E-MapReduce: Log on to a cluster

Last Updated: Mar 26, 2026

SSH into any node of an E-MapReduce (EMR) cluster to run commands, inspect logs, debug jobs, or interact with open-source components such as Apache Hadoop, Apache Spark, and Apache Flink directly on the cluster.

This document covers:

  • Logging on to the master node using an SSH key pair or password

  • Logging on to the master node through Workbench (ECS console)

  • Logging on to core and task nodes from the master node

Prerequisites

Before you begin, ensure that you have:

Find a node's public IP address and name

  1. Log on to the EMR console.

  2. In the top navigation bar, select a region and a resource group based on your business requirements.

  3. On the EMR on ECS page, find your cluster and click Nodes in the Actions column.

  4. On the Nodes tab, find the node group and click the expand icon.

    • Public IP Address column: the node's public IP address.

    • Node Name/ID column: the node name, such as master-1-1, core-1-1, or task-1-1.

If the Public IP Address column is empty, no public IP was assigned at cluster creation. See Assign a public IP address after cluster creation in the FAQ.

Log on to the master node

Using an SSH key pair

When you create a cluster with an SSH key pair, a .pem private key file is automatically downloaded to your local machine. Use this file to authenticate.

Make sure port 22 is open in your cluster's security group before connecting. See Prerequisites.

Linux

  1. Restrict the key file's permissions:

    chmod 400 ~/.ssh/ecs.pem

    Replace ~/.ssh/ecs.pem with the actual path to your .pem file.

  2. Connect to the master node:

    ssh -i ~/.ssh/ecs.pem emr-user@<public-ip-of-master-node>

    To find <public-ip-of-master-node>, see Find a node's public IP address and name.

Windows

Windows 10 and later include a built-in OpenSSH client. Open Command Prompt and run:

ssh -i <path-to-pem-file> emr-user@<public-ip-of-master-node>

Replace <path-to-pem-file> with the full path to your .pem file, for example C:\Users\you\.ssh\ecs.pem.

If you prefer a graphical SSH client, use PuTTY:

  1. Download PuTTY and PuTTYgen.

  2. Convert the .pem file to .ppk format using PuTTYgen:

    1. Open PuTTYgen. (This example uses PuTTYgen 0.82.)

    2. In the Actions section, click Load.

    3. Set the file type filter to All files (*.*), select your .pem file, and click Open.

    4. Click Save private key. When prompted, click Yes to save without a passphrase.

    5. Enter a name for the .ppk file (for example, kp-123.ppk) and click Save.

  3. Log on using PuTTY:

    1. Open PuTTY.

    2. In the left panel, go to Connection > SSH > Auth > Credentials to authenticate with.

    3. Under Private key file for authentication, click Browse and select the .ppk file.

    4. Click Session. In the Host Name (or IP address) field, enter emr-user@<public-ip-of-master-node>, for example emr-user@10.10...

    5. Click Open. In the security dialog, select Accept.

Using an SSH password

The username and password are those you set when creating the cluster. The default username is root. Make sure port 22 is open in your cluster's security group before connecting. See Prerequisites.

Linux

ssh root@<public-ip-of-master-node>

Windows

  1. Download and install PuTTY.

  2. Open PuTTY and configure the following:

    • Host Name (or IP address): The master node's public IP address

    • Port: 22

    • Connection type: SSH

    • Saved Sessions: (Optional) Enter a session name and click Save to reuse this configuration

  3. Click Open. Enter root as the username and your password when prompted.

Using Workbench (ECS console)

If you get a permission error when using Workbench, see Workbench permission error in the FAQ.

  1. Log on to the EMR console.

  2. In the top navigation bar, select a region and a resource group based on your business requirements.

  3. On the EMR on ECS page, find your cluster and click Nodes in the Actions column.

  4. On the Nodes tab, click the node ID to open the ECS console.

  5. On the Instances page, click Connect in the Actions column. For additional connection options, see Methods for connecting to an ECS instance.

Log on to core and task nodes

Log on to the master node first, then connect to other nodes from there.

Password-free login from the master node

  1. Log on to the master node. See Log on to the master node.

  2. On the master node, switch to emr-user:

    su emr-user

  3. Connect to the target node by name:

    ssh <node-name>

    Replace <node-name> with the core or task node name, for example core-1-1 or task-1-1. To find node names, see Find a node's public IP address and name.

Via the ECS console

Core and task nodes have no login password by default. To connect via the ECS console or Workbench, first set a password:

  1. Follow steps 1–3 in Find a node's public IP address and name to open the Nodes tab.

  2. Click the node ID to go to the ECS console.

  3. Reset the instance password. For instructions, see Reset the logon password of an instance.

    Important

    By default, core and task nodes have no login password. Set a password in the ECS console before connecting.

  4. Connect to the instance using an appropriate tool. See Methods for connecting to an ECS instance.

If you get a permission error when using Workbench, see Workbench permission error in the FAQ.

FAQ

Assign a public IP address after cluster creation

If you didn't enable Assign Public IP Address when creating the cluster, assign one from the ECS console:

  1. Follow steps 1–3 in Find a node's public IP address and name to open the Nodes tab.

  2. Find the node group, click the expand icon, then click the node ID to open the Instance Details page.

  3. In the Configuration Information section, find Public IP Address and click one of:

    • Associate EIP: Create and attach an elastic IP address (EIP). See EIPs.

    • Assign Public IP Address: Set the public bandwidth to greater than 0 Mbit/s. The system assigns a static public IP automatically. See Static public IP address.

  4. Return to the Nodes page, find the node group, and click the expand icon to confirm the public IP address is now listed.

Log on without a password from a local machine

To set up password-free SSH from your local machine to the master node:

  1. Generate an SSH key pair on your local machine:

    ssh-keygen

    This creates ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key).

  2. Add your public key to the master node:

    cd ~/.ssh
    vim authorized_keys

    Paste the contents of id_rsa.pub into authorized_keys and save.

  3. Add your local machine's public IP to the cluster's security group (port 22). To find your current public IP, visit http://myip.ipip.net/. For instructions on adding the rule, see the Add a security group rule section in "Manage security groups."

  4. Log on without a password:

    ssh root@<public-ip-of-master-node>
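Step 2 of the procedure above done as a script instead of by hand in vim. This is an added example, not part of the original documentation; the function name install_pubkey and its exit codes are assumptions of this example. It rejects a private key supplied by mistake, skips a key that is already installed, and sets the permissions sshd requires.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE [SSH_DIR]   (SSH_DIR defaults to ~/.ssh)
# Run on the master node as the account you will log on with.
# The body is a subshell: umask stays local and "exit" ends only the function.
install_pubkey() (
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; exit 2; }

    # Catch the common mistake of supplying id_rsa instead of id_rsa.pub.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key; use the .pub file" >&2
        exit 3
    fi

    # A public key file holds one line: "<type> <base64> [comment]".
    [ "$(grep -c . "$pub")" -eq 1 ] || { echo "expected one key line" >&2; exit 4; }
    key=$(grep . "$pub" | tr -d '\r')   # drop CR from Windows copy/paste
    case $key in
        ssh-*\ AAAA*|ecdsa-*\ AAAA*|sk-*\ AAAA*) ;;
        *) echo "unrecognized public key format" >&2; exit 4 ;;
    esac

    # sshd's StrictModes (on by default) ignores authorized_keys if the
    # file or ~/.ssh is writable by anyone other than the owner.
    umask 077
    mkdir -p "$dir" && chmod 700 "$dir" || exit 5
    touch "$auth" && chmod 600 "$auth" || exit 5

    # If the last entry lacks a trailing newline, add one before appending.
    [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ] && echo >> "$auth"

    # Match on "<type> <base64>" so a different comment is not a new key.
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if grep -qF -- "$blob" "$auth"; then
        echo "key already present in $auth"
        exit 0
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "key added to $auth"
)
```

Copy id_rsa.pub to the master node over an existing session first, then run install_pubkey id_rsa.pub there.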

Can I use the cluster creation password to log on?

Yes. The password you set when creating the cluster lets you log on to the master node. For core and task nodes, see Log on to core and task nodes.

How to reset a node password

  1. On the Nodes tab in the EMR console, click the node ID to open the ECS console.

  2. Click More in the Actions column, then choose Password/Key Pair > Reset Instance Password.

For full instructions, see Reset the logon password of an instance.

Workbench permission error

  • Alibaba Cloud account: On your first Workbench connection, a prompt asks you to create the service-linked role for Workbench. Click OK to proceed.

  • RAM user: A RAM user must have the AliyunECSWorkbenchFullAccess system policy attached before they can create the service-linked role and use Workbench. Ask the Alibaba Cloud account owner or RAM administrator to attach this policy. For details, see the Service-linked role of Workbench section in "Connect to an instance through Workbench."

Next steps

The ports for web UIs of open-source components (Apache Hadoop, Apache Spark, Apache Flink) are closed by default for security. To access them: