[slurm-users] '--x11' or no '--x11' when using srun when both methods work for X11 graphical applications

Matthieu Hautreux matthieu.hautreux at gmail.com
Wed Nov 29 14:37:10 MST 2017


Hi Kevin,

Based on my understanding and a discussion with the SLURM dev team on that
subject, here are some information about the new support of X11 in
slurm-17.11 :

- slurm's native support of X11 forwarding is based on libssh2
- slurm's native support of X11 can be disabled at configure/compilation
time using the --disable-x11 configure pragma
- slurm-spank-x11 can be used only if you disable slurm's native support of
X11 at configure/compilation time

The simplest case with --pty available since 1.3 only works if you do not
really want to secure your X11 forwarding (using xhost +...).

libssh2 yet offers a subset of the capabilities of openssh (less encryption
methods, less authentication methods, ...). If you need options only
available in openssh, you should use slurm-spank-x11 instead of slurm's
native support of X11. That is what we are doing with 17.11 as we need
GSSAPI support for kerberos authentication, a support that is not provided
by libssh2 right now.

Take a look at https://www.libssh2.org/ to figure out if the provided
features is sufficient for you. If it is the case, I guess that using
slurm's native support of X11 will be easier than having to compile,
install and configure slurm-spank-x11.

Looking at the code in current slurm-17.11
(src/slurmd/slurmstepd/x11_forwarding.c),
the logic behind slurm's native support of X11 differs from slurm-spank-x11
when it comes to establish the ssh connections required to secure the X11
forwarding. If my understandings are correct, native logic is to redirect a
local port on the compute node to the X11 port on the submission/login node
using libssh2 direct-tcpip channels (equivalent to -L %port:%host:%port in
openssh) and set that local port as the X11_DISPLAY to use locally by the
applications. Hostbased authentication and pubkey authentication are the
two authentication logics that are tried. So you need to have either
hostbased authentication configured on your cluster or pubkey/private keys
available and configured for all of your users in their home directories,
readable on the compute nodes after seteuid/setegid.


HTH.

Matthieu

Le 29 nov. 2017 21:20, "Kevin Manalo" <kmanalo at jhu.edu> a écrit :

> Hello SLURM users​,
>
>
>
> I was reviewing the X11 documentation
>
>
>
> https://slurm.schedmd.com/faq.html#terminal
>
> https://slurm.schedmd.com/faq.html#x11
>
>
>
> *15. Can tasks be launched with a remote terminal?*
> * In Slurm version 1.3 or higher, use srun's --pty option. Until then, you
> can accomplish this by starting an appropriate program or script. In the
> simplest case (X11 over TCP with the DISPLAY environment already set),
> executing srun xterm may suffice.*
>
>
>
> At our site, indeed this is sufficient.  We are using the
> https://github.com/hautreux/slurm-spank-x11 plugin currently.
>
>
>
> I see that  in the 17.11.0 announcement
>
>
>
> *  -- X11 support is now fully integrated with the main Slurm code. *
>
>
> * Remove any       X11 plugin configured in your plugstack.conf file to
> avoid errors being       logged about conflicting options. *
>
>
>
> Questions
>
>
>
>    1. If ‘srun —x11’ is not needed to X11 forward (the simplest case
>    works), do we encourage users to use it?  I’m more in need of understanding
>    how it works because some users use it, some do not, and more education on
>    this would be great.
>    2. Is the SLURM spank x11 plugin now unnecessary once we build 17.11.0
>    with the updated configuration?
>
>
>
> Thanks,
>
> Kevin
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.schedmd.com/pipermail/slurm-users/attachments/20171129/120ef0e8/attachment.html>


More information about the slurm-users mailing list