User Tools

Site Tools


doc:installation:x2gobroker

Installing X2Go Session Broker

The X2Go Session Broker falls into three components.

  • X2Go Session Broker Daemon/WSGI
  • X2Go Session Broker Authentication Service
  • X2Go Session Broker Agent

X2Go Session Broker can either be installed as a standalone Daemon, or it can be integrated into Apache2 (or other httpd) using 'mod_wsgi'.

X2Go Session Broker Daemon

Package name: 'x2gobroker-daemon'

On Debian based systems:

$ sudo apt-get install x2gobroker-daemon

The standalone daemon setup works out of the box, but can only bind to IP ports greater than 1024. However, for security, the X2Go Session Broker standalone daemon only binds to the IPv4 localhost device.

Check /etc/defaults/x2gobroker-daemon for modifying the daemon's bind address.

X2Go Session Broker WSGI

Package name: 'x2gobroker-wsgi'

On Debian based systems:

$ sudo apt-get install x2gobroker-wsgi

For production deployments, the WSGI based setup is probably preferrable. With Apache2+WSGI you can provide VirtualHost setups with many different broker configurations on the same machine. You can also use the Apache2-way of setting up SSL support.

With the Apache2+WSGI setup you can integrate the X2Go Session Broker functionality into a complex X2Go Broker site (e.g. with a session configuration WebUI).

In the source code of X2Go Session Broker we provide two example configurations for Apache2+X2GoBroker:

X2Go Session Broker Authentication Service

Package name: 'x2gobroker-authservice'

On Debian based systems:

$ sudo apt-get install x2gobroker-authservice

The X2Go Session Broker Authentication Service normally gets installed on the machine that also has x2gobroker-daemon or x2gobroker-wsgi installed. The broker code itself runs as system user x2gobroker whereas the authentication service has to run as root. By security design, the functionality of the broker that requires root privileges has been separated from the rest of the broker.

The X2Go Session Broker Authentication Service requires root privileges for a few PAM based authentication backends. The default installation authenticates against PAM, on default Linux systems, PAM authentication (pam_unix.so) requires root privileges by the authentication process.

With other PAM setups (e.g. pam_ldap.so) root privileges are not required and it is ok to not install x2gobroker-authservice.

Furthermore, X2Go Session Broker can be extended by other (non-PAM) authentication methods. The currently available authentication mechanisms in X2Go Session Broker are listed here.

X2Go Session Broker Agent

Package name: 'x2gobroker-agent'

On Debian based systems:

$ sudo apt-get install x2gobroker-agent

Installing X2Go Session Broker Agent is optional. The broker agent has to be installed on machines that are in the roll of an X2Go Server (i.e. in the role of a terminal server running X2Go).

The X2GO Session Broker Agent is a requirement for load balancing setups and is also needed if X2Go Client shall be aware of already running X2Go Sessions. X2Go Client in non-broker mode resumes a suspended session (if exactly there is one) automatically. Other than that, X2Go Client in broker mode waits for resuming instructions from the session broker. The session broker, however, requires feedback from the broker agent to notice that there is a suspended/running session for a certain user.

Thus, the broker agent is like a man-in-the-middle. It sits between X2Go Session Broker and the X2Go Server(s) that the session broker provides. Through the X2Go Session Broker Agent the broker core can obtain information on provided X2Go Servers for all users on that server host.

The currently available functions of the broker agent are:

  • list user sessions of any user
  • deploy SSH public keys on behalf of any user
  • drop SSH public keys on behalf of any user
  • render an ordered list of X2Go Servers and their usage (by number of running/suspended sessions), only needed in load balancing setups
  • suspend sessions on behalf of any user
  • render a list of used X2Go Servers
  • (more to come…)

Note: The X2Go Session Broker Agent gets installed setuid root (group: x2gobroker system group, permissions: 0750). System administrators should be aware of this. If someone hacks the x2gobroker user account on one of your X2Go Servers, this hacker can then execute certain X2Go related commands with root privileges on the X2Go Server system.

X2Go Session Broker: Backends and Frontends

The design of X2Go Session Broker as provided in X2Go Git is highly modular. The X2Go Session Broker Daemon can be easily extended with broker backends and WebUI frontends.

Broker Backends

The backends deal with the storage of, the rendering of and possibly the user/group/client based filtering of session profiles which then get provided via X2Go Session Broker to the querying X2Go client application.

Broker WebUI Frontends

The WebUI frontends deal with delivering the list of session profiles (available for this user/group/client address) to the X2Go client application (X2Go Client: text/plain WebUI, Unity Greeter: UCCS WebUI).

Currently available broker backends

  • ZeroConf backend (name: zeroconf), set up by default, allows one to test the broker and see that client ↔ broker configuration basically works
  • INI File backend (name: inifile), text file (INI format) based configuration of the X2Go Session Broker backend

Other broker backends (written in Python) can be added easily if needed. Contact the X2Go developers for further information on custom broker backend development.

Currently available WebUI frontends

  • The 'plain' WebUI frontend: usable with X2Go Client
  • The 'uccs' WebUI frontend: usable with Unity Greeter (experimental)

Setting up Config Files

Configuration of X2Go Session Broker

For a basic configuration with the INI file backend and the standalone daemon (recommended for beginners) you only need to touch. Click on the config file names below to retrieve more info on how to modify/tweak those individual files.

The X2Go Session Broker uses several more configuration files. Below is a complete list (for version 0.0.2.x, if not applicable to later versions anymore, please update the below lists). The files are linked to their initial layout (in X2Go Git) to show what they look like directly after installation of the session broker packages.

X2Go Session Broker's Core: /etc/default/python-x2gobroker (enviroment variables, used to set defaults in Python X2Go Session Broker with impact on the daemon and the authentication service), /etc/x2go/x2gobroker.conf (main configuration file), /etc/x2go/broker/x2gobroker-sessionprofiles.conf (configuration file for the INI file backend), /etc/pam.d/x2gobroker (PAM configuration for X2Go Session Broker Authservice), /etc/x2go/broker/x2gobroker-loggers.conf (don't touch!)

X2Go Session Broker Daemon: /etc/default/x2gobroker-daemon (enviroment variables, used to set defaults in Python X2Go Session Broker with impact on the daemon only), /etc/logrotate.d/x2gobroker-daemon (rotate broker logfiles)

X2Go Session Broker WSGI: /etc/x2go/x2gobroker-wsgi.apache.conf (global implementation, enabled by default) /etc/x2go/x2gobroker-wsgi.apache.vhost (VirtualHost example for the WSGI implementation of X2Go Session Broker) /etc/logrotate.d/x2gobroker-wsgi (rotate WSGI logfile)

Configuration of X2Go Session Broker Authentication Service

The authentication service normally does not need any configuration, unless you strongly deviated from the default setup.

X2Go Session Broker Authentication Service: /etc/default/x2gobroker-authservice (enviroment variables, used to set defaults in Python X2Go Session Broker with impact on the authentication service only), /etc/x2go/broker/x2gobroker-authservice-logger.conf (don't touch) /etc/logrotate.d/x2gobroker-authservice (rotate the authentication service's logfile)

Testing Your X2Go Session Broker Setup

Enabling Debug Mode

If you want to check the broker funtionality with your web browser, please make sure you have enabled the debug mode of the broker. Make sure that before launching the 'x2gobroker' executable the environment variable X2GOBROKER_DEBUG is set to 1.

On Debian based systems, this can be done in /etc/defaults/x2gobroker-daemon or the Apache2-WSGI configuration of X2Go Session Broker in /etc/x2go/x2gobroker-wsgi.apache.*. Make sure to restart the corresponding service (x2gobroker-daemon resp. apache2) after you have changed either of those config files:

For x2gobroker-daemon

$ invoke-rc.d x2gobroker-daemon restart

For Apache2/WSGI/X2Go Session Broker setup…

$ invoke-rc.d apache2 restart

Testing X2Go Session Broker with a Browser

The different backends and frontends can be accessed with this URL pattern:

http(s)://<broker-base-url>/<frontend>/<backend>

Where…

Example: http://localhost:8080/plain/zeroconf

doc/installation/x2gobroker.txt · Last modified: 2023/03/27 15:22 by gratuxri