[FreeNX-kNX] Manually starting a freenx session

Fabian Franz FabianFranz at gmx.de
Fri Sep 7 15:27:48 UTC 2007 

> Well... First time i'm trying to reply in this mailing list... hope i did
> it
> right....

Yes, you did :-).

> Still, Fabian.... I didn't studied completly the way freenx loadbalancing
> works but as far as i know, in the case of freenx, the frontserver would
> create a tunnel though the connection between the client and the
> backserver,
> isn't that right? 

This is right as long as SSL encryption is used.

First ask yourself: Do you need encryption or are you already on a secure network, so that that is not needed?

If so, you can spare yourself all trouble and use NX with SSL turned off as that will establish a real new connection to the back servers.

>That's my idea of what happens and, if true, if many
> users
> are connected the bandwidth available at the frontserver would easily
> decline and could create decreased perfomance..

Sure ...

> My idea is that the client disconnects from the frontserver and creates a
> new connection to the backserver, to restore a session there create by the
> frontserver.

Exactly.

 I'm working with a modified version of the 2X open source
> client to accomplished this... that's why i wanted to know how to, by a
> means of bash or perl scripts, create a session in the backserver with the
> frontserver. If you could help me there, i thank you :)

Well, if you want to rewrite FreeNX ... okay, kidding.

The point is at the stage, where the client says "bye" or "quit" the connetion is either tunneled or closed.

So before nxclient sends the Switch command to nxssh.exe you send "quitkey" (not bye!), kill the process, startup a new one and use that for the communication.

To complicate matters nxssh.exe has the tunneling logic build into the system.

So what you need is a special nxserver instance running on all the backnodes, that just gets a key and then forwards the connection from backmachine to nxagent (running on the same machine).

This could work like:

nxserver-keydaemon runs on port 6445 and accepts keys + port number and creates a file called <key> in some directory with the port number in it. (it is protected via firewall rules to be only accessible from frontnode)

(The frontnode nxserver establishes such a mapping instead of tunneling the connection itself.)

nxserver-keyforwarder as shell for nx user on backnodes:

Getting a "key" and either responding:

NX 404> Not found
NX 999> Bye

and forwarding the connection via netcat to the port from the key file.

This way you have:

- all session logic on the server
- direct connection to backnodes
- nxserver-key{daemon, forwarder} as connecting unit in between 

Btw. Don't use the frontnode as default router for the backnodes, because then you could have done the normal FreeNX scenario as well ... (all traffic will then be routed over the frontnode)

To summarize what you need to do in pseudo code / pseudo patch:

Use global usable ip addresses in your load balancing setup.

- old nxserver code
- vorhandener quit command
+ case "quitkey")
+     echo_x "ByeKey" 1>&2
+     echo_x "NX> 999 ByeKey" 1>&2
+     let PROXY_DISPLAY=$SESS_DISPLAY+4000
+     SESSKEY=$(echo $PROXY_DISPLAY | netcat $SERVER_HOST 6445)
+     echo_x "$SESSKEY:$SERVER_HOST"
+     exit 0
- vorhandener bye command
- old nxserver code

- Old nxclient code until the bye command.
+ "quitkey" -> server (will establish the mapping with keydaemon)
+ Read code back. If the server did not understood the command?
-> fallback to sending bye and letting the server handle the forwarding
-> skip the rest until old
+ Server did understood the command
+ gets back the key and real ip (key:realip)
+ nxssh kill
+ nxssh new startup with right ip to nxserver-shell keyforwarder
+ send key
- Old nxclient code starting with sending Switch command to nxssh.exe

nxserver-keydaemon running via faucet (netpipes package) like:

#!/bin/sh

[ "$(whoami)" != "nx" ] && exec sudo -u nx $0 

if [ "$1" = "readkey" ]
then
  read line
  KEY=$(mcookie)
  echo "$line" > $HOME/keys/$KEY
else
  # FIXME: Possibly cleanup keys here first
  # rm -f $HOME/keys/*
  # FIXME: Add self protecting iptables rule
  exec faucet 6445 -io "$0" readkey
fi

Spawn it as root.

nxserver-keyforwarder is run by putting the following keys in node.conf on all slave machines:

ENABLE_NOMACHINE_FORWARD_PORT="1"
NOMACHINE_FORWARD_PORT="22" # assuming ssh runs on 22

NOMACHINE_SERVER="/usr/NX/bin/nxserver-keyforwarder"
NOMACHINE_NX_HOME_DIR="/usr/NX/home/nx"

nxserver-keyforwarder would look like:

#!/bin/sh

read -t5 KEY || exit 1 # add a timeout, so no one 
                       # can hold up the connection 

if [ -r "$HOME/keys/$KEY" ]
then
  port=$(cat "$HOME/keys/$KEY")
  echo "NX> 999 Bye"
  netcat 127.0.0.1 "$port"
else
  echo "NX> 404 Key not found".
fi

Good luck!

cu

Fabian

PS: This was all written quite fast, so there might be some minor syntax errors, but I would do the overall design like that.
PPS: Once you have it working, I would of course accept a patch and apply it to 2x SVN and FreeNX SVN.

More information about the FreeNX-kNX mailing list