KAGRA VIS Operations Manual - Remote Operation
Contents
- KAGRA VIS Operations Manual - Remote Operation
  - General Info
  - ICRR VPN
  - Login via ssh
  - Login via Microsoft Remote Desktop Connection
    - Port Forwarding Setup via ssh in Linux/Mac for Microsoft Remote Desktop
    - Port Forwarding Setup for PuTTY (Windows or Mac)
    - Port Forwarding Setup for Mac Terminal (for Older Versions of Microsoft Remote Desktop)
    - Port Forwarding Setup for Mac iTerm (for Older Versions of Microsoft Remote Desktop)
    - Connection with Microsoft Remote Desktop
    - Troubleshooting
  - Front End Web Server
Note: The IP numbers for key computers shown below are subject to change. The most up-to-date values can be found at KAGRA/Subgroups/DGS/IP.
General Info
To work remotely, you are required to have a "buddy" at Kamioka who can liaise with other groups who might be working on the computer system or interferometer.
The KAGRA network is protected by two levels of private network. From the general Internet, it can only be accessed by a three-step process:
- Use VPN software and ICRR credentials to get onto the ICRR private network.
- Log onto the gateway machine for the KAGRA network k1gate via its external IP address, 172.16.33.11.
- Log onto a control room workstation (e.g., k1ctr0 ... k1ctr5) or other computer of interest.
From the k1ctrA and k1ctrG wireless networks, the first two steps can be skipped.
Apply to Miyoki-san, miyoki AT icrr.u-tokyo.ac.jp, for ICRR VPN credentials. Cisco VPN software is required.
Logging onto a control room workstation can be done via terminal commands (preferably from a computer with X Windows available) or with Microsoft Remote Desktop Connection. On the Mac, MRDC is available for free on the App Store.
ICRR VPN
To access the ICRR VPN, enter the ICRR VPN server:
then enter your credentials:
Note that this will disrupt any running terminal sessions and downloads on your computer, and may disrupt some browser sessions.
Login via ssh
Open a terminal window and log into first the gateway machine and then a workstation or other computer:
Alberts-Mac:~ aeinstein$ ssh -Y controls@172.16.33.11   # need to use the external IP number of k1gate
controls@172.16.33.11's password:
[controls@k1gate ~]$ ssh -Y controls@k1ctr4   # can use k1ctr1 through k1ctr9
controls@k1ctr4's password:
The gateway password and the workstation password are different. Ask a DGS member what they are. The -Y flag sets up trusted X forwarding so that if you have X Windows software installed (standard on Linux; XQuartz for Mac; ??? on Windows) you can have workstation windows appear on your own machine. (In general, use -Y instead of the older -X flag to avoid security and other issues.) Trusted forwarding gives programs on the remote machine full access to your local X display, so use -Y only with machines you trust.
Login via Microsoft Remote Desktop Connection
Workstations k1ctr1, k1ctr2, k1ctr3 and k1ctr4 (at least) are configured for Microsoft Remote Desktop Connection. Using MRDC has the advantage that the session on the workstation is preserved unless you specifically log out, so it's useful if you want to set up long-running tasks like transfer functions from a laptop or other computer that you can't conveniently leave turned on and in the same place. Information about your session is stored in a .rdp file on your local machine, so multiple people can log in from different machines and have their own independent sessions.
From the control network (in the control room or in the tunnel; wired or via the k1ctrA or k1ctrG wireless networks), it's possible to log in to the workstations directly.
From other locations in the ICRR network it is necessary to set up port forwarding to get through the gateway machine (see below for details).
From outside ICRR it is necessary to use a VPN and then set up port forwarding.
If you do any level of automation, then it's useful to do the port forwarding even if you're connecting from the internal network, so that you only need one profile per workstation in MRDC and you are guaranteed to get the same environment every time.
Port Forwarding Setup via ssh in Linux/Mac for Microsoft Remote Desktop
The screenshots are from MRDC v10 for Mac, but other versions are similar.
First, in the User Accounts pane of MRDC Preferences, set up an account for controls on the workstations:
Then in the Desktop List window,
set up a new desktop. Note that MRDC for Mac v10 gives a spurious error message when you try to type the ":" that introduces the port specification, but this goes away if you just keep typing:
To use MRDC from outside ICRR, first connect to the ICRR VPN as described above.
Open a terminal window and log in as controls to the gateway machine, setting up port forwarding from port 3389 (the default port for MRDC) on the desired workstation (k1ctr1, k1ctr2, k1ctr3, k1ctr4, etc.) to port 3390 (an arbitrary number not in use for anything else) on your local machine. You will need to enter the gateway password (but not the workstation password at this point). Give localhost as the bind address: with an empty bind address (a leading ":", as in -L :3390:k1ctr4:3389) ssh listens on all network interfaces, so other machines on your local network could reach the workstation's RDP port through your tunnel.
Alberts-Mac:~ aeinstein$ ssh -L localhost:3390:k1ctr4:3389 controls@172.16.33.11
controls@172.16.33.11's password:
The external IP address (172.16.33.11) works both on the controls network and the broader ICRR network. You can also use the internal IP address, 10.68.10.1, but only from the controls network (including the k1ctrA or k1ctrG wireless networks).
If you're automating this step, you can set up port forwarding for several different workstations at once, e.g.:
ssh -L localhost:3391:k1ctr1:3389 -L localhost:3392:k1ctr2:3389 -L localhost:3393:k1ctr3:3389 -L localhost:3394:k1ctr4:3389 controls@172.16.33.11
Leave this terminal session open and continue below.
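For the automated, multi-workstation case described above, the following added example (not part of the original manual) builds loopback-only forwarding arguments and checks a listener table for tunnel ports reachable from the network, which is what an empty bind address in -L produces. The function names, the sample table and the Linux `ss -ltn` column layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the KAGRA manual. forward_args, exposed_listeners
# and SAMPLE_SS are names assumed here; the listener table is constructed.

RDP_PORT=3389    # RDP port on each workstation (from the page)

# forward_args BASE HOST...: print "-L localhost:PORT:HOST:3389" for each
# host, with local ports BASE+1, BASE+2, ... The explicit "localhost" bind
# address keeps every listener on the loopback interface.
forward_args() {
    base=$1; shift
    n=0; out=""
    for host in "$@"; do
        n=$((n + 1))
        out="$out -L localhost:$((base + n)):$host:$RDP_PORT"
    done
    printf '%s\n' "${out# }"
}

# exposed_listeners LOW HIGH: read `ss -ltn` style lines on stdin and print
# each local port in LOW..HIGH that listens on a non-loopback address.
exposed_listeners() {
    awk -v lo="$1" -v hi="$2" '
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last ":"
            host = $4; sub(/:[0-9]+$/, "", host)   # text before the port
            if (port + 0 < lo || port + 0 > hi) next
            if (host != "127.0.0.1" && host != "[::1]") print port
        }' | sort -u
}

# Constructed sample: 3391 is loopback-only; 3392 is reachable from the
# network, which is what an empty bind address ("-L :3392:...") produces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:3391     0.0.0.0:*
LISTEN 0      128    [::1]:3391         [::]:*
LISTEN 0      128    0.0.0.0:3392       0.0.0.0:*
LISTEN 0      128    [::]:3392          [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Typical use (needs the VPN and the gateway password, so left commented):
#   ssh $(forward_args 3390 k1ctr1 k1ctr2) controls@172.16.33.11
#   ss -ltn | exposed_listeners 3391 3394
```

An empty result from exposed_listeners means every tunnel port in the range is bound to loopback. On macOS, which has no ss, lsof -nP -iTCP -sTCP:LISTEN lists the same listeners in a different format.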
Port Forwarding Setup for PuTTY (Windows or Mac)
- Open PuTTY and go to the Session tab. If you have already created a session, select it in the list and click Load. Otherwise, specify the gateway machine IP address under the Session tab.
- Go to the Connection/SSH/Tunnels tab:
- Fill in the source port as 3900 (or similar number) and the destination as k1ctr7:3389 (or a different workstation):
- Click Add:
- Optionally, add additional port forwarding combinations for other workstations. Choose a different local port number for each, but keep the remote port 3389 the same.
- Optionally, go back to the Sessions tab, give the new session a suitable name in the Saved Sessions field and click Save.
Click Open, and fill in the gateway machine controls username and password in the resulting terminal window:
Leave this terminal session open and continue below.
Port Forwarding Setup for Mac Terminal (for Older Versions of Microsoft Remote Desktop)
In the Profile tab of Preferences, click on the "+" button to add a new profile, give it a name like "KAGRA Port Forwarding", check the "Run Command" box and enter a suitable ssh command (see above).
Double click on the profile name to open a new window and enter the gateway machine controls username and password:
Close any Terminal windows besides the new one and choose the Windows->Save Windows as Group... menu command. Give the new group a name like "KAGRA Port Forwarding" in the dialog that appears:
In subsequent sessions, a new port forwarding window can be opened from the Windows->Open Window Group submenu.
Leave this terminal session open and continue below.
Port Forwarding Setup for Mac iTerm (for Older Versions of Microsoft Remote Desktop)
In the Profiles pane of the Preferences, create a profile with a name like "KAGRA Port Forwarding", click the "Command:" radio button and enter a suitable ssh command (see above).
The profile can then be invoked from the Profiles menu in the menubar, or the New Window... (or New Tab...) submenu of the iTerm menu in the Dock. In the resulting window, enter the gateway machine controls username and password.
Leave this terminal session open and continue below.
Connection with Microsoft Remote Desktop
Finally, use MRDC to connect to the local port, either via the desktop definition set up above or manually:
(MRDC for Mac v8)
There may be a warning dialog - if so, click Connect:
If you did not set up the account info earlier you will need to enter "controls" and the password, and click OK:
The workstation virtual desktop comes up in a window:
The size of the virtual desktop can be adjusted in MRDC settings. If you are logged in, you will need to log out of the workstation and back in again to have the change take effect. If you log in to a particular workstation from multiple machines (e.g., your desktop and your laptop) you will get the same MRDC session if and only if the screen sizes match.
Troubleshooting
When there is an RDP problem, you can ssh to k1ctr1/k1ctr2/k1ctr3/k1ctr4 and find and kill all the Xvnc processes by
ps aux | grep Xvnc
kill NNNN   # where NNNN is the process id of Xvnc.
Front End Web Server
Each front end has a web server for configuration. The main operation useful to VIS is powering down and up the front end remotely.
See the list of server IPs at KAGRA/Subgroups/DGS/IP#management. Using a web browser, go to http:// plus the IP number. Ask Miyakawa-san for the username/password combination.