Remote desktop

From MetaCentrum

You can use the VNC protocol to connect to a remote virtual desktop and in that way use the computing power of computational nodes for graphical applications. This method is faster than X-Window.

Important: On machines running Debian 9, tunneling through SSH (gui start --ssh) is recommended. See chapter 2.3.

General information

VNC (Virtual Network Computing) is a protocol/program that allows remote connection to a graphical user interface over a computer network. VNC works on a client-server basis: the server creates a graphical desktop in main memory and communicates with the client, which displays the desktop to the user. However, the RFB protocol that the client and server use for communication isn't secure, and a potential intruder might be able to eavesdrop on it (including passwords, etc.). That is why this howto on secure communication with the MetaCentrum infrastructure was created.

The graphical desktop on the server is started by the gui script in the module gui. Although you'll be able to start it even on frontend nodes, that is not the preferred way for computing-heavy tasks. For these it's recommended to start the virtual desktop from an interactive job.

Note: The alternative solution -- tunnelling graphical interface using SSH protocol -- is also supported. For more information see the X-Window system page.

Usage

General

Connection to frontend node, start of interactive job and addition of module gui:

jenicek$ ssh skirit.metacentrum.cz

skirit$ qsub -I -l select=1:ncpus=2:mem=4gb:scratch_local=1gb -l walltime=1:00:00 -l matlab=1

took11$ module add gui


Apart from the model scenarios covered later, there are several parameters of the gui script you'll find useful (see gui --help):

  • gui start [-s] [-w] [-g GEOMETRY] [-c COLORS] ... starts a VNC session
      • flag -s ... the VNC server will be accessible only via SSH tunnel
      • flag -w ... the VNC server will additionally become available via Java-enabled web browsers
      • flag -g GEOMETRY ... specifies the required screen geometry (e.g. -g 1280x1024 - default is 1280x768)
      • flag -c COLORS ... specifies the required color depth in bits (e.g. -c 16 - default is 24)
  • gui info [-p] ... displays information about running VNC sessions on the local node
      • flag -p ... shows the VNC session passwords as well
  • gui traverse [-p] ... displays information about running VNC sessions across all the MetaCentrum nodes
      • flag -p ... shows the VNC session passwords as well
      • warning: processing of this command may take a long time
  • gui stop DISPLAYID ... stops a VNC session (DISPLAYID may be omitted if a single session is running)
  • gui kill DISPLAYID ... kills a VNC session (DISPLAYID may be omitted if a single session is running)


For example:

[testvnc@took11 ~]$ gui info -p
*****************************************
 Your running VNC sessions are:
   display tunnel machine:port (password)
   :20     SSL    took11.ics.muni.cz:10100 (rxqqOFHK)
   :21     SSH    took11.ics.muni.cz:10102 (IG9Ac1yN)
*****************************************
[testvnc@took11 ~]$ gui stop :21
The VNC session running at port 10101 has been successfully stopped... 

Your virtual desktop will remain active until you stop its interactive job (if run via interactive job), or until you stop it manually (either by command gui stop DISPLAYID or by Start->Logout from graphical interface). Disconnection of VNC client won't affect it in any way.

Tunneling through SSL

SSL (Secure Sockets Layer) is a protocol that inserts an additional layer (SSL) between the transport layer (TCP) and the application layer (RFB); this layer provides authentication and encryption of the communication.

In MetaCentrum, you can connect to a remote desktop in two ways: using a VNC client (the faster, preferred method) or using a web browser.

Connecting via VNC client

A model example of a VNC client supporting SSL is the multiplatform TigerVNC (download here), which this howto assumes you are using. However, SSL (or more precisely VeNCrypt, the extension of the VNC protocol) is supported in several other clients, e.g. most clients included in recent Linux distros (Remmina, KRDC).

WARNING: We strongly recommend using the Java version already linked above, since the other variants (native clients for both Linux and Windows) suffer from frequent freezing of the transferred display.


  • after adding the gui module, run the command gui start; the resulting output should look similar to this:
took11$ gui start
*****************************************
 Your VNC session has been started.
 The connection details are as follows:
   Host & port : took11.ics.muni.cz:10100
   Password    : vQFYmf4U
   Display     : :20
***************************************** 
  • run the TigerVNC client on your machine
  • copy the Host & port value from the output above into the VNC server: field and choose Connect
  • enter the password from the Password line


Tunneling through SSH

Important: On machines running Debian 9, tunneling through SSH (gui start --ssh) is recommended.

When tunneling through SSH, the same type of security measures is utilized for VNC protocol data as for your access to remote machines via protocol/command ssh. In the same manner as when connecting to VNC secured by SSL tunnel, you need to start the gui start command first, this time with a parameter --ssh though.

  • after adding the gui module, run the command gui start --ssh; the resulting output should look similar to this:
took11$ gui start --ssh
*****************************************
 Your VNC session has been started.
 The connection details are as follows:
   Remote Host : localhost
   Port        : 10110
   Use SSH tun.: yes
   SSH Server  : took11.ics.muni.cz
   SSH User    : testvnc
   VNC Password: g18LyoAE
   Display     : :23
***************************************** 

Then proceed according to your platform. The following are howtos for the multiplatform TightVNC Java Viewer client, the unix shell and the most used Windows SSH client, PuTTY.

TightVNC

SSH secured connection using a TightVNC Java Viewer

The easiest way is probably to use the TightVNC Java Viewer (needs an installed Java JRE): just fill in the fields according to the gui start --ssh output, then first enter your MetaCentrum password (for establishing the SSH tunnel) and then the temporary password for connecting to your virtual desktop session.

Putty (for Windows)

Establishing an SSH tunnel in PuTTY
  • first enter the SSH server address into the Host name field (see the former gui start --ssh output), as if you wanted to connect
  • select Connection > SSH > Tunnels in a side panel
  • enter value of "Port" from former output into Source port field and set Destination field to localhost:PORT (PORT - again the same number)
  • choose Add and Open and enter password to the MetaCentrum infrastructure
  • use any VNC client to connect to address localhost:PORT (here localhost:10110) and enter the VNC password

Linux

  • on your local machine run ssh -TN -f sshuser@sshserver -L PORT:localhost:PORT (PORT - see output of gui) with values from gui start --ssh and enter password to the MetaCentrum infrastructure. For output above, it would be:
novak$ ssh -TN -f testvnc@took11.ics.muni.cz -L 10110:localhost:10110
testvnc@took11.ics.muni.cz's password: 
  • use any VNC client to connect to address localhost:PORT (here localhost:10110) and enter the VNC password
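
The tunnel step above can be derived directly from the gui start --ssh banner. The following is an added example, not part of the original MetaCentrum howto; the helper names field and tunnel_command are hypothetical and the banner is a constructed sample in the format shown on this page. It validates the pasted values and pins the local listener to 127.0.0.1.

```shell
#!/bin/sh
# Added example, not MetaCentrum code. field and tunnel_command are
# hypothetical helper names.

# Constructed sample: the banner format printed by `gui start --ssh` above.
SAMPLE_BANNER='*****************************************
 Your VNC session has been started.
 The connection details are as follows:
   Remote Host : localhost
   Port        : 10110
   Use SSH tun.: yes
   SSH Server  : took11.ics.muni.cz
   SSH User    : testvnc
   VNC Password: g18LyoAE
   Display     : :23
*****************************************'

# field NAME: print the value of the first "NAME : value" line on stdin.
field() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" |
        head -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# tunnel_command BANNER: print the ssh command for the session, or fail.
tunnel_command() {
    tun=$(printf '%s\n' "$1" | field 'Use SSH tun\.')
    port=$(printf '%s\n' "$1" | field 'Port')
    host=$(printf '%s\n' "$1" | field 'SSH Server')
    user=$(printf '%s\n' "$1" | field 'SSH User')

    # A banner without "Use SSH tun.: yes" is not an SSH-only session.
    [ "$tun" = "yes" ] || { echo "not an SSH-tunnelled session" >&2; return 1; }
    # Validate pasted values before they are placed on a command line.
    case $port in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } 2>/dev/null ||
        { echo "bad port" >&2; return 1; }
    case $host in ''|-*|*[!A-Za-z0-9.-]*) echo "bad host" >&2; return 1 ;; esac
    case $user in ''|-*|*[!A-Za-z0-9._-]*) echo "bad user" >&2; return 1 ;; esac

    # Explicit 127.0.0.1 keeps the listener on loopback regardless of the
    # client's GatewayPorts setting; ExitOnForwardFailure makes ssh exit
    # if the local port cannot be bound instead of running without a tunnel.
    echo "ssh -TN -f -o ExitOnForwardFailure=yes" \
        "-L 127.0.0.1:$port:localhost:$port $user@$host"
}

tunnel_command "$SAMPLE_BANNER"
```

Run the printed command on your local machine, then point the VNC client at localhost:PORT as in the last step above.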

Long-standing desktop session

  • If you need a long-standing remote desktop session with the possibility to reconnect, you can use the following script (file.sh):
#!/bin/bash

#PBS -m abe

module add gui
gui -f start
  • Submit this script as a batch job (with specification of memory, time, CPU, ...). E.g.
skirit$ qsub -l walltime=24h -l mem=16g file.sh
  • As soon as the job starts (you will be informed by e-mail), log in without delay to any frontend and type
skirit$ module add gui
skirit$ gui traverse -p
  • You will see all running VNC sessions with their login information
  • Using a VNC client, connect to the created session. If you close the VNC client window, the job won't be stopped.
  • When you finish your work, please log out (Penguin on the bottom panel -> Logout). Otherwise the job ends only when the reserved time (walltime) runs out.