[X2Go-Dev] X2Go Session Broker development release 0.0.0.3 -> happy testing

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Thu Feb 21 22:33:17 CET 2013


Hi all,

I have today released another development release of the generic X2Go  
Session Broker. Generic in this context means: highly configurable,  
highly flexible, but not always suitable for enterprise brokerage.

The broker development is currently sponsored by http://fleten.net  
(and actually also by one of its customers).

NOTE: The version 0.0.0.3 is able to provide load balancing for X2Go.

Below I will give a raw outline on how to set up X2Go Session Broker  
with load balancing. I will presume that you either use Debian or  
Ubuntu. I will also presume that you know how to install packages,  
edit config files etc. (I am mailing this to x2go-dev ML, aren't I?)

The proposed setup is:

   o 1 machine: broker.intern
   o n machines: ts01.intern, ts02.intern, ts02.intern, .., tsNN

Please install all machines with a minimal system so we have clean  
machines to play with. Make sure you have a local DNS that is properly  
set up. All hostnames must be resolvable through local DNS, and possibly  
also reverse resolvable.

Setting up the X2Go Session Broker on broker.intern
---------------------------------------------------

  Installing the standalone X2Go Session Broker (x2gobroker-daemon)

  1. add the X2Go package archive (Debian/Ubuntu) to your APT system
  2. install the package x2gobroker-daemon
  3. NOTE: read all the comments in the config file templates, they are
     very informative
  4. in /etc/x2go/x2gobroker.conf, enable the inifile broker backend
  5. edit /etc/x2go/x2gobroker-sessionprofiles.conf to your needs, look at
     the examples and be creative...
  6. edit /etc/default/x2gobroker-daemon to let the broker bind to all
     interface addresses (bind_address is set to localhost:8080 by default).

  SSL support for x2gobroker-daemon

  7. if in need of https support: create an SSL cert/key file pair, copy
     the files to /etc/x2go/broker/ssl/broker.{crt,key}
  8. enable SSL support in /etc/default/x2gobroker-daemon

  Generate SSH pub/priv key files

  9. Run the script as root: x2gobroker-keygen

  Restart x2gobroker-daemon

  10. Run this command as root: invoke-rc.d x2gobroker-daemon restart

  WARNING: if you test this on Debian squeeze, please be aware of this bug in
  squeeze's python2.6 version: http://bugs.debian.org/701001. You have to
  manually apply the there-proposed patch to /usr/lib/python2.6/asyncore.py.
  -> If not: you will see the x2gobroker-authservice daemon consume 100% of
  the core it is running on... :-(

  Install PostgreSQL on the broker.intern machine

  11. Install PostgreSQL server on this machine
  12. Install the x2goserver package on this machine
  13. Make sure this machine knows all users (libnss-***) and that all
      users can login to this machine (libpam-***).
  14. Configure X2Go to use PostgreSQL as session DB backend:
      http://wiki.x2go.org/doku.php/wiki:advanced:multi-node:x2goserver-pgsql
  15. Prevent your non-admin users from logging in via SSH to this machine.
      This can be done with pam_access.so and /etc/security/access.conf.


Setting up the X2Go Servers ts01.intern, ts02.intern, ...
---------------------------------------------------------

  Installing the standalone X2Go Session Broker (x2gobroker-daemon)

  1. Install your favourite desktop shell (e.g. XFCE)
  2. Install X2Go Server (package: x2goserver-xsession)
  3. Tune your X2Go Server as you would do with a standalone X2Go Server
  4. All users in your network must be able to logon to all X2Go Servers
  5. All users must have the same home directory on all servers.
  -> use LDAP and NFS for achieving this!!!

  Use the PostgreSQL DB on broker.intern as backend for X2Go session management

  6. Hook up each X2Go server to the PostgreSQL DB on broker.intern
  7. Test, if all configured users are able to login via SSH, then via X2Go
     (use X2Go Client in normal mode, configure a session profile for testing
     and then test the session startup)

  Get the X2Go Broker Agent up and running...

  8. Install the package x2gobroker-agent on all X2Go terminal servers.
  9. On each X2Go Server in the multi-server farm run this script as root:
     $ x2gobroker-pubkeyauthorizer --broker-url http://broker.intern:8080/pubkeys/

     --> if you have SSL configured in the broker, use https://... instead.

  Test X2Go Broker Agent access...

  10. Switch over to broker.intern and test passwordless SSH:

      $ root@broker.intern$ su - x2gobroker
      $ x2gobroker@broker.intern$ ssh ts01.intern

      -> accept the host key manually here!
      -> do this for all X2Go Servers

   Start X2Go Client in Broker Mode

   11. on some client system launch X2Go Client like this:

   <user>@client$ x2goclient --broker-url=http://broker.intern:8080/plain/inifile/

   -> with SSL support use https://..., of course.
   -> I have not tested SSL thoroughly, yet, so you might start playing without
      SSL.

If all went well (and I have not forgotten anything...), you can now  
login as one of your (LDAP) users and you get provided with a session  
profile list via the X2Go Broker.

The communication between X2Go Client and X2Go Session Broker uses  
http as communication protocol. For trouble shooting...

TROUBLE SHOOTING:
-----------------

  o enable debugging in /etc/default/x2gobroker-daemon
  o restart x2gobroker-daemon (via invoke-rc.d)
  o in X2GOBROKER_DEBUG mode you can use your webbrowser to test the broker
    communication...

  o e.g.

      http://broker.intern:8080/plain/inifile/?user=<user>&password=<pw>&task=listsessions

      http://broker.intern:8080/plain/inifile/?user=<user>&password=<pw>&task=selectsession&sid=<session-profile-id>

    --> the session profile id is the name in the square brackets at the top
        of each session profile option set...

Happy testing!!! Please give feedback on this ML!!! Questions can also  
be asked via IRC (my nick is ,,sunweaver'').

light+love,
Mike



-- 

DAS-NETZWERKTEAM
mike gabriel, rothenstein 5, 24214 neudorf-bornstein
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
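
The debug URLs in the troubleshooting section carry the user's password in the query string, so any HTTP access or proxy log on the path between client and broker records it. As an added example (not part of the original post and not X2Go code), this Python script finds such broker requests in a log and redacts the password; the log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample lines in common log format (assumed reverse-proxy log;
# the post does not show the broker's own log format).
SAMPLE_LOG = [
    '10.0.0.21 - - [21/Feb/2013:22:40:01 +0100] "GET /plain/inifile/?user=alice&password=s3cret&task=listsessions HTTP/1.1" 200 512',
    '10.0.0.22 - - [21/Feb/2013:22:41:10 +0100] "GET /plain/inifile/?user=bob&password=p%26w&task=selectsession&sid=xfce HTTP/1.1" 200 301',
    '10.0.0.23 - - [21/Feb/2013:22:42:30 +0100] "GET /pubkeys/ HTTP/1.1" 200 398',
]

REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
SENSITIVE = {"password"}  # query parameter named in the post's debug URLs


def redact_target(target):
    """Return (redacted_target, params, leaked) for one request target."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = any(k.lower() in SENSITIVE and v for k, v in pairs)
    safe = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    redacted = parts.path + ("?" + urlencode(safe) if safe else "")
    return redacted, dict(pairs), leaked


def scan(lines):
    """Return (findings, cleaned_lines); cleaned lines hold no password value."""
    findings, cleaned = [], []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            cleaned.append(line)  # not a request line: keep untouched
            continue
        redacted, params, leaked = redact_target(m.group("target"))
        if leaked:
            findings.append({"src": m.group("src"),
                             "user": params.get("user"),
                             "task": params.get("task")})
        cleaned.append(line[:m.start("target")] + redacted + line[m.end("target"):])
    return findings, cleaned


if __name__ == "__main__":
    hits, out = scan(SAMPLE_LOG)
    for hit in hits:
        print("password in URL:", hit)
    print("\n".join(out))
```

Each finding names an account whose password was written to the log and should be changed; the cleaned lines can replace the originals before the log is archived.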