP>

7. Test that you can successfully SSH into the VM.

8. In your SSH config file (~/.ssh/config) configure your VM as a proxy jump for traffic directed to NeuroPoly servers. You can modify the following config for your purposes:

# Needed for proxy jump with AnyConnect vm

# Replace the HostName with your VM's IP
# Replace the User with the username on your VM
# Replace the IdentityFile with the correct path to the relevant SSH key
Host jumpvm
    HostName <VM_IP>
    User <VM_USER>
    IdentityFile ~/.ssh/<VM_USER>_ed25519

# This allows you to proxy ssh traffic to NeuroPoly servers
Host *.neuro.polymtl.ca 132.207.*
    ProxyJump jumpvm

# Needed to use git with data

# Replace the IdentityFile with the correct path to the SSH key you use on data
Host data.neuro.polymtl.ca
    User git
    IdentityFile ~/.ssh/<KEY_FILE>

Note

If you sometimes work on campus, this config will interfere with your onsite access if not disabled. If you want to make it easier to manage alternate ssh config settings, you can create a different config file that includes these settings, and then point to it with the ssh -F option.

Once you have finished with configuration, you can test your set up. For it to work, you will need to first start your VM and enable the VPN connection using the Cisco AnyConnect client inside your VM.

You will then be able to proxy NeuroPoly-destined ssh traffic from your main host through your VM, which will make it easier to connect to NeuroPoly resources without significantly altering your workflow. You can test making an ssh connection to a NeuroPoly server to confirm that this works.

Note

You can use port forwarding to form other kinds of connections through your VM. (e.g. for RDP connections, to access duke or to access data in your browser). Examples follow.

To connect to a station using RDP

ssh -NL 3389:localhost:3389 <GE_USERNAME@<STATION>.neuro.polymtl.ca

Then in your RDP client put localhost:3389 for the server.

To connect to duke

ssh -NL 1445:duke.neuro.polymtl.ca:445 <VM_USER>@jumpvm  

Then follow standard instructions for duke but replace duke.neuro.polymtl.ca with localhost:1445 (e.g. smb://localhost:1445/<FOLDER>).

To access data in your browser

ssh -NL 3000:localhost:3000 <GE_USERNAME>@data.neuro.polymtl.ca

Then in your browser go to: http://localhost:3000

Official instructions

The official Polytechnique instructions for configuring the Cisco AnyConnect client can be found here.

Other Members

If you are an Intern, a Consultant, or are otherwise considered an “Invité” by Polytechnique, this section applies to you. Users in your category are not granted VPN access by default. A specific request must be submitted to DGE IT to give you VPN access. (Normally, someone on the admin team should help you with this during your onboarding).

Once you are approved for VPN access, DGE IT will provide personalized instructions for your specific use case. Most likely, you will be be added to the PolyPhoton group. Like PolyQuartz, this group uses Okta for authentication.

Note

If you do not wish to use the official Cisco AnyConnect client, you may be able to adapt the instructions under the Polytechnique Staff section for your purposes. However, please note that the workarounds described for PolyQuartz users have not been adequately tested for PolyPhoton users.

Warning

DGE IT’s protocols for integration of VPN users with an “Invité” status are currently under development, so at the moment we cannot provide much assurance that alternative VPN configurations will work for these users. The most reliable option is to follow the official instructions provided by DGE IT and Polytechnique.

Connect to NeuroPoly Computers

Locally

To log into a desktop station while at NeuroPoly, use your GE account.

SSH (command line)

Note

If working off-campus, start your VPN first.

Note

If working on-campus using eduroam wifi, make sure you are connected to eduroam using your Poly credentials. The ssh command below will probably not work if you are using eduroam credentials from another university. Alternatively, you can use the cable connection.

Connect via ssh using the STATION you want:

 ssh <GE_USERNAME>@<STATION>.neuro.polymtl.ca

Note

Use the password you received by email. Not the password you received on printed paper. To change the password, see the section Password above.

Note

To get ssh on Windows, you can install Microsoft’s ssh package, WSL, PuTTY, or cmder, or Git-Bash.

Optionally, install this shortcut which allows you to just type ssh <STATION>:

cat >~/.ssh/config_neuropoly <<EOF
Match Host abbey,betty,bireli,coltrane,davis,django,ella,ferguson,jarrett,joplin,kirk,marsalis,mingus,parker,romane,rosenberg,tatum
HostName %h.neuro.polymtl.ca

Match host *.neuro.polymtl.ca
User <GE USERNAME> # fill in your username and remove this comment
# passwords are required to access /mnt/duke: https://github.com/neuropoly/computers/issues/90:
PreferredAuthentications password
EOF

echo 'Include ~/.ssh/config_neuropoly' >> ~/.ssh/config

Optionally, add this shortcut which makes simultaneous ssh connections possible without retyping your password:

cat >>~/.ssh/config <<EOF
Host *
ControlMaster auto
ControlPath ~/.ssh/%r@%h:%p

SFTP (Mount a remote station)

ssh also allows accessing remote files, via sftp.

The best way to do this is sshfs, which makes them appear as if they were a drive on your computer:

Install sshfs, if not yet installed:

Linux

sudo apt install -y sshfs

mac (Monterey and after)

Follow this procedure.

mac (Before Monterey)

brew install --cask osxfuse
brew install sshfs

Then mount the folder

mkdir cluster_folder
sshfs <USERNAME>@<STATION>: cluster_folder

If you use ~ or nothing (as shown) after the :, the connection will be relative to to your remote home directory, e.g.

sshfs <USERNAME>@<STATION>:~/project1/ cluster_folder

will attach the remote /home/ge.polymtl.ca/$USER/project1/ to the local ./cluster_folder, and

sshfs <USERNAME>@<STATION>:project1/ cluster_folder

will do the exact same.

However if you use / after the :, the mount will be relative to the remote root directory, e.g.

sshfs <USERNAME>@<STATION>:/tmp/ cluster_folder

will attach the remote /tmp/ to the local ./cluster_folder

Note

If you are experiencing mounting issues on macOs, this might help.

VNC (graphical interface)

macOS

1. Open Finder

2. Click Cmd+K

3. In the “Server Address”, type (using the STATION you want): vnc://STATION.neuro.polymtl.ca

4. You can use your local/network account information or the shared account credentials

PC/Linux

1. Establish a VNC connection using vinaigre.

2. In the “Server Address”, type (using the STATION you want): vnc://STATION.neuro.polymtl.ca

3. You can use the password from shared account credentials

Linux stations

On Linux targets, a VNC server needs to be started manually before the above instructions will work.

1. Create configuration file under ~/.vnc/xstartup with the following contents:

 #!/bin/sh
 # Uncomment the following two lines for normal desktop:
 unset SESSION_MANAGER
 unset DBUS_SESSION_BUS_ADDRESS
 startxfce4 &
 [ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
 [ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
 xsetroot -solid grey
 vncconfig -iconic &

1. Give the right permissions to the file ~/.vnc/xstartup

 chmod +x ~/.vnc/xstartup

1. Start VNC server

 vncserver -geometry 1600x1200 :<PORT_NUMBER>

Note: To list all running vncservers, use: ps -ef | grep vnc`

After starting the vncserver, connect to it as above.

Note

Note:

• On the first start of the vncserver, you will have to set a personal password for your vnc session

• The resolution can be defined by changing the value of the -geometry flag.

1. Stop VNC server - mandatory at the end of your session

 vncserver -kill :<PORT_NUMBER>

Language

The default interface on our systems is français. To use another language, set your LANG environment variable:

echo 'export LANG=en_CA.UTF-8' >> ~/.profile

Logout and back in again and apps should now be in English (or the other language code you chose).

CPU/GPU Clusters

The following CPU and GPU clusters are available for internal use at NeuroPoly.

Warning

Please indicate in NeuroPoly’s “Computer resource” calendar if you plan to launch intensive calculations on a computer. These are shared resources, so it helps to know which computer is being used and by who, in order to prioritize tasks and make the best of our resources. Your calendar entry could span several days, and should specify your name and the ID or number of GPU/CPU used. Example: julien@rosenberg:gpu[4,5], or naga@joplin:cpu[n=20] If you don’t have writing permission on this calendar please post a request on the ticket tracker.

Note

If you wish to monitor the CPU/GPU/RAM/disk and other aspects of the server you are using, you can use our monitoring system. You need to be inside the VLAN to see the monitoring system.

rosenberg

Spec	Description
CPU	2x Intel E5-2630
GPU	8x P100
RAM	16x 32GB DDR4
Hostname	rosenberg.neuro.polymtl.ca

• By default, the root (OS and home folder) mount point is on the NVME disk

• Shared scratch located under /scratch. Please clean the unnecessary data after you finish the processing.

• How to use GPU Clusters at NeuroPoly

  • Video tutorial to get started

For system administrators: Please log all the changes on the station by updating the ansible scripts from neuropoly/computers.

romane

Spec	Description
CPU	AMD EPYC 7452 32-Core
GPU	4x RTX A6000 48GB
RAM	16x 32GB DDR4
Hostname	romane.neuro.polymtl.ca

• By default, the root (OS and home folder) mount point is on the NVME disk. You can train your model on your /home

• How to use GPU Clusters at NeuroPoly

  • Video tutorial to get started

For system administrators: Please log all the changes on the station by updating the ansible scripts from neuropoly/computers.

bireli

Spec	Description
CPU	i7-5930K 3.5GHz 6 Cores
GPU	2x GTX Titan X 12GB
RAM	1x 64GB DDR4
Hostname	bireli.neuro.polymtl.ca

• Add event to the computer calendar

• Use your GE account to connect on the machine

• How to use GPU Clusters at NeuroPoly

joplin

Spec	Description
CPU	8x Intel E7-4809v4 8-Core 2.10GHz
RAM	16x 16GB DDR4
Hostname	joplin.neuro.polymtl.ca

The server is bound to the GRAMES which is linked to the GE domain.

abbey

Spec	Description
CPU	Xeon 12-core
OS	Ubuntu
Hostname
Credentials	NeuroPoly Internal Document: Abbey Teamviewer Credentials

fitzgerald

Spec	Description
Model
OS	Windows 7
Hostname
Credentials	NeuroPoly Internal Document: Fitzgerald TeamViewer Credentials

tristano

Spec	Description
Model	Mac Mini
OS	Ubuntu 16.04
Hostname
Credentials	NeuroPoly Internal Document: Tristano VNC Credentials

For SCT database interface use: SCT annotations

vnmrj

Spec	Description
Model	PC Intel Duo Quad Core
OS	RedHat
Hostname
Credentials	NeuroPoly Internal Document: VNMRJ VNC Credentials

idea3t

Spec	Description
Purpose	Programming pulse sequences within the Siemens IDEA environment for VE11C (Prisma)
Model	PC
OS	Windows 10 (⚠️ Connect with Microsoft Remote Desktop)
Hostname	idea3t.neuro.polymtl.ca
Credentials	NeuroPoly Internal Document: Idea3t Remote Credentials

Warning

Possible error: “The certificate or associated chain is not valid.”
Solution: Install remote Desktop v10 or higher (v8 does not work)

idea7t

Spec	Description
Purpose	Programming pulse sequences within the Siemens IDEA environment for VE12U (Terra)
Model	PC
OS	Windows 10 (⚠️ Connect with Microsoft Remote Desktop)
Hostname	idea7t.neuro.polymtl.ca
Credentials	NeuroPoly Internal Document: Idea7t Remote Credentials

peterson

Spec	Description
Purpose	EM simulation with CST
Model	PC, NVIDIA RTX A6000 (1x)
OS	Windows 10 (Connect with Microsoft Remote Desktop)
Hostname	peterson.grames.polymtl.ca
Credentials	<GE_USERNAME>/<GE_PASSWORD>

node006 (Poly-Grames)

Spec	Description
Purpose	EM simulation with CST
Model	PC, NVIDIA Tesla V100S-PCIE-32GB (1x)
OS	Windows 10 (Connect with Microsoft Remote Desktop)
Hostname	node006.grames.polymtl.ca
Credentials	<GE_USERNAME>/<GE_PASSWORD>

node007 (Poly-Grames)

Spec	Description
Purpose	EM simulation with CST
Model	PC, NVIDIA Tesla V100S-PCIE-32GB (1x)
OS	Windows 10 (Connect with Microsoft Remote Desktop)
Hostname	node007.grames.polymtl.ca
Credentials	<GRAMES_USERNAME>/<GRAMES_PASSWORD>

Connect to the Polytechnique public disk

Finder –> Go –> Connect to server Server address:

smb://genie06.polymtl.ca/public

Then enter your ID and password at poly.

Retrieve an old backup

duke (/mri, /projects, /sct_testing) is backed up on grappelli every evening at 21:00 EST. In order to retrieve old backup you have to contact Jean-Sébastien Décarie.

Software Installed

Installed on each station (local)

MRI

• FSL

• ANTS

• FreeSurfer

• mricron (for dcm2nii conversion)

• Osirix

• ITKsnap

• MITKworkbench

• Diffusion Toolkit (with quicklook plugin) + Trackvis

Programming

• git

• source tree –> visualiser of git

• Xcode (with command line tools)

• PyCharm (Python editor)

• Sublime Text (code editor)

Misc

• Google Sketchup

• Google Chrome

• VirtualBox

• Endnote

• Dropbox

• X11 Quartz

• Microsoft suite (Installation kit can be found on the GRAMES server. Please see section below.)

• Matlab (Installation kit can be found on the GRAMES server. Please see section below.)

• Slack

• NDP view

• QuickLook:

  • Nifti viewer

• Tanguy’s app to open Nifti files with FSLview

To access software from the department (Matlab, Microsoft Office, etc.), connect to:

smb://hcifst.grames.polymtl.ca/tools

Scheduled reboots

Each computer has a regular unattended upgrade that forces a reboot once a week. The date and time of the next reboot will be indicated in a message when you log in. Do try and consider this when starting your computations. If you started a long computation that you think will be interupted by the scheduled reboot, you can contact neuropoly-admin@liste.polymtl.ca to request that the reboot be exceptionally delayed.

Admins: Documentation on the standard operating procedure for delaying scheduled reboots is described here.

Admin

Technical details about station management and documentation is found on this repository.