Architecture - BYUHPC/7lbd GitHub Wiki

The main goal in creating 7lbd was to provide HPC users with access to Windows while minimizing the required staff time, Windows infrastructure, and expertise. With 7lbd, the only Microsoft Windows component is a single read-only VM. Although there may be thousands of copies of this VM running for different users on your cluster, HPC staff only need to maintain one VM. This solution offers extremely low maintenance overhead and high scalability, although it is subject to Microsoft licensing.

At the core of 7lbd is the idea of running Microsoft Windows in a highly isolated environment: users get access to computing on Microsoft Windows, and nothing more. Each 7lbd Windows VM runs in an isolated network namespace with no connectivity to the outside world; by design, the VM has no interface on any routable network. The articles below explain how users can nevertheless reach these Windows VMs over a remote desktop connection, access all files belonging to the logged-in user, and check out software licenses from network license servers. Users do not have access to the Internet, printers, or any other network or Internet resource; they have access only to locally installed software and their own files.

Remote Desktop Connectors

Remote desktop connectors are custom daemons, written for 7lbd, that run as part of the Open OnDemand job. They accept incoming desktop connections and relay them to the Windows VM running inside the job's isolated network namespace. Not all of these connectors need to be provided.

User accounts and authentication

7lbd uses a shared Windows account with a randomly assigned temporary password, as most other interactive Open OnDemand applications do. The article Windows user accounts and authentication describes how this is accomplished.

File access

User file access is handled by an smbd daemon that runs as the user inside the Open OnDemand job.

VM Image Management

In production, the VM image is read-only and each job writes its changes to a temporary overlay file. See Windows Image Management for more information. For regular VM maintenance tasks, see the article on creating a maintenance OOD application for 7lbd.

Accessing software license servers

Network license servers are reached from a VM running in a 7lbd network namespace through the --iso-netns-proxies option of the spank_iso_netns plugin. Just as the three remote desktop connectors bring inbound desktop connections into the namespace, the spank_iso_netns plugin runs a connector outside the namespace that provides outbound access to license servers; in both cases the connection is handed across the namespace boundary as a file descriptor.
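The Python program below is an added example, not code from the 7lbd project or the spank_iso_netns plugin, that shows the hand-off pattern the two connector types share: a process with a routable interface accepts (inbound desktop) or opens (outbound license server) a TCP connection and passes the connected socket to a process on the other side of the boundary as a file descriptor. The page only states that a file descriptor is used; the choice of SCM_RIGHTS over a Unix-domain socket, the socketpair standing in for the cross-namespace channel, the allow-list in the outbound proxy, and the in-process stand-in for a license server are all assumptions of this example. It runs in a single unprivileged process with threads and creates no network namespaces.

```python
"""Added example, not 7lbd's code: handing connected sockets across an isolation
boundary as file descriptors (SCM_RIGHTS over a Unix-domain socket). Assumed model:
an "outside" process owns a routable interface, an "inside" process stands in for
the namespace holding the VM, and they share only a Unix channel (a socketpair here)."""
import array
import socket
import threading


def send_fd(chan, fd, payload=b"fd"):
    """Pass an open descriptor to the peer; the kernel references the file at
    send time, so the sender may close its own copy right afterwards."""
    chan.sendmsg([payload], [(socket.SOL_SOCKET, socket.SCM_RIGHTS,
                              array.array("i", [fd]))])

def recv_fd(chan):
    """Return (payload, fd); raise if the peer attached no descriptor."""
    fds = array.array("i")
    payload, ancdata, _, _ = chan.recvmsg(256, socket.CMSG_SPACE(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:len(data) - len(data) % fds.itemsize])
            return payload, fds[0]
    raise RuntimeError("no descriptor attached: %r" % payload)

# Inbound: desktop client -> connector outside -> service inside the boundary.
def inbound_connector(listener, chan):
    """Outside: accept one client, hand its socket in, keep no reference to it."""
    conn, _ = listener.accept()
    send_fd(chan, conn.fileno(), b"desktop")
    conn.close()

def inside_desktop_service(chan):
    """Inside: owns no listening socket; serves whatever connection it is handed."""
    _, fd = recv_fd(chan)
    with socket.socket(fileno=fd) as conn:      # family/type are read from the fd
        conn.sendall(b"served inside namespace: " + conn.recv(64))

# Outbound: license client inside -> proxy outside -> license server.
def outbound_proxy(chan, allowed):
    """Outside: connect only to allow-listed (host, port) pairs and hand the
    connected socket in; a refused request is answered with no descriptor."""
    host, port = chan.recv(256).decode().rsplit(":", 1)
    if (host, int(port)) not in allowed:
        chan.sendall(b"denied")
        return False
    upstream = socket.create_connection((host, int(port)))
    send_fd(chan, upstream.fileno(), b"ok")
    upstream.close()
    return True

def inside_license_checkout(chan, host, port):
    """Inside: ask the proxy for a server and talk to it over the passed fd;
    returns None when the proxy refuses the destination."""
    chan.sendall(f"{host}:{port}".encode())
    try:
        _, fd = recv_fd(chan)
    except RuntimeError:
        return None
    with socket.socket(fileno=fd) as upstream:
        upstream.sendall(b"CHECKOUT feature=solver")
        return upstream.recv(128)

def fake_license_server(listener):
    """Constructed stand-in for a network license server on the routable side."""
    conn, _ = listener.accept()
    with conn:
        conn.recv(64)
        conn.sendall(b"FEATURE granted")

def _run(*jobs):
    """Start each (target, args) pair in a thread; the caller joins them."""
    threads = [threading.Thread(target=fn, args=args) for fn, args in jobs]
    for t in threads: t.start()
    return threads

def run_demo():
    """Exercise both directions plus a refused destination; return each reply."""
    results = {}
    outside, inside = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    desktop = socket.create_server(("127.0.0.1", 0))
    workers = _run((inbound_connector, (desktop, outside)),
                   (inside_desktop_service, (inside,)))
    with socket.create_connection(desktop.getsockname()) as client:
        client.sendall(b"ping")
        results["desktop_reply"] = client.recv(128)
    for t in workers: t.join()
    desktop.close()
    lic = socket.create_server(("127.0.0.1", 0))
    allowed = {lic.getsockname()}           # the only destination the proxy will open
    workers = _run((fake_license_server, (lic,)), (outbound_proxy, (outside, allowed)))
    results["license_reply"] = inside_license_checkout(inside, *lic.getsockname())
    for t in workers: t.join()
    lic.close()
    workers = _run((outbound_proxy, (outside, allowed)))
    results["denied_reply"] = inside_license_checkout(inside, "127.0.0.1", 9)
    for t in workers: t.join()
    outside.close()
    inside.close()
    return results
```

The point to take from the example is that the isolated side never holds a socket bound to a routable address: for inbound traffic it only ever receives already-accepted connections, and for outbound traffic it can reach exactly the destinations the proxy on the routable side is willing to open, so the allow-list in the outside process, not anything inside the namespace, decides what the VM can talk to.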

Windows licensing

Microsoft licensing is a highly complex topic. It can take weeks or even months to get licensing questions answered by your institution, a reseller, or Microsoft, so we highly recommend starting licensing conversations very early in the planning and installation process. For 7lbd, you will be licensing Windows 11 VMs, each used by a single remote user and running on a Linux host that carries no Microsoft license. This can be accomplished without any Microsoft Server licenses and without licensing any server cores. These Windows 11 licenses might not be covered under your campus agreement and may need to be purchased separately to supplement your existing licensing. Typically, options are available on a per-VM (simultaneous instance) or per-named-user, per-year basis. As always, this is subject to change, and it does change frequently.