Gunvor
End-user details
Gunvor is the new server for SRC. It's a 2017 Dell PowerEdge R430.
Hostname: gunvor.stockholmresilience.su.se (130.237.187.30)
SSH port: 222
Accessing Gunvor
Gunvor is primarily accessed via SSH. Ask Ingo or Emma to add a user for you. You will need to provide a public key to log in to your account. If you need help with generating such a key, please take a look at this tutorial from DigitalOcean.
Once you've created such a key and have had it added to your account, you can use it to log in to Gunvor. This procedure varies depending on the operating system you use.
Logging in from MacOS X or Linux
The easiest way to log in to Gunvor from MacOS X or Linux is to open a terminal and use the ssh command:
ssh -p 222 USERNAME@gunvor.stockholmresilience.su.se
You will of course have to replace USERNAME with your username on Gunvor (you were given this when you received your account).
The above code will automatically grab your default SSH key, and use that to log you in to Gunvor. You can log out again by entering the command exit, or pressing Ctrl+D. All commands you enter before exit/Ctrl+D will be executed on Gunvor, as opposed to your local machine.
If you also want to have access to the R Studio Server running on Gunvor, you will need to open a local tunnel. This is easily done by adding a command line parameter to the command:
ssh -p 222 -L 8787:localhost:8787 USERNAME@gunvor.stockholmresilience.su.se
This will log you in to Gunvor as above, but with an added, encrypted, tunnel between your computer's port 8787 and Gunvor's port 8787. While you're connected to Gunvor, you will be able to use R Studio Server by pointing your web browser to http://localhost:8787.
Logging in from Windows
For Windows the easiest way to access Gunvor is to use the program PuTTY. If you wish, you can also use MobaXterm as an alternative. However, this tutorial is based around PuTTY.
When starting PuTTY, you will see this screen:
In the field marked Host Name (or IP address), enter gunvor.stockholmresilience.su.se, and in the field marked Port, enter 222. You should then see this:
You will also need to provide an key for the session. This is done by clicking Connection in the tree list to the left, and then selecting the SSH option. Under SSH there's an option called Auth. Click that, and then the Browse... button next to the text box labeled Private key file for authentication. Use the file browser to select your private key (usually ends with .ppk). You should then see something akin to this:
Once done, click the Session text in the tree view to the left. If you want to save this session (and not have to do this setup again) please fill out a name in the textbox marked Saved Sessions and click the Save button. You should then see something similar to this:
Once this is done, click the Open button at the bottom of the window. If you saved your session, you can double-click it in the list of sessions to connect.
If you also want to use R Studio Server, you will need to add a tunnel. You can do this by navigating the tree menu on the left to Connections > SSH > Tunnels. Fill out the information like the picture below, and click the Add button:
Afterwards, you can of course go back to the main page and save your session as before. You can now in to Gunvor as above, but with an added, encrypted, tunnel between your computer's port 8787 and Gunvor's port 8787. While you're connected to Gunvor, you will be able to use R Studio Server by pointing your web browser to http://localhost:8787.
Uploading and downloading files to and from Gunvor
In some cases, you may wish to upload or download files to or from Gunvor. For these purposes we recommend using FileZilla, a free and open-source FTP client that's available for MacOS X, Linux, and Windows.
When you have started FileZilla, click the File menu and select Site Manager.... This will open up a window where you can add sites to your library. Click the New Site button, and enter a name for you site ("Gunvor", perhaps?). In the Host field, enter gunvor.stockholmresilience.su.se and in the Port field enter 222. For Protocol select SFTP. For Logon Type select Key File. Now enter your user name in the User field, and use the Browse... button to located you private key file (.pki). Once done, things should look similar to this:
If everything seems to be in order, click the Connect button to connect to Gunvor. FileZilla will automatically save the settings for the site. You should now see the contents of your home directory on Gunvor on the right side, and a local folder on the left side. This works like a normal file transfer client, but if you find this difficult to use you can right-click on most files to see what actions you can perform on them.
Running simulations on Gunvor
Gunvor currently has tutorials for NetLogo and R. As mentioned elsewhere, Gunvor also has R Studio Server installed if you want to work in a web GUI. It's accessible on port 8787, but requires an SSH tunnel (see Accessing Gunvor above).
You can also use various other programming languages (Python 3, Java, Julia, C/C++, Perl, Bash) but you'll be working without tutorials. All configurations are based on the Ubuntu standard, however.
The Jupyter Notebook package is installed for Python and R, but you will need to set up your own SSH tunnel to the correct port in order to access the notebook. For MacOS X/Linux this involves changing the -L argument to the ssh command , and for Windows it means adding another tunnel in PuTTY (details see Jupyter Notebooks)
The system Python installation also has Mesa, along with Matplotlib, numpy, and various other scientific compute libraries installed.
Running netlogo experiments headless
- copy netlogo file to gunvor
- scp \path-to-modelfile\modelfile.netlogo gunvor:~/Data/
- log into gunvor
- ssh gunvor (if config file exists)
- start tmux session
- tmux
- start headless simulation
- netlogo-headless --model .Data/modelfile.netlogo --experiment "Name" --table output.csv
- detach tmux session
- ctrl b d
- check status of simulation
- htop -u maja
- q
- access tmux session
- tmux attach
- exit tmux session
- exit
Why all this security?
Two reasons:
University servers are prime targets for attack from the outside. We have good Internet, fast computers, and often lax security. They don't want our data as much as control over our machines, so that they can be used to various attacks against other targets.
Some of the software that we run (Jupyter Notebooks, R Studio Server) are extremely vulnerable to attacks and should not be exposed to the Internet. Because of their nature as remote coding software, they are essentially facilitators for what is called arbitrary code execution attacks. This is potentially devastating for the server's security, and because of that they've been locked down quite severely.
We have, however, figured out a way around it - one that requires that users open up an encrypted tunnel to the server to use it. These are described in the Accessing Gunvor section above.
Administrative details
Dell service tag: 5Q2Q7J2
Specs
- Dell PowerEdge R430 1U server
- 2 Intel Xeon E5-2650v4 processors
- 128GB RAM
- 800GB SSD storage in RAID1
- 8 SATA slots, 2 occupied by SSDs
- 1 full height and 1 half height PCI-E slot
Gunvor has 3 years of on-site next business day service (starting March 2017) so if anything fails just call Dell's support and provide the service tag (see above).
Software
Gunvor runs Ubuntu Server 16.04 LTS. It's configured to automatically perform security updates.
The core packages include:
- Python 3
- Mesa + deps
- Jupyter Notebooks + deps
- R (from CRAN)
- R Studio Server
NetLogo
NetLogo 6.0.1 64bit linux package is unzipped in /usr/share/netlogo, and the netlogo-headless shell script has been added to /usr/bin so that it's available in the global path. If you update the NetLogo install, you will have to update the reference to the NetLogo jar file in /usr/bin/netlogo-headless.
Admin rights
Since this is an Ubuntu system, all root access is done via sudo. Logging in as root directly is currently disabled.
People who need sudo access should be added to the sudo system group.
Networking
Gunvor gets it's IP address via DHCP. It's MAC locked to eno1 (18:66:da:91:0f:4f) and on the same network as Ursus. As of the time of setup (2017-03-29) Gunvor was connected to port 45 in the switch labeled KRA2A-PO-1. Gunvor also has 3 other networking ports, which are currently not in use.
iptables
The iptables config lives in /root/tables.sh. When run, it will set the rules and automatically save them to /etc/firewall.conf. As of setup time (2017-03-29) the iptables config was as follows:
iptables -P INPUT DROP iptables -A INPUT -i lo+ -j ACCEPT # Always accept everything from localhost iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Incoming, allow only what we initiate or related iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # Outgoing # Allow SSH iptables -A INPUT -p tcp --dport 222 -j ACCEPT # SSH
Note that this intentionally does not open port 8787. This is to prevent any leakage from the R Studio Server, which is supremely vulnerable to remote code execution attacks. In addition, there's a second layer of firewalling being done from the university's IT department. They've currently opened TCP ports 80 and 222 for us, but more can be opened by request via the ticket system.
Gunvor is also configured to save and restore the firewall whenever eno1 is brought up or down. See /etc/network/interfaces for specifics.
Adding new users
Adding new users is done with adduser, as is normal for Ubuntu systems. Additionally, you will need to add their public key to the user's ~/.ssh/authorized_keys. You will have to create the .ssh folder, the authorized_keys file, and chown them to the user and their group (sudo chown USER:USER .ssh/) and additionally restrict accessibility to the files within .ssh to readonly to the user (sudo chmod -R 700 .ssh/). Check status with ls -al .ssh'. Since security of DSA encryption has been breached .dsa encyrption key files are not longer accepted by SSH hosts. Make sure you use RSA keys (the default in ssh-keygen)





