When displaying an X11 client (e.g., TotalView) remotely over the network, interactive response is typically slow. Using VNC can often improve the situation. The VNC server is run on the login node. The X11 application displays locally to this VNC server. A VNC client on your local machine also connects to the VNC server. The X11 desktop appears on your local machine via the VNC protocol rather than the X11 protocol.
Starting Up VNC
To ensure a secure environment, follow these directions carefully:
On your local machine, connect to mira.alcf.anl.gov via ssh, and forward a port to the login node.
ssh -L 5901:localhost:5901 mira.alcf.anl.gov
On mira.alcf.anl.gov, if you do not have a ~/.vnc/xstartup file, create one like the following:
#!/bin/sh
xterm &
twm
IMPORTANT: The -fg option on the server (below) will cause the server to exit when the script completes. That is why, in the example above, twm is not backgrounded.
- Run the VNC server. The following arguments are required to ensure security:
vncserver -nolisten tcp -localhost --NeverShared=1 -fg
In the output, take note of the name of the X server that is created:
New 'miralac1:1 (username)' desktop is miralac1:1
Starting applications specified in /home/username/.vnc/xstartup
Log file is /home/username/.vnc/miralac1:1.log
In this case, your DISPLAY will be ":1". Because your connection is local, do not use the part with the host name. To confirm that the X server is running, use ps and look for Xvnc:
ps -u username
PID TTY TIME CMD
32093 pts/25 00:00:00 Xvnc
32103 pts/25 00:00:00 twm
...
If the server does not stay running, check the server log (the name is given at startup) as well as the ~/.vnc/xstartup file (see note below).
On your local machine, run a VNC client. For example, under Linux:
Or, using TightVNC for Windows:
- Start vncviewer.exe
- Fill in VNC server box with "localhost:1"
- Click "Connect"
NOTE: The "localhost:1" corresponds to port 5900+1.
- On the login host, set your DISPLAY environment variable and run your client
export DISPLAY=:1 #bash
setenv DISPLAY :1 #tcsh
Run TotalView or other X11 application.
- When the application is complete, shut down your VNC server using the same display name noted when starting it. In this example:
vncserver -kill :1
- Double-check for any Xvnc processes remaining.
ps -u username
...
24296 pts/9 00:00:00 Xvnc
...
If necessary, kill them manually:
kill -9 24296
- VNC traffic between the client and server is not encrypted, so all VNC connections MUST be made through an ssh tunnel. If this connection were to be compromised, the attacker gains control of your X11 desktop and therefore has direct access to your login.
- The first time vncserver is run, you will be prompted to create a password. Make sure it is a strong password (e.g., containing a mix of uppercase, lowercase, digits, and special characters). The maximum supported password is eight characters; longer passwords will be truncated.
- VNC will create a default ~/.vnc/xstartup. Edit it so that it runs a window manager, and remove unneeded default clients.
- Do not leave the VNC server disconnected for any length of time. Although the server is password protected, it is still best to minimize the possibility that any other user might be able to connect to it. Once connected, it will not accept any other connections. After running the X11 client, connect the VNC client to the VNC server then kill the server.
- When connecting to the login node, watch for a conflict on the remote port. This happens if it is already in use. For example:
ssh -L 5901:localhost:5901 mira.alcf.anl.gov
bind: Address already in use
channel_setup_fwd_listener: cannot listen to port: 5901
Could not request local forwarding.
In this case, choose another port, e.g., 5902, 5903, etc.
ssh -L 5901:localhost:5902 mira.alcf.anl.gov
- Note how the local port can remain 5901. However, the server will need to be started listening on 5902 by adding the -rfbport option:
vncserver -nolisten tcp -localhost --NeverShared=1 -fg -rfbport 5902
- In the unlikely circumstance that there is a conflict using local port 5901, change the local port:
ssh -L 5902:localhost:5901 mira.alcf.anl.gov
- In this case, tell the VNC client to connect to localhost:2, although the server would still listen on 5901.
- The default ~/.vnc/xstartup file created is not compatible with the -terminate option because the first client created (xrdb) exits before any of the persistent clients start (e.g., twm). The server will exit at that point since it has no remaining clients. Verify that xstartup always has a client running in the background.
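One way to confirm on the login node that the -nolisten tcp and -localhost arguments took effect, so that the server is reachable only through the ssh tunnel. This is an added example, not part of the original instructions; it assumes the ss utility is available, and the function names, port ranges and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Reads `ss -ltn` style text on
# stdin and prints "<kind> <address> <port>" for every VNC (RFB, 5900-5999)
# or X11 (6000-6063) TCP listener that is bound to a non-loopback address.
# The two port ranges are assumptions of this example (display numbers 0-99).
vnc_exposed_listeners() {
    awk '
        $1 != "LISTEN" { next }          # skip the header and other states
        {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
            if (port !~ /^[0-9]+$/) next
            port += 0
            if (port >= 5900 && port <= 5999) kind = "rfb"
            else if (port >= 6000 && port <= 6063) kind = "x11"
            else next
            # Loopback binds are what -localhost is meant to produce.
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            print kind, addr, port
        }'
}

# Returns 0 when no exposed listener is found; otherwise prints them, returns 1.
check_vnc_binding() {
    findings=$(vnc_exposed_listeners)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample listing: :1 started with -localhost, :2 started without
# it, and an X server on display 2 that was started without -nolisten tcp.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       5       127.0.0.1:5901      0.0.0.0:*
LISTEN  0       5       [::1]:5901          [::]:*
LISTEN  0       5       0.0.0.0:5902        0.0.0.0:*
LISTEN  0       5       *:6002              *:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:6010      0.0.0.0:*
EOF
}

# Live use on the login node: ss -ltn | check_vnc_binding
sample_ss_output | check_vnc_binding || echo "exposed listeners found (constructed sample)"
```

On a shared login node the listing also includes other users' servers, so compare any reported port with the display number noted when your own server started.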