Initial commit

Author: Cinnamals

.gitignore

@@ -0,0 +1,3 @@
+*~
+**/*.o
+**/*.so

README.md

@@ -0,0 +1,33 @@
+# ThinLinc for Open OnDemand (Beta Version)
+Welcome to the beta release of ThinLinc for Open OnDemand (OOD). 
+
+This repository contains everything you need to get started with using ThinLinc through Open OndDemand in a Slurm cluster. This repository is targeted at system administrators as it requires elevated privileges to install ThinLinc and the OOD ThinLinc application. If you are a user of an OOD system, please contact the administrator and ask for installation of this app.
+
+## Requirements
+- Open OnDemand version 4.1
+  - It is possible to run this application on earlier Open OnDemand versions, though it will require manual patching of the Open OnDemand `mod_ood_proxy` module. If this is preferred, see the [pre-4.1-ood](https://github.com/cendio/ood-thinlinc/tree/pre-4.1-ood) branch.
+- ThinLinc version 4.20
+- Slurm as the batch system
+  - We have tested with Slurm version `22.05`, but it should work with older versions as well.
+- X86 compute nodes with Linux
+
+## What is ThinLinc for Open OnDemand
+This beta version provides functionality that is similar to what the build-in "interactive desktop" function of OOD provides, but implemented using ThinLinc. ThinLinc is easier to install and configure than going through the OOD Interactive Desktop process. Using ThinLinc also enables connecting to the desktop from the ThinLinc native clients rather than just through the web browser.
+
+In a future version, we plan to expand the functionality to also run ThinLinc on servers outside the batch system, to enable truly persistent desktops that users can log-in for days and weeks. This will make it possible to build an HPC Desktop through OOD.
+
+## Why a beta release / What are we looking for
+The primary goal of publishing  a beta version is to get feedback from the community. Please submit a feedback form if you have installed the beta version and let us know how it went. We are looking for feedback, even if everything went well and you didn't encounter any issues during setup or usage.
+
+[Link to the feedback form](https://docs.google.com/forms/d/e/1FAIpQLSc29FNqfOW0E0d84nUfwJY_Qh0nWHOBSKOVxskCmp6Sa8Sg1w/viewform?usp=header)
+
+## Getting Started
+Please read the [Installation guide](installation.md).
+
+## Note on the ThinLinc End User License Agreement
+The ThinLinc End User License Agreement restricts ThinLinc the free usage of ThinLinc to 10 concurrent users. If your organization doesn't already have a ThinLinc license and you expect more than 10 users, please [contact](mailto:contact@cendio.com) us. We are happy to provide evaluation licenses for testing out this beta version.
+
+## Submitting Feedback / Bugs / Issues
+Please use the issue tracker in this repository to submit feedback and open issues.
+
+If you already have a ThinLinc license and an active support agreement, and you have site specific issues, you can also open a support ticket through the usual [ThinLinc support](https://www.cendio.com/support/) channel. 

form.yml

@@ -0,0 +1,41 @@
+---
+attributes:
+  cluster:
+    widget: select
+    label: "Cluster"
+    options:
+      - ["lab-210", "test"]
+    help: "Choose the cluster you want to run this session on"
+    required: true
+  bc_num_hours:
+    widget: "number_field"
+    label: "Number of hours"
+    value: "1"
+    min: 1
+    step: 1
+    help: "Select the number hours for the session to run"
+    required: true
+  bc_num_slots:
+    widget: "number_field"
+    label: "Number of Cores"
+    value: "1"
+    min: 1
+    max: 4
+    step: 1
+    help: "Select the number of CPU cores for the session"
+    required: true
+  num_mem:
+    widget: "number_field"
+    label: "Memory (GB)"
+    value: "2"
+    min: 1
+    max: 3
+    help: "Select amount of memory for the session"
+    required: true
+  node_type: null
+
+form:
+  - cluster
+  - bc_num_hours
+  - bc_num_slots
+  - num_mem

installation.md

@@ -0,0 +1,95 @@
+# Installation overview
+1. Configure SSL redirection for OOD
+2. Install the application on OOD
+3. Install and configure the ThinLinc server on the compute node
+4. Set up PAM module pam_tlpasswd for automatic login
+
+Chapter 1-2 are for the Open OnDemand **login node** and chapter 3-4 are for
+the **compute nodes**.
+
+# 1. Configure SSL redirection for OOD
+You need to set the SSL redirection sub-uri and the additional SSL settings for
+the OOD reverse proxy in `/etc/ood/config/ood_portal.yml`:
+```
+secure_rnode_uri: '/secure-rnode'
+ssl_proxy:
+  - 'SSLProxyCheckPeerCN Off'
+  - 'SSLProxyCheckPeerName Off'
+```
+
+Should you want to enable Native client support, this custom virtual host
+directive will be needed to set the correct MIME-type for the ThinLinc
+profile. The native client will only work if users are able to establish a
+direct SSH connection to the compute node/ThinLinc server.
+```
+custom_vhost_directives:
+  - '<LocationMatch ".*\.tlclient$">'
+  - '  Header set Content-Type "application/thinlinc.client"'
+  - '  Header set Content-Disposition "attachment"'
+  - '</LocationMatch>'
+```
+
+When you have added these configurations to your `ood_portal.yml` config,
+generate the new Apache config as such:
+```
+sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal
+```
+
+To apply the new configurations made with `update_ood_portal`, you need to
+restart the web server running the OOD instance.
+
+# 2. Install the application on OOD
+1. Clone this repository into your applications folder for OOD.
+
+2. Configure the `form.yml`
+   - You need to *at least* configure the clusters available to start the job on. These
+     clusters names are the ones specified in `/etc/ood/config/clusters.d/<clustername>.yml`.
+
+3. Configure the `submit.yml.erb` 
+   - This may or may not need configurations for resources such as GPU (sharing or no
+     sharing) or other devices/configuration changes made in `form.yml`.
+
+4. Configure the `view.html.erb`
+   - To enable the native client functionality, set the `enabled_client`
+     variable to either `native` for native client-only support, or `both` to
+     enable the native client and the web client.
+   - If you configured the `secure_rnode_uri` to something other than
+     `/secure-rnode`, change the `webaccess_url` variable to your value.
+
+# 3. Install and configure the ThinLinc server on the compute node
+[Download](https://www.cendio.com/thinlinc/download/) and
+[install](https://www.cendio.com/thinlinc/docs/install/) the latest ThinLinc
+server on the **compute node**.
+
+# 4. Set up PAM module pam_tlpasswd for automatic login
+This chapter contains two steps. Installing the PAM module, then installing a
+Slurm Epilog script to clean up the temporary password files created by the Open
+OnDemand job. Both of these steps are done on the **Compute nodes**.
+
+## Install the PAM module pam_tlpasswd
+1. Install the PAM module `pam_tlpasswd`, you need to reconfigure the path to
+   your PAM modules directory.
+```
+sudo install ./prequisites/pam_tlpasswd/pam_tlpasswd.so /lib64/security/pam_tlpasswd.so
+```
+
+2. Configure `/etc/pam.d/sshd` to add this in the top of the file:
+```
+auth	   [success=done ignore=ignore default=die] pam_tlpasswd.so
+```
+
+## Install the Slurm Epilog clean up script
+1. Install the clean up script
+```
+sudo cp ./prequisites/ood_thinlinc_cleanup.sh /etc/slurm/ood_thinlinc_cleanup.sh
+```
+
+2. Edit `/etc/slurm/slurm.conf` to add the following line:
+```
+Epilog=/etc/slurm/ood_thinlinc_cleanup.sh
+```
+
+Debugging The Epilog clean up script:
+```
+sudo journalctl -t tlCleanupEpilog
+```

manifest.yml

@@ -0,0 +1,8 @@
+---
+name: ThinLinc
+icon: fa://desktop
+category: Interactive Apps
+subcategory: Desktops
+role: batch_connect
+description: |
+  This app launch an interactive desktop environment as a ThinLinc session.

prequisites/ood_thinlinc_cleanup.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+TAG="tlCleanupEpilog"
+
+if [ -z "$SLURM_JOB_ID" ]; then
+    logger -t $TAG "$TAG: Error - SLURM_JOB_ID is not set. Cannot check job name. Exiting."
+    exit 1
+fi
+
+if [ -z "$SLURM_JOB_USER" ]; then
+    logger -t $TAG "$TAG: Error - SLURM_SLURM_JOB_USER not set. Exiting."
+    exit 1
+fi
+
+USER_HOME=$(getent passwd "$SLURM_JOB_USER" | cut -d: -f6)
+if [ -z "$USER_HOME" ]; then
+    logger -t $TAG "$TAG: Error - Could not find home directory for user $SLURM_JOB_USER. Exiting."
+    exit 1
+fi
+
+SECRET_FILE_TO_DELETE="$USER_HOME/.thinlinc/.ood-secrets/job-$SLURM_JOB_ID"
+
+if [ -f "$SECRET_FILE_TO_DELETE" ]; then
+    logger -t $TAG "$TAG: Found ThinLinc secret for Job $SLURM_JOB_ID. Proceeding with cleanup."
+
+    rm -f "$SECRET_FILE_TO_DELETE"
+    logger -t $TAG "$TAG: Removed secret hash: $SECRET_FILE_TO_DELETE Status: $?"
+
+    JOB_CONFIG_TO_DELETE="$USER_HOME/.thinlinc/.ood-secrets/session_config.$(hostname)"
+    if [ -f "$JOB_CONFIG_TO_DELETE" ]; then
+        rm -f "$JOB_CONFIG_TO_DELETE"
+        logger -t $TAG "$TAG: Removed session config: $JOB_CONFIG_TO_DELETE. Status: $?"
+    fi
+
+else
+    logger -t $TAG "$TAG: Job $SLURM_JOB_ID does not appear to be a ThinLinc job (no secret file found). Skipping."
+    exit 0
+fi

prequisites/pam_tlpasswd/Makefile

@@ -0,0 +1,16 @@
+SRC = pam_tlpasswd.c
+TARGET = pam_tlpasswd.so
+
+CC = gcc
+CFLAGS = -fPIC -fno-stack-protector -shared
+LDLIBS = -lcrypt
+
+.PHONY: all clean
+
+all: $(TARGET)
+
+$(TARGET): $(SRC)
+	$(CC) $(CFLAGS) -o $(TARGET) $(SRC) $(LDLIBS)
+
+clean:
+	rm -f $(TARGET)

prequisites/pam_tlpasswd/pam_modutil.h

@@ -0,0 +1,21 @@
+#ifndef PAM_MODUTIL_H
+# define PAM_MODUTIL_H
+
+#include <security/pam_modules.h>
+#include <security/_pam_macros.h>
+#include <security/_pam_types.h>
+# ifdef HAVE_SECURITY_PAM_MODUTIL_H
+#  include <security/pam_modutil.h>
+# else
+
+#  ifdef HAVE_SECURITY_PAM_MODULES_H
+#   include <security/pam_modules.h>
+#  endif
+
+#  include <pwd.h>
+
+struct passwd *pam_modutil_getpwnam (pam_handle_t * pamh, const char *user);
+extern void send_user_msg(pam_handle_t *pamh, const char *msg);
+
+# endif
+#endif