Difference between revisions of "Guidelines for Remote Worker Shift"

From Hall D Ops Wiki
(Run a VNC Client)
Line 40: Line 40:
 
## <u>Session</u> → ''Host Name'':  <code>your_jlab_userid@hallgw.jlab.org</code>
 
## <u>Session</u> → ''Host Name'':  <code>your_jlab_userid@hallgw.jlab.org</code>
 
## <u>Connection → SSH</u> → ''Remote command'':  <code>echo “Enter hdops password next…”; ssh -X -t -L59XX:localhost:5933 hdops@gluon03</code>
 
## <u>Connection → SSH</u> → ''Remote command'':  <code>echo “Enter hdops password next…”; ssh -X -t -L59XX:localhost:5933 hdops@gluon03</code>
## <u>Connection → SSH → X11</u> → ''Enable X11 forwarding'':  check box
+
<!-- ## <u>Connection → SSH → X11</u> → ''Enable X11 forwarding'':  check box -->
 
## <u>Connection → SSH → Tunnels</u> → ''Add new forwarded port'':
 
## <u>Connection → SSH → Tunnels</u> → ''Add new forwarded port'':
 
### ''Source port'':  <code>59XX</code>
 
### ''Source port'':  <code>59XX</code>
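Review bot: The X11 checkbox step is commented out in this hunk, but the unchanged ''Remote command'' line above it still reads <code>ssh -X -t -L59XX:localhost:5933 hdops@gluon03</code>, so the PuTTY path keeps requesting X11 forwarding on the hop to gluon03. Drop the <code>-X</code> there as well so the Windows instructions match the intent of this change. Since the step is no longer wanted, deleting the line would also be cleaner than leaving it in an HTML comment.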
Line 55: Line 55:
 
In all cases below, you will end up with a terminal session open as hdops on gluon03.  Leave this session active -- it acts as the ssh tunnel.  Once the session is closed, the tunnel is gone.   
 
In all cases below, you will end up with a terminal session open as hdops on gluon03.  Leave this session active -- it acts as the ssh tunnel.  Once the session is closed, the tunnel is gone.   
  
* '''Linux:'''  open a local terminal and run: <code>ssh -X -t -L59XX:localhost:59XX your_jlab_userid@hallgw.jlab.org ssh -X -t   -L59XX:localhost:5933 hdops@gluon03</code>
+
* '''Linux:'''  open a local terminal and run: <code>ssh -t -L59XX:localhost:59XX your_jlab_userid@hallgw.jlab.org ssh -t -L59XX:localhost:5933 hdops@gluon03</code>
 
# replace XX with a user preferred number: 01 to 99
 
# replace XX with a user preferred number: 01 to 99
 
# The first password required is the two-factor authentication code, the second password is the hdops account password.  (If you do not know the hdops account password you may obtain it verbally from the shift leader through a BlueJeans connection.  Please do not email or post the password anywhere.)
 
# The first password required is the two-factor authentication code, the second password is the hdops account password.  (If you do not know the hdops account password you may obtain it verbally from the shift leader through a BlueJeans connection.  Please do not email or post the password anywhere.)
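Review bot: On the new Linux command line, the inner <code>-L59XX:localhost:5933</code> listener is opened on hallgw using a port number each user picks freely (01 to 99), and nothing here handles two users picking the same XX. By default ssh only prints a warning when a forward cannot bind and still opens the session, so the outer forward would then ride on the other user's listener and drop when that user logs out. Consider adding <code>-o ExitOnForwardFailure=yes</code> to both ssh invocations so a collision fails at login, and have the instructions tell the user to pick a different XX in that case.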

Revision as of 18:21, 19 August 2021

Responsibilities of the Remote Worker

The role of the remote worker is to support the data acquisition and monitoring being conducted by the shift leader, who is physically located in the counting room. Remote workers will have access to a counting room desktop display via VNC and will be able to interact with it exactly as if they were in the counting room. The remote worker should monitor data quality and data acquisition as well as keep in constant live communication with the shift leader. The remote worker should never conduct an operation that will result in a change of hardware configuration in the hall, e.g., manipulating high voltages, moving the diamond, etc.

Days prior to taking any remote shifts, shift crew members should:

  • verify they are able to establish a VNC connection to the counting room, which necessarily involves using two-factor authentication (see notes at the bottom of this page) to log in to hallgw.jlab.org,
  • read the Hall D Conduct of Operations (COO) document and other relevant information linked on the Hall D Safety Page,
  • obtain, as necessary, proper training and orientation from an experienced shift worker.

Tasks for the remote shift person during a shift:

  • Establish and maintain live communication with onsite shift person through BlueJeans.
    • Specific BlueJeans connection information will be added to this document once a BlueJeans room is established.
  • Open a VNC session, according to the instructions below, and conduct shift duties. Remember that the onsite person can both see and interact with the desktop that the remote worker is using. This enables, for example, pointing to features in plots and discussing potential issues.
  • Continue doing any activities that would typically be done by the worker in the counting house, except conducting any operation that involves controlling hardware, including acknowledging alarms. Control of hardware and the DAQ interface should only be done by the shift leader who is physically present in the counting room.
  • Resources and Tasks for Shift Takers

Initiating a Remote Connection to the Counting Room

The remote VNC session must be run through an ssh tunnel through hallgw.jlab.org. The instructions below describe how to establish this tunnel and then connect a VNC client, run locally on the worker's machine, to the tunneled port where the VNC server is running in the counting room.

Initial Setup Instructions

The setup instructions below will need to be completed and tested well before the first shift.

  • Linux: the minimum requirement for a remote shift taker is a VNC client, referred to generically as vncviewer in the instructions below. This client could in principle be TightVNC, TigerVNC, RealVNC, or any other. Many Linux distributions have the executable vncviewer distributed as part of the TigerVNC package: https://tigervnc.org
  • Mac: likely the stock macOS is sufficient
  • Windows:
  1. install both PuTTY from https://www.putty.org and version 2.x of TightVNC for Windows from https://www.tightvnc.com
  2. configure and test a PuTTY session for the VNC tunnel by opening PuTTY and entering the following customizations. Each entry gives the side-menu path followed by the field to adjust. (replace XX with a user preferred number: 01 to 99)
    1. Session → Host Name: your_jlab_userid@hallgw.jlab.org
    2. Connection → SSH → Remote command: echo “Enter hdops password next…”; ssh -X -t -L59XX:localhost:5933 hdops@gluon03
    3. Connection → SSH → Tunnels → Add new forwarded port:
      1. Source port: 59XX
      2. Destination: localhost:59XX
      3. click Add
    4. Return to Session and in the Saved Sessions area name this session something like “Hall D VNC Tunnel” and click Save.

Establishing a Remote VNC Session

Each time you start a remote shift you will need to establish a VNC session to conduct the shift. Follow the instructions below.

Create an ssh Tunnel

In all cases below, you will end up with a terminal session open as hdops on gluon03. Leave this session active -- it acts as the ssh tunnel. Once the session is closed, the tunnel is gone.

  • Linux: open a local terminal and run: ssh -t -L59XX:localhost:59XX your_jlab_userid@hallgw.jlab.org ssh -t -L59XX:localhost:5933 hdops@gluon03
  1. replace XX with a user preferred number: 01 to 99
  2. The first password required is the two-factor authentication code, the second password is the hdops account password. (If you do not know the hdops account password you may obtain it verbally from the shift leader through a BlueJeans connection. Please do not email or post the password anywhere.)
  3. verify you are logged in to gluon03 with account hdops (the vncserver on this account uses port 33)
  4. minimize this window to avoid confusion and leave the session running until the end of your shift
  • Mac: same as Linux above using the Terminal app
  • Windows: select the appropriate pre-configured PuTTY session that you set up according to the instructions above, click “Load” and then “Open” to start the session
  1. type in the two-factor authentication code to the first password prompt and then the hdops password to the second password prompt
  2. verify you are logged in to gluon03 with account hdops
  3. minimize this window to avoid confusion and leave the session running until the end of your shift
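
As an added example (not part of the original wiki page), the shell helpers below build the Linux tunnel command above from a validated XX and classify, from `ss -ltn` output, whether the local 59XX listener is bound to loopback only before a VNC client is pointed at it. The function names, the sample `ss` output and the user id are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki. Function names and sample data are constructed.

# Print the page's two-hop Linux tunnel command for a given XX and JLab user id.
# Fails unless XX is two digits in 01..99 and the user id is a plain account name.
hd_tunnel_cmd() {
    local xx="$1" user="$2"
    case $xx in
        [0-9][0-9]) [ "$xx" != "00" ] || return 1 ;;
        *) return 1 ;;
    esac
    case $user in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;   # empty, option-like, or odd characters
    esac
    printf 'ssh -t -L59%s:localhost:59%s %s@hallgw.jlab.org ssh -t -L59%s:localhost:5933 hdops@gluon03\n' \
        "$xx" "$xx" "$user" "$xx"
}

# Read `ss -ltn` output on stdin and classify the listener on local port 59XX:
#   none      nothing is listening (the tunnel is not up)
#   loopback  bound only to 127.x / [::1], which is what a plain -L forward gives
#   exposed   bound to a wildcard or LAN address, so other hosts can reach the
#             shared desktop through this machine
hd_listener_scope() {
    local port="59$1" scope=none state recvq sendq laddr rest addr
    while read -r state recvq sendq laddr rest; do
        [ "$state" = "LISTEN" ] || continue
        [ "${laddr##*:}" = "$port" ] || continue
        addr=${laddr%:*}
        case $addr in
            127.*|'[::1]') [ "$scope" = exposed ] || scope=loopback ;;
            *) scope=exposed ;;
        esac
    done
    echo "$scope"
}

# Constructed sample of `ss -ltn` output with the tunnel up for XX=07.
sample='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:5907      0.0.0.0:*
LISTEN 0      128            [::1]:5907         [::]:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*'

hd_tunnel_cmd 07 your_jlab_userid
printf '%s\n' "$sample" | hd_listener_scope 07
```

On a live machine, pipe the real output in with `ss -ltn | hd_listener_scope XX`; anything other than `loopback` means the tunnel is either down or reachable from other hosts.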

Run a VNC Client

Now you need to connect a locally run VNC client to the port 59XX on your local machine. In all of the instructions below replace XX with the number chosen when you established the tunnel above.

  • Linux: use the command line VNC client that is generically named vncviewer in the instructions -- replace with the client you installed. From a new, local terminal (not the hdops account on gluon03!) execute the command vncviewer -shared ::59XX
  1. 59XX is the port
  2. the -shared option keeps connections made by other users open
  3. enter the hdops password when prompted by the VNC client
  • Mac:
  1. in the Finder select "Go" and "Connect to Server" or use the shortcut command-K and then use the address: vnc://localhost:59XX
  2. enter the hdops password when prompted by the Screen Sharing app
  3. (Note: if unable to start a VNC session through Safari then download a VNC client like RealVNC and connect to localhost:59XX)
  • Windows:
  1. from Windows menu select TightVNC Viewer
  2. in the Remote Host field enter: localhost::59XX (note the double colon)
  3. in the “Options” box verify the bottom checkbox “Request shared session” is selected
  4. click “Connect”
  5. enter the hdops password when prompted by TightVNC

Two-Factor Authentication Notes

Access to the Hall online systems requires the use of two-factor authentication (2FA). Prior to the run period an attempt was made to enable two-factor authentication for most potential remote users through the MobilePASS system. For information about the two-factor authentication system at JLab please refer to the computer center KnowledgeBase article (JLab login required to view).

  • if you want to test your 2FA capability, then try to ssh to hallgw.jlab.org -- remember that the password is your PIN (set up at token registration) followed by the one-time passcode generated by the app, with no space in between
  • if you are authorized to have 2FA but are unable to log in, contact the help desk at (757) 269-7155 during business hours and they can reissue the token immediately
  • if you are not currently authorized to have 2FA (e.g., a new collaborator as of late summer 2021) initiate an incident ticket with the helpdesk and cc your JLab sponsor and/or Mark Ito on the request -- note that such a request may take a few days to process