From 1c09ba4e108c86c0c7b0e2512193e1fffab20f0e Mon Sep 17 00:00:00 2001 From: ebner Date: Thu, 8 Dec 2022 15:43:02 +0100 Subject: [PATCH] add draft for nx --- proposals/draft-nx-overview.drawio.svg | 878 +++++++++++++++++++++++++ proposals/draft-nx.md | 117 ++++ 2 files changed, 995 insertions(+) create mode 100644 proposals/draft-nx-overview.drawio.svg create mode 100644 proposals/draft-nx.md diff --git a/proposals/draft-nx-overview.drawio.svg b/proposals/draft-nx-overview.drawio.svg new file mode 100644 index 00000000..ccaa3e1e --- /dev/null +++ b/proposals/draft-nx-overview.drawio.svg @@ -0,0 +1,878 @@ + + + + + + + + + +
+
+
+ http://rem-acc-ganglia.psi.ch +
+
+
+
+ + http://rem-acc-ganglia.psi.ch + +
+
+
+ + + + + + + +
+
+
+ rem-acc-1.psi.ch +
+
+
+
+ + rem-acc-1.psi.ch + +
+
+
+ + + + +
+
+
+ rem-acc.psi.ch +
+
+
+
+ + rem-acc.ps... + +
+
+ + + + + + + +
+
+
+ nx-proxy-1 +
+
+
+
+ + nx-proxy-1 + +
+
+
+ + + + + + + +
+
+
+ nx-proxy-2 +
+
+
+
+ + nx-proxy-2 + +
+
+
+ + + + +
+
+
+ nomachine-proxy.psi.ch +
+
+
+
+ + nomachine-pro... + +
+
+ + + + +
+
+
+ Extranet +
+
+
+
+ + Extranet + +
+
+ + + + +
+
+
+ Intranet +
+
+
+
+ + Intranet + +
+
+ + + + + + + + +
+
+
+ port 4000 +
+
+
+
+ + port 4000 + +
+
+ + + + + +
+
+
+ port 4000 +
+
+
+
+ + port 4000 + +
+
+ + + + +
+
+
+ svc-nx +
+
+
+
+ + svc-nx + +
+
+ + + + + + + + + +
+
+
+ ra-nx-1 +
+
+
+
+ + ra-nx-1 + +
+
+
+ + + + + + + +
+
+
+ ra-nx-2 +
+
+
+
+ + ra-nx-2 + +
+
+
+ + + + +
+
+
+ ra-nx.psi.ch +
+
+
+
+ + ra-nx.psi.ch + +
+
+ + + + + + + +
+
+
+ merlin-nx-1 ??? +
+
+
+
+ + merlin-nx-1 ??? + +
+
+
+ + + + + + + +
+
+
+ merlin-nx-2 ??? +
+
+
+
+ + merlin-nx-2 ??? + +
+
+
+ + + + +
+
+
+ merlin-nx.psi.ch +
+
+
+
+ + merlin-nx.psi... + +
+
+ + + + +
+
+
+ Ivano +
+
+
+
+ + Ivano + +
+
+ + + + +
+
+
+ Marc +
+
+
+
+ + Marc + +
+
+ + + + +
+
+
+ svc-cluster_ra +
+
+
+
+ + svc-cluste... + +
+
+ + + + +
+
+
+ svc-cluster_merlin5 +
+
+
+
+ + svc-cluste... + +
+
+ + + + +
+
+
+ svc-cluster_merlin6 +
+
+
+
+ + svc-cluste... + +
+
+ + + + + +
+
+
+ port 4000 +
+
+
+
+ + port 4000 + +
+
+ + + + + +
+
+
+ port 4000 +
+
+
+
+ + port 4000 + +
+
+ + + + + + + +
+
+
+ https:// +
+ rama.psi.ch +
+
+
+
+ + https://... + +
+
+
+ + + + +
+
+
+ can login to give access to certain consolse +
+
+
+
+ + can login... + +
+
+ + + + + +
+
+
+ mongo +
+
+
+
+ + mongo + +
+
+ + + + +
+
+
+ Angular +
+
+
+
+ + Angular + +
+
+ + + + + + +
+
+
+ Admins +
+ Beamline Responsible (member of the active directory group e.g. unx-sf_furka_bs) +
+
+
+
+ + Admins... + +
+
+ + + + +
+
+
+ monitoring +
+
+
+
+ + monitoring + +
+
+ + + + + + + +
+
+
+ update access rules +
+
+
+
+ + update acc... + +
+
+ + + + + + + + + +
+
+
+ rem-acc-2.psi.ch +
+
+
+
+ + rem-acc-2.psi.ch + +
+
+
+ + + + +
+
+
+ centos7 +
+
+
+
+ + centos7 + +
+
+ + + + +
+
+
+ pre-shared ssh keys - changes done via ssh commands +
+ there is a script on rem-acc from dima +
+ /root/scripts/change_rule.sh +
+
+
+
+ + pre-shared ssh keys - c... + +
+
+ + + + + + + + + +
+
+
+ consoles ... +
+
+
+
+ + consoles ... + +
+
+
+ + + + + +
+
+
+ port:4000 +
+
+
+
+ + port:4000 + +
+
+ + + + +
+
+
+ Rene +
+
+
+
+ + Rene + +
+
+ + + + + + + +
+
+
+ nx-node-1 +
+
+
+
+ + nx-node-1 + +
+
+
+ + + + + + + +
+
+
+ nx-node-2 +
+
+
+
+ + nx-node-2 + +
+
+
+ + + + + + + +
+
+
+ nx-node-3 +
+
+
+
+ + nx-node-3 + +
+
+
+ + + + + + + +
+
+
+ nx-node-4 +
+
+
+
+ + nx-node-4 + +
+
+
+ + + + +
+
+
+ node randomly choosen +
+ or re-connect to existing connection +
+
+
+
+ + node rando... + +
+
+ + + + + + + + + + + + + + + + + + + + + + + +
+
+
+ login nodes +
+ .... +
+
+
+
+ + login nodes... + +
+
+
+ + + + + + + +
+
+
+ login nodes +
+ .... +
+
+
+
+ + login nodes... + +
+
+
+
+ + + + + Viewer does not support full SVG 1.1 + + + +
\ No newline at end of file diff --git a/proposals/draft-nx.md b/proposals/draft-nx.md new file mode 100644 index 00000000..64a5f227 --- /dev/null +++ b/proposals/draft-nx.md 
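Review bot: several labels in the diagram are unresolved or misspelled and should be settled before the drawing is treated as the reference overview: `merlin-nx-1 ???` and `merlin-nx-2 ???` need either real host names or an explicit TBD, `consolse` should be `consoles`, and `choosen` should be `chosen`. The drawing also carries operational detail that exists nowhere else in this change, in particular that rule changes on rem-acc are made over pre-shared SSH keys via `/root/scripts/change_rule.sh` and that beamline responsibles are authorized through an Active Directory group (`unx-sf_furka_bs` is the example given); that is the access-control path a reviewer needs to see, so it belongs in draft-nx.md as text rather than only inside an SVG label.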
@@ -0,0 +1,117 @@ +# NX + +![scetch](draft-nx-overview.drawio.svg) + +Highavailability mode really needed +NX does the decision - sometimes not transparent how it is done + +##rem-acc.psi.ch +decides who is allowed to connect to a certain nx machine connected to rem-acc + +configuration inside NX in a database + +svc-nx - AD group this defines who is allwed to access NoMachine Proxy from rem-acc + + + +/root/scripts/change_rule.sh Written by Dima does nxserver commands - used to update rules +history of root will show last changes + +/root/scripts contain a set of other scripts + + + +Usually NX access from rem-acc to machines in the office network is not allowed (security request) +There are exceptions: +* detector group shared workstateion - pcmic05 +* ENE - Jens Ehler - mpc2053, mpc2959 +* + + +Rules for these machines are not dynamically modifiable, need to be done manually! +need request to security to open a firewall rule + + + +# Commands on rem-acc + +List of all configured servers +``` +nxserver --serverlist --extended +# nxserver --serverlist --extended | grep psi.ch | grep nomach + +``` + +Output: one line for each server + + +Show all access rules +``` +nxserver --rulelist +``` + +# Software +RemACC - NoMachine Cloud Server +xxx proxies - NoMachine Enterprise Desktop Service +nodes behing proxy - NoMachine Enterprise Server Nodes - you can only to these nodes through a proxy (Enterprise Desktop Service) + +consoles - Enterprise Desktop - allows connections to the physical console) (- with Windows this is the only product that we use) - 1 session + +Virtual desktops Linux: +NoMachine Workstation - up to 4 virtual session can be created - usually used on the *-vcons-* systems +Small Business Terminal Server Subscription - same as above but up to 10 virtual sessions - (only used for ENE) +Terminal Server - same as above but unlimited number of sessions + +Desktop - completely free license - funcionality same as Enterprise Desktop but cannot be 
connected/accessed from proxy/cloudServer!!! + + +Depending on the product the price differences are HUGE + + +Each machine has its own license! +Bought in packs of multiple licenses +Some licenses depend sometimes on the number of code + + +All licenses are now synchronized to be payed in April + +> Distribution of the licenses via Puppet (encrypted ...) +> machines this is distributed to machines in different hiera classes - so its difficult to assign/configure the licenses + + +There are 50 Windows machines !!!! (we have 60 Licenses) +Distribution - Baramundi - Dima has access to this +Update of the software done by the Windows Team (they make the Baramundi packaging) + +Linux 85 machines (90 Licenses - Enterprise Desktop) + + +Every installation of the nomachine software requires 2 reboots! +1 after remove +1 after install + +For linux you don't need the reboot +When installing the virtual sessions will be killed - on pysical desktop no affects + +!!!! Need communication regarding the Updates with users !!!! + +Linux RPMs are located in this repository - updated by Dima +http://repo00.psi.ch/el7/manual/nxserver/ + +__THERE IS A .htaccess file in there that restricts the access to this repo to only the listed nodes !!!!__ +This file gives info about all linux nodes that are somehow related to NX + +NoMachine only releases RPM for current version - but removes older ones + + + +Open firewall (network@psi.ch) +install sw on node +Nodes are registered on rem-acc with /root/scripts/add_node.sh +update of Mongo-DB for Rama (done by Dima) + connect to rama.psi.ch as root + `mongo` + `use rama` + `db.TargetMode.insert(......` (check history) + +!!!!! RAMA IS NOT UP TO DATE !!!! \ No newline at end of file
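Review bot: `##rem-acc.psi.ch` has no space after `##`, so it renders as literal text instead of a heading; write `## rem-acc.psi.ch`. The exceptions list ends with an empty `*` bullet, and `db.TargetMode.insert(......` is left unfinished with a pointer to the shell history, which is not a reproducible instruction; either complete the command or mark it as a placeholder. On the access-control side, the draft states that rules are changed as root with `/root/scripts/change_rule.sh` and that "history of root will show last changes"; a root shell history is not an audit trail (it is easily truncated or edited), so the procedure should say where rule changes are actually recorded and who holds root on rem-acc. Spelling to fix: `scetch`, `Highavailability`, `allwed`, `workstateion`, `behing`, `funcionality`, `payed`, `pysical`.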