These instructions are for DAQ experts, NOT for setting up a ROC.
ROC instructions can be found here:

https://nova-docdb.fnal.gov/cgi-bin/private/ShowDocument?docid=13741

Remote Access Using Your Personal Computer

To access the control room software from your personal computer you will need to follow the procedures outlined here. Additionally, you will need to have installed certain software packages and have configurations in place to support Kerberos authentication.

Required Software

The following software will need to be installed:

  • Cisco AnyConnect VPN Client
    This is available from Fermilab from the VPN setup pages. Follow the Fermilab VPN instructions for setting up the VPN software.
  • VNC Viewer from RealVNC
    This is free and can be found here: RealVNC Client. Other VNC packages may work, but this one really does work properly with the ssh tunnels.
  • Additional Software Requirements for Microsoft Windows:
    • MIT Kerberos for Windows
      Install the Kerberos software and configure it for the .FNAL.GOV realm. When that is done, see if you can obtain a ticket using the network identity manager. This should work pretty much out of the box.
      Follow the instructions here: MIT Kerberos for Windows. The relevant section is about halfway down the page.
    • PuTTY terminal emulation software
      This is really only required for debugging some of the connection issues and for times when you don't want a full VPN session but need a terminal. The software is found here: PuTTY
      Install PuTTY and then try to connect to a machine at FNAL. PuTTY versions after v0.70 are known not to work properly with MIT Kerberos. You are advised to use PuTTY v0.6x at the moment. With those versions of PuTTY, it should pick up the ticket that you got with the MIT Kerberos package. Refer to this link for instructions on how to establish an ssh tunnel with PuTTY. Note: If your Fermilab Kerberos principal (username) differs from the one that you have on your home computer, make sure to configure PuTTY with the Fermilab username. Otherwise it will default to using your home computer's name.

General Steps to Enable VNC

The following steps should be taken to setup the software:

  1. Connect to FNAL using the VPN software (AnyConnect).
    • Connect to: vpn.fnal.gov
    • You should use your standard Fermilab username and your services (not your Kerberos) password.
  2. (Windows only) Obtain an MIT Kerberos Ticket
  3. Open a terminal window (Cygwin on Windows) and obtain a Kerberos ticket (not MIT Kerberos).
    Andrew@Neutrino ~
    $ kinit anorman@FNAL.GOV
    anorman@FNAL.GOV's Password:
    
    Andrew@Neutrino ~
    $ klist
    Credentials cache: FILE:/tmp/krb5cc_1001
            Principal: anorman@FNAL.GOV
    
      Issued                Expires               Principal
    Oct  6 11:56:04 2013  Oct  7 13:55:58 2013  krbtgt/FNAL.GOV@FNAL.GOV
    
    • If you are setting up VNC for the first time, try connecting to one of the gateway machines as novadaq. If you can connect then logout and continue. If you can't then you need to be given access to these accounts. Contact the DAQ group.
      ssh novadaq@novadaq-far-gateway-01.fnal.gov
      
  4. Create the ssh tunnels for the VNC servers that run at the detector using the following command:
    ssh -L <local_port>:localhost:<remote_port> -N -f -l <remote account> <remote host> 

    The following table gives machine, account, and port information for each of the six stations used at a Remote Operation Center (ROC):

    | Station | Functions | Host | Account | Gateway | Remote Port | Gateway Port | Local Port |
    |---------|-----------|------|---------|---------|-------------|--------------|------------|
    | 1 | FD Run Control, Message Logger | novadaq-far-master-02 | novacr01 | novadaq-far-gateway-01 | 5951 | Variable | 5981 |
    | 2 | FD Event Display, Online Monitoring, APD Cooling GUI | novadaq-far-master-02 | novacr02 | novadaq-far-gateway-01 | 5952 | Variable | 5982 |
    | 3 | Synoptics | nova-cr-03 | novacr03 | novadaq-near-gateway-01 | 5953 | Variable | 5973 |
    | 4 | Camera pages, beam pages | webpage | -- | -- | -- | -- | -- |
    | 5 | ND Run Control, Message Logger | novadaq-near-master | novacr01 | novadaq-near-gateway-01 | 5951 | Variable | 5991 |
    | 6 | ND Event Display, Online Monitoring, APD Cooling GUI | novadaq-near-master | novacr02 | novadaq-near-gateway-01 | 5952 | Variable | 5992 |
    | -- | FD Expert Desktop | novadaq-far-master | novacr03 | novadaq-far-gateway-01 | 5953 | Variable | 5983 |
    | -- | ND Expert Desktop | novadaq-near-master | novacr03 | novadaq-near-gateway-01 | 5953 | Variable | |

  • The gateway and gateway port are what you need to know to set up your own SSH tunnels so that you can view the sessions from your local machine. The local port is a recommendation for what port to use on your local machine.
  • The gateway port can change depending on the order in which they are created. If you use fixed numbers you will not always connect to the same display, or there may be no server there.
  • When you run the ssh commands, you should just get to the next line on your terminal. Nothing will happen visibly.
    • If you plan on doing this frequently I advise writing a script or function with the commands:
      #!/bin/bash
      # Each line forwards <local_port> on this machine to <gateway_port> on the gateway.
      # The gateway ports used here (5900-5903) can change; see the note above.
      echo "Opening NOvA tunnels..."

      # Far detector gateway
      ssh -L 5981:localhost:5900 -N -f -l novadaq novadaq-far-gateway-01.fnal.gov
      ssh -L 5982:localhost:5901 -N -f -l novadaq novadaq-far-gateway-01.fnal.gov
      ssh -L 5983:localhost:5902 -N -f -l novadaq novadaq-far-gateway-01.fnal.gov

      # Near detector gateway
      ssh -L 5991:localhost:5900 -N -f -l novadaq novadaq-near-gateway-01.fnal.gov
      ssh -L 5992:localhost:5901 -N -f -l novadaq novadaq-near-gateway-01.fnal.gov
      ssh -L 5993:localhost:5902 -N -f -l novadaq novadaq-near-gateway-01.fnal.gov

      ssh -L 5973:localhost:5903 -N -f -l novadaq novadaq-near-gateway-01.fnal.gov
      echo "Done."
      
    • Run the script and it will create the proper tunnels.
  5. Start a VNC session
    • Open the VNC Viewer application. When prompted for the VNC server, enter localhost:<local_port>, e.g. "localhost:5981" (or 5982, 5991, etc.).
    • Enter the nova VNC passwords when prompted. If you don't know them ask someone in the DAQ group.
    • You should now have an active VNC to the detector control room.
  6. When you are finished, please be sure to clean up after yourself.
    pkill -f 'ssh -L <local_port>:localhost:<remote_port> -N -f -l <remote account> <remote host>'
  • As before, when you run this command, you should just get to the next line on your terminal.
    • You can use a script or function for this step as well.
      #!/bin/bash
      # Each pattern must match the full command line used to open the tunnel,
      # so keep this list in step with the script that opens them.
      echo "Closing NOvA tunnels..."

      # Far detector gateway
      pkill -f 'ssh -L 5981:localhost:5900 -N -f -l novadaq novadaq-far-gateway-01.fnal.gov'
      pkill -f 'ssh -L 5982:localhost:5901 -N -f -l novadaq novadaq-far-gateway-01.fnal.gov'
      pkill -f 'ssh -L 5983:localhost:5902 -N -f -l novadaq novadaq-far-gateway-01.fnal.gov'

      # Near detector gateway
      pkill -f 'ssh -L 5991:localhost:5900 -N -f -l novadaq novadaq-near-gateway-01.fnal.gov'
      pkill -f 'ssh -L 5992:localhost:5901 -N -f -l novadaq novadaq-near-gateway-01.fnal.gov'
      pkill -f 'ssh -L 5993:localhost:5902 -N -f -l novadaq novadaq-near-gateway-01.fnal.gov'

      pkill -f 'ssh -L 5973:localhost:5903 -N -f -l novadaq novadaq-near-gateway-01.fnal.gov'
      echo "Done."
      
    • This will close the tunnels you created in step 4.
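
An alternative to the open and close scripts in steps 4 and 6, given as an added example that is not part of the original instructions: each tunnel gets an SSH control socket so it can be checked and closed by name rather than by matching a command line, the forward is bound to 127.0.0.1 only, and ssh fails visibly if the local port cannot be bound. The gateway port is an argument because the table lists it as variable; NOVA_SOCK_DIR, DRY_RUN, the socket file name and the script name are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not the page's own script. SOCK_DIR, DRY_RUN and the socket
# file name are assumptions made for this sketch.
SOCK_DIR="${NOVA_SOCK_DIR:-$HOME/.ssh}"
ACCOUNT="novadaq"

# Control socket for one tunnel, keyed by its local port.
sock_path() { printf '%s/nova-vnc-%s.sock' "$SOCK_DIR" "$1"; }

# Accept only decimal ports in the unprivileged range 1024-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# With DRY_RUN=1 print the command instead of running it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# open_tunnel <local_port> <gateway_port> <gateway_host>
open_tunnel() {
    valid_port "$1" && valid_port "$2" || { echo "bad port" >&2; return 2; }
    # -M/-S: create a control socket for later check/exit.
    # ExitOnForwardFailure: exit with an error if the forward cannot be set up.
    # 127.0.0.1: keep the forwarded VNC port off other interfaces.
    run ssh -M -S "$(sock_path "$1")" -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:$1:localhost:$2" -N -f -l "$ACCOUNT" "$3"
}

# check_tunnel / close_tunnel <local_port> <gateway_host>
check_tunnel() { run ssh -S "$(sock_path "$1")" -O check -l "$ACCOUNT" "$2"; }
close_tunnel() { run ssh -S "$(sock_path "$1")" -O exit -l "$ACCOUNT" "$2"; }

# Usage: nova-tunnel.sh open|check|close <args as above>
case "${1:-}" in
    open)  open_tunnel  "$2" "$3" "$4" ;;
    check) check_tunnel "$2" "$3" ;;
    close) close_tunnel "$2" "$3" ;;
esac
```

Running it with DRY_RUN=1 prints the ssh command without connecting, which is a quick way to confirm the port pair before opening a tunnel.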