
Connecting to virtual machines

Three different ways to connect to the VMs are available; choose one depending on the VM type and configuration and on the intended use case.

Connecting from outside CERN

Connections from outside CERN can be performed using SSH tunneling for SSH or FastX connections to Linux machines or through the Remote Desktop Service Gateway for Windows machines.

The description of each of the connection methods contains specific information for a configuration from outside CERN.

The connection method should be chosen based on the following matrix:

| From | To | Type | Method | Documentation |
|---|---|---|---|---|
| Windows | Windows | Graphical | Windows RDC | 📖 |
| Linux / Mac OS | Windows | Graphical | Windows RDC | 📖 |
| Windows | Linux | Command line | SSH | 📖 |
| Linux / Mac OS | Linux | Command line | SSH | 📖 |
| Windows | Linux | Graphical | FastX client | 📖 |
| Linux / Mac OS | Linux | Graphical | FastX client | 📖 |
| Any browser | Linux | Graphical | FastX web | 📖 |

SSH connection from Linux / Mac OS to Linux

This is the primary way of connecting to the Linux VMs from any Linux or Mac OS machine (including lxplus). As the mp-linux hostgroup is configured in a lxplus-like fashion, users can connect following the usual procedure applicable to IT-managed machines. In particular, two SSH credential methods are available: password or Kerberos. It should be noted that connecting with an SSH key pair is not possible (mostly because the home directory is on AFS). It is always worth investing some time to make the Kerberos method work.

To properly configure SSH and Kerberos, users connecting from Mac OS can refer to this guide and this documentation page. Users connecting from Linux can refer to this guide.

For reference, here is a $HOME/.ssh/config file for connections from inside the GPN.

Do not forget to replace {{username}} by your CERN account name. Uncomment the commented line if this is a configuration for Mac OS.

Host *
  # Let non-Apple OpenSSH builds skip the macOS-only UseKeychain option
  IgnoreUnknown UseKeychain
  UseKeychain yes
  Protocol 2
  IdentityFile ~/.ssh/id_rsa
  #XAuthLocation /opt/X11/bin/xauth

Host *.cern.ch
  User {{username}}

Host *.cern.ch !lxtunnel.cern.ch !lxplus.cern.ch !aiadm.cern.ch !lxplus !aiadm !gitlab.cern.ch
  ProxyJump lxplus.cern.ch

Host mp-linux*.cern.ch lxtunnel.cern.ch
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  PubkeyAuthentication no
  PasswordAuthentication no

Host lxplus*.cern.ch lxplus
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  PubkeyAuthentication no
  PasswordAuthentication no
  ForwardX11 yes
  ForwardX11Trusted yes
  ForwardAgent yes

Host gitlab.cern.ch
  Preferredauthentications publickey
  IdentityFile ~/.ssh/id_rsa
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  ForwardX11 no

SSH is configured so that all connections to a .cern.ch machine will be tunnelled through lxplus. This is very useful when connecting from outside CERN. Connections to lxplus and to mp-linux*.cern.ch (the Linux VMs of this project) are handled through Kerberos authentication. This setup allows password-less connections from inside and outside CERN.

When the SSH client is configured properly, the next step is to acquire a Kerberos token with

kinit USERNAME@CERN.CH

or to renew an existing token with

kinit -R

These steps will require your password. If you are connecting from lxplus, or from another machine which already obtained a token, this is unnecessary.

The user can then simply connect from a terminal, without typing a password, with the following command:

ssh machine_name
where machine_name is the short name of the machine, for example mp-linux-01.
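
How the Host blocks in the configuration above resolve for a given name, as an added example that is not part of the original documentation: a small Python model of OpenSSH's Host matching (a matching negated pattern excludes the block, and the first value obtained for an option wins), run over a trimmed copy of the configuration. The function names are hypothetical.

```python
import re

# Trimmed copy of the Host blocks from the page's ~/.ssh/config (added example).
CONFIG = """
Host *
  IdentityFile ~/.ssh/id_rsa
Host *.cern.ch
  User {{username}}
Host *.cern.ch !lxtunnel.cern.ch !lxplus.cern.ch !aiadm.cern.ch !lxplus !aiadm !gitlab.cern.ch
  ProxyJump lxplus.cern.ch
Host mp-linux*.cern.ch lxtunnel.cern.ch
  GSSAPIAuthentication yes
  PubkeyAuthentication no
  PasswordAuthentication no
Host lxplus*.cern.ch lxplus
  GSSAPIAuthentication yes
  ForwardX11Trusted yes
  ForwardAgent yes
Host gitlab.cern.ch
  PreferredAuthentications publickey
"""

def pattern_matches(pattern, host):
    """ssh_config patterns support only the '*' and '?' wildcards."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, host) is not None

def block_applies(patterns, host):
    """A matching negated pattern vetoes the block; otherwise one positive match is needed."""
    if any(p.startswith("!") and pattern_matches(p[1:], host) for p in patterns):
        return False
    return any(not p.startswith("!") and pattern_matches(p, host) for p in patterns)

def effective_options(host, config=CONFIG):
    """Resolve options for the name typed on the command line (first value wins)."""
    options, active = {}, False
    for line in config.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0].lower() == "host":
            active = block_applies(words[1:], host)
        elif active:
            options.setdefault(words[0].lower(), " ".join(words[1:]))
    return options

if __name__ == "__main__":
    for name in ("mp-linux-01.cern.ch", "lxplus.cern.ch", "gitlab.cern.ch", "mp-linux-01"):
        print(name, effective_options(name))
```

Patterns are compared with the name as typed, so the short name mp-linux-01 picks up only the `Host *` block unless hostname canonicalization (CanonicalizeHostname) is enabled elsewhere. `ssh -G <name>` prints the options the real client resolves.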

Automatic ticket renewal on Mac OS

To manage your Kerberos tokens and renew them automatically using your password stored in the keychain, install Kerberos Ticket Autorenewal from the App Store.

Connecting from outside CERN

Connections from outside CERN can be performed in a variety of ways. The example SSH configuration file below shows how to use SSH tunneling through lxplus using ProxyJump.

For reference, here is a $HOME/.ssh/config file for connections from outside CERN. Do not forget to replace {{username}} by your CERN account name. Uncomment the commented line if this is a configuration for Mac OS.

Host *
  # Let non-Apple OpenSSH builds skip the macOS-only UseKeychain option
  IgnoreUnknown UseKeychain
  UseKeychain yes
  Protocol 2
  IdentityFile ~/.ssh/id_rsa
  #XAuthLocation /opt/X11/bin/xauth

Host *.cern.ch
  User {{username}}

Host *.cern.ch !lxtunnel.cern.ch !lxplus.cern.ch !aiadm.cern.ch !lxplus !aiadm !gitlab.cern.ch
  ProxyJump lxplus.cern.ch

Host mp-linux*.cern.ch lxtunnel.cern.ch
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  PubkeyAuthentication no
  PasswordAuthentication no

Host lxplus*.cern.ch lxplus
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  PubkeyAuthentication no
  PasswordAuthentication no
  ForwardX11 yes
  ForwardX11Trusted yes
  ForwardAgent yes

Host gitlab.cern.ch
  Preferredauthentications publickey
  IdentityFile ~/.ssh/id_rsa
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  ForwardX11 no

SSH is configured so that all connections to a .cern.ch machine will be tunnelled through lxplus. This is very useful when connecting from outside CERN. Connections to lxplus and to mp-linux*.cern.ch (the Linux VMs of this project) are handled through Kerberos authentication. This setup allows password-less connections from inside and outside CERN.

SSH connection from Windows to Linux

Through lxplus tunnelling (preferred)

  • Install PuTTY from CMF (or alternatively from here)
  • Open PuTTY and insert lxplus.cern.ch into "Host Name"
  • Go to "Connection" -> "SSH" -> "Tunnels"

    • Insert 3300 for the "Source Port"
    • Insert the VM address followed by :3300 (e.g. mp-linux-ts-01.cern.ch:3300) in "Destination"
    • Click "Add"

  • Go back to "Session" (top in the left menu)

    • Give this configuration a name (e.g. lxplus_tunnel) in "Saved Session"
    • Click "Save"
  • Click "Open" to start the proxy. If you reopen PuTTY you can double-click on lxplus_tunnel to restart the proxy directly
  • Enter your CERN username and your password in the new window
  • Open FastX and add a new connection by clicking on the "+" in the top-left corner
  • Select "https" in the top box
  • Enter localhost in the "Host" field and your CERN username in "User"
  • You can now connect to the VM from outside CERN

ToDo Kerberos auto renew

Users connecting from a Windows machine can find more details on the use of Putty in this documentation:

  • Explanations on how to connect to lxplus are provided and are also valid to connect to the Machine Protection Linux VMs;
  • Details are given on how to generate a private/public key pair;
  • Apparently Windows 10 has a built-in SSH client, see details on that page.

Details for connections as root can be found in the system administrator documentation.

Through Windows Terminal Server

Alternatively, you can connect to your CERN desktop via the Remote Desktop Service and from there connect to the VM with FastX. This documentation explains how to configure the remote connection via Remote Desktop Service.

Desktop environment using FastX

Although X-forwarding over SSH is always an option, FastX is installed on all the mp-linux-ts-* machines to support interactive access to the installed desktop environments (KDE, GNOME and XFCE). FastX is highly optimized for speed, even over slow network connections, and also provides a "Linux in the browser" feature, in addition to a more traditional desktop client (available on Mac, Linux and Windows). FastX is being deployed at CERN in a pilot phase of the CERN Applications Gateway project.

The FastX desktop clients can be downloaded from here.

Connection using the web client

To connect using a web browser, simply follow these steps:

  1. Go to https://{machine-name}.cern.ch:3300 where machine-name is the host (e.g. mp-linux-ts-01)
  2. Connect using your credentials with username and password
  3. Start a new session by choosing your favorite desktop environment (XFCE is a good choice)
  4. Refer to this documentation as needed

Connection using the desktop client on Mac OS

To connect using the Mac OS desktop client, follow these steps:

  1. Create a new connection using the SSH protocol (recommended, as it allows tunneling and password-less authentication) as shown in the screenshot
  2. Start a new session by choosing your favorite desktop environment (XFCE is a good choice)
  3. Refer to this documentation as needed

FastX SSH connection

Connection using the desktop client on Windows

To connect using the Windows desktop client, follow these steps:

  1. Create a new connection using the web protocol
  2. Connect using your credentials with username and password
  3. Start a new session by choosing your favorite desktop environment (XFCE is a good choice)
  4. Refer to this documentation as needed

Connecting from outside CERN

To connect from outside CERN using the FastX desktop clients, refer to the SSH configuration above, especially the part on using lxplus with ProxyJump. With the connection type set to ssh as shown above, the whole process is password-less.

Windows Remote Desktop connection

The connection to Windows VMs uses the Windows Remote Desktop clients available on Windows and on Mac OS. No specific configuration is needed. Users can use the CERN Remote Desktop Services to create a .rdp file (use the Generate a .rdp file to connect to a Server link). Slightly more detailed instructions are available for:

The general documentation on Windows at CERN can also be consulted.

Connecting from outside CERN

The VMs in the mp-windows hostgroup are accessible through the Windows Remote Desktop Gateway (all users in the machine-protection-studies-users are allowed to log in through the gateway). Users should use cerngt.cern.ch as the gateway when connecting from outside the CERN network (see screenshot below). Alternatively, a .rdp file can be downloaded directly from this page (use the Generate a .rdp file to connect to a PC from outside CERN link).

Windows Remote Desktop