Dockers, deployment and Display Brokers.

3년 전

Following on from @breadcentric's overview of docker and how to use it
and @ety001's tutorial on the use of portainer to easily manage them with a nice GUI I thought I would start my first techy post showing what you can actually do with docker once you have it set up.

Docker installation of Guacamole.

What is Guacacmole?

Gucamole is a remote desktop management portal whuch uses HTML5 technologies to bring a remote desktop view into the browser with no additional technologies. The effectively means you have remote access to any machine that is configured for you to have access to from any web browser anywhere. Examples of it's use are below.


Guacacmole Docker Set up Instructions

souce listing

Install postgres.

Set up a persistent volume for postgres or data will be lost on restart.

docker create volume dock-postgres_vol

and then start docker container as follows.

docker run --name dock-postgres -v dock-postgres_vol:/var/lib/postgres/data --restart=always -d postgres

Initialise the database as directed above.

docker run --rm guacamole/guacamole /opt/guacamole/bin/ --postgres > initdb.sql

Copy sql file to postgres container.

docker cp initdb.sql dock-postgres:/tmp

Login to container and create initial database.

docker exec -it dock-postgres /bin/bash
su -c /bin/bash postgres
createdb guacamole_db
psql guacamole_db < /tmp/initdb.sql

Create Guacacmole DB user

$ psql -d guacamole_db
psql (10.1)
Type "help" for help.

guacamole_db=# CREATE USER guacamole_user WITH PASSWORD '$password';
guacamole_db=# GRANT SELECT,USAGE ON ALL SEQUENCES IN SCHEMA public TO guacamole_user;
guacamole_db=# \q

Install Guacd container

docker run --name guacd -d  guacamole/guacd

Install guacamole container

 docker run --name guacamole --link guacd:guacd     --link dock-postgres:postgres          -e POSTGRES_DATABASE=guacamole_db      -e POSTGRES_USER=guacamole_user        -e POSTGRES_PASSWORD=$password     -d -p 8080:8080 guacamole/guacamole

Administer Guacamole.

Point web browser @ http://localhost:8080/guacamole

Login as guacadmin default password guacadmin

create extra users as needed. Create a USER group. Create a Connection in USER group.

Click on Settings then the tab Connections.


Click on New Connection and you will be presented with a long form. Give the connection a name and fill out the parameters as needed. Most of the fields you can leave blank unless you are planning to do more sophisticated things like remote applications (see below)


Assign connection to a user.

NB. RDP Connections take auth credentials from the windows user on the server being connected to.

This will by default serve up the complete desktop as if you were connecting via a RDP client only within the browser. Sound, too, will be forwarded.

Note about customisation.

Login page can be customised using extensions, however adding and extension to a docker is a little more complex. Essentially you have to export a host directory into the container. eg.

  docker run --name guacamole --link guacd:guacd     --link dock-postgres:postgres          -e POSTGRES_DATABASE=guacamole_db      -e POSTGRES_USER=guacamole_user        -e POSTGRES_PASSWORD=$password  -v /var/lib/docker/custom/guacamole:/opt/local -e GUACAMOLE_HOME=/opt/local   -d -p 8080:8080 guacamole/guacamole

See the addition of -v for mapping and the environment variable GUACAMOLE_HOME. The mapped directory will be used as a template base for the actual home directory which is in /root/.guacamole inside the container. Thus you need to make a folder on your host share called extensions and drop your custom extension .jar into that. It will then be loaded automatically.

The example extension can be found here

And the result looks like this:


and more information on creating a custom extension can be found here and here

Adding Remote Apps.


By setting up a remote app profile you can export that app via Gucamole so it is the only application available to the user. This means they will not have access to any other program on the system or the ability to break out of the program they are running. In that sense it helps lock down usage and complexity when it comes to user access.

Remote apps are define in the profile:


Recent versions of Windows provide a feature called RemoteApp which allows individual applications to be used over RDP, without providing access to the full desktop environment. If your RDP server has this feature enabled and configured, you can configure Guacamole connections to use those individual applications.

Parameter nameDescription
remote-appSpecifies the RemoteApp to start on the remote desktop. If supported by your remote desktop server, this application, and only this application, will be visible to the user. Windows requires a special notation for the names of remote applications. The names of remote applications must be prefixed with two vertical bars. For example, if you have created a remote application on your server for notepad.exe and have assigned it the name "notepad", you would set this parameter to: :pipe:pipe:notepad
remote-app-dirThe working directory, if any, for the remote application. This parameter has no effect if RemoteApp is not in use.
remote-app-argsThe command-line arguments, if any, for the remote application. This parameter has no effect if RemoteApp is not in use.

The RemoteApp Tool is a free software package and can be found here

Installing the portable app is probably the best

Example of set up.



And then in the server connection settings you need to add the command to the remote app.


Note. In order to get multiple RDP sessions on any version of Windows Running you need to patch the RDP dll using this tool. available here

Overview of Tool

This is just a guide to setting up Guacamole in an insecure manner. You can also use docker to put a front end https proxy to the service which can further secure your installation.

Well I hope that this helped someone and if you like to know more especially about setting up a web forwarding proxy let me know.

Thanks for reading.

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  trending

You could have posted this through utopian, this would give you an extra audience.
It's a nicely detailed tutorial. So Guacamole is like Citrix desktop?


Still not sure where I could have posted that on Utopian. Not 100% ofey with how it works as I have no intention of linking my github to anything and apache host their own forum.

Glad you liked it and it is not quite citrix in so much as all it does is export only the application without the desktop but it needs a desktop to export the application if you see what I mean. End result is similar though only you are limited to the number of sessions a single machine can support and it is still one per user.

It is handy for small deployments though and easy to set up as you can see.


If guacamole has a GitHub, you can link it and make it a tutorial. It's not very intuitive, I know, but makes sense.


But Guacamole does not have an official git repo and should it be in docker or guacamole ? I am trying to get straight answer out of them where generic tutorial are supposed to go because not all of them can be attached to a single project and not all of them are on github but the tutorials can still be useful.


Yeah, there isn't a straight answer. My experience so far is to try your best guess, or toss a coin of they are equal, submit, get rejected, ask a moderator on discord, ask for reopening of the submission and fix it.
It is unclear, but at the same time the moderators really try to help.
I would suggest using the one of projects that has a github repo


Well I am trying to clarify an answer because I cannot be the only person who comes up with a tutorial that covers more than one project or does not have a github repo. It occurs to me the submission procedure is flawed if you are unable to submit against a project that is not on github but we'll have to see what they say.


It is as you say, or rather this is as far as they could get so far with the system. After an, they aren't getting paid for this, it's a spare time thing.