Difference between revisions of "Connect to Linux"

From CAC Documentation wiki
Jump to navigation Jump to search
(Added a couple of VNC tips)
(clarified the steps for setting up VNC and ssh tunnels from different platforms)
Line 101: Line 101:
 
For security reasons, we are requiring all VNC connections to be tunneled inside ssh. You will therefore need to be able to connect to the login nodes [[Getting_Started#Using_Secure_Shell | using SSH]]. Because the firewall running on linuxlogin blocks all incoming ports except for ssh, VNC connections must be made over a ssh tunnel as described below.
 
For security reasons, we are requiring all VNC connections to be tunneled inside ssh. You will therefore need to be able to connect to the login nodes [[Getting_Started#Using_Secure_Shell | using SSH]]. Because the firewall running on linuxlogin blocks all incoming ports except for ssh, VNC connections must be made over a ssh tunnel as described below.
  
'''''Appropriate use'''''
+
'''''Appropriate use on clusters'''''
  
 
VNC gives you the ability to establish a remote desktop on the login nodes, but this ability does '''''NOT''''' imply that you are permitted to run compute-intensive, GUI-driven applications on these machines. On linuxlogin, such usage is contrary to CAC policy. On other shared resources, it is disrespectful toward other users because the login node may become unresponsive through your actions.
 
VNC gives you the ability to establish a remote desktop on the login nodes, but this ability does '''''NOT''''' imply that you are permitted to run compute-intensive, GUI-driven applications on these machines. On linuxlogin, such usage is contrary to CAC policy. On other shared resources, it is disrespectful toward other users because the login node may become unresponsive through your actions.
Line 115: Line 115:
 
''(You only need to do this once)''
 
''(You only need to do this once)''
  
:* Install a VNC client if one isn't installed. For Windows, [http://www.tightvnc.com/ TightVNC] works well, but so do others. For Mac, you can use the built-in [http://www.davidtheexpert.com/post.php?id=5 Screen Sharing] app.
+
:* Install a local VNC client if one isn't installed. For Windows, [http://www.tightvnc.com/ TightVNC] works well, but so do others. For Mac, you can use the built-in [http://www.davidtheexpert.com/post.php?id=5 Screen Sharing] app.
:* Login to linuxlogin using ssh, and set the password for your VNC server using the "vncpasswd" command.
+
:* Use ssh to log in to the Linux login node, and set the password for your VNC server using the "vncpasswd" command.
  
 
'''''Start your VNC server'''''
 
'''''Start your VNC server'''''
 
''(Do these steps from an ssh shell)''
 
''(Do these steps from an ssh shell)''
  
:* '''On linuxlogin''', start the VNC server using the "vncserver" command like this:
+
:* '''On the Linux login node''', start the VNC server using the "vncserver" command like this:
 
   vncserver -geometry 1024x768 -localhost
 
   vncserver -geometry 1024x768 -localhost
 
The geometry numbers, 1024x768, specify the size, in pixels, of the desktop.
 
The geometry numbers, 1024x768, specify the size, in pixels, of the desktop.
Line 132: Line 132:
 
:* vncserver is running on port 5900 + display number. In the above example, the display number is :1, therefore vncserver is running on port 5901.
 
:* vncserver is running on port 5900 + display number. In the above example, the display number is :1, therefore vncserver is running on port 5901.
  
'''''Connect your VNC client'''''
+
'''''Set up your ssh tunnel'''''
 +
''(Do these steps on your local computer)''
  
:* Set up ssh port forwarding or tunneling on your local computer. Let's say the port number on linuxlogin is 5901 (as above), and your CAC userid is uid12. From Linux, type into a terminal:
+
:* Let's say the port number on linuxlogin is 5901 (as above), and your CAC userid is uid12.
 +
:* '''From Linux''', in order to start ssh port forwarding or tunneling to that port, type into a terminal:
 
    
 
    
 
   ssh -L 10000:localhost:5901 uid12@linuxlogin.cac.cornell.edu
 
   ssh -L 10000:localhost:5901 uid12@linuxlogin.cac.cornell.edu
:'''From Windows''', ssh clients such as PuTTY can do port forwarding (tunneling). See [[VNC Tunnel Windows]].
+
 
:'''From Mac OS X''', open a Terminal and enter the Linux command above.
+
:* '''From Mac OS X''', open a Terminal and enter the Linux command above.
 +
:* '''From Windows''', ssh clients such as PuTTY can do port forwarding (tunneling); see [[VNC Tunnel Windows]].  
 
:* Leave this ssh session running on your local client computer. (It can run in the background.)
 
:* Leave this ssh session running on your local client computer. (It can run in the background.)
:* Launch your VNC client program. Connect to localhost:10000. When prompted, type in your VNC server password.
+
 
 +
'''''Connect your VNC client'''''
 +
 
 +
:* Launch your VNC client program. Connect it to localhost:10000. When prompted, type in your VNC server password.
 
:* A nice GNOME desktop should appear!
 
:* A nice GNOME desktop should appear!
 
:* See [http://linuxtoolkit.blogspot.com/2013/11/fixing-authentication-is-requried-to.html this link] for how to prevent the "Authenticate" pop-up from appearing in your future vncserver sessions.
 
:* See [http://linuxtoolkit.blogspot.com/2013/11/fixing-authentication-is-requried-to.html this link] for how to prevent the "Authenticate" pop-up from appearing in your future vncserver sessions.

Revision as of 13:22, 13 October 2015

There are three distinct ways to connect to a login node:

  1. Use SSH to open a Linux shell on a login node, which provides a text-only interface.
  2. Use SSH together with X-Windows, which sends any interactive graphics back to your machine window-by-window through an SSH tunnel.
  3. Use VNC to get a remote desktop with multiple text and graphics windows. This is not as straightforward as it sounds, due to the need to set up a secure tunnel for the remote desktop first.

These instructions are intended mainly for users of personal computers and workstations. However, much of the material carries over to mobile computing platforms such as tablets and smartphones. You will have to locate and download an app to enable SSH or VNC connectivity; even a browser plug-in may suffice.

Whichever method you choose, at your first login, you will be challenged for a new password. Find help at Changing a Password at First Login. You will also be asked for an ssh passphrase. You can just leave this blank; hit the Enter key in response.

Using Secure Shell

For basic command-line access, a Secure Shell (SSH) client will give you a remote command shell on one of the login nodes.

  • Nearly all Unix/Linux varieties (including Mac) already have a built-in SSH2 implementation, required by our clusters.
  • If you are coming from a Microsoft Windows machine, an SSH2 client must first be installed, as described below.
  • The non-secure predecessor of SSH, telnet, is disabled for security reasons.

Linux users:

To connect to the second login node with ssh, you simply open a terminal window and type

localhost$ ssh username@linuxlogin.cac.cornell.edu

Mac OS X users:

OS X on the Mac is built on a version of Unix, so ssh is available directly from the Terminal application.

  • One option is to use the shortcut cmd-space to open Spotlight and then type "Terminal" to open a Terminal window.

Otherwise:

  • Navigate in the Finder to the Applications folder and Utilities sub-folder.
    MacApplicationsFolder.png
  • Then double-click on the Terminal application to see a Bash command-line.
    MacTerminalWindow.png
  • As in Linux, simply type "ssh username@linuxlogin.cac.cornell.edu" into this window.

Windows users:

Secure Shell (ssh) clients work nicely as long as they support the SSH2 protocol. As mentioned, telnet is disabled for security reasons. A popular client for Windows is the free PuTTY client.

  • The simplest installation is to download the Windows installer, called putty-0.65-installer.exe, and run it. This installs PuTTY into your Start menu.
  • To connect, start PuTTY, then type in a host name such as linuxlogin.cac.cornell.edu, and click "Open".
    Setting the host name in PuTTY
Using X-Windows

X-Windows or X11 is the longstanding Unix mechanism for displaying interactive graphics in a window. Your "X server" software runs locally, but it is capable of displaying windows that have been generated either locally or remotely. An "X client" on a remote machine can create X-Windows for local display, but it is necessary first to establish a shell on that machine using SSH.

Appropriate use

Among other things, X-Windows gives you the ability to display a GUI that originates on a login node. However, this ability does NOT imply that you are permitted to run compute-intensive, GUI-driven applications on these machines. On linuxlogin, such usage is contrary to CAC policy. On other shared resources, it is disrespectful toward other users because the login node may become unresponsive through your actions.

Linux users:

The standard way to use X-Windows is to tunnel the X-Windows protocol through an ssh connection. If you open your ssh session with the -X option, it will automatically set up the necessary tunnel and environment variables.

localhost$ ssh -X username@linuxlogin.cac.cornell.edu
linuxlogin$ echo $DISPLAY
localhost:11.0
linuxlogin$ gs

If all goes well, you should see a valid setting for your DISPLAY environment variable, then have a blank window presented to you by gs (Ghostscript, the PostScript and PDF previewer). Note, if gs is not installed on the machine you're logging into, you can try another X client such as xclock, xlogo, emacs, etc.

There is another option to use a trusted version of X-windows forwarding,

linuxlogin$ ssh -Y compute-1-37

When you're working on a cluster, the trusted (-Y) version is necessary for forwarding X11 connections from a compute node to the login node, then back to your client machine.

Mac OS X users:

If you start ssh with the -X or -Y option, X-Windows should start up automatically. You can then try the "gs" test, as described above for Linux.

X11 is preinstalled on Macs starting with OS X 10.6 (Snow Leopard). For Mac OS X 10.5 (Leopard), you may need to install X11 in order for X-Windows applications to launch. If there is no X11 application in the Applications->Utilities folder, you'll have to find your OS X install disk. From the Mac OS X Server Introduction to Command-Line Administration, "The X11 server and an application to access X windows from the Finder are available as an optional installation in the Optional Installs folder of your installation disc (X11 is in the Applications package)."

Windows users:

Along with your ssh client (e.g., PuTTY), you will need to install an X-Windows server on your Windows machine.

  • Xming - Open Source. A shareware contribution will get you a version with improved performance for graphics (GLX). There are two pieces to download
    Xming-download.jpg
    • Xming-mesa (public domain release). There are two links together, one for Xming, one for Xming-mesa. Either will work, but Xming-mesa has some newer features that might come in handy some time.
    • Xming-fonts (public domain release)

If you purchase the website release of Xming, remember to install the Xming-fonts, as well.

Here are some other X-server possibilities for Windows:

  • VcXsrv - Open Source. Freeware solutions like this one can often work very well, but as always, the installation and use of such packages comes with no guarantees.
  • Cygwin/X - Open Source. Cygwin is much more that just an X-Windows server. It actually creates an entire Linux-like environment within Windows.
  • OpenText's Exceed and Exceed 3D - Cornell no longer has a site license. Installing Exceed 3D will improve performance of graphics applications. Exceed installs several icons under the Start menu; choose the one that just says "Exceed" because it starts the program in multi-window mode, which is usually what you want.

Here is how to start a session using PuTTY and Xming.

  1. Start Xming from the Start menu. It will appear briefly and disappear except for an X in the application tray.
  2. Start PuTTY.
  3. In the window that appears, type a host name, linuxlogin.cac.cornell.edu.
  4. Use the tree menu on the left to set X11 forwarding. It's in the Connection > SSH branch.
    Setting X11 forwarding in PuTTY
  5. For PuTTY 0.61 and above - In the "Auth" section of the SSH branch, go to GSSAPI and uncheck "Attempt GSSAPI authentication". This will prevent an annoying "Access denied" message from appearing in your terminal window.
  6. You can return to the Session category and Save this session's configuration for future use. Give it a logical name like linuxlogin.
  7. Click Open, and it will connect to a login node.
  8. Test your X-Windows setup by typing the command for Ghostscript, which is a PostScript and PDF previewer:
gs

You should see a blank window appear on your screen. You can stop it by typing Ctrl-c in the terminal window.

Using VNC

VNC lets you see a whole Linux desktop from the login node on your computer. Using SSH and X-Windows is generally faster, and uses a lot less of the login node's resources, but VNC can be much faster if you are doing visualization on the login node from off campus.

For security reasons, we are requiring all VNC connections to be tunneled inside ssh. You will therefore need to be able to connect to the login nodes using SSH. Because the firewall running on linuxlogin blocks all incoming ports except for ssh, VNC connections must be made over a ssh tunnel as described below.

Appropriate use on clusters

VNC gives you the ability to establish a remote desktop on the login nodes, but this ability does NOT imply that you are permitted to run compute-intensive, GUI-driven applications on these machines. On linuxlogin, such usage is contrary to CAC policy. On other shared resources, it is disrespectful toward other users because the login node may become unresponsive through your actions.

Here is a good example of how to use VNC appropriately. By following these steps you can run (say) Abaqus in GUI-driven mode on a compute node that has been allocated to you through an interactive batch job.

  1. Open a VNC connection to linuxlogin through an ssh tunnel using the instructions below, in order to gain access to a Linux desktop. Make sure two terminal windows are available on this desktop.
  2. In one of the terminal windows, submit an interactive job to the queue of your choice (add the #PBS -I directive to your job submission script).
  3. Once the job starts, you will be given a command prompt on your assigned machine. Note the result of "hostname". There is no need to enter further commands at this prompt (except to exit the job).
  4. Go to the other terminal window and open a second ssh connection to the compute node using "ssh -Y <userid>@<hostname>"
  5. This new ssh session will tunnel X-Windows from the compute node back to the VNC desktop. Therefore (if Abaqus is on your path), you can now open the Abaqus GUI using "abaqus cae -mesa".

Initial setup (You only need to do this once)

  • Install a local VNC client if one isn't installed. For Windows, TightVNC works well, but so do others. For Mac, you can use the built-in Screen Sharing app.
  • Use ssh to log in to the Linux login node, and set the password for your VNC server using the "vncpasswd" command.

Start your VNC server (Do these steps from an ssh shell)

  • On the Linux login node, start the VNC server using the "vncserver" command like this:
 vncserver -geometry 1024x768 -localhost

The geometry numbers, 1024x768, specify the size, in pixels, of the desktop.

  • You will need to get the display number from the output of the vncserver command:
 New 'linuxlogin.cac.cornell.edu:1 (shl1)' desktop is linuxlogin.cac.cornell.edu:1
 Starting applications specified in /home/fs01/shl1/.vnc/xstartup
 Log file is /home/fs01/shl1/.vnc/linuxlogin.cac.cornell.edu:1.log
  • vncserver is running on port 5900 + display number. In the above example, the display number is :1, therefore vncserver is running on port 5901.

Set up your ssh tunnel (Do these steps on your local computer)

  • Let's say the port number on linuxlogin is 5901 (as above), and your CAC userid is uid12.
  • From Linux, in order to start ssh port forwarding or tunneling to that port, type into a terminal:
 ssh -L 10000:localhost:5901 uid12@linuxlogin.cac.cornell.edu
  • From Mac OS X, open a Terminal and enter the Linux command above.
  • From Windows, ssh clients such as PuTTY can do port forwarding (tunneling); see VNC Tunnel Windows.
  • Leave this ssh session running on your local client computer. (It can run in the background.)

Connect your VNC client

  • Launch your VNC client program. Connect it to localhost:10000. When prompted, type in your VNC server password.
  • A nice GNOME desktop should appear!
  • See this link for how to prevent the "Authenticate" pop-up from appearing in your future vncserver sessions.

To disconnect your client

  • Close the vnc client program.
  • Disconnect the ssh forwarding session (i.e., kill it).

To reconnect your client

  • Restart port forwarding with ssh, using the same remote port number as before.
  • Again connect the VNC client to localhost:10000.

When you are all done

  • On linuxlogin, type this command to shut down the VNC server
 vncserver -kill :<display number>
  • If you merely log out from linuxlogin, it will leave the VNC server running. You must shut down the VNC server explicitly when you are finished with it. (Actually this can be a nice feature.)
Passwordless SSH

Create ssh key pair

Your ssh key pair will only need to be created once. You will not need to repeat this step. You can complete this step from either a Linux or Windows login node. If this is your first login to a CAC login node, it will ask you to change your password. This will become your password for connecting to the nodes.

Create your ssh key pair by logging into the linux login node (linuxlogin.cac.cornell.edu), which will begin the process of creating the keys; you can use the defaults or empty responses for all prompts.

Alternatively, you can create your ssh key pair on the linux login node by logging into the Windows login node (winx64login.cac.cornell.edu), opening a Command Prompt window, and running plink.exe to connect to the linux login node, as shown in this example:

>"C:\Programs Files (x86)\Putty\plink.exe" %USERNAME%@linuxlogin.cac.cornell.edu
Password: Enter Your Password
Rocks 5.0 (V)
Profile built 12:54 06-May-2008

Kickstarted 09:22 06-May-2008
-----------------------------------------------------------
Welcome to the Center for Advanced Computing Cluster!
-----------------------------------------------------------
Please send your questions to help@cac.cornell.edu
-----------------------------------------------------------


It doesn't appear that you have set up your ssh key.
This process will make the files:
     /home/gfs01/cacshl1/.ssh/id_rsa.pub
     /home/gfs01/cacshl1/.ssh/id_rsa
     /home/gfs01/cacshl1/.ssh/authorized_keys

Generating public/private rsa key pair.
Enter file in which to save the key (/home/gfs01/cacshl1/.ssh/id_rsa): Press Enter to accept default
Created directory '/home/gfs01/cacshl1/.ssh'.
Enter passphrase (empty for no passphrase): Press Enter to accept default
Enter same passphrase again: Press Enter to accept default
Your identification has been saved in /home/gfs01/cacshl1/.ssh/id_rsa.
Your public key has been saved in /home/gfs01/cacshl1/.ssh/id_rsa.pub.

After this is done, type "exit" to log out of the linux login node.

Convert ssh Private Key for Putty / Plink

Next run PuTTYgen to generate public and private keys to be used with PuTTY and Plink:

  • Log in to winx64login.tc.cornell.edu (if you are not already)
  • Run C:\Program Files (x86)\Putty\puttygen.exe.
  • Select Import Key from the Conversions menu and select H:\.ssh\id_rsa in your home directory. And click on the Open button.
LoadPrivateKey.jpg
  • Click on the "Save Private Key" button.
SavePrivateKey.jpg
  • Click on "Yes" when asked to save the private key without a passphrase.
  • Save the private key as private.ppk in the .ssh directory inside your home directory.
SpecifyPrivateKey.jpg
  • Close (choose File, then Exit)
  • To confirm you have converted the ssh private key successfully, do:
"C:\Program Files (x86)\Putty\plink.exe" -i %HOMEDRIVE%\.ssh\private.ppk %USERNAME%@linuxlogin.cac.cornell.edu

It may notify you that "The server's host key is not cached in the registry." Type "y" to "store the key in cache."

  • You should now be logged into linuxlogin without being prompted for a password. Stay logged in for the next step.