7lbd OOD Install - BYUHPC/7lbd GitHub Wiki

Installation Guide

Previous installation step: Installing the 7lbd OOD app

Next installation step: Run test jobs

The 7lbd_ood folder contains the Open OnDemand code that will need to be copied to your web server. The code will need to be altered for your HPC center. The config.sh that was used for testing earlier with the test-suite is just for the test-suite. All of that information will need to be altered in the OnDemand code like other Open OnDemand applications.

submit.yml.erb

  • We found that these jobs for light MS Office work ran well with 8 cores and about 12G of RAM. The VMs themselves were run with 8G of RAM and 5 cores. The overhead there is for the guacd container, guacd connector and the Samba server. In our experience, with less resources, login times are much longer and the GUI can be sluggish.
  • iso-netns-listeners is a directive for the spank_iso_netns plugin to specify how many ports to listen on. By default we specify 3; one for Guacamole, one for noVNC and one for the spank_oodproxy. Just because this port is opened by the ISO NETNS plugin does not mean that there is a connector daemon listening on that port. The connectors are enabled and disabled in the before.sh script.
  • oodproxy-register=1 is if you are going to be using the spank_oodproxy to connect directly to the Windows VM via a native RDP client from outside the network. This option must be set to 1 for the Spank Slurm plugin to work.

before.sh.erb

  • Decide which of the connectors to enable at the top of this script.
export guacd_rdp_enabled=1
export ws_console_enabled=1
export tls_proxy_enabled=1

  • export host="${host}.rc.byu.edu" will need to be updated to your cluster's DNS.

  • export s7lbd_dir="/apps/7lbd/7lbd.v0.4.4" will need the path to your Guacamole apps directory where the Guacamole client, connector and guacd container are located.

  • win_user="user1" must contain the username of the user account on the Windows VM. For the Windows password, you can either set it manually for testing, or allow it to be generated randomly like it will be in production.

script.sh.erb

  • update the qemu-img command that creates your overlay file to include the path to your read-only VM file.
qemu-img create -f qcow2 -b /apps/.vd/latest.qcow2 -F qcow2 ${JOB_TMP_DIR}/overlay_image.qcow2
  • Update the qemu-kvm section of the script.sh.erb with your settings. Your code may be similar to what we used, but differences are expected. See the article on qemu kvm parameters for more discussion. This part of the code looks like this:
# Launch QEMU
/usr/libexec/qemu-kvm \
    -name guest=${USER}_${job_uuid}_win11,debug-threads=on \
    -machine pc-q35-rhel9.4.0 \
    -smbios file=${script_path}/smbios_data.bin \
    -drive if=pflash,format=raw,readonly=on,file=/usr/share/edk2/ovmf/OVMF_CODE.fd \
    -device ich9-ahci,id=sata_controller \
    -drive file=${JOB_TMP_DIR}/overlay_image.qcow2,format=qcow2,if=none,id=drive0 \
    -device ide-hd,drive=drive0,bus=sata_controller.0 \
    -m 8G \
    -cpu max \
    -smp 5 \
    -device virtio-net-pci,netdev=net0 \
    -netdev user,id=net0,net=169.254.100.0/24,dhcpstart=169.254.100.15,host=169.254.100.2,hostfwd=tcp::3389-:3389 \
    -boot c \
    -vga none \
    -device virtio-gpu-pci \
    -vnc unix:${JOB_TMP_DIR}/vnc.socket,lossy=on,non-adaptive=on \
    -rtc base=localtime \
    -usb -device usb-tablet

When in production, you will need the -smbios line to insert the username and password into the VM. During the initial testing phase, this line is not necessary.

samba_start.sh

  • You will need to update the generated samba config inside the script to match your own desired share names and folders. The permissions and other configuration information should not be affected. See the article on user file access for more information.

The following is an example samba share as seen in samba_start.sh. In this case, we are creating a share for the user's home space. Note that we are allowing full guest access. This is so the user1 user on the Windows VM can access the samba share without any authentication. Why is no authentication okay in this situation? As discussed in the [user file access|User-file-access]] article, only processes inside the job running in the network namespace can access this smbd server.

[home]
   path = /home/$SLURM_JOB_USER
   read only = no
   guest ok = yes
   guest only = yes
   create mask = 0777
   directory mask = 0777