HowTo Setup Guacamole: Difference between revisions
Revision as of 10:19, 4 October 2017
Overview
Apache's guacamole provides a "proxy" mechanism allowing users to make SSH, Telnet, VNC and RDP connections from the comfort of their web browser. For example:
- A Windows user can use IE to ssh into a NST system (no native software required).
- A Mac user can open up a Windows desktop using Chrome (probably Safari as well).
- A Chromebook user can click on links to open up Linux VNC desktops or shared Windows desktops.
Set Up
Setting up guacamole on a NST (or Fedora) based system is not difficult, but it is a non-trivial process and involves several supporting packages.
- You need to have a back-end guacamole server (guacd) that provides the native connections to the services (SSH, Telnet, VNC and RDP).
- You need to have a front-end guacamole server (guacamole) that provides the HTML 5 pages and Web Socket connections to web based clients.
- You need an authentication management system (database).
The installation directions found here are a concise version aimed at a NST (or Fedora) based system. Refer to the guacamole web site for full details and the most recent changes.
Set Up Overview
- Install docker.
- Create and start a docker machine to run the guacamole back-end.
- Create a docker machine to run the guacamole front-end.
- Create and initialize a PostgreSQL database for guacamole.
- Start the guacamole front-end.
- Log into guacamole and change the default administrative password.
The sections below provide the commands that can be run on an NST system.
Install Docker
Run the following commands as the root user to install, enable and start docker:
dnf install docker
systemctl enable docker
systemctl start docker
During this set up, everything is done as the root user. If you want to experiment with running docker as a non-root user, refer to the Getting started with Docker page at the Fedora developer wiki.
Set Variables
In order to provide some consistency as well as the ability to customize the examples shown here, we will define some variables for our examples.
# Name of docker container for the guacamole back-end (guacd)
declare guacBack="guac-back";
# Name of docker container for the guacamole front-end (guacamole web interface)
declare guacFront="guac-front";
# Database settings
declare DB="guacamole";
declare DB_HOST="255.255.255.255";
declare DB_USER="guacamole_user";
declare DB_PASS="YOUR_PWD";
# Location of pg_hba.conf: keep only the declaration that matches your system
# For Fedora
declare PG_HBA="/var/lib/pgsql/data/pg_hba.conf";
# For NST
declare PG_HBA="/var/nst/var/lib/pgsql/data/pg_hba.conf";
If you copy/paste the above into your terminal window, you should be able to up arrow and then adjust values you would like to change before proceeding with the rest of the installation steps. You MUST change DB_HOST to the IPv4 address of your system (you can use getipaddr --default-address on a NST system); the placeholder 255.255.255.255 is a broadcast address and will never work. You SHOULD change DB_PASS to a unique password, and keep in mind that everything typed at an interactive root shell ends up in root's shell history file.
Start guacamole Containers
Use the following commands to initialize your guacamole docker containers:
docker run --name ${guacBack} -d guacamole/guacd;
docker run --name ${guacFront} \
  --link ${guacBack}:guacd \
  -d -p 8080:8080 guacamole/guacamole;
docker image ls
docker container ls
Setup/Start Up PostgreSQL
Use the NST web interface to set up the PostgreSQL server by selecting Database | PostgreSQL | PostgreSQL Database Management. Adjust the following settings:
- Enable TCP/IP connections from 127.0.0.1/32.
- Change the administrative password to something you can remember.
- Optionally include the "-d" option under the "Additional PostgreSQL Setup Options" if you want to completely clear out all databases and start over fresh (WARNING THIS REMOVES ALL DATABASES).
Add and Initialize the guacamole Database
First, create the database for guacamole:
psql -U postgres -c "CREATE DATABASE ${DB}"
We can now run a command within a docker container to generate the necessary SQL to initialize the new database and apply it with the psql command:
docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres > initdb.sql
psql -U postgres ${DB} -f initdb.sql
Now create the guacamole database user and grant it the privileges it needs on the guacamole database. These grants only cover tables and sequences that already exist, which is why the schema was loaded first.
echo -e "CREATE USER ${DB_USER} WITH PASSWORD '${DB_PASS}';
GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA public TO ${DB_USER};
GRANT SELECT,USAGE ON ALL SEQUENCES IN SCHEMA public TO ${DB_USER};" | \
  psql -U postgres ${DB};
Now that the tables are set up, we need to allow our docker container access to the PostgreSQL server. This is done by adding a host entry to the appropriate pg_hba.conf file and then restarting the postgresql service. The following assumes that the docker container will have an IPv4 address somewhere in the 172.17.0.0/16 range, the default docker bridge network (you may need to adjust this if your container has a different address). The entry is limited to the guacamole database and user with password (md5) authentication, but note that it covers every container on that bridge, not just the guacamole front-end.
echo "host ${DB} ${DB_USER} 172.17.0.0/16 md5" >> ${PG_HBA};
systemctl restart postgresql;
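The following script is an added example; it is not part of the NST page or of the Guacamole project. It checks, before pg_hba.conf is touched, that the front-end container's address actually lies inside the CIDR you are about to allow, and appends the rule only if it is not already there (the plain >> above adds a duplicate line every time the step is re-run). The container address and the pg_hba.conf content used here are constructed so the script runs without docker or PostgreSQL; in real use the address comes from docker inspect as shown in the comment and the file is ${PG_HBA}.

```shell
#!/bin/sh
# Added example (not the NST page's own commands): verify the container
# address against the pg_hba.conf CIDR and add the rule idempotently.

# ip_to_int ADDR : dotted-quad IPv4 -> 32-bit integer (runs in a subshell so
# the IFS change does not leak).
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# ip_in_cidr ADDR NET/PREFIX : exit 0 when ADDR lies inside NET/PREFIX.
# A bare address with no prefix is treated as a /32.
ip_in_cidr() {
    case $2 in */*) cidr=$2 ;; *) cidr="$2/32" ;; esac
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${cidr%/*}")
    bits=${cidr#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# pg_hba_has_rule FILE DB USER CIDR : exit 0 when an exact "host DB USER CIDR"
# line exists. Exact field match only; it does not evaluate "all" wildcards.
pg_hba_has_rule() {
    awk -v db="$2" -v u="$3" -v c="$4" \
        '$1 == "host" && $2 == db && $3 == u && $4 == c { found = 1 }
         END { exit !found }' "$1"
}

# count_pg_hba_rules FILE DB USER CIDR : number of matching host lines.
count_pg_hba_rules() {
    awk -v db="$2" -v u="$3" -v c="$4" \
        '$1 == "host" && $2 == db && $3 == u && $4 == c { n++ }
         END { print n + 0 }' "$1"
}

# add_pg_hba_rule FILE DB USER CIDR : idempotent form of the page's
#   echo "host ${DB} ${DB_USER} 172.17.0.0/16 md5" >> ${PG_HBA}
add_pg_hba_rule() {
    if pg_hba_has_rule "$@"; then
        return 0
    fi
    printf 'host %s %s %s md5\n' "$2" "$3" "$4" >> "$1"
}

# --- Demo on a constructed pg_hba.conf, NOT the real ${PG_HBA} file ---------
DEMO_HBA=$(mktemp)
cat > "$DEMO_HBA" <<'EOF'
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     peer
host    all             all             127.0.0.1/32            md5
EOF

# In real use take the address from the running container, e.g.
#   CONTAINER_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "${guacFront}")
# A constructed address is used here so the example runs without docker.
CONTAINER_IP=172.17.0.3
ALLOWED_CIDR=172.17.0.0/16

if ip_in_cidr "$CONTAINER_IP" "$ALLOWED_CIDR"; then
    add_pg_hba_rule "$DEMO_HBA" guacamole guacamole_user "$ALLOWED_CIDR"
    add_pg_hba_rule "$DEMO_HBA" guacamole guacamole_user "$ALLOWED_CIDR"   # no-op on the second call
else
    echo "container $CONTAINER_IP is outside $ALLOWED_CIDR; fix the CIDR before editing pg_hba.conf" >&2
fi
```

If the address check fails, the right fix is to change the CIDR (or pin the container to a known docker network), not to widen the rule to 0.0.0.0/0.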
Start the guacamole Front-End
Now that the database is ready, we need to start the docker container that runs the guacamole front-end. We will first attempt to stop and remove any existing instances (in case it was running) and then start it using the following commands:
docker stop ${guacFront};
docker rm ${guacFront};
docker run --name ${guacFront} \
  --link ${guacBack}:guacd \
  -e POSTGRES_DATABASE="${DB}" \
  -e POSTGRES_HOSTNAME="${DB_HOST}" \
  -e POSTGRES_PORT=5432 \
  -e POSTGRES_USER="${DB_USER}" \
  -e POSTGRES_PASSWORD="${DB_PASS}" \
  -d -p 8080:8080 guacamole/guacamole;
Two things to keep in mind: -p 8080:8080 publishes the plain-HTTP front-end on every interface of the host, so if a TLS-terminating reverse proxy on the same host will sit in front of guacamole, publish on loopback only with -p 127.0.0.1:8080:8080 instead; and the database password passed with -e is visible to anyone who can run docker inspect on the container.
Next let's verify that our docker container is running and that port 8080 has been exposed on our system:
docker ps -a
netstat -tnap | grep 8080
We can also do a preliminary check on the guacamole front-end error log using the following command:
docker logs ${guacFront} | less
Initial Configuration
At this point we should have guacamole up and running. The first thing we should do is change the password for the guacadmin account.
- Point your web browser at: http://127.0.0.1:8080/guacamole/
- Log in as guacadmin with the initial password of guacadmin.
- Immediately go to Settings | Preferences and change the administrative password.
You should now be able to use the guacamole web interface to configure user accounts and connections so that your users can connect to various hosts.
Securing Tomcat
Unfortunately, the guacamole/guacamole image also exposes Tomcat's own web interface: pointing your browser at port 8080 without the /guacamole/ path shows the Tomcat welcome page. That page carries some security notes, and by default no accounts appear to be configured that would allow access to the management applications.
Based on suggestions from https://www.cb-net.co.uk/linux/running-guacamole-from-a-docker-container-on-ubuntu-16-04-lts-16-10/ and https://www.owasp.org/index.php/Securing_tomcat, you can completely remove the Tomcat management features by running the following inside the container:
docker exec -it ${guacFront} /bin/bash
sed -i 's/redirectPort="8443"/redirectPort="8443" server="" secure="true"/g' /usr/local/tomcat/conf/server.xml
sed -i 's/<Server port="8005" shutdown="SHUTDOWN">/<Server port="-1" shutdown="SHUTDOWN">/g' /usr/local/tomcat/conf/server.xml
rm -Rf /usr/local/tomcat/webapps/docs/
rm -Rf /usr/local/tomcat/webapps/examples/
rm -Rf /usr/local/tomcat/webapps/manager/
rm -Rf /usr/local/tomcat/webapps/host-manager/
chmod -R 400 /usr/local/tomcat/conf
exit
A few things to be aware of before running this:
- secure="true" makes Tomcat treat every request on the 8080 connector as if it had arrived over TLS (request.isSecure() returns true). That is correct when a TLS-terminating reverse proxy sits in front of the container and wrong when clients talk plain HTTP to port 8080 directly; in the latter case leave that attribute out.
- The sed commands exit successfully even when their pattern is not found in server.xml, so check afterwards that the file really contains port="-1" and that the shutdown port 8005 is no longer listening.
- chmod -R 400 also removes the search (execute) bit from the conf directory itself, so a Tomcat process that does not run as root can no longer open anything under it. Use 500 for directories and 400 for files if the container runs Tomcat as a non-root user.
- Everything done through docker exec lives only in this container instance. The moment you docker rm and docker run the front-end again (as the start-up commands above do), the image's original files are back and the hardening has to be repeated.
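As an added example (not the page's or the Guacamole project's own code), here is the same hardening written as a script that can be copied into the container and that verifies each step instead of trusting sed and rm to have matched. It uses separate directory and file modes because chmod -R 400 strips the search bit from directories, and it adds secure="true" only when asked to, because that attribute belongs only on a connector behind a TLS-terminating proxy. The server.xml it builds for its built-in demonstration is a constructed stub, not the file from the guacamole/guacamole image; the path /usr/local/tomcat and the docker cp/exec invocation in the comments are assumptions that match the page.

```shell
#!/bin/sh
# Added example (not the NST page's own command list): apply the Tomcat
# hardening to the CATALINA_HOME given as argument and verify each step.
# The page's sed/rm lines exit 0 even when the pattern in server.xml does not
# match, so a changed image could leave the shutdown port open unnoticed.
#
# Intended use inside the container (assumed paths, same as on the page):
#   docker cp harden_tomcat.sh ${guacFront}:/tmp/harden_tomcat.sh
#   docker exec ${guacFront} sh /tmp/harden_tomcat.sh /usr/local/tomcat
# Changes made this way live only in that container instance; they are gone
# after "docker rm" + "docker run".

# harden_server_xml FILE [tls-proxy]
# Disables the shutdown port and overrides the Server header. secure="true"
# is added only when "tls-proxy" is given. Idempotent: re-running does not
# duplicate attributes. Returns 1 when the file is not in the expected state.
harden_server_xml() {
    f=$1
    sed -i 's/<Server port="8005" shutdown="SHUTDOWN">/<Server port="-1" shutdown="SHUTDOWN">/' "$f"
    if ! grep -q 'server=""' "$f"; then
        sed -i 's/redirectPort="8443"/redirectPort="8443" server=""/' "$f"
    fi
    if [ "$2" = tls-proxy ] && ! grep -q 'secure="true"' "$f"; then
        sed -i 's/server=""/server="" secure="true"/' "$f"
    fi
    grep -q '<Server port="-1" shutdown="SHUTDOWN">' "$f" \
        || { echo "shutdown port still enabled in $f (pattern did not match)" >&2; return 1; }
    grep -q 'redirectPort="8443" server=""' "$f" \
        || { echo "Server header override missing in $f" >&2; return 1; }
}

# strip_webapps CATALINA_HOME : remove the applications the page deletes and
# confirm that none of them is left behind.
strip_webapps() {
    for app in docs examples manager host-manager; do
        rm -rf "$1/webapps/$app"
        [ ! -e "$1/webapps/$app" ] || { echo "could not remove webapps/$app" >&2; return 1; }
    done
}

# lock_conf CATALINA_HOME : read-only conf/. The page's "chmod -R 400" also
# strips the search (x) bit from directories, which breaks a Tomcat that does
# not run as root; directories get 500 and files 400 instead.
lock_conf() {
    find "$1/conf" -type d -exec chmod 500 {} + &&
    find "$1/conf" -type f -exec chmod 400 {} +
}

# harden_tomcat CATALINA_HOME [tls-proxy] : run all three steps in order.
harden_tomcat() {
    harden_server_xml "$1/conf/server.xml" "$2" &&
    strip_webapps "$1" &&
    lock_conf "$1"
}

# With an argument, harden that CATALINA_HOME; without one, run the demo on a
# constructed throw-away tree (stub server.xml, not the image's real file).
if [ $# -ge 1 ]; then
    harden_tomcat "$1" "$2"
else
    DEMO_HOME=$(mktemp -d)
    mkdir -p "$DEMO_HOME/conf" "$DEMO_HOME/webapps/ROOT" "$DEMO_HOME/webapps/guacamole" \
             "$DEMO_HOME/webapps/docs" "$DEMO_HOME/webapps/examples" \
             "$DEMO_HOME/webapps/manager" "$DEMO_HOME/webapps/host-manager"
    cat > "$DEMO_HOME/conf/server.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
EOF
    harden_tomcat "$DEMO_HOME" && echo "hardened demo tree $DEMO_HOME"
fi
```

Because the script refuses to report success when server.xml did not match, it is safe to run from a start-up wrapper every time the container is re-created, which is the only way these edits survive the stop/rm/run cycle used earlier on this page.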
Manage
Shell Prompt
Use the following command to open a shell prompt to a docker container:
docker exec -it ${guacFront} /bin/bash
Status
You can use the following commands to verify that PostgreSQL and your docker containers are running:
docker ps -a
systemctl status postgresql.service
Stopping
You can use the following commands to stop PostgreSQL and your docker containers:
docker stop ${guacFront}
docker stop ${guacBack}
systemctl stop postgresql.service
Starting
You can use the following commands to start PostgreSQL and your docker containers:
systemctl start postgresql.service
docker start ${guacBack}
docker start ${guacFront}
Docker Logs (Troubleshooting)
You can review the logs for your docker containers when troubleshooting problems:
docker logs ${guacFront}
docker logs ${guacBack}
Removal
You can use the following commands to completely remove the docker containers and images. Note that docker rmi takes an image name, not a container name, so the containers are stopped and removed first and then the two images are deleted:
docker stop ${guacFront}
docker stop ${guacBack}
docker rm ${guacFront}
docker rm ${guacBack}
docker rmi guacamole/guacamole
docker rmi guacamole/guacd