Forwarding X11

In the Unix/Linux world, the X Window System (a.k.a. "X11" or simply "X") provides the underlying mechanism for constructing graphical user interfaces (GUIs) and displaying visual information on screen. One of the most powerful features of X11 is the ability to run application programs (X clients) on one system and have them display on another system (X server) by routing the graphical protocol stream across the network. On SciClone, this capability allows us to submit interactive X11-based jobs (such as GRASS or R) to the TORQUE job scheduler and route the display back to the user's desktop workstation. This can be accomplished either with X11 Forwarding through Secure Shell (SSH), or via the Xauthority mechanism which is built into X11.

X11 Forwarding is the simplest and most secure mechanism. With this technique, the user simply logs into a front end server (typhoon or hurricane) via SSH, and then uses the qlogin command to initiate a job. qlogin automatically configures the DISPLAY environment variable so that X11 sessions will be forwarded through the front end back to the user's desktop (assuming that the user is running an X server on an authorized host and that his/her local SSH configuration allows X11 Forwarding). This makes qlogin the preferred way to launch simple GUI-based applications on compute nodes.

For applications which have complex GUIs, require frequent screen updates, and/or produce a high volume of image data, the SSH forwarding scheme is inefficient and may perform poorly. Overheads are incurred in encrypting the graphical data stream and routing it back through the front end node, where it may compete with several other users for a slice of the Gigabit Ethernet link to the outside world. A better approach for these types of applications is to establish a direct connection between a compute node and the user's workstation. To allow this, the user must first establish an X11 authorization key on his/her workstation and then propagate that to SciClone. The key is essentially a "permission slip" which gives X clients on SciClone the ability to connect to the user's local display. Some X11 installations create the appropriate keys automatically when a user logs in on his/her workstation, while others do not. In either case, the key must be copied over to SciClone.

To facilitate this process, we provide a script which can be downloaded and run on the user's workstation to automatically generate a key (if necessary) and merge it into the user's ~/.Xauthority file on SciClone. Once the key is in place, X11-based TORQUE jobs can be submitted to SciClone in the usual way (either interactive or batch mode), setting the DISPLAY environment variable to point back to the local workstation.

The following example illustrates how to do this for an interactive R session. First, request an interactive shell on a compute node:

    qsub -I -l nodes=1:c9:ppn=4 -l walltime=1200

Once the job is active, run the following commands to set up the shell environment, direct X11 output back to your workstation, and initiate R. If everything is configured properly, graphical output, such as plot() commands, will appear in a window on your display.

    module load r
    setenv DISPLAY myworkstation.mydomain:0
    cd myprojdir
    R -g X11
    > ... R commands ... 

X sessions established with this mechanism will bypass the login server and are normally routed directly to the campus backbone via SciClone's "back door" 10 Gb/s Ethernet link. The primary disadvantage of this approach is that the connection is unencrypted and therefore inherently insecure: X11 authorization keys are transmitted "in the clear" across the network, as is the data stream between the X client and the X server. This means that anyone with the appropriate software tools and access to a host on any of the network segments along the route could potentially steal authorization keys and/or intercept the contents of X sessions. For this reason, we recommend using X authorization keys only for applications which need to maximize graphical performance. It is imperative that passwords, passphrases, or other sensitive information never be entered into X applications which are initiated using this technique.
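The following is an added example, not part of the original page and not the script mentioned above: a Python parser for the binary ~/.Xauthority format that lists which stored keys can be presented over a direct TCP connection, the path on which the key travels unencrypted. The function names and the sample data are constructed for illustration.

```python
import ipaddress
import struct

# Family codes from the X11 headers (X.h / Xauth.h).
FAMILIES = {0: "Internet", 6: "Internet6", 256: "Local", 65535: "Wild"}
NETWORK_FAMILIES = {0, 6, 65535}  # entries a client can use over TCP

def parse_xauthority(blob):
    """Parse raw .Xauthority bytes into a list of entry dicts."""
    entries, pos = [], 0
    def take(n):
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError(f"truncated entry at offset {pos}")
        chunk = blob[pos:pos + n]
        pos += n
        return chunk

    def counted():  # 16-bit big-endian length, then that many bytes
        (length,) = struct.unpack(">H", take(2))
        return take(length)

    while pos < len(blob):
        (family,) = struct.unpack(">H", take(2))
        address, number, proto, cookie = (counted() for _ in range(4))
        if family in (0, 6):  # raw IPv4 / IPv6 address bytes
            host = str(ipaddress.ip_address(address))
        else:  # hostname for Local, empty for Wild
            host = address.decode("ascii", "replace")
        entries.append({
            "family": FAMILIES.get(family, str(family)),
            "network": family in NETWORK_FAMILIES,
            "display": f"{host}:{number.decode()}",
            "protocol": proto.decode(),
            "cookie_bytes": len(cookie),  # report length only, never the key
        })
    return entries

def tcp_usable(entries):
    """Displays whose key can be presented over a direct TCP connection."""
    return [e["display"] for e in entries if e["network"]]

def _pack(family, *fields):  # builds the constructed sample below
    body = b"".join(struct.pack(">H", len(f)) + f for f in fields)
    return struct.pack(">H", family) + body

# Constructed sample: 192.0.2.10 is a documentation address, cookies are zeros.
SAMPLE = (_pack(256, b"myworkstation", b"0", b"MIT-MAGIC-COOKIE-1", bytes(16))
          + _pack(0, bytes([192, 0, 2, 10]), b"0", b"MIT-MAGIC-COOKIE-1", bytes(16)))
```

To audit a real file, pass the bytes read from ~/.Xauthority (opened in binary mode) to parse_xauthority; entries returned by tcp_usable are the ones to remove once the direct-connection job is finished.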