Running graphical applications using SSH and X tunneling

Some applications on our systems (e.g Matlab) have a graphical user interface. To be able to display windows from an application running on an NSC system on your own computer, you need two things:

  1. An X server software installed on your computer.
    • If you run Linux, this is already taken care of.
    • If you run MacOS, you might need to install and start X11.app which is included in MacOS but not always installed.
    • If you run Windows, you need to find a third-party X server software (e.g Xming), as this is not normally included in Windows. Ask your local system administrator.
  2. Enable X11 forwarding in your SSH client. This allows windows from the NSC system to be displayed on your local computer. If you use OpenSSH this is done using the -X option to ssh, e.g ssh -X x_abcde@triolith.nsc.liu.se.

Note: For better performance when running graphical applications, we recommend using ThinLinc (See below) - a remote desktop/visualization software.

Running graphical applications using ThinLinc

Note: Thinlinc is only available on Triolith.

ThinLinc is a remote desktop solution from Cendio Systems. See the Cendio website for a complete description.

By running the X server on a server in the cluster (i.e closer to your application) and using an efficient method for delivering the image to your local computer (VNC-based), most graphical applications will run significantly better than when using X-forwarding tunneled through SSH.

ThinLinc can also make use of a graphics card in the ThinLinc server to provide hardware acceleration to OpenGL applications (e.g VMD, Maestro, Gaussview).

Why would you want to use ThinLinc?

Here are some use cases:

  1. Using accelerated OpenGL applications

    Perhaps you want to run a graphical user interface (GUI) that is using OpenGL (e.g VMD) to visualize data that is located at NSC. Rather than moving a large amount of data to your local computer and visualize it there, you can run the GUI directly on an NSC system and display the window on your computer with much better results (higher framerate etc) than using traditional X-windows tunneling through SSH.

  2. Modern GUIs that do not run well using X-forwarding

    Certain graphical user interfaces are implemented with no regard for performance when tunneled through SSH on a connection with high latency, and will be more or less unusable. Since ThinLinc presents a local X server to the application (with almost zero latency) and handles the transportation of the graphics data invisible to the application, it can perform much better for these types of applications.

Installing the ThinLinc client and connecting to Triolith

The ThinLinc client can be downloaded for free from http://www.cendio.com/downloads/clients/. It is available for Windows, Mac OS X, Linux and Solaris.

To use ThinLinc to connect to Triolith:

  1. Download the client matching your local computer (i.e Windows, Linux, MacOS X or Solaris) and install it.

  2. Start the client.

  3. Change the "Server" setting to "triolith-thinlinc.nsc.liu.se" (Do NOT use "triolith.nsc.liu.se", it will only work under certain conditions).

  4. Change the "Name" setting to your Triolith username (e.g x_abcde).

  5. You do not need to change any other settings.

  6. Enter your Triolith password in the "Password" box.

  7. Press the "Connect" button.

The first time you connect, you will get a message saying "The server's host key is not cached...". Verify that the server key for triolith-thinlinc.nsc.liu.se is "4d:66:25:46:82:a9:1c:bc:8c:04:77:b9:b0:6b:64:8b", then press Continue.

After a few seconds, a window with a simple desktop session in it will appear. From the Applications menu, start a Terminal Window. You are now logged in to Triolith and can submit jobs, start interactive sessions, start graphical interfaces as usual.

Please note that all Triolith applications are available on the ThinLinc server, not just the ones listed in the Application menu.

To log out end end your session, click the green "running man" icon to the right of the Applications menu and select Logout.

The default session is a fullscreen session (will cover your entire screen). If this is not what you want, you can change it in the ThinLinc client settings. Click Options, select the Screen tab and deselect Full Screen Mode. You will then get a window with your Triolith desktop inside it, which you can resize to whatever size you want.

In most cases you also want to disable the session option "send system keys". This option is on by default, and it means that "system keys" (e.g Alt-Tab, Cmd-Tab etc) are sent to the ThinLinc server and not to your local computer while the ThinLinc session is running.

Using SSH public key authentication instead of password

If you use SSH public key authentication to login to Triolith you need to do this to use this method also for ThinLinc:

  1. Start the ThinLinc client

  2. Click "Options"

  3. In the "Security" tab, Change "Password" to "Public key"

  4. Press OK

  5. The "Password" box has now changed to "Key". Click the browse button to the right of the Key field and select your SSH private key file (or enter the path to your key directly)

  6. Press the "Connect" button.

  7. Enter the passphrase for your SSH private key (if you don't have one, you really should…)

Note: you will need to enter your SSH key passphrase each time you log in. This is due to the ThinLinc client not being integrated with the Linux ssh-agent.

Using ssh-agent with ThinLinc (unsupported)

If you want to use SSH keys loaded into ssh-agent to connect to ThinLinc, you can do that by modifying your ThinLinc client.

The method described below is unsupported by Cendio and NSC. Use it at your own risk. However, it's unlikely that anything can go wrong that you cannot fix by reinstalling the ThinLinc client.

This has been tested on Ubuntu Linux running the ThinLinc client version 4.1.1, but it will probably work with other Linux distributions and ThinLinc client versions. Note: you will have to re-apply this fix every time you upgrade the ThinLinc client.

If you use this fix, the ThinLinc client will use any keys from your ssh-agent to log in regardless of whether you have specified password or public key login in the client settings. Recommendation: set client to use password and don't enter anything into the password box.

To apply the fix, run the following as root on your Linux client:

mv /opt/thinlinc/lib/tlclient/ssh /opt/thinlinc/lib/tlclient/ssh.real
cat > /opt/thinlinc/lib/tlclient/ssh <<"EOF"
#! /bin/sh
# SSH wrapper for ThinLinc client to enable using keys loaded into
# ssh-agent to be used
TLSSHARGS="$*"

# Only try to use this method if an ssh-agent is actually running
if [ "$SSH_AGENT_PID" != "" ] ; then
    SSH_AUTH_SOCK="$MY_SSH_AUTH_SOCK"
    if [ -S "$SSH_AUTH_SOCK" ] ; then
        TLSSHARGS="`echo "$*" | sed s/\-o\ PubkeyAuthentication=no//`"
    fi
fi

# Run the real SSH client
exec $0.real $TLSSHARGS
EOF
chmod 755 /opt/thinlinc/lib/tlclient/ssh

mv /opt/thinlinc/bin/tlclient /opt/thinlinc/bin/tlclient.real

cat > /opt/thinlinc/bin/tlclient <<"EOF"
#!/bin/bash
# ThinLinc client wrapper to enable using SSH keys loaded into
# ssh-agent for authentication.
#
# Since ThinLinc will unset $SSH_AUTH_SOCK, we need to save the value
# of it into another variable.
export MY_SSH_AUTH_SOCK="$SSH_AUTH_SOCK"

# Launch the real ThinLinc client
exec $0.real $*
EOF
chmod 755 /opt/thinlinc/bin/tlclient

Running accelerated OpenGL applications

In order to make use of hardware-accelerated OpenGL, the application needs to be launched in a certain way.

Some applications have already been modified to do this automatically. The applications listed below will automatically be accelerated when run from ThinLinc, so you just need to start them manually.

  • GaussView (e.g "module add gaussview/5.0.9; gv")

  • VMD (e.g "module add vmd/1.9.1; vmd")

  • Maestro (e.g "module add schrodinger/2012u1-nsc; maestro")

  • VESTA (e.g "module add vesta/3.1.3; vesta")

All other OpenGL applications needs to be launched using "vglrun", e.g "vglrun SOME_OPENGL_APPLICATION".

Thinlinc sessions

If you close your ThinLinc client or explicitly disconnect, your session on Triolith will still be running, and you will automatically be reconnected to that session the next time you login to ThinLinc.

If you will not be using ThinLinc for a few days, we recommend logging out (using the green "running man" logout icon in the ThinLinc desktop).

NSC reserves the right to log out sessions that have been idle for a significant time. Also, if a login node is rebooted, all ThinLinc sessions on that node will be logged out.

If you have no current ThinLinc session, your next one will be on the login node with the lowest load. You can not control which server your next session will use. If you need to access the other login node, login to it using SSH (e.g "ssh triolith2").