We now have proper Windows support in our HPC environment. Hooray? It is through pretty novel means, meant to make it as secure as possible while being easy to maintain for Linux systems administrators.
Long story short, a Windows VM is launched through Open OnDemand and starts inside a network namespace. The network namespace is created by spank_iso_netns (see below), a SPANK plugin I wrote. The user's files are made available inside the Windows VM.
7lbd, developed by Dean Anderson, uses elements of Apache Guacamole to provide an HTML5 interface in Open OnDemand to connect to RDP on the VM. There are several components involved in this process. Rather than rehash the 7lbd documentation, I will refer you to its wiki page. Just know that there is a lot of security that goes into this; Windows RDP is not just sitting around listening for connections from outside the namespace.
Here is a summary of the features of 7lbd, copied from the wiki page:
- Run Windows 11 VMs on cluster nodes and make interactive sessions available through Open OnDemand.
- Utilizes 3 different methods to deliver a desktop: web-based RDP for speed and convenience, web-based VNC console access intended for systems administrators, and direct RDP access through standard RDP clients via a custom-built spank_oodproxy for maximum performance and utility.
- The Windows VM, desktop visualization processes, and the integrated Samba server all run in a network namespace, limiting job network traffic to job processes only.
- At the core of 7lbd is the concept of running Microsoft Windows in a highly isolated environment using the spank_iso_netns plugin. Due to the architecture of 7lbd, Windows VMs have no access to the Internet or to any other network resources. There are some exceptions.
- User files on the host node are available through an integrated Samba server.
- Uses a read-only VM with a temporary overlay file so any changes to a VM are not persistent.
- Authentication to the application is handled like most other Open OnDemand applications, through randomly assigned temporary passwords.
spank_iso_netns
spank_iso_netns.c is a SPANK plugin that provides network namespace isolation for Slurm jobs. This plugin creates a separate network namespace for a job, enabling isolated network environments with custom configurations while maintaining controlled communication channels with the outside world.
This completely isolates the Windows VM such that the user who launched the batch job can't even talk to the processes inside the batch job, even from within the same node. The only way to talk into the VM is through approved "connectors" like the guacd (Guacamole) connector, which uses an inherited file descriptor to provide specific connectivity into the VM.
By default, no outbound network access is allowed whatsoever.
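The isolation model described above, as an added example that is not code from spank_iso_netns or 7lbd: a child process enters a fresh network namespace with unshare(2), so it sees only loopback, while a socketpair opened before the unshare (standing in for the inherited-fd connector) still carries data in and out. It assumes a Linux host; without CAP_SYS_ADMIN it falls back to an unprivileged user+network namespace and records whether either worked.

```c
#define _GNU_SOURCE                       /* unshare(2), CLONE_* */
#include <net/if.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
/* What the child reports back over the inherited connector socket. */
struct report { int unshared; int nonloopback; char echo[16]; };
/* Count interfaces other than "lo" visible in the caller's network namespace. */
int count_nonloopback_ifaces(void) {
    struct if_nameindex *list = if_nameindex(), *p; int n = 0;
    if (!list) return -1;
    for (p = list; p->if_index != 0; p++)
        if (strcmp(p->if_name, "lo") != 0) n++;
    if_freenameindex(list);
    return n;
}
/* Fork a child into a fresh network namespace and collect its report over a
 * socketpair opened *before* unshare(): like an inherited-fd connector, the
 * socket keeps working inside the otherwise empty namespace. -1 on failure. */
int probe_isolated(struct report *out) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) {
        struct report r = {0};
        close(sv[0]);
        /* CLONE_NEWNET needs CAP_SYS_ADMIN; a user namespace is the unprivileged
         * fallback, and policy may block both, so record whether it worked. */
        r.unshared = unshare(CLONE_NEWNET) == 0 ||
                     unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0;
        r.nonloopback = count_nonloopback_ifaces();
        if (read(sv[1], r.echo, sizeof r.echo - 1) <= 0) _exit(1);
        _exit(write(sv[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
    }
    close(sv[1]);
    if (write(sv[0], "ping", 5) != 5) return -1;
    ssize_t n = read(sv[0], out, sizeof *out);
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}
int main(void) {
    struct report r;
    if (probe_isolated(&r) != 0) return 1;
    printf("unshared=%d non-loopback=%d echo=%s\n", r.unshared, r.nonloopback, r.echo);
    return 0;
}
```

When the unshare succeeds the child counts zero non-loopback interfaces, yet the "ping" still round-trips over the pre-opened socket; that pairing is the whole point of an inherited-fd connector.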
This plugin can be used for more purposes than just providing Windows connectivity. I'm aware of a children's hospital testing (and using?) it for other isolation purposes.
Conclusion
It works. It works well. Others have successfully run it. This effectively turns Windows into "just another application". You don't need AD or any other Windows infrastructure. You can use any version of Windows, even desktop versions, that you have licensed. Windows is now easy for HPC/Linux people.
Look at the 7lbd wiki for details.
They said it couldn't be done, but pigs are flying...