You can remotely run visualization applications on the DASG high-end analysis servers, enabling you to interact in real time with those applications from the comfort of your office. Follow the steps below to get started.
Have your system administrator install TurboVNC 1.0.90 (or a later version) on your system. The binary packages are available on this web site in these locations:
You must first be logged into your chosen DASG analysis server using your SSH client. Start the TurboVNC server by running the vncserver command. It will print some information about the allocated VNC display, which you will need to remember for the next step. In this example, we are using storm0 as our analysis server, and the allocated virtual display number is :1.
storm0% vncserver
New 'X' desktop is storm0:1
Creating default startup script /glade/home/username/.vnc/xstartup.turbovnc
Starting applications specified in /glade/home/username/.vnc/xstartup.turbovnc
Log file is /glade/home/username/.vnc/storm0:1.log
storm0%
The display number allocated may not always be :1 if other remote visualization sessions are in use.
Run the TurboVNC client on your system, giving it the analysis server name and display number printed by vncserver as a single argument. Be sure to use the fully qualified domain name of the analysis server, if necessary. When prompted for your user name, enter your UCAS account name. When prompted for your password, enter your UCAS token response (Cryptocard or Yubikey). A window will appear on your display with a virtual desktop served from the DASG analysis server.
Open an xterm or other terminal application and start the TurboVNC client by running the vncviewer command.
my-computer% vncviewer storm0.ucar.edu:1
Select the TurboVNC Viewer item from the Start Menu TurboVNC group and fill in the connection dialog with the appropriate information.
Run your application by starting it inside the virtual desktop.
You can normally run any application that does not require OpenGL.
To run an OpenGL application, you must start it with the vglrun command. In the simplest case, you just place vglrun at the start of the command line you would normally use to start your application.
storm0% vglrun glxgears
When you are done with your VNC session, you should stop the TurboVNC server to free the resources allocated to that server. To do this, run the following command, either in a terminal window inside the VNC session itself or from an SSH login to the analysis server. Be sure to replace the display number with the appropriate value:
storm0% vncserver -kill :1
Killing Xvnc process ID 32061
storm0%
A more detailed reference, including collaborative visualization scenarios, is available at Remote and Shared Visualization
Last update: May 10, 2012
You can remotely run visualization applications on the DASG high-end analysis servers. This enables you to interact in real time with those applications from the comfort of your office, while gaining access to the visualization and data resources attached to the analysis servers.
The TurboVNC software is used to provide the remote display capability. The TurboVNC server provides a virtual X Windows display, and any X Windows application can be run. Display performance using TurboVNC may be better than using the X Windows protocol when connecting from a remote site with low bandwidth and/or high latency. Another benefit is that you can disconnect from a TurboVNC session, go to another location and reconnect to that TurboVNC session, picking up from where you left off. Shared visualization is also possible with TurboVNC. Multiple users at separate remote sites can all view a single TurboVNC session.
TurboVNC, when used along with VirtualGL, provides remote visualization for OpenGL-based applications. Quoting from the VirtualGL web site:
VirtualGL is an open source package which gives any Unix or Linux remote display software the ability to run OpenGL applications with full 3D hardware acceleration. … With VirtualGL, the OpenGL commands and 3D data are instead redirected to a 3D graphics accelerator on the application server, and only the rendered 3D images are sent to the client machine.
Here is a diagram, borrowed (slightly modified, courtesy of The VirtualGL Project) from the TurboVNC documentation, showing how everything is tied together:
If you are impatient to get started and can use the basic default configuration, follow these steps:
The user interacts with the display, keyboard and pointing device of the display system. The TurboVNC client is run on the display system.
We highly recommend that you install TurboVNC 1.0.90 (or a later version) if possible, as the TurboVNC client understands the performance and authentication enhancements supported by the TurboVNC server that is installed on the analysis servers. The binary and source packages are available on this web site in these locations:
If you install from the source package, it is not necessary to build or install the Xvnc server program.
If you are unable to install the TurboVNC client, either due to a site policy or the unavailability of an appropriate binary package, you can try using the Java version of the TurboVNC viewer. This will allow you to access the VNC session, with possibly a reduced display update rate. See the Java in Your Web Browser section for more information.
If your organization has a site wide firewall and/or your display system has a local firewall enabled, the firewall(s) must permit outbound connections from your display system to the analysis server using the TCP protocol and the correct destination port number for your VNC session. The port number can be calculated by adding 5900 to the VNC display number. For example, if the VNC display number printed by vncserver was :1, the port number on which the VNC client will contact the VNC server will be 5901.
If, for some reason, you need to use the Java based VNC client as an alternative to the TurboVNC client, your firewall must also permit outbound connections from your display system to the analysis server using the TCP protocol and the correct Java class download destination port number for your VNC session. The port number can be calculated by adding 5800 to the VNC display number. For example, if the VNC display number printed by vncserver was :1, the port number on which the VNC client will contact the VNC server will be 5801.
After installation, you may need to perform some configuration before you can access the TurboVNC client and documentation.
Add the /opt/TurboVNC/bin directory to your execution path, and add the /opt/TurboVNC/share/man directory to your MANPATH environment variable.
For example, if you are using csh or tcsh as your shell, you could use the following commands:
set -f path = (/opt/TurboVNC/bin $path)
setenv MANPATH /opt/TurboVNC/share/man:$MANPATH
For other shells:
PATH=/opt/TurboVNC/bin:$PATH
MANPATH=/opt/TurboVNC/share/man:$MANPATH
You must have the X11 application installed on your system, then follow the instructions given above for Linux.
If you use the Windows Start Menu to start the TurboVNC client, there is nothing more you need do. If you start it from a command prompt, you may wish to add the directory name in which it is installed to your PATH.
The analysis server is one of the DASG high-end analysis servers. The TurboVNC server is run on the analysis server to provide a virtual X Windows display.
The server side software is currently installed on the following analysis servers for non-OpenGL applications:
The server side software is currently installed on the following analysis servers for all applications:
These versions are currently installed on the analysis servers:
| Package | Version |
|---|---|
| TurboVNC | 1.0 |
| VirtualGL | 2.2 |
To access the software, add these two directories to your execution path:
/opt/VirtualGL/bin
/opt/TurboVNC/bin
To view the manual pages, add this directory to your MANPATH environment variable:
/opt/TurboVNC/share/man
For example, if you use either csh or tcsh:
set -f path = (/opt/VirtualGL/bin /opt/TurboVNC/bin $path)
setenv MANPATH /opt/TurboVNC/share/man:$MANPATH
For other shells:
PATH=/opt/VirtualGL/bin:/opt/TurboVNC/bin:$PATH
MANPATH=/opt/TurboVNC/share/man:$MANPATH
A visualization session is created when the TurboVNC client connects to the TurboVNC server, and the user successfully authenticates. The user then has access to the virtual display provided by the TurboVNC server. A full control session, which allows the user at the display system to enter key strokes and use the pointing device, is the default. You can also limit sessions to a view only mode by passing the -v option to vncpasswd.
You must first be logged into your chosen analysis server using your SSH client. To start the TurboVNC server, named Xvnc, run the vncserver command. It will print some information about the allocated VNC display and leave Xvnc running in the background. In the following example, storm0 is the server name and :1 is the allocated display number. If this is the first time you have run vncserver, it will create a $HOME/.vnc directory, which contains the Xvnc log files, as well as the xstartup.turbovnc file, described in the Customizing Your VNC Session section. See also the Use Cases section for further variations on how to start the server.
storm0% vncserver
New 'X' desktop is storm0:1
Creating default startup script /fs/home/user/.vnc/xstartup.turbovnc
Starting applications specified in /fs/home/user/.vnc/xstartup.turbovnc
Log file is /fs/home/user/.vnc/storm0:1.log
storm0%
You will need to remember the number of the VNC display allocated by vncserver so you can connect from your VNC client or if you need to later run either vncpasswd or vncserver.
You run the TurboVNC client on your display system. You will need to tell the client the name of the analysis server and the VNC display number. When the connection is established, you must authenticate with the TurboVNC server before you can access the virtual display. See the User Authentication section for more information.
For Linux and Mac OS X, when you provide the analysis server and display number as an argument to vncviewer, you will be prompted for your authentication response(s) at the terminal. If you forget to provide the analysis server and display number as an argument, vncviewer will pop up dialog windows to ask for this information and your authentication response(s). These dialog windows are very small and easy to miss on a larger display.
Open an xterm or other terminal application and start the TurboVNC client by running the vncviewer command with the appropriate arguments. See the Use Cases section for details.
Open a Terminal app window or an xterm window and start the TurboVNC viewer by running the vncviewer command with the appropriate arguments. If the X11 application is not already running, it should be started automatically. If for some reason the X11 application fails to start, you should find it in the Applications/Utilities folder. See the Use Cases section for details.
Select the TurboVNC Viewer item from the Start Menu TurboVNC group. Alternatively you can start it from a command prompt window by entering the path name where you installed it. For example, if it was installed in the default location: C:\Program Files\TurboVNC\vncviewer.exe
Access to the TurboVNC server (via ports in the 5801-5820 range) to download the Java client class files will not work from networks outside of UCAR.
A Java based version of the TurboVNC client is available if you cannot use the compiled client for your system. The Java version may not provide the best possible display update performance, but may be sufficient for your needs. You will need to instruct your web browser to access a URL on the analysis server, which is storm0 in the example below. The port number can be calculated by adding 5800 to the VNC display number. For example, if the VNC display number printed by vncserver was :1, the port number on which the VNC client will contact the VNC server will be 5801.
http://storm0.ucar.edu:5801/
Your browser will download the Java class file that implements the TurboVNC client, then start it automatically, possibly in a new window. You will then authenticate to the TurboVNC server and access your VNC session like the other clients.
The VNC protocol does not provide data privacy for the VNC session. This means it may be possible for a third party to snoop the data stream of your VNC session and spy on what you are doing inside your VNC session. Theoretically, a suitably located and determined third party could even interpose himself between your VNC client on the display system and the VNC server on the analysis server, and inject keyboard or pointer motion events, or even hijack your VNC session entirely, leaving you to think your VNC session may have died. Keep this in mind and avoid entering or viewing sensitive data (such as repeatable passwords). There are two methods you can use to avoid sending sensitive information across the VNC connection:
The X Windows DISPLAY environment variable is set for you by vncserver. Applications started inside your VNC session (either from a terminal window or by a window or desktop manager) will be directed to the VNC virtual display unless you specify otherwise.
You can normally run any application that does not require OpenGL.
To run an OpenGL application, you must start it with the vglrun command. In the simplest case, you just place vglrun at the start of the command line you would normally use to start your application. The vglrun command accepts options, which are only described in the User's Guide for VirtualGL 2.2 Client Settings section on the VirtualGL web site (there is no man page). For example:
storm0% vglrun glxgears
There are two files you can place into your $HOME/.vnc directory to control how your VNC display will be configured and how your desktop session will be started. The first file is $HOME/.vnc/turbovncserver.conf, in which you can override the system wide vncserver settings (defined in /etc/turbovncserver.conf, which you can examine for the available settings). For example, to set the reported screen resolution in dots per inch and the virtual display size to 1200 by 800 pixels, you would use:
$dpi=100
$geometry="1200x800"
The second file is $HOME/.vnc/xstartup.turbovnc, which controls what programs will be automatically started inside your VNC session. You can edit this file to customize your session to your taste. For example, if you always want an xterm window to start up with a certain position and size, add the appropriate command to the end of this file.
In the use cases below, the analysis server is shown as storm0 and the display is :1. Replace storm0 with the name of the analysis server on which you have chosen to run the TurboVNC server and your applications, and replace :1 with the display number printed by vncserver when you start it.
For Windows TurboVNC client users, the examples below use the Linux or Mac OS X command line VNC client, vncviewer. You can start your client from the Start Menu and use the dialog boxes to specify the analysis server and display number.
If you are external to the UCAR network, you will need to use the fully qualified domain name of the analysis server. See the Supported Analysis Servers section above.
TurboVNC servers running on the DASG analysis servers are configured to support two methods of user authentication. UCAS authentication is the preferred authentication method. One time password (OTP) authentication is also available. By default, both are enabled and both can be used within a single VNC session (see the Use Cases section for scenarios). When both methods are enabled, the TurboVNC server will advertise the UCAS method first and the one time password method second to the VNC client. The TurboVNC client will, unless told otherwise by command line options, attempt authentication in this order. Other VNC clients may or may not behave similarly.
| Authentication Method | Required Authentication Information | VNC Protocol Security Type |
|---|---|---|
| UCAS | Your UCAS user name and token (Cryptocard or Yubikey) response | Tight/Unix Login |
| One Time Password | The one time password set by vncpasswd or vncserver | VNC Authentication |
To use UCAS authentication, your VNC client must support the VNC protocol's Tight security type and Unix Login authentication capability. Earlier versions of many VNC clients do not support this authentication method, and if you must use one of those clients, you can only use one time password authentication. One time password authentication uses the VNC protocol's VNC authentication security type, and should be usable with any client that supports the older VNC password authentication method.
When UCAS authentication is selected, you will enter your UCAS account name and UCAS token (Cryptocard or Yubikey) response when prompted while connecting to the TurboVNC server. In addition, the TurboVNC server maintains an internal user access control list (ACL) that limits which users will be allowed to connect to the server. The user who started the server is automatically placed onto the ACL.
If you wish to share the VNC session in full control mode with another user, you can add that user to the ACL by running vncpasswd:
storm0% vncpasswd -a user2 -display :1
storm0%
If you wish to share the VNC session in view only mode with another user, you can add that user to the ACL by running vncpasswd:
storm0% vncpasswd -a user2 -v -display :1
storm0%
You can remove a user from the ACL by running vncpasswd:
storm0% vncpasswd -r user2 -display :1
storm0%
You can disable the UCAS authentication method entirely by starting vncserver with the -nopam option (you will need to use OTP authentication in this case):
storm0% vncserver -nopam
storm0%
When one time password authentication is selected, you will enter the current OTP when prompted while connecting to the TurboVNC server. OTPs are generated by running the vncpasswd program. Each successful OTP authentication will use up the current OTP and subsequent authentications for connections to the same VNC display will require the generation of a new OTP.
You can tell vncserver to generate an initial OTP when you start the TurboVNC server by giving it the -otp option:
storm0% vncserver -otp
New 'X' desktop is storm0:1
One-time password authentication enabled. Generating initial OTP ...
Full control one-time password: 31606495
Run 'vncpasswd -o' from within the TurboVNC session or
'vncpasswd -o -display storm0:1' from within this shell
to generate additional OTPs
Starting applications specified in /fs/home/user/.vnc/xstartup.turbovnc
Log file is /fs/home/user/.vnc/storm0:1.log
storm0%
You can generate a new full control OTP at any time by running the vncpasswd command:
storm0% vncpasswd -o -display :1
Full control one-time password: 82948584
storm0%
You can generate new full control and view only OTPs at any time by running the vncpasswd command. You can ignore the generated full control OTP if you only need the view only OTP.
storm0% vncpasswd -o -v -display :1
Full control one-time password: 26940702
View-only one-time password: 15375532
storm0%
You can clear all OTPs at any time by running the vncpasswd command:
storm0% vncpasswd -c -display :1
storm0%
You can disable the OTP authentication methods by starting vncserver with the -nootp option (you will need to use UCAS authentication in this case):
storm0% vncserver -nootp
storm0%
You can use this procedure if you have a UCAS account and token.
storm0% vncserver
New 'X' desktop is storm0:1
Starting applications specified in /fs/home/user/.vnc/xstartup.turbovnc
Log file is /fs/home/user/.vnc/storm0:1.log
storm0%
ds% vncviewer storm0:1
Anyone may use this procedure, but if your VNC client does not understand the TurboVNC Unix Login authentication capability, you must use this procedure.
storm0% vncserver -otp
New 'X' desktop is storm0:1
One-time password authentication enabled. Generating initial OTP ...
Full control one-time password: 14619716
Run 'vncpasswd -o' from within the TurboVNC session or
'vncpasswd -o -display storm0:1' from within this shell
to generate additional OTPs
Starting applications specified in /fs/home/user/.vnc/xstartup.turbovnc
Log file is /fs/home/user/.vnc/storm0:1.log
storm0%
ds% vncviewer -nounixlogin storm0:1
This case describes when the primary user wishes to share a VNC session in full control mode with a secondary user, who also has a UCAS account and token.
storm0% vncserver
New 'X' desktop is storm0:1
Starting applications specified in /fs/home/user/.vnc/xstartup.turbovnc
Log file is /fs/home/user/.vnc/storm0:1.log
storm0%
ds1% vncviewer storm0:1
storm0% vncpasswd -a user2 -display :1
storm0%
ds2% vncviewer storm0:1
This case describes when the primary user wishes to share a VNC session in full control mode with a secondary user, who does not have a UCAS account and token.
storm0% vncserver
New 'X' desktop is storm0:1
Starting applications specified in /fs/home/user/.vnc/xstartup.turbovnc
Log file is /fs/home/user/.vnc/storm0:1.log
storm0%
ds1% vncviewer storm0:1
storm0% vncpasswd -o -display :1
Full control one time password: 3450292
storm0%
ds2% vncviewer storm0:1
This case describes when the primary user wishes to share a VNC session in view only mode with a secondary user, who also has a UCAS account and token.
storm0% vncserver
New 'X' desktop is storm0:1
Starting applications specified in /fs/home/user/.vnc/xstartup.turbovnc
Log file is /fs/home/user/.vnc/storm0:1.log
storm0%
ds1% vncviewer storm0:1
storm0% vncpasswd -a user2 -v -display :1
storm0%
ds2% vncviewer storm0:1
This case describes when the primary user wishes to share a VNC session in view only mode with a secondary user, who does not have a UCAS account and token.
storm0% vncserver
New 'X' desktop is storm0:1
Starting applications specified in /fs/home/user/.vnc/xstartup.turbovnc
Log file is /fs/home/user/.vnc/storm0:1.log
storm0%
ds1% vncviewer storm0:1
storm0% vncpasswd -o -v -display :1
Full control one time password: 3450292
View Only one time password: 1760066
storm0%
ds2% vncviewer storm0:1
If you know you will be using a secured VNC session, you should run vncserver with the -localhost option to prevent Xvnc from accepting connections from outside the analysis server.
storm0% vncserver -localhost
New 'X' desktop is storm0:1
Starting applications specified in /fs/home/user/.vnc/xstartup.turbovnc
Log file is /fs/home/user/.vnc/storm0:1.log
storm0%
Starting vncserver this way will prevent anyone who can not log directly into the analysis server from participating in a collaborative visualization session.
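A check that follows from the -localhost advice above, as an added example (not part of the original page or of TurboVNC): a POSIX shell filter that reads `ss -ltn` output on the analysis server and flags VNC ports (5900+N for the viewer, 5800+N for the Java class download) that listen on a non-loopback address. It assumes that an Xvnc started with -localhost shows up bound to a loopback address and that display numbers fall in the range 0-99; the function names are hypothetical and the sample listener lines are constructed.

```sh
#!/bin/sh
# Added example: hypothetical helper names, not from the page or TurboVNC.
# Flags VNC listeners reachable from off-host, i.e. servers that were
# probably not started with `vncserver -localhost`.

# Map a TCP port to the VNC service the page describes:
#   5900+N = viewer (RFB) port, 5800+N = Java class download port.
# Assumption: display numbers N are in the range 0-99.
classify_port() {
    p=$1
    if [ "$p" -ge 5900 ] && [ "$p" -le 5999 ]; then
        echo "rfb :$((p - 5900))"
    elif [ "$p" -ge 5800 ] && [ "$p" -le 5899 ]; then
        echo "java :$((p - 5800))"
    fi
}

# True when the bind address is a loopback address as printed by ss.
is_loopback() {
    case $1 in
        127.*|'[::1]'|'[::ffff:127.'*']') return 0 ;;
        *) return 1 ;;
    esac
}

# Read `ss -ltn` lines on stdin, print one verdict per VNC listener,
# and return non-zero if any listener is bound to a non-loopback address.
audit_vnc_listeners() {
    exposed=0
    while read -r state recvq sendq laddr rest; do
        [ "$state" = "LISTEN" ] || continue      # skips the header line too
        addr=${laddr%:*}                         # text before the last colon
        port=${laddr##*:}                        # text after the last colon
        case $port in ''|*[!0-9]*) continue ;; esac
        kind=$(classify_port "$port")
        [ -n "$kind" ] || continue               # not a VNC port
        if is_loopback "$addr"; then
            echo "OK      $kind  $laddr"
        else
            echo "EXPOSED $kind  $laddr  (restart with: vncserver -localhost)"
            exposed=$((exposed + 1))
        fi
    done
    [ "$exposed" -eq 0 ]
}

# Constructed sample of `ss -ltn` output: display :1 and :3 are loopback
# only, display :2 accepts connections on every interface.
sample_listeners() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       5       127.0.0.1:5901      0.0.0.0:*
LISTEN  0       5       0.0.0.0:5902        0.0.0.0:*
LISTEN  0       5       0.0.0.0:5802        0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       [::1]:5903          [::]:*
EOF
}

# On a real analysis server, replace the sample with:  ss -ltn | audit_vnc_listeners
sample_listeners | audit_vnc_listeners || echo "non-loopback VNC listeners present"
```

A session flagged EXPOSED carries its unencrypted VNC stream directly over the network; sessions reported OK are only reachable through an SSH tunnel such as the one vncviewer -via sets up.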
To start a secured VNC session, use the -via option when you start vncviewer. Be sure to note that you must separate (with a space) the analysis server name from the VNC display number. You will first authenticate with the SSH daemon on the analysis server, then you will authenticate with the TurboVNC server itself. In the following example, UCAS token authentication is used in both authentication steps.
ds% vncviewer -via storm0 :1
UCAS Token Response:
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing Unix Login VNC authentication
User (user):
Password:
Authentication successful
Desktop name "user's X desktop (storm0:1)"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor. Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using shared memory PutImage
Tunneling active: preferring tight encoding
ShmCleanup called
ds%
You must first use the command prompt to start the SSH tunnel using the putty command (supplied in the TurboVNC Windows binary package). Be sure to replace both instances of 5901 with the appropriate port number for your VNC display (see the discussion in the Firewall Configuration section for details), user with your UCAS account name and storm0 with the analysis server name.
C:\>"C:\Program Files\TurboVNC\putty" -L 5901:localhost:5901 user@storm0
Then start the TurboVNC Viewer and supply localhost for the host name along with the display number (as normal).
See the Starting the TurboVNC Server and Use Cases sections for details on the methods you can use to start the TurboVNC server and allocate a VNC display.
To show your active VNC displays, run the following command on the analysis server:
storm0% vncserver -list
TurboVNC server sessions:
X DISPLAY # PROCESS ID
:1 30639
storm0%
When you are done with your VNC session, you should stop the TurboVNC server to free the resources allocated to that server. To do this, run the following command, either in a terminal window inside the VNC session itself or from a SSH login to the analysis server. Be sure to replace the server name and display number with the appropriate values:
storm0% vncserver -kill :1
Killing Xvnc process ID 32061
storm0%
Manual pages are available for the TurboVNC commands. If you configured your environment (on your display system and the analysis server) as described above, you can simply use the man command to see the manual page for a command. For example:
storm0% man vncserver
If your MANPATH environment variable has not been set to include the TurboVNC man pages directory, you can tell the man command where to look with a command line option:
storm0% man -M /opt/TurboVNC/share/man vncserver
Web based documentation provided by the VirtualGL project is available. This documentation has additional details regarding the configuration and use of both TurboVNC and VirtualGL. You can access this documentation via these links to the VirtualGL web site:
If you are experiencing problems you should examine the TurboVNC server log, which is located in your $HOME/.vnc directory. The name of the log file was printed by vncserver when you ran it. This may provide clues as to what may be going on.
If you have problems establishing the VNC session, your VNC client may display an informative error message. Some of these messages are shown below with some trouble shooting steps you can take to correct the problem.
The TurboVNC server is using OTP authentication, but an OTP is not currently set. Run the vncpasswd command to generate a one-time password, then provide that password to your VNC client. For example:
storm0% vncpasswd -o -display storm0:1
Full control one-time password: 20503307
storm0%
UCAS authentication is being used and the user name entered at the VNC client is not on the TurboVNC server's user access control list. Follow the instructions in the UCAS Authentication section to add the user's name to the access control list.
The VNC client and the TurboVNC server could not agree on an authentication method to use. See the discussion under the User Authentication section for more information.
The Windows TurboVNC client tries to remember which authentication method was last used with a specific server. If the authentication method in use for a VNC session changed since the last time you connected to that analysis server (say from Unix Login to OTP or vice versa), you will need to force the client to use the authentication method currently in use. You can correct this by starting the TurboVNC client from a command prompt. You can tell which method the Windows TurboVNC client is currently attempting to use by looking at the title of the authentication dialog box, and at whether the "User name" field is greyed out.
| UCAS Authentication | OTP Authentication |
|---|---|
To force the client to perform UCAS authentication, start it this way, replacing username with your UCAS user name:
C:\>"C:\Program Files\TurboVNC\vncviewer.exe" /user username storm0:1
To force the client to perform OTP authentication, start it this way:
C:\>"C:\Program Files\TurboVNC\vncviewer.exe" /nounixlogin storm0:1
These are the possibilities:
This can sometimes happen when using the Gnome desktop in the virtual display. If you type abcde and your application displays asdfg (or something else), uncomment the following line in your $HOME/.vnc/xstartup.turbovnc file by removing the hash (#) character:
# export XKL_XMODMAP_DISABLE=1
Verify the following items:
The frequently asked questions can be found at the Remote and Shared Visualization FAQ.