Am 15.11.2017 22:37 schrieb "Robert Kudyba" <rkudyba@fordham.edu>:
*x2go* is not installed
Yep, it did. No big deal, just yum install x2goserver x2goserver-xsession.
Ahh success! Even with the NIS user. So should I remove the _copr_mikedep333-nx-libs-3.6.repo?
Fine! Now that we debugged this with ~60 mails we finally have a working system. But to me it is still unclear what was causing the NIS problems!?
Uli
- On 11/16/2017 07:41 AM, Ulrich Sibiller wrote:
Fine! Now that we debugged this with ~60 mails we finally have a working system. But to me it is still unclear what was causing the NIS problems!?
There wasn't a NIS issue to begin with.
What we learned is that X authorization is a fragile construct and easy to get wrong.
Within x2gostartagent, we create an X authorization cookie and add it to the newly spawned nxagent instance - once with the hostname (for TCP connections) and another time with the hostname and a /unix postfix (for UNIX socket connections).
Historically, we've been doing that by relying on bash's HOSTNAME variable, which is (normally) automatically set to the system's hostname. It turned out that relying on that is not a good idea, though, since it can easily be overridden.
Example: bash -c 'echo $HOSTNAME'; env HOSTNAME=outofluck bash -c 'echo $HOSTNAME' japsand outofluck
And of course, there's no way to get the original value back, since it's only set once at process startup IFF such a variable does not exist in the environment yet:
env HOSTNAME=outofluck bash -c 'echo $HOSTNAME; unset HOSTNAME; echo $HOSTNAME' outofluck
Thus, I looked for a more reliable way to get the hostname, and of course there is: the hostname program.
In a previous bug report, a user with tcsh as its default logging shell reported problems starting sessions. This was tracked down to a system startup script exporting HOSTNAME to the environment with a FQDN (because tcsh and csh do not define HOSTNAME as a standard variable that is set by the shell by default, but a lot of scripts nevertheless seem to use it, so the distro decided to be smart and provide it globally using this way), overriding bash's autodetected value of HOSTNAME. Since using a FQDN failed in his case, I (wrongly) inferred, that X authorization always needs a short host name to work, not a FQDN.
This proved be to be wrong, but to be working *sometimes*, which made the matter worse.
Hostname: F.Q.D.N DNS/hosts file: shortname mapping to 127.0.0.1 xauth: cookie added via using shortname
=> works!
Hostname: F.Q.D.N DNS/hosts file: shortname mapping to a public IPv4 address (non-loopback!) xauth: cookie added via shortname
=> fails
Hostname: F.Q.D.N DNS/hosts file: doesn't matter xauth: cookie added via F.Q.D.N
=> works!
Hostname: shortname DNS/hosts file: doesn't matter xauth: cookie added via shortname
=> works
The gist is that we should always add the X authorization cookie with the actual system host name, instead of using a shortname or the FQDN explicitly. Otherwise, X authorization might or might not work depending on other factors, but in most cases it will fail.
The second issue was due mixing old nx-libs packages with the newer Arctica version. Using x2goserver-x2goagent is very important with nx-libs 3.5.99.x+, since this package also implicitly disables the ld preloading hack we've been using for Xinerama support in the past. Using the ld preloading hack with nx-libs 3.5.99.x+ leads to such odd errors when applications try to utilize libX11.
Mihai
On Thu, Nov 16, 2017 at 5:15 PM, Mihai Moldovan <ionic@ionic.de> wrote:
- On 11/16/2017 07:41 AM, Ulrich Sibiller wrote:
Fine! Now that we debugged this with ~60 mails we finally have a working system. But to me it is still unclear what was causing the NIS problems!?
The gist is that we should always add the X authorization cookie with the actual system host name, instead of using a shortname or the FQDN explicitly. Otherwise, X authorization might or might not work depending on other factors, but in most cases it will fail.
Thanks for clarification. But why not simply using all combinations in parallel?
The second issue was due mixing old nx-libs packages with the newer Arctica version. Using x2goserver-x2goagent is very important with nx-libs 3.5.99.x+, since this package also implicitly disables the ld preloading hack we've been using for Xinerama support in the past. Using the ld preloading hack with nx-libs 3.5.99.x+ leads to such odd errors when applications try to utilize libX11.
alright, that's clear.
Maybe we should provide a script that checks common problems ans collects required data to avoid pinging back and forth so often.
Uli
- On 11/17/2017 12:12 AM, Ulrich Sibiller wrote:
Thanks for clarification. But why not simply using all combinations in parallel?
Could do, but that doesn't really make sense if the plain hostname is working fine.
I actually wonder if there's a subtle bug in general - what happens with successfully started sessions if the hostname changes at a later time? In theory, nxagent should have opened its internal display by then, but if it disconnects again after a proxy disconnected and tries to re-open the internal display on subsequent proxy connections, this may fail. I doubt anyone has ever tested such a scenario (at least not willingly). I probably should.
And even if that's a real problem, I'm not sure how to fix it. At least xauth does seem to do duplicate checking, so simply adding more entries on each x2goresume-session call would work.
The next arguable bug is that we never delete any of these entries. Given that we use the "global" user Xauthority file by default, it's not very nice to clutter their file with random "crap" (at least after a session has ended).
Maybe we should provide a script that checks common problems ans collects required data to avoid pinging back and forth so often.
Most issues users have are not based upon "common problems", but mostly very specific site configurations. :/
Mihai
-
Mihai Moldovan -
Ulrich Sibiller -
Ulrich Sibiller