Difference between revisions of "VNC"
Line 1: | Line 1: | ||
'''Logging in''' | '''Logging in''' | ||
+ | |||
Due to recent brute force ssh attacks we are moving to using two factor authentication. This is pretty easy to setup as follows (from a terminal in your mac or linux laptop (and Windows if new enough) or using Putty (see below for installing and setting up putty-- stuff you need to type will be in ''italic''): | Due to recent brute force ssh attacks we are moving to using two factor authentication. This is pretty easy to setup as follows (from a terminal in your mac or linux laptop (and Windows if new enough) or using Putty (see below for installing and setting up putty-- stuff you need to type will be in ''italic''): | ||
Revision as of 17:17, 7 September 2020
Logging in
Due to recent brute force ssh attacks we are moving to using two factor authentication. This is pretty easy to setup as follows (from a terminal in your mac or linux laptop (and Windows if new enough) or using Putty (see below for installing and setting up putty-- stuff you need to type will be in italic):
ssh jumpgate-phasta.colorado.edu
This will prompt for your username and password (the private password you set or, if this is your first login the one in the account creation email).
Next you need to download and install an authenticator application either for your computer or phone. There are several from Google, Microsoft, Twilio, etc. Launch that application on your phone or computer. In whatever mode it uses to create a new token generator, do that (often it opens with a QR code scanner enabled as it knows that is the easiest way to link the phone application to the QR scan created on the machine you are trying to access).
If you want to be safe, start a second terminal connection to jumpgate by repeating the above. In the first (or only) jumpgate terminal on your laptop type:
google-authenticator
If your terminal is big enough, it should display a QR code that you can scan with your phone. At this point it will ask you some questions about options (I answered yes to all). If you goof this step in any way and want to start over, just go to that second window I mentioned and type rm -rf ~/.google_authenticator and start over but, more than likely, what you did is fine.
The next time you log into jumpgate, it will request a verification code which your phone application will provide. Enter that codes in the terminal.
Virtual Network Computing (VNC) is a tool which projects a GUI session over the network. If may be useful if you want to use GUI tools remotely when X forwarding performs poorly.
Warning: The VNC password is transmitted in clear text over the network and should not be considered secure
portal1
is designated to host VNC sessions.
To start a VNC session:
ssh jumpgate-phasta.colorado.edu ssh portal1 source /etc/profile start_vnc.sh
Then follow the directions from start_vnc.sh
. Make sure to remember your password and port number (59**) so that you can reuse your session.
It is common practice to leave your VNC session running on portal1
. Next time you want to access your desktop, just ssh into jumpgate with a tunnel between portal1's VNC port (59**) and some port on your machine. Then use a VNC client to connect to the port on your machine.
If, for some reason, you want to end your session and kill your virtual desktop, run
source /etc/profile stop_vnc.sh # ONLY run this if you want to kill your virtual desktop. Most users will never need to do this as the idea is to create one session and continue to use that one for all future usage.
Contents
OpenGL
portal1
is equipped with a VirtualGL install which will allow you to use OpenGL programs (which do not use pthreads)
Simply wrap your OpenGL program with the vglrun
command
vlgrun glxgears
Our lab has 2 VirtualGL servers you can connect to from portal1
. You must connect to one of them for large memory and/or computationally intensive processes.
The names of the servers are viz002
and viz003
(viz001
is probably never coming back to life).
portal1
doesn't have a particularly fast graphics processor and MUST NOT be used for large memory or computationally intensive process)
vglconnect -s viz002
or
vglconnect -s viz003
from this connection you will want to run graphic applications (e.g., SimModeler or ParaView) prefaced by the command vglrun
. You can test that you have it setup right
with the toy-app glxgears
as follows
vglrun glxgears
Note that VGL uses a number of threads. If you have trouble with vglrun
crashing with a message about Thread::Start()
make sure you haven't set your stack size too large (remove any ulimit -s
or ulimit -n
calls from your shell start scripts).
NOTE ALSO: The primary purpose for viz003
is for visualization and for debugging. Production runs should be done elsewhere.
Clients
portal1
uses TurboVNC from the VirtualGL project, available from their website
Other VNC viewers will also work, such as TightVNC and RealVNC
Changing the VNC Password
/opt/tigervnc/bin/vncpasswd
View Only Mode
To share your desktop with another user in view only mode set a view only password by running
vncpasswd
Have the other user connect in the same way you would but have them set their viewer to be in view only mode and use your view only password. Typically this is done as follows:
vncviewer -viewonly
Mac or Linux
The instructions given when you started the session on portal1
are OK but it always tells you to start a session (in a terminal on your mac or linux machine command line)
ssh -L5905:portal1:59zw jumpgate-phasta.colorado.edu
where zw
will be different for each user. That suggestion is OK if you never plan to connect to anyone else's session but since we often collaborate but sharing VNC sessions, the better practice we adopt is to use zw
in place of the suggested 05 (which just an arbitrary local port on your laptop). So if when I created a session the last for numbers were 5923
then zw
for me is 23
and the best practice is to ignore the script suggestion in favor of
ssh -L5923:portal1:5923 jumpgate-phasta.colorado.edu
Windows
The PuTTY SSH client can handle ssh tunneling on Windows based machines. You can download it here.
When you open putty, enter jumpgate-phasta.colorado.edu
in the "Host Name" box. Then click the + button next to SSH on the left pane (to expand the SSH tree node). Choose the "Tunnels" page. The start_vnc.sh
script should tell you to run ssh -L59xy:portal1:59zw jumpgate-phasta.colorado.edu
on your machine. Those instructions are OK but a better practice is to ignore what that script suggested for xy
(it always suggests 05 currently) and instead use ssh -L59zw:portal1:59zw jumpgate-phasta.colorado.edu" where <code>zw
varies for each new session created. If you get 23
that just means there were 22
sessions created before you created this one (but the plan is for you to keep using 23 until the machine gets rebooted). Enter 59zw
in the "Source Port" box. Enter portal1:59zw
in the "Destination" box (starting and click the add button). Putty is a little strange about saving the session which you want to do to avoid having to do all the above every time you re-connect. BEFORE you click the "Open" button, you want to name your session (your choice) and click save. Then in the future when you start putty you should be able to just click that saved session name and click load. Then click "Open" and login as normal. You will then be able to use a vncviewer as instructed by the script.
Example:
The script says:
ssh -L5905:portal1:5923 jumpgate-phasta.colorado.edu
your zw
from the instructions above is 23
enter 5923
in the "Source Port" box
enter portal1:5923
in the destination box.
Connecting to your VNC with PuTTY
Once we SSH to jumpgate (on the default SSH port 22), our main desktop on portal1 can be accessed via a VNC session as follows.
- The VNC server should already be running on portal1 using port 59zw.
- To check the port, on portal1 run
/opt/vnc_script/findsession.sh
- To confirm the VNC server is running (and see port), run
ps aux | grep vnc
- To check the port, on portal1 run
- Open PuTTY on your local machine.
- Under "Session", SSH to
USERNAME@jumpgate-phasta.colorado.edu:22
, whereUSERNAME
is your username onjumpgate
, and22
is the standard SSH port. - Under "Session">"SSH">"Tunnels", select source port
59##
and destination portportal1:59##
, where##
is the two-digit number of your VNC session. Select destinationlocal
and click "Add".- We select
local
because we have a service (VNC Server) running on a machine (portal1
) that can be reached from the remote machine (jumpgate
), and we want to access it directly from thelocal
machine.
- We select
- Confirm the dialog by clicking "Open", thus establishing an SSH connection between
localhost
andjumpgate
, and tunnelinglocalhost:59##
toportal1:59##
via this connection. - Open RealVNC, and connect to
localhost:##
, which is shorthand forlocalhost:59##
. VNC ports are enumerated starting with5901
, so any two digit port##
is assumed to be port59##
. - You should now have access to your desktop on
portal1
. DON'T FORGET-- no meshing, solving, post-processing, EVEN MATLAB onportal1
. To run memory and/or processor and/or graphics intensive jobs you need to create a terminal and typevglconnect -s viz00x
where, at this timex
is either 2 or 3.
Starting a VNC viewer
Whether you followed the Mac or Linux or Windows instructions above, successful completion will have established a tunnel from your laptop to portal1
. The last step is to start a VNC viewer (graphical windowing program) that uses this tunnel to display your portal1
session on the screen of your laptop. There are a variety of choices for each platform and they evolve but their operation seems, thankfully, pretty universal.
The most basic input is that they provide a box that says VNC server. You will want to type localhost:zw
in that box and then apply start (or whatever the particular applications action button is). The zw
here will need to be whatever you used after the 59zw:portal1
..... part of the tunnel. What the number is actually doing is telling this VNC viewer which port you have established a tunnel on for the session you are starting the VNC viewer for. Note it is possible to have several different simultaneous sessions. Each needs its own tunnel (established by repeating the process above with a unique zw
) and then a corresponding "new" VNC viewer. In this way we might continue to work in our own session but then take a break to look at a collaborator's session without having to close out the tunnel and viewer pair.
Web Based Viewer
If you can't or don't want to install a VNC viewer you can use a Java based one. You will need a JVM and a Java browser plugin. You will also need the port that the start_vnc script assigned you to be free on your local computer
Forward your session through jumpgate as before before, adding a second port, 580n. For example, if the script tells you to
ssh -L5905:portal1:5902 jumpgate-phasta.colorado.edu you should
ssh -L5902:portal1:5902 -L5802:portal1:5802 jumpgate-phasta.colorado.edu
Then point your browser to http://localhost:5802 and log in with the password specified by the script when prompted. (Replace 2 with the value specified by the script)
Changing the Size (Resolution) of an Existing Session
You can usually use the xrandr
tool to change the resolution of a running VNC session. First you'll need to know your session's display number (this should be the last digit or two of the port number). For example, if your VNC session is running on port 5902, then your screen number should be :2. For this example, we'll use screen 2.
Once you know your screen number, you can see the list of supported modes as follows:
xrandr -display :2
Once you pick the one you want (generally the same size or smaller than the native resolution of your client), you can choose it by running a command like
xrandr -s 1400x1050 -display :2
(this example will set the resolution to 1400 pixels by 1050 pixels)
You'll probably be disconnected at this point, but when you reconnect your screen size should be changed (hopefully without crashing your running programs).
Finding an Existing Session
SSH to portal1 and then run:
/opt/vnc_script/findsession.sh
Which will return the shortened port number of each of your currently running sessions.
Troubleshooting
If you have used vncserver (It doesn't matter which version) before, you will need to clear your vnc settings for the script to work. You can do this by running rm -rf ~/.vnc
stop_vnc.sh may display some errors; this is normal.
If you have trouble deleting ~/.vnc send an email to Benjamin.A.Matthews@colorado.edu
If any of these commands fail, you may need to source /etc/profile to get the necessary environment variables (this should be fixed soon)
VirtualGL has trouble with some threaded programs. If your OpenGL program exhibits segmentation faults or other issues, this could be the problem. Check back for the solution later.
If the given password is rejected you can run stop_vnc.sh and restart to get a new one. Occasionally the random password generator may generate passwords which VNC doesn't like.
If VirtualGL complains about not being able to get a 24bit FB config either vglconnect to another VirtualGL enabled server or complain to Benjamin.A.Matthews@Colorado.edu
If your VNC connection is very slow, you might want to try changing the compression and encoding options. See your vncviewer's documentation or try this
vncviewer -encodings tight -quality 6 -compresslevel 6
If you have trouble with text distortion try adding
-nojpeg
If you're running OSX and see an error about Zlib, try changing your compression settings (maximum quality usually works) or use a different client. RealVNC and certain versions of ChickenOfTheVNC both exhibit this issue. The latest build of TigerVNC should work reliably, as does the Java based TightVNC client.