X11 packet forwarding through non-web shell console ssh


tmart
03-28-2008, 11:10 AM
I posted this to the suggestion forum, having assumed that there was no functionality to do this... but maybe there's a workaround that you can describe here. I'd like to get X11 packets from the grid to my desktop/laptop. Normally, I use the -X switch to enable X11 packet forwarding through the SSH tunnel, and a virtual X11 display gets created on the machine that I'm logging into with SSH. But with the AppLogic console model, I login to the console, then to the running application/grid component - but the console's SSH doesn't seem to have a way to forward X11 packets...

So, other than exposing either my laptop/desktop or the component directly to the internet, is there a way to get X11 talking from a component (I'm hoping that there is an undocumented switch of the console's SSH command to enable X11).

Thanks.

PeterNic
04-04-2008, 08:41 PM
tmart,

I think this might work the same way as regular ssh command line from your laptop:

ssh -X root@mygrid.com 'ssh myapp:main.mycomp'

Does it work?

Alternatively, you can use an IN gateway to connect to the appliance -- or even INSSL's aux or PS8 -- to allow a public connection to the appliances that have X11 inside (like Oracle)

Regards,
-- Peter

PeterNic
04-06-2008, 10:44 AM
tmart,

It turns out it is not as simple as the "ssh -X" command above but it may still be possible... stand by while we check out some ideas.

Regards,
-- Peter

PeterNic
04-06-2008, 03:05 PM
tmart,

Here's how you can set up X access over the AppLogic ssh straight to the appliance (see attached instructions from LeoKalev). It is a bit convoluted on a first glance; we'll try to incorporate it in the client-side macros on a next rev.

Let us know if it works for you...

Regards,
-- Peter

Instructions


There is indeed no built-in functionality to do X11 forwarding (or anything beyond the basic SSH interactive or non-interactive command execution). This is because there is no direct ssh session between your host and the appliance.

However, ssh provides a mechanism that allows you to create a proxy end-to-end session, over the indirect connection provided by AppLogic. The proxy session is directly between your ssh client and sshd on the appliance and is under your full control, allowing any ssh options supported by your client to be specified.

The technique is somewhat complicated, and I tested it only a little bit, to verify that it is possible. Keep in mind that this is a first attempt to achieve your goal and isn't necessarily very pretty.

Here is how this can be arranged.

Pre-requisites


- have GNU bash as your shell (if you have an X server, I assume 'bash' is also available on your host).
- an SSH client that supports the 'ProxyCommand' and 'ControlMaster' options. OpenSSH 3.9 and later should be fine.


(note that unless stated otherwise, all operations shown here are performed from your local host, at the bash command prompt, not in an AppLogic shell).

Basic Setup - Access for non-root user

First, get the remote-access shell functions for accessing the 3tshell commands directly from your local shell. You can find them here:
http://doc.3tera.net/AppLogic2/ClientSideMacros.html

mkdir ~/apl
cd ~/apl
wget http://doc.3tera.net/AppLogic2/rsrc/AppLogic2/ClientSideMacros/rmacros.sh

Note that the remote-access functions are designed for GNU bash, they won't work on a regular Bourne shell. The example script below assumes that you saved the rmacros.sh file in ~/apl/rmacros.sh. Modify the examples as needed, if you save it somewhere else.

Prepare the following two files on your local host:

1. a configuration file for ssh, e.g., named pxyssh:

cat >pxyssh <<"END"
# config file for using ssh over a proxy connection
ProxyCommand ~/apl/pxyssh.sh %h 'sshd -i'
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
LogLevel ERROR
END

2. a small shell script that will serve as the proxy command, named pxyssh.sh:

cat >pxyssh.sh <<"END"
#!/bin/sh
# proxy script for direct access to appliances via ssh
# (make this file executable with chmod +x so ssh can run it as the ProxyCommand)
# re-run with bash, if needed (rmacros.sh doesn't work with /bin/sh)
if [ -z "$BASH_VERSION" ] ; then
    exec bash "$0" "$@"
else
    # load the 3tshell remote-access functions and run the appliance-side command
    # (ssh passes the instance name and 'sshd -i' as the arguments)
    . ~/apl/rmacros.sh
    assh "$@"
fi
END

Log in to the appliance and configure the user account that will be the target for your ssh session. Here, I assume that this is not 'root' (if you want X forwarding for root, see below):


- set up your ssh key as an authorized key for the user (i.e., store it in /home/username/.ssh/authorized_keys). The file should have permissions only to the user, and the parent directory should not be writeable to anyone except the user (see the sshd man pages for details).
- make sure you have the necessary libraries and utilities to run X clients on the appliance, including xauth (xauth will be invoked automatically by sshd and the X forwarding will fail if it isn't present).

Source the rmacros.sh file and select your application (with the appliance that's setup for X11 access) as the current application.

. ~/apl/rmacros.sh
controller my-controller-hostname # e.g., gridname.3tera.net
ca my-application

Check that you can execute 3tshell commands from your bash prompt, including ssh to the appliance:

3t grid info # this should do the same as 'grid info' from the AppLogic shell
assh appliance-instance 'uname -a' # this should work like 'ssh app-instance' from the AppLogic shell.

Now, you're ready to open the direct ssh session, with any ssh options you want, including -Y or -X for X11 forwarding, -R or -L for any other port forwarding, etc. The example here specifies the -Y option only:

ssh -F pxyssh -Y -l username appliance-instance-name

where username is the user that you set up for the X-forwarded access and appliance-instance-name is the name of the appliance within the application (you can look up the names of all appliances in your application with the '3t comp list' command from your shell).

You should now be logged in to the appliance; check that the DISPLAY variable is set, e.g.:

echo $DISPLAY

The output should be something like "localhost:10.0".


Advanced Stuff - accessing 'root' with the proxy ssh method

AppLogic auto-configures the ssh access keys for the root user, to allow the 'ssh' command to work from the AppLogic shell. This makes it somewhat involved to have your own keys set up, without breaking the grid controller's ability to log in to the appliance.

The steps to achieve this are as follows:


1. Select an alternate location for your ssh keys, e.g., /root/altssh. Create this directory and set up the authorized_keys file in it. This leaves the '/root/.ssh' directory alone for AppLogic use.
2. Create a copy of the sshd configuration file and modify the AuthorizedKeysFile setting to point to your alternate file (e.g., "AuthorizedKeysFile altssh/authorized_keys"). Let's say the new config file name is /etc/ssh/sshd_config_alt.
3. Modify the proxy command line in the ssh configuration file described above (pxyssh) to read like this:

ProxyCommand ~/apl/pxyssh.sh %h 'sshd -i -f /etc/ssh/sshd_config_alt'


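
The instructions above disable host-key checking (StrictHostKeyChecking no, UserKnownHostsFile /dev/null), so the proxied session is never verified against the appliance's own key. The following is an added example, not part of the thread or of AppLogic, that writes the same two client files with verification kept on and pins each appliance's host key under its instance name; it assumes the ~/apl/rmacros.sh layout and the `assh` function from the post, and that the key is recorded once with pxyssh_trust (pasted from the appliance's /etc/ssh/ssh_host_*_key.pub) before the first session.

```shell
#!/bin/bash
# Added example: proxy-ssh client files with host-key verification retained.

# Write pxyssh (ssh config) and pxyssh.sh (ProxyCommand script) into $1.
# $2 is optional: the sshd config to use on the appliance, e.g.
# /etc/ssh/sshd_config_alt for the alternate-keys root setup described above.
pxyssh_write() {
  local dir=$1 sshd_cfg=${2:-} sshd_cmd="sshd -i"
  if [ -n "$sshd_cfg" ]; then sshd_cmd="sshd -i -f $sshd_cfg"; fi
  mkdir -p "$dir"
  cat >"$dir/pxyssh" <<END
# ssh over the AppLogic proxy; %h is the appliance instance name, not a DNS name
ProxyCommand $dir/pxyssh.sh %h '$sshd_cmd'
# Keep host-key checking: the appliance's key is the only thing that binds the
# session to that appliance rather than to whatever the proxy channel returns.
StrictHostKeyChecking yes
UserKnownHostsFile $dir/known_hosts
LogLevel ERROR
END
  cat >"$dir/pxyssh.sh" <<'END'
#!/bin/bash
# ProxyCommand: start sshd in inetd mode on the appliance over the 3tshell channel
. ~/apl/rmacros.sh
assh "$@"
END
  chmod 700 "$dir/pxyssh.sh"
}

# Pin an appliance's public host key under its instance name ($2) in $1/known_hosts.
# $3 is the key in OpenSSH public-key format ("ssh-rsa AAAA...").
pxyssh_trust() {
  local dir=$1 name=$2 pubkey=$3
  printf '%s %s\n' "$name" "$pubkey" >>"$dir/known_hosts"
  chmod 600 "$dir/known_hosts"
}

# Return 0 if instance $2 already has a pinned key in $1/known_hosts, else 1.
pxyssh_is_trusted() {
  [ -f "$1/known_hosts" ] || return 1
  awk -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1/known_hosts"
}
```

With the files in place, `ssh -F ~/apl/pxyssh -Y -l username appliance-instance-name` refuses to connect until that instance's key has been pinned, and fails loudly if the key presented later differs.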

tmart
04-13-2008, 09:34 PM
Leaping Lizards! :)

I guess we can temporarily expose prototype machines (or IN gateways) to the Internet to get things installed when necessary. I was hoping that there was some simple way to do this.

As a follow-up, in addition to X11 port forwarding, it would be really nice to be able to setup local and remote proxies (a la ssh's -L and -R switches).

Thanks for your help.