Following on from @breadcentric's overview of Docker and how to use it, and @ety001's tutorial on using Portainer to manage containers easily with a nice GUI, I thought I would start my first techy post by showing what you can actually do with Docker once you have it set up.
Docker installation of Guacamole.
What is Guacamole?
Guacamole is a remote desktop management portal which uses HTML5 technologies to bring a remote desktop view into the browser with no additional technologies. This effectively means you have remote access, from any web browser anywhere, to any machine that is configured for you to have access to. Examples of its use are below.
Guacamole Docker Setup Instructions
Set up a persistent volume for postgres or data will be lost on restart.
docker volume create dock-postgres_vol
Then start the Postgres container as follows.
docker run --name dock-postgres -v dock-postgres_vol:/var/lib/postgresql/data --restart=always -d postgres
Initialise the database as directed above.
docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres > initdb.sql
Copy sql file to postgres container.
docker cp initdb.sql dock-postgres:/tmp
Log in to the container and create the initial database.
docker exec -it dock-postgres /bin/bash
su -c /bin/bash postgres
createdb guacamole_db
psql guacamole_db < /tmp/initdb.sql
Create Guacamole DB user
$ psql -d guacamole_db
psql (10.1)
Type "help" for help.
guacamole_db=# CREATE USER guacamole_user WITH PASSWORD '$password';
CREATE ROLE
guacamole_db=# GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA public TO guacamole_user;
GRANT
guacamole_db=# GRANT SELECT,USAGE ON ALL SEQUENCES IN SCHEMA public TO guacamole_user;
GRANT
guacamole_db=# \q
Install Guacd container
docker run --name guacd -d guacamole/guacd
Install guacamole container
docker run --name guacamole --link guacd:guacd --link dock-postgres:postgres -e POSTGRES_DATABASE=guacamole_db -e POSTGRES_USER=guacamole_user -e POSTGRES_PASSWORD=$password -d -p 8080:8080 guacamole/guacamole
Point your web browser at http://localhost:8080/guacamole
Log in as guacadmin; the default password is guacadmin.
Create extra users as needed. Create a USER group. Create a Connection in the USER group.
Click on Settings then the tab Connections.
Click on New Connection and you will be presented with a long form. Give the connection a name and fill out the parameters as needed. You can leave most of the fields blank unless you are planning to do more sophisticated things like remote applications (see below).
Assign connection to a user.
NB. RDP connections take auth credentials from the Windows user on the server being connected to.
By default this will serve up the complete desktop, just as if you were connecting via an RDP client, only within the browser. Sound, too, will be forwarded.
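The container steps above as one non-interactive script, added here as an example and not part of the original post: it replaces the $password placeholder with a random value kept in an owner-only env file and publishes port 8080 on 127.0.0.1 only. Container names, the initdb.sh flag and the POSTGRES_* variables are those used in the post; guacamole.env, the function names and the throwaway Postgres superuser password are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the post's own code. Names of containers, images and
# variables follow the post; guacamole.env and function names are assumed.

gen_password() {
    # 16 bytes from the kernel CSPRNG as 32 hex chars (safe to embed in SQL)
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

create_user_sql() {  # $1 = password; same statements as the psql session
    printf "CREATE USER guacamole_user WITH PASSWORD '%s';\n" "$1"
    echo 'GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA public TO guacamole_user;'
    echo 'GRANT SELECT,USAGE ON ALL SEQUENCES IN SCHEMA public TO guacamole_user;'
}

write_env_file() {  # $1 = path, $2 = password; new file is owner-only (0600)
    ( umask 077
      printf 'POSTGRES_DATABASE=guacamole_db\nPOSTGRES_USER=guacamole_user\nPOSTGRES_PASSWORD=%s\n' "$2" > "$1" )
}

setup() {
    set -e
    pw=$(gen_password)
    write_env_file guacamole.env "$pw"
    docker volume create dock-postgres_vol
    # Assumption: a random superuser password that is never stored; admin
    # access goes through the local socket via docker exec instead.
    docker run --name dock-postgres -v dock-postgres_vol:/var/lib/postgresql/data \
        -e POSTGRES_PASSWORD="$(gen_password)" --restart=always -d postgres
    # Wait for the TCP listener, which only appears once first-run init is done
    until docker exec dock-postgres pg_isready -h 127.0.0.1 -U postgres >/dev/null 2>&1; do sleep 1; done
    docker exec dock-postgres createdb -U postgres guacamole_db
    docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres |
        docker exec -i dock-postgres psql -U postgres -d guacamole_db
    create_user_sql "$pw" | docker exec -i dock-postgres psql -U postgres -d guacamole_db
    docker run --name guacd -d guacamole/guacd
    # 127.0.0.1 bind: reachable from this host (or a local HTTPS proxy) only
    docker run --name guacamole --link guacd:guacd --link dock-postgres:postgres \
        --env-file guacamole.env -d -p 127.0.0.1:8080:8080 guacamole/guacamole
}

# Run the Docker steps only when asked to: sh setup.sh run
if [ "${1:-}" = "run" ]; then setup; fi
```

The script does not touch Guacamole's own guacadmin / guacadmin login created by initdb.sql; that is still changed in the web interface after the first login.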
Note about customisation.
The login page can be customised using extensions; however, adding an extension to a Docker container is a little more complex. Essentially you have to export a host directory into the container, e.g.
docker run --name guacamole --link guacd:guacd --link dock-postgres:postgres -e POSTGRES_DATABASE=guacamole_db -e POSTGRES_USER=guacamole_user -e POSTGRES_PASSWORD=$password -v /var/lib/docker/custom/guacamole:/opt/local -e GUACAMOLE_HOME=/opt/local -d -p 8080:8080 guacamole/guacamole
Note the addition of -v for the mapping and the environment variable GUACAMOLE_HOME. The mapped directory will be used as a template base for the actual home directory, which is /root/.guacamole inside the container. Thus you need to make a folder called extensions on your host share and drop your custom extension .jar into it. It will then be loaded automatically.
The example extension can be found here
And the result looks like this:
Adding Remote Apps.
By setting up a remote app profile you can export that app via Guacamole so it is the only application available to the user. This means they will not have access to any other program on the system or the ability to break out of the program they are running. In that sense it helps lock down usage and complexity when it comes to user access.
Remote apps are defined in the profile:
Recent versions of Windows provide a feature called RemoteApp which allows individual applications to be used over RDP, without providing access to the full desktop environment. If your RDP server has this feature enabled and configured, you can configure Guacamole connections to use those individual applications.
|remote-app||Specifies the RemoteApp to start on the remote desktop. If supported by your remote desktop server, this application, and only this application, will be visible to the user. Windows requires a special notation for the names of remote applications. The names of remote applications must be prefixed with two vertical bars. For example, if you have created a remote application on your server for notepad.exe and have assigned it the name "notepad", you would set this parameter to: ||notepad|
|remote-app-dir||The working directory, if any, for the remote application. This parameter has no effect if RemoteApp is not in use.|
|remote-app-args||The command-line arguments, if any, for the remote application. This parameter has no effect if RemoteApp is not in use.|
The RemoteApp Tool is a free software package and can be found here
Installing the portable app is probably the best option.
Example of set up.
And then in the server connection settings you need to add the command to the remote app.
Note. In order to get multiple RDP sessions running on any version of Windows, you need to patch the RDP DLL using this tool.
UniversalTermsrvPatch_20090425.zip available here
This is just a guide to setting up Guacamole in an insecure manner. You can also use Docker to put a front-end HTTPS proxy in front of the service, which can further secure your installation.
Well, I hope that this helped someone, and if you would like to know more, especially about setting up a web forwarding proxy, let me know.
Thanks for reading.