Difference between revisions of "Cool Solution - Guacamole"
From Univention Wiki
Revision as of 14:01, 3 May 2017
Note: Cool Solutions are articles documenting additional functionality based on Univention products.
Not all of the steps shown in this article are covered by Univention Support. Contact your contact person at Univention about your support coverage before implementing any of them.
Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC and RDP.
The version of Guacamole used in this article is Guacamole 0.9.12-incubating.
Installation
To successfully deploy and start Guacamole, three images must be downloaded via Docker:
- guacd
- guacamole
- mysql
At the moment, the Guacamole Docker images can only be started when a database is provided.
Hint: PostgreSQL can be used instead of MySQL; in that case the postgres image must be downloaded. Refer to the Docker documentation and the Guacamole manual for downloading and configuring PostgreSQL. This article uses the MySQL connection.
In this article the following Docker containers are used:
MySQL
Download and deploy the MySQL image:
docker run --name mysql -e MYSQL_ROOT_PASSWORD=<MYSQL_PASSWORD> -d mysql:5.7.7
Hint: Change <MYSQL_PASSWORD> to a password of your choice. A password passed on the command line ends up in the shell history and, via docker inspect, is readable in the container's environment, so use one that is not used anywhere else.
This downloads and deploys the MySQL image and starts a container named "mysql". When the command finishes, the 64-character ID of the new container is printed. The following steps refer to the container by its name, so the ID only needs to be noted if you prefer to use it instead of the name.
guacd
Download and deploy the guacd image:
docker run --name guacd -d mjumper/guacd
This provides the guacd daemon that handles all Guacamole connections. Nothing further needs to be done with this container.
Creating the Guacamole database
First, run the following command to create the tables for the database:
docker run --rm mjumper/guacamole /opt/guacamole/bin/initdb.sh --mysql > initdb.sql
Hint: This command also downloads the Guacamole image, but does not start Guacamole. It is a one-time command and must not contain a --restart parameter.
Next, copy the local file initdb.sql into the MySQL Docker container (the container name mysql from above is used here; the container ID works as well):
docker cp initdb.sql mysql:/root
Next, connect to the MySQL container to create the Guacamole database, user and tables:
docker exec -it mysql bash
This will provide a bash inside the MySQL container.
Next, connect to MySQL to create the database and user for Guacamole. The first line is typed into the container's shell, the remaining ones at the mysql> prompt:
mysql -uroot -p<MYSQL_PASSWORD>
CREATE DATABASE guacamole_db;
CREATE USER 'guacamole_user'@'%' IDENTIFIED BY '<GUACAMOLE_PASSWORD>';
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'%';
FLUSH PRIVILEGES;
quit
Hint: Change <GUACAMOLE_PASSWORD> to the actual password for the Guacamole database user. If -p is given without the password, the mysql client prompts for it instead of recording it in the shell history. The grant is deliberately limited to the four data-manipulation privileges; Guacamole needs no DDL or administrative rights on the database at runtime.
Next, create the database structure needed by Guacamole:
mysql -uroot -p<MYSQL_PASSWORD> guacamole_db < /root/initdb.sql
Leave the container with:
exit
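The same database setup as one non-interactive script, added here as an example (it is not part of the original article or of the Guacamole project). It assumes the container name mysql and the initdb.sql file from the steps above, and reads the two passwords from the environment variables MYSQL_ROOT_PASSWORD and GUACAMOLE_DB_PASSWORD (names chosen for this example) so that neither appears in the shell history:

```shell
#!/bin/sh
# Added example, not from the Univention article: create the Guacamole database,
# a least-privilege user and the schema in one non-interactive step.
# Assumes the MySQL container is named "mysql" and that initdb.sql was generated
# with the initdb.sh command from the article. Passwords are taken from the
# environment (MYSQL_ROOT_PASSWORD, GUACAMOLE_DB_PASSWORD) instead of the
# command line, so they do not end up in the shell history.
set -eu

# SQL for database, user and grants. Only the password is substituted; quotes
# and backslashes in it are escaped so the generated statement stays well-formed
# (MySQL string literals treat both as special). IF NOT EXISTS makes the script
# safe to re-run (supported since MySQL 5.7.6, so fine for the 5.7.7 image).
guac_db_sql() {
    pw=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")
    cat <<EOF
CREATE DATABASE IF NOT EXISTS guacamole_db;
CREATE USER IF NOT EXISTS 'guacamole_user'@'%' IDENTIFIED BY '$pw';
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'%';
FLUSH PRIVILEGES;
EOF
}

# Feed SQL from stdin to the mysql client inside the container. MYSQL_CLIENT
# can point at a different client command (e.g. a local mysql binary).
guac_db_run() {
    if [ -n "${MYSQL_CLIENT:-}" ]; then
        $MYSQL_CLIENT "$@"
    else
        docker exec -i mysql mysql -uroot -p"$MYSQL_ROOT_PASSWORD" "$@"
    fi
}

# Database and user first, then the schema from initdb.sql into guacamole_db.
guac_db_init() {
    guac_db_sql "$GUACAMOLE_DB_PASSWORD" | guac_db_run
    guac_db_run guacamole_db < initdb.sql
}

# Only apply when asked to, so the file can also be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then guac_db_init; fi
```

Run it from the directory containing initdb.sql as MYSQL_ROOT_PASSWORD=rootpw GUACAMOLE_DB_PASSWORD=guacpw sh guac-db-init.sh --apply. The password still reaches the mysql client in the container as an argument, where the client masks it in the process list shortly after start; the host's shell history only records the variable names.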
guacamole
Since the Guacamole image is already downloaded, deploy Guacamole itself. The image comes with an Apache Tomcat 8 server:
docker run --name guacamole --link guacd:guacd --link mysql:mysql \
    -e MYSQL_DATABASE=guacamole_db \
    -e MYSQL_USER=guacamole_user \
    -e MYSQL_PASSWORD=<GUACAMOLE_PASSWORD> \
    -d -p 8181:8080 mjumper/guacamole
With the parameter -p 8181:8080, the Tomcat port 8080 inside the container is mapped to port 8181 on the host. This avoids conflicts with other software that also uses port 8080, such as Zarafa.
Note: -p 8181:8080 publishes the port on all interfaces of the host. If Guacamole is only to be reached through the Apache proxy configured below, use -p 127.0.0.1:8181:8080 instead, so that clients cannot bypass Apache (and the TLS it terminates) by connecting to port 8181 directly. The database password passed with -e is visible to anyone who can run docker inspect on the host.
Configuration
Automatically start Docker container
If the container should start automatically, e.g. after a server reboot, add the following parameter to the docker run command:
--restart=always
Apache
To provide Guacamole via Apache, add the following site as a new file guacamole.conf to your Apache installation in /etc/apache2/sites-available:
<Location /guacamole>
    Require all granted
    ProxyPass http://localhost:8181/guacamole max=20 flushpackets=on
    ProxyPassReverse http://localhost:8181/guacamole
</Location>
Note: ProxyPass needs the Apache modules proxy and proxy_http; apache2ctl -M | grep proxy shows whether they are loaded, and a2enmod proxy proxy_http enables them. Without the proxy_wstunnel module, WebSocket connections are not passed through this proxy and Guacamole falls back to its HTTP tunnel, which works but is less efficient.
Next, enable the new site and reload the Apache web server (apache2ctl configtest checks the configuration first):
a2ensite guacamole
systemctl reload apache2.service
Guacamole can also be accessed directly via Tomcat; refer to the Tomcat manual for accessing deployed applications.
UCS overview
To add a link to Guacamole as a web service on the UCS start site, the UCR variables ucs/web/overview/entries/service/guacamole/* must be set:
ucr set \
    ucs/web/overview/entries/service/guacamole/description/de="Guacamole für Remote-Zugriff per RDP oder VNC." \
    ucs/web/overview/entries/service/guacamole/description/fr="Guacamole pour l'accès distant via RDP ou VNC." \
    ucs/web/overview/entries/service/guacamole/description="Guacamole for accessing remote systems via RDP or VNC." \
    ucs/web/overview/entries/service/guacamole/icon="/guacamole/images/logo-64.png" \
    ucs/web/overview/entries/service/guacamole/label/de="Guacamole" \
    ucs/web/overview/entries/service/guacamole/label/fr="Guacamole" \
    ucs/web/overview/entries/service/guacamole/label="Guacamole" \
    ucs/web/overview/entries/service/guacamole/link="/guacamole"
Note: On a UCS 4.2 system, setting these UCR variables also creates a Portal entry automatically.
The configuration above assumes that Guacamole is published via Apache under /guacamole as described above; otherwise the UCR variable ucs/web/overview/entries/service/guacamole/link must be changed accordingly.
After that, you can access your Guacamole installation via http://FQDN-of-your-UCS/guacamole or via the overview site http://FQDN-of-your-UCS/ucs-overview.
Note: The default administration user is guacadmin with the password guacadmin. Until it is changed, anyone who can reach the URL can log in as administrator, so change the password right after the first login: open the top-right drop-down menu and go to Settings → Preferences.
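Two checks worth running once the deployment is reachable, as an added example that is not part of the article: that Tomcat's port is not published beyond the loopback interface, so the Apache proxy cannot be bypassed, and that the default guacadmin password has been changed, tested through Guacamole's REST API rather than by hand. The container name guacamole and port 8181 are taken from the docker run command above; GUAC_URL is an environment variable introduced for this example.

```shell
#!/bin/sh
# Added post-deployment check, not from the Univention article. Assumes the
# container name "guacamole" and the host port 8181 from the docker run command
# in the article; GUAC_URL overrides the URL used for the login check (default:
# the container port on localhost, which is what the Apache proxy talks to).
set -eu

# Read "docker port guacamole" output on stdin (one "8080/tcp -> ADDR:PORT"
# line per binding) and return 0 only if every binding is on a loopback
# address, i.e. the Tomcat port cannot be reached from other hosts directly.
bindings_loopback_only() {
    awk -F' -> ' '
        NF == 2 {
            addr = $2
            sub(/:[0-9]+$/, "", addr)            # strip the host port
            if (addr !~ /^127\./ && addr != "[::1]") bad++
        }
        END { exit (bad > 0) }'
}

# Return 0 if the REST API still accepts guacadmin/guacadmin. This is the same
# POST /api/tokens request the web client sends on login: 200 means the
# credentials were accepted, 403 means they were rejected.
default_admin_password_accepted() {
    url="${GUAC_URL:-http://localhost:8181/guacamole}"
    code=$(curl -s -o /dev/null -w '%{http_code}' \
        --data-urlencode 'username=guacadmin' \
        --data-urlencode 'password=guacadmin' \
        "$url/api/tokens")
    [ "$code" = "200" ]
}

main() {
    rc=0
    bindings=$(docker port guacamole)
    if printf '%s\n' "$bindings" | bindings_loopback_only; then
        echo "ok:   port 8080 is published on loopback only"
    else
        echo "WARN: port 8080 is published on a non-loopback address, Apache can be bypassed:"
        echo "$bindings"
        rc=1
    fi
    if default_admin_password_accepted; then
        echo "WARN: guacadmin still has the default password"
        rc=1
    else
        echo "ok:   default guacadmin password is rejected"
    fi
    return $rc
}

# Only run the checks when asked to, so the file can be sourced for its functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

With the article's -p 8181:8080 the first check warns, since Docker then binds 0.0.0.0:8181; it passes after the container is recreated with -p 127.0.0.1:8181:8080. A successful login in the second check creates a session token like any other login, so it shows up in Guacamole's active sessions.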
Accessing the container
The container can be accessed by starting a shell inside it:
docker exec -it guacamole bash
To edit files inside the container, install an editor of your choice, e.g. vim:
apt update
apt install vim
Note: Changes made this way live in the container's writable layer. They survive docker restart, but are lost when the container is removed and created again (e.g. with docker run after an image update), so keep a copy of every file you edit.
User authentication
Installing the "No auth" plugin
To use Guacamole without a user login, download the "No auth" plugin from the Guacamole release downloads (file name: guacamole-auth-noauth-<VERSION>-incubating.tar.gz) and place it inside the mysql or postgres folder in /opt/guacamole in the Guacamole container, removing any other auth plugin in that folder. For accessing the container, see Accessing the container.
Hint: Depending on how you initially configured the Guacamole container, choose either mysql or postgres.
Note: Download the <VERSION> matching your Guacamole version.
Note: With this plugin, anyone who can reach the Guacamole URL gets the connections listed in noauth.xml without authenticating to Guacamole. Use it only where access to the URL itself is restricted and the target systems enforce their own login.
Next, add a line near the end of the /opt/guacamole/bin/start.sh script to enable the plugin:
Before:
[...]
#
# Finally start Guacamole (under Tomcat)
#
start_guacamole
After:
[...]
#
# Finally start Guacamole (under Tomcat)
#
echo "noauth-config: /opt/guacamole/noauth.xml" >> $GUACAMOLE_HOME/guacamole.properties
start_guacamole
Save the file and restart the docker container:
docker restart guacamole
It can take up to five minutes until Tomcat is started and Guacamole deployed.
Example configuration
An example for the noauth-plugin against a UCC terminal server using RDP:
<configs>
    <config name="UCC session" protocol="rdp">
        <param name="hostname" value="ucc-ts" />
        <param name="port" value="3389" />
    </config>
</configs>
The configuration must be saved in the file /opt/guacamole/noauth.xml inside the Guacamole container.
Using LDAP authentication
Edit the start script /opt/guacamole/bin/start.sh inside the docker container and add the following block at the end of the file, just before the start_guacamole command:
echo "ldap-hostname: <IP or FQDN of the LDAP server>" >> $GUACAMOLE_HOME/guacamole.properties
echo "ldap-port: 7389" >> $GUACAMOLE_HOME/guacamole.properties
echo "ldap-search-bind-dn: <DN of LDAP search user>" >> $GUACAMOLE_HOME/guacamole.properties
echo "ldap-search-bind-password: <Password of LDAP search user>" >> $GUACAMOLE_HOME/guacamole.properties
echo "ldap-user-base-dn: cn=users,<LDAP base>" >> $GUACAMOLE_HOME/guacamole.properties
echo "ldap-username-attribute: uid" >> $GUACAMOLE_HOME/guacamole.properties
ln -s /opt/guacamole/ldap/guacamole-auth-ldap-*-incubating.jar $GUACAMOLE_HOME/extensions
Note: To get the LDAP base, run ucr get ldap/base on the command line. Port 7389 is the port of the UCS OpenLDAP server.
Note: The block sets no ldap-encryption-method, so the search user's password and the passwords of users logging in are sent unencrypted between the container and the LDAP server. If the LDAP server is not on the Docker host, add ldap-encryption-method: starttls (port 7389) or ldap-encryption-method: ssl (port 7636) in the same way; the Java runtime in the container then has to trust the UCS CA certificate. The search bind password is stored in clear text in start.sh and guacamole.properties inside the container, so use a dedicated search user with read-only access (see Creating an LDAP search user below) rather than an administrative account.
The docker container must be restarted for the LDAP authentication to be effective:
docker restart guacamole
Next, log in as guacadmin and add one user via the administration panel. Give this user at least the right to create new users and, optionally, the rights to create connections and edit users. The user name must match the LDAP user name (the uid); the password fields can be left blank, since the password is checked against the LDAP. Log out and log in as the newly created user with the LDAP password. Every user below ldap-user-base-dn can now log in to Guacamole with the LDAP password, but only sees connections once a Guacamole user of the same name exists and has been granted access to them; the administrative user created above is the one who creates those accounts. If only users that exist in the Guacamole database should be able to log in at all, the JDBC extension's mysql-user-required property (see the Guacamole manual) can be set in guacamole.properties in the same way as the LDAP properties above.
Next, create the needed connections as described in the documentation, using the guacadmin user or the administrative user from above.
After creating a connection, users must be granted access to it: edit the user in Guacamole and assign the connection to the user account. See the documentation for details.
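Before restarting the container with the LDAP block above, the values can be verified from the UCS host with ldapsearch, which repeats the two binds Guacamole performs (the search bind, then a bind as the user found). This is an added example, not part of the article; LDAP_BIND_DN, LDAP_BIND_PW and LDAP_STARTTLS are environment variables introduced for it, and the UCR variables ldap/server/name and ldap/server/port are assumed to hold the LDAP server's host name and port.

```shell
#!/bin/sh
# Added pre-flight check, not from the Univention article: before the container
# is restarted with the LDAP settings, repeat from the UCS host the LDAP
# operations Guacamole will perform, so a wrong bind DN, password or base DN is
# caught here rather than in the Tomcat log. Assumes ldapsearch (ldap-utils) on
# the UCS host and the UCR variables ldap/base, ldap/server/name and
# ldap/server/port. The search user's credentials come from LDAP_BIND_DN and
# LDAP_BIND_PW in the environment; the user name to test is the only argument.
set -eu

# Escape a value for use inside an LDAP search filter (RFC 4515), so that a
# user name containing \ * ( or ) cannot change the meaning of "(uid=...)".
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The filter Guacamole builds from ldap-username-attribute: uid.
ldap_user_filter() {
    printf '(uid=%s)' "$(ldap_filter_escape "$1")"
}

ldap_preflight() {
    user=$1
    base=$(ucr get ldap/base)
    uri="ldap://$(ucr get ldap/server/name):$(ucr get ldap/server/port)"
    user_base="cn=users,$base"                  # the ldap-user-base-dn above
    # StartTLS (-ZZ) is what ldap-encryption-method: starttls would use; set
    # LDAP_STARTTLS to an empty string to test the unencrypted setup instead.
    tls=${LDAP_STARTTLS--ZZ}

    # 1. The search user can bind and sees the user base DN.
    ldapsearch -x $tls -H "$uri" -D "$LDAP_BIND_DN" -w "$LDAP_BIND_PW" \
        -b "$user_base" -s base dn >/dev/null
    echo "search bind as $LDAP_BIND_DN ok"

    # 2. The filter Guacamole will use finds the user, and exactly once.
    dn=$(ldapsearch -x $tls -LLL -H "$uri" -D "$LDAP_BIND_DN" -w "$LDAP_BIND_PW" \
        -b "$user_base" -s sub "$(ldap_user_filter "$user")" dn | sed -n 's/^dn: //p')
    if [ "$(printf '%s\n' "$dn" | grep -c .)" -ne 1 ]; then
        echo "expected exactly one entry for uid=$user below $user_base, got: $dn" >&2
        return 1
    fi
    echo "found $dn"

    # 3. The user can bind with their own password (Guacamole's second bind);
    #    -W prompts for it so it is not passed on the command line.
    ldapsearch -x $tls -H "$uri" -D "$dn" -W -b "$dn" -s base dn >/dev/null
    echo "user bind as $dn ok"
}

if [ "$#" -eq 1 ]; then ldap_preflight "$1"; fi
```

Run it as LDAP_BIND_DN='uid=guacamole-search,cn=users,...' LDAP_BIND_PW=secret sh ldap-preflight.sh jdoe; it prompts once for jdoe's password. If step 1 fails only with -ZZ, the host's ldap.conf does not trust the LDAP server's certificate, which is the same problem the container will have once ldap-encryption-method is set.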
Further information
- More information about configuration can be obtained from the Guacamole manual.
- Creating an LDAP search user
Archive
There is a version of this article for UCS 4.1.