Differences between revisions 37 and 38
Revision 37 as of 2018-11-14 10:48:11
Size: 9919
Editor: MarkBarton
Comment:
Revision 38 as of 2018-11-14 10:49:55
Size: 10445
Editor: MarkBarton
Comment:
Line 129: Line 129:
'''Note: Microsoft Remote Desktop Connection for Mac v10 has a crippling missing feature: it will not connect to any port other than 3389, the default. This makes setting up port forwarding inconvenient because the setup script has to be specific to a particular workstation and has to map 3389 on that workstation to the same port on localhost. MRDC v10 has a gateway feature that looks as it would do what you want but only connects to a custom MRDC gateway server. Grab v8 from the App Store if you can still get it.'''
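Review bot: In the added note, "looks as it would do what you want" is missing a word ("looks as if it would"). With this change the same paragraph also appears twice in the page body, under "Port Forwarding Setup via ssh in Linux/Mac" and under "Connection with Older Versions of Microsoft Remote Desktop", so any later correction has to be made in both places; consider keeping one copy and referring to it from the other section.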

KAGRA VIS Operations Manual - Remote Operation

Note: The IP numbers for key computers shown below are subject to change. The most up-to-date values can be found at KAGRA/Subgroups/DGS/IP.

General Info

To work remotely, you are required to have a "buddy" at Kamioka who can liaise with other groups who might be working on the computer system or interferometer.

The KAGRA network is protected by two levels of private network. From the general Internet, it can only be accessed by a three-step process:

  1. Use VPN software and ICRR credentials to get onto the ICRR private network.
  2. Log onto the gateway machine for the KAGRA network, k1gate, via its external IP address, 172.16.33.11.
  3. Log onto a control room workstation (e.g., k1ctr0 ... k1ctr5) or other computer of interest.

From the k1ctrA and k1ctrG wireless networks, the first two steps can be skipped.

Apply to Miyoki-san, miyoki AT icrr.u-tokyo.ac.jp, for ICRR VPN credentials. Cisco VPN software is required.

Logging onto a control room workstation can be done via terminal commands (preferably from a computer with X Windows available) or with Microsoft Remote Desktop Connection. On the Mac, MRDC is available for free on the App Store.

ICRR VPN

To access the ICRR VPN, enter the ICRR VPN server:

Cisco.png

then enter your credentials:

Credentials.png

Note that this will disrupt any running terminal sessions and downloads on your computer, and may disrupt some browser sessions.

Login via ssh

Open a terminal window and log into first the gateway machine and then a workstation or other computer:

Alberts-Mac:~ aeinstein$ ssh -Y controls@172.16.33.11   # need to use the external IP number of k1gate 
controls@172.16.33.11's password: 
[controls@k1gate ~]$ ssh -Y controls@k1ctr4   # can use k1ctr1 through k1ctr9
controls@k1ctr4's password:

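The gateway password and the workstation password are different. Ask a DGS member what they are. The -Y flag sets up trusted X forwarding so that if you have X Windows software installed (standard on Linux; Xquartz for Mac; ??? on Windows) you can have workstation windows appear on your own machine. (In general, -Y is used instead of the older -X flag because the X11 SECURITY extension restrictions that -X applies break many applications. -Y lifts those restrictions, so programs on the remote machine get full access to your local X display; use it only toward machines you trust.)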

Login via Microsoft Remote Desktop Connection

Workstations k1ctr1, k1ctr2, k1ctr3 and k1ctr4 (at least) are configured for Microsoft Remote Desktop Connection. Using MRDC has the advantage that the session on the workstation is preserved unless you specifically log out, so it's useful if you want to set up long-running tasks like transfer functions from a laptop or other computer that you can't conveniently leave turned on and in the same place. Information about your session is stored in a .rdp file on your local machine, so multiple people can login from different machines and have their own independent sessions.

From the control network (in the control room or in the tunnel; wired or via the k1ctrA or k1ctrG wireless networks), it's possible to log in to the workstations directly.

From other locations in the ICRR network it is necessary to set up port forwarding to get through the gateway machine (see below for details).

From outside ICRR it is necessary to use a VPN and then set up port forwarding.

If you do any level of automation, then it's useful to do the port forwarding even if you're connecting from the internal network, so that you only need one profile per workstation in MRDC and you are guaranteed to get the same environment every time.

Port Forwarding Setup via ssh in Linux/Mac (for Older Versions of Microsoft Remote Desktop)

Note: Microsoft Remote Desktop Connection for Mac v10 has a crippling missing feature: it will not connect to any port other than 3389, the default. This makes setting up port forwarding inconvenient because the setup script has to be specific to a particular workstation and has to map 3389 on that workstation to the same port on localhost. MRDC v10 has a gateway feature that looks as if it would do what you want but only connects to a custom MRDC gateway server. Grab v8 from the App Store if you can still get it.

To use MRDC from outside ICRR, first connect to the ICRR VPN as described above.

Open a terminal window and log in as controls to the gateway machine, setting up port forwarding from port 3389 (the default port for MRDC) on the desired workstation k1ctr1/k1ctr2/k1ctr3/k1ctr4/etc to port 3390 (an arbitrary number not in use for anything else) on your local machine. You will need to enter the gateway password (but not the workstation password at this point).

Alberts-Mac:~ aeinstein$ ssh -L 3390:k1ctr4:3389 controls@172.16.33.11   # no leading colon, so the forward listens on localhost only (the ssh default)
controls@172.16.33.11's password: 

The external IP address (172.16.33.11) works both on the controls network and the broader ICRR network. You can also use the internal IP address, 10.68.10.1, but only from the controls network (including the k1ctrA or k1ctrG wireless networks).

If you're automating this step, you can set up port forwarding for several different workstations at once, e.g.:

ssh -L 3391:k1ctr1:3389 -L 3392:k1ctr2:3389 -L 3393:k1ctr3:3389 -L 3394:k1ctr4:3389 controls@172.16.33.11

Leave this terminal session open and continue below.
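
ssh(1) states that an empty bind address in a -L specification (a value that starts with a colon) makes the forwarded port available from all interfaces, so an RDP forward meant only for your own machine is best bound to 127.0.0.1 explicitly. The script below is an added example, not part of the original manual: it builds loopback-only forwards for several workstations and checks `lsof` output for ssh listeners on the wildcard address. The function names and the sample `lsof` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): loopback-only RDP forwards
# plus a check for ssh listeners that are exposed on every interface.

RDP_PORT=3389   # MRDC port on the workstations, as given on the page

# Print one -L argument per workstation, each bound to 127.0.0.1 only.
# Usage: build_forwards FIRST_LOCAL_PORT WORKSTATION...
build_forwards() {
    port=$1; shift
    out=
    for host in "$@"; do
        out="$out -L 127.0.0.1:$port:$host:$RDP_PORT"
        port=$((port + 1))
    done
    printf '%s\n' "${out# }"
}

# Open the tunnel; ssh exits at once if a local port cannot be bound.
# Not called here because it needs the VPN and the gateway password.
open_tunnel() {
    # Unquoted on purpose: the forwards must split into separate arguments.
    ssh -N -o ExitOnForwardFailure=yes $(build_forwards "$@") controls@172.16.33.11
}

# Read `lsof -nP -iTCP -sTCP:LISTEN` output on stdin and print the ports
# on which an ssh process listens on the wildcard address ("*:port").
exposed_ports() {
    awk '$1 == "ssh" && $NF == "(LISTEN)" && $(NF-1) ~ /^\*:/ {
             port = substr($(NF-1), 3)
             if (!(port in seen)) { seen[port] = 1; out = (out == "" ? port : out " " port) }
         }
         END { print out }'
}

# Constructed sample: PID 4101 was started with an empty bind address,
# PID 4207 with the 127.0.0.1 forwards produced by build_forwards.
SAMPLE_LSOF='COMMAND  PID USER      FD TYPE DEVICE SIZE/OFF NODE NAME
ssh     4101 aeinstein 5u IPv4 0x01   0t0      TCP  *:3390 (LISTEN)
ssh     4101 aeinstein 6u IPv6 0x02   0t0      TCP  *:3390 (LISTEN)
ssh     4207 aeinstein 5u IPv4 0x03   0t0      TCP  127.0.0.1:3391 (LISTEN)
ssh     4207 aeinstein 6u IPv4 0x04   0t0      TCP  127.0.0.1:3392 (LISTEN)'

build_forwards 3391 k1ctr1 k1ctr2
printf '%s\n' "$SAMPLE_LSOF" | exposed_ports    # prints 3390
```

On a live machine, pipe `lsof -nP -iTCP -sTCP:LISTEN` into `exposed_ports` while the tunnel is open; an empty result means no forward is reachable from other hosts.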

Port Forwarding Setup for PuTTY (Windows or Mac)

  • Open PuTTY and go to the Session tab. If you have already created a session, select it in the list and click Load. Otherwise, specify the gateway machine IP address under the Session tab.

PuTTY1.png

  • Go to the Connection/SSH/Tunnels tab:

PuTTY2.png

  • Fill in the source port as 3900 (or similar number) and the destination as k1ctr7:3389 (or a different workstation):

PuTTY3.png

  • Click Add:

PuTTY4.png

  • Optionally, add additional port forwarding combinations for other workstations. Choose a different local port number for each, but keep the remote port 3389 the same.
  • Optionally, go back to the Sessions tab, give the new session a suitable name in the Saved Sessions field and click Save.
  • Click Open, and fill in the gateway machine controls username and password in the resulting terminal window:

PuTTY5.png

  • Leave this terminal session open and continue below.

Port Forwarding Setup for Mac Terminal (for Older Versions of Microsoft Remote Desktop)

  • In the Profile tab of Preferences, click on the "+" button to add a new profile, give it a name like "KAGRA Port Forwarding", check the "Run Command" box and enter a suitable ssh command (see above).

KAGRA Port Forwarding Terminal 1.png

  • Double click on the profile name to open a new window and enter the gateway machine controls username and password:

KAGRA Port Forwarding Terminal 2.png

  • Close any Terminal windows besides the new one and choose the Windows->Save Windows as Group... menu command. Give the new group a name like "KAGRA Port Forwarding" in the dialog that appears:

KAGRA Port Forwarding Terminal 3.png

  • In subsequent sessions, a new port forwarding window can be opened from the Windows->Open Window Group submenu.

  • Leave this terminal session open and continue below.

Port Forwarding Setup for Mac iTerm (for Older Versions of Microsoft Remote Desktop)

  • In the Profiles pane of the Preferences, create a profile with a name like "KAGRA Port Forwarding", click the "Command:" radio button and enter a suitable ssh command (see above).

KAGRA Port Forwarding iTerm.png

  • The profile can then be invoked from the Profiles menu in the menubar, or the New Window... (or New Tab...) submenu of the iTerm menu in the Dock. In the resulting window, enter the gateway machine controls username and password.

  • Leave this terminal session open and continue below.

Connection with Older Versions of Microsoft Remote Desktop

Note: Microsoft Remote Desktop Connection for Mac v10 has a crippling missing feature: it will not connect to any port other than 3389, the default. This makes setting up port forwarding inconvenient because the setup script has to be specific to a particular workstation and has to map 3389 on that workstation to the same port on localhost. MRDC v10 has a gateway feature that looks as if it would do what you want but only connects to a custom MRDC gateway server. Grab v8 from the App Store if you can still get it.

Finally, use MRDC to connect to local port 3390 (or whatever value you used):

MRDC.png

There may be a warning dialog - if so, click Connect:

Oops.png

Enter "controls" and the password, and click OK:

Login.png

The workstation virtual desktop comes up in a window:

RDC-DTT.png

The size of the virtual desktop can be adjusted in MRDC settings. If you are logged in, you will need to log out of the workstation and back in again to have the change take effect. If you log in to a particular workstation from multiple machines (e.g., your desktop and your laptop) you will get the same MRDC session if and only if the screen sizes match.

Troubleshooting

When there is an RDP problem, you can ssh to k1ctr1/k1ctr2/k1ctr3/k1ctr4 and find and kill all the Xvnc processes by

ps aux|grep Xvnc

kill NNNN # where NNNN is the process id of Xvnc.

Front End Web Server

Each front end has a web server for configuration. The main operation useful to VIS is powering down and up the front end remotely.

See the list of server IPs at KAGRA/Subgroups/DGS/IP#management. Using a web browser, go to http:// plus the IP number. Ask Miyakawa-san for the username/password combination.


KAGRA/Subgroups/VIS/OpsManual/Remote (last edited 2018-11-14 13:19:16 by MarkBarton)