[Support] jasonbean - Apache Guacamole


Message added by Taddeusz,

Before upgrading to 1.5.0 you need to have first upgraded to 1.4.0-3 of the container. I discovered that prior to 1.4.0-3 it was not shutting down MariaDB correctly and causing the database to be left in a dirty state.

 

If after upgrading to 1.5.0 you discover that MariaDB is stopping and the log mentions something about needing to open the database in an older version of MariaDB you should downgrade specifically to 1.4.0-3, start the container and make sure it's running correctly. Then you may upgrade to 1.5.0.


Hello, 

I was using AG with no issue and recently have run into this concern.

I can connect to everything else but this one system. I can't seem to track down what the concern may be. Anyone else have this concern?

 

guacd[758]: INFO: User "@5835a4e1-fbd6-4273-a68c-b90cb9634f11" disconnected (0 users remain)
guacd[758]: INFO: Last user of connection "$bc849b57-11d4-4807-83b1-39f9b0482739" disconnected
guacd[30]: INFO: Connection "$bc849b57-11d4-4807-83b1-39f9b0482739" removed.
guacd[30]: INFO: Creating new client for protocol "rdp"
guacd[30]: INFO: Connection ID is "$0b6b9bd1-1933-4d62-81a3-065b121a6a41"
guacd[775]: INFO: Security mode: NLA
guacd[775]: INFO: Resize method: display-update
guacd[775]: INFO: User "@491f6ba2-db58-42e9-adcd-30d53c12f8e7" joined connection "$0b6b9bd1-1933-4d62-81a3-065b121a6a41" (1 users now present)
guacd[775]: INFO: Loading keymap "base"
guacd[775]: INFO: Loading keymap "en-us-qwerty"
guacd[775]: INFO: RDP server closed/refused connection: Connection failed (server unreachable?)

guacd[775]: INFO: User "@491f6ba2-db58-42e9-adcd-30d53c12f8e7" disconnected (0 users remain)
guacd[775]: INFO: Last user of connection "$0b6b9bd1-1933-4d62-81a3-065b121a6a41" disconnected
guacd[30]: INFO: Connection "$0b6b9bd1-1933-4d62-81a3-065b121a6a41" removed.
guacd[30]: INFO: Creating new client for protocol "rdp"
guacd[30]: INFO: Connection ID is "$c4cf9241-1f9f-4654-8db4-305ccbb9228f"
guacd[792]: INFO: Security mode: NLA
guacd[792]: INFO: Resize method: display-update
guacd[792]: INFO: User "@5cff0582-cef0-415e-9bdf-ea8e431fd464" joined connection "$c4cf9241-1f9f-4654-8db4-305ccbb9228f" (1 users now present)
guacd[792]: INFO: Loading keymap "base"
guacd[792]: INFO: Loading keymap "en-us-qwerty"
guacd[792]: INFO: RDP server closed/refused connection: Connection failed (server unreachable?)


EDIT:
It seems that Windows Firewall prevents the connection now (maybe a Windows update).

Disabling Windows Firewall or allowing RDP via the workstation firewall resolves this concern.
What is strange is that, in the past, Windows Firewall did not need the RDP exception set (enabled) to make the connection to the workstation via AG/RDP.

Anyone else see this change as of recent?


Thanks,

10 minutes ago, Taddeusz said:

@bombz What do the connection settings look like? You want to make sure the settings under "GUACAMOLE PROXY PARAMETERS (GUACD)" are empty and the hostname or IP address you're connecting to is in the "PARAMETERS" section.

Hello,

Yes that is correct.
Hostname = internal IP of system
Port = RDP port

Confirmed -- "GUACAMOLE PROXY PARAMETERS (GUACD)" are empty

I was messing around with the local workstation's 'Windows Firewall'.
It seems:

  • Disabling the local workstation's firewall allows AG to connect
  • Adding the RDP exception to the Windows firewall (while the firewall is enabled) works as well

However, I am worried that may be a potential security risk of some sort.

Thoughts?


@bombz It should be fine. AFAIK exposing the RDP port is the only way to connect to a Windows machine. Otherwise it's going to be blocked just like you've experienced. There's always risk to everything but as long as the machine is behind a router firewall and not connected directly to the internet it should be fine.

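One way to keep the RDP exception discussed above narrow, as an added example that is not part of the original thread: enable the built-in Remote Desktop rules only for the Guacamole host, then list any other rule that still admits RDP from any source. $GuacamoleHost is a placeholder for the address the Guacamole container connects from, 3389 is the default RDP port, and 'Remote Desktop' is the English display-group name.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on the Windows workstation that Guacamole connects to.
param(
    # Placeholder: the address guacd connects from (Guacamole container or host).
    [Parameter(Mandatory)] [string] $GuacamoleHost,
    # Default RDP port; change it if the workstation listens elsewhere.
    [int] $RdpPort = 3389
)

# Built-in inbound RDP rules. 'Remote Desktop' is the English display-group name.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Direction -eq 'Inbound' }

# Enable the exception, but accept connections from the Guacamole host only.
$rdpRules | Set-NetFirewallRule -Enabled True -RemoteAddress $GuacamoleHost

# Show the resulting source restriction on each built-in rule.
$rdpRules | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    }
}

# Audit: any enabled inbound allow rule on the RDP port that still accepts
# any source address (for example a third-party or hand-made rule).
# Rules that cover the port through a range are not matched by this check.
$open = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq $RdpPort } |
    Get-NetFirewallRule |
    Where-Object {
        $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow'
    } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }

if ($open) {
    Write-Warning "Rules still allowing TCP $RdpPort from any address:"
    $open | Select-Object DisplayName, Profile
} else {
    Write-Output "TCP $RdpPort is reachable only from the scoped addresses."
}
```
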
9 minutes ago, Taddeusz said:

@bombz It should be fine. AFAIK exposing the RDP port is the only way to connect to a Windows machine. Otherwise it's going to be blocked just like you've experienced. There's always risk to everything but as long as the machine is behind a router firewall and not connected directly to the internet it should be fine.

Fair enough.
I find it odd that the change was required on the workstation side; I never had to have the RDP exception enabled on the local workstation in the past and it was functional with AG. It makes sense that it needs to be; I was just puzzled about what changed recently.
Thanks again for the support and fast response, I wasn't sure if this thread was 'dead'.
Appreciate it!

On 5/10/2021 at 4:15 PM, DrDirtyDevil said:

Ahh, thank you for the heads up. After some digging I found this: https://issues.apache.org/jira/browse/GUACAMOLE-1289 So they are aware of it. I did not find a "vote up" button though.

It would be nice to see a way to manage user 2FA from the admin GUI.
There was a time I had a user created, but lost the 2FA code on the phone. The only workaround was to make a new ADMIN user on AG and disable the old one, as there was no way to reset that previous ADMIN user to set up 2FA again on that user (if I explained that correctly).

Love the app, looking forward to new updates to come down the pipe!

12 minutes ago, Taddeusz said:

@bombz It's definitely active. I usually only make posts when there's an update. The Guacamole team usually only makes as many as two releases a year. Otherwise it's pretty quiet.

Hey,
Awesome! I appreciate that. Glad to hear it is still alive and active. Thank you for your time and support. I look forward to more posts moving forward.
Thank you to the whole community as well! 

4 hours ago, bombz said:

It would be nice to see a way to manage user 2FA from the admin GUI.
There was a time I had a user created, but lost the 2FA code on the phone. The only workaround was to make a new ADMIN user on AG and disable the old one, as there was no way to reset that previous ADMIN user to set up 2FA again on that user (if I explained that correctly).

Love the app, looking forward to new updates to come down the pipe!

 

I agree. Their 2FA management is non-existent. There's no facility for backup codes or a way to disable it. I've had to manually edit my database before to recover, I think, after the last time I upgraded my iPhone.

15 hours ago, Taddeusz said:

There's been a minor update to merge a change from Steve (4o66) to add the logrotate package to prevent the catalina.out file from growing forever.

 

I've also added some tooling to automate the image build process from Github to Docker Hub.

Awesome thanks!
Docker update pushed, updating now.


3 hours ago, Taddeusz said:

What did the container log look like? Which containers are you using? The one with or without MariaDB?

I'm using the one that doesn't say NoMariaDB. 

 

usermod: no changes
----------------------
User UID: 99
User GID: 100
----------------------
Using existing properties file.
Using existing MySQL extension.
No permissions changes needed.
Database exists.
Database upgrade not needed.
2021-07-30 08:14:31,546 INFO Included extra file "/etc/supervisor/conf.d/supervisord.conf" during parsing
2021-07-30 08:14:31,547 INFO Set uid to user 0 succeeded
2021-07-30 08:14:31,548 INFO supervisord started with pid 27
2021-07-30 08:14:32,550 INFO spawned: 'guacd' with pid 30
2021-07-30 08:14:32,552 INFO spawned: 'mariadb' with pid 31
2021-07-30 08:14:32,553 INFO spawned: 'tomcat9' with pid 32
guacd[30]: INFO: Guacamole proxy daemon (guacd) version 1.3.0 started

guacd[30]: INFO: Listening on host 0.0.0.0, port 4822
2021-07-30 08:14:33,680 INFO success: guacd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2021-07-30 08:14:33,681 INFO success: mariadb entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2021-07-30 08:14:33,681 INFO success: tomcat9 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

 

3 minutes ago, RichardU said:

@Taddeusz I'm running MariaDB for another purpose, but would prefer not to use it here. Since I don't plan on using a separate database it seems like I SHOULD use plain ApacheGuacamole and NOT use ApacheGuacamoleNoMariaDB which is what I have been doing, or do I have that wrong? 

 

Cheers,

My apologies. I misread your answer. The only thing I can think you could do is clear the container’s appdata folder and start from scratch.

1 hour ago, RichardU said:

@Taddeusz I'm running MariaDB for another purpose, but would prefer not to use it here. Since I don't plan on using a separate database it seems like I SHOULD use plain ApacheGuacamole and NOT use ApacheGuacamoleNoMariaDB which is what I have been doing, or do I have that wrong? 

 

Cheers,

 

If you don't want to use MariaDB then of course you should use the NOMARIADB version (standalone).


Trying to overachieve here and get Guac working with a separate MariaDB. I followed the space invader MariaDB Nextcloud instructions to make a guacamole user and db with all the privileges. Then I copied and pasted the schema instructions into the MariaDB console with the db selected and it seemed like it worked. Then I did the same to create the guacadmin user.


But when I go to WebGUI of Guac I get an error.


I've got guacamole.properties set as:

guacd-hostname: localhost
guacd-port:     4822

mysql-hostname: x.x.x.x (unraid server)
mysql-port: 3306 (port MariaDB is running on x.x.x.x)
mysql-database: guacamole
mysql-username: guacamole
mysql-password: <password>

What am I missing? The container log doesn't show the error. 

 

Here is my docker command:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='ApacheGuacamoleNoMariaDB' --net='br0' --ip='<x.x.x.x>' --privileged=true -e TZ="America/New_York" -e HOST_OS="Unraid" -e 'TCP_PORT_8080'='8080' -e 'OPT_MYSQL'='Y' -e 'OPT_SQLSERVER'='N' -e 'OPT_LDAP'='N' -e 'OPT_DUO'='N' -e 'OPT_CAS'='N' -e 'OPT_TOTP'='N' -e 'OPT_QUICKCONNECT'='N' -e 'OPT_HEADER'='N' -e 'OPT_SAML'='N' -e 'PUID'='99' -e 'PGID'='100' -v '/mnt/user/appdata/ApacheGuacamoleNoMariaDB':'/config':'rw' 'jasonbean/guacamole:latest-nomariadb'
f680bbad75f308849fd002e1e88f1853a6fd4d407c104218fc044bf23571fa1c

The command finished successfully!

 

If I set OPT_MYSQL to N then it works fine. But I like the idea of a separate MariaDB like all my other containers.

36 minutes ago, Taddeusz said:

@bigbangus Do you have your container’s network type set to a custom network? If so you probably need to have “Host access to custom networks” enabled in your Docker settings.

 

Yup that fixed it. What do you recommend as best practice here on how to set this up? Am I opening up a security risk here by enabling that? At this point just following space invader's video for the setup, but open to ideas since I'm using external db.
