Virtual Cloud Desktop Using Apache Guacamole

Updated by Sam Foo Written by Sam Foo

Contribute on GitHub

Report an Issue | View File | Edit File

Virtual Cloud Desktop Using Apache Guacamole

Apache Guacamole is an HTML5 application useful for accessing a remote desktop through RDP, VNC, and other protocols. You can create a virtual cloud desktop where applications can be accessed through a web browser. This guide will cover the installation of Apache Guacamole through Docker, then access a remote desktop environment hosted on a Linode.

Install Docker

The installation method presented here will install the latest version of Docker. Consult the official documentation to install a specific version or if Docker EE is needed.

  1. At the time of writing, the recommended Docker installation is Docker CE. Remove any older installations of Docker that may be on your system:

    apt remove docker docker-engine
  2. Make sure you have the necessary packages to allow the use of Docker’s repository:

    apt install apt-transport-https ca-certificates curl software-properties-common
  3. Add Docker’s GPG key:

    curl -fsSL | sudo apt-key add -
  4. Verify the fingerprint of the GPG key:

    apt-key fingerprint 0EBFCD88

    You should see output similar to the following:

    pub   4096R/0EBFCD88 2017-02-22
          Key fingerprint = 9DC8 5822 9FC7 DD38 854A  E2D8 8D81 803C 0EBF CD88
    uid                  Docker Release (CE deb) <>
    sub   4096R/F273FCD8 2017-02-22
  5. Add the stable Docker repository:

    add-apt-repository "deb [arch=amd64] $(lsb_release -cs) stable"
  6. Update your package index and install Docker CE:

    apt update
    apt install docker-ce
  7. Add your limited user account to the docker group:

    usermod -aG docker exampleuser

    You will need to restart your shell session for this change to take effect.

  8. Check that the installation was successful by running the built-in “Hello World” program:

    docker run hello-world

Initialize Guacamole Authentication with MySQL

MySQL will be used in this guide, but PostgreSQL and MariaDB are supported alternatives.

  1. Pull Docker images for guacamole-server, guacamole-client, and MySQL.

    docker pull guacamole/guacamole
    docker pull guacamole/guacd
    docker pull mysql/mysql-server
  2. Create a database initialization script to create a table for authentication:

    docker run --rm guacamole/guacamole /opt/guacamole/bin/ --mysql > initdb.sql
  3. Generate a one-time password for MySQL root. View the generated password in the logs:

    docker run --name example-mysql -e MYSQL_RANDOM_ROOT_PASSWORD=yes -e MYSQL_ONETIME_PASSWORD=yes -d mysql/mysql-server
    docker logs example-mysql

    Docker logs should print the password in the terminal.

    [Entrypoint] Database initialized
    [Entrypoint] GENERATED ROOT PASSWORD: <password>
  4. Rename and move initdb.sql into the MySQL container.

    docker cp initdb.sql example-mysql:/guac_db.sql
  5. Open a bash shell within the MySQL Docker container.

    docker exec -it example-mysql bash
  6. Log in using the one-time password. No commands will be accepted until a new password is defined for root. Create a new database and user as shown below:

    bash-4.2# mysql -u root -p
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 11
    Server version: 5.7.20
    Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'new_root_password';
    Query OK, 0 rows affected (0.00 sec)
    mysql> CREATE DATABASE guacamole_db;
    Query OK, 1 row affected (0.00 sec)
    mysql> CREATE USER 'guacamole_user'@'%' IDENTIFIED BY 'guacamole_user_password';
    Query OK, 0 rows affected (0.00 sec)
    mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'%';
    Query OK, 0 rows affected (0.00 sec)
    Query OK, 0 rows affected (0.00 sec)
    mysql> quit
  7. While in the bash shell, create tables from the initialization script for the new database.

    cat guac_db.sql | mysql -u root -p guacamole_db

    Verify successful addition of tables. If there are no tables in guacamole_db, ensure the previous steps are completed properly.

    mysql> USE guacamole_db;
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A
    Database changed
    mysql> SHOW TABLES;
    | Tables_in_guacamole_db                |
    | guacamole_connection                  |
    | guacamole_connection_group            |
    | guacamole_connection_group_permission |
    | guacamole_connection_history          |
    | guacamole_connection_parameter        |
    | guacamole_connection_permission       |
    | guacamole_sharing_profile             |
    | guacamole_sharing_profile_parameter   |
    | guacamole_sharing_profile_permission  |
    | guacamole_system_permission           |
    | guacamole_user                        |
    | guacamole_user_password_history       |
    | guacamole_user_permission             |
    13 rows in set (0.00 sec)

    Leave the bash shell.


Guacamole in Browser

  1. Start guacd in Docker:

    docker run --name example-guacd -d guacamole/guacd
  2. Link containers so Guacamole can verify credentials stored in the MySQL database:

    docker run --name example-guacamole --link example-guacd:guacd --link example-mysql:mysql -e MYSQL_DATABASE='guacamole_db' -e MYSQL_USER='guacamole_user' -e MYSQL_PASSWORD='guacamole_user_password' -d -p guacamole/guacamole

    To see all running and non-running Docker containers:

    docker ps -a
  3. If example-guacamole, example-guacd, and example-mysql are all running, navigate to localhost:8080/guacamole/. The default login credentials are guacadmin and password guacadmin. This should be changed as soon as possible.

    Guacamole Login

VNC Server on a Linode

Before sharing a remote desktop, a desktop environment and VNC server must be installed on a Linode. This guide will use Xfce because it is lightweight and doesn’t excessively consume system resources.

  1. Install Xfce on the Linode.

    sudo apt install xfce4 xfce4-goodies

    Alternately Unity if there are less constraints on system resources:

    sudo apt install --no-install-recommends ubuntu-desktop gnome-panel gnome-settings-daemon metacity nautilus gnome-terminal
  2. Install VNC server. Starting VNC server will prompt the user for a password.

    sudo apt install tightvncserver

    This will prompt for a password in addition to a view-only option. The maximum password length is 8 characters. For setups requiring more security, deploying Guacamole as a reverse proxy with SSL encryption is highly recommended.

    You will require a password to access your desktops.
    Would you like to enter a view-only password (y/n)?
  3. Ensure to start the desktop environment the end of .vnc/xstartup otherwise only a gray screen will be displayed.

    echo 'startxfce4 &' | tee -a .vnc/xstartup

    Alternate Unity configuration example:

     1 2 3 4 5 6 7 8 91011121314
    xrdb $HOME/.Xresources
    xsetroot -solid grey
    #x-terminal-emulator -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
    #x-window-manager &
    # Fix to make GNOME work
    gnome-panel &
    gnome-settings-daemon &
    metacity &
    nautilus &

New Connection in Guacamole

VNC, RDP, SSH, and Telnet are supported. This section of the guide will show how to navigate the browser interface and add a new connection.

  1. Before connecting to the VNC server, create an SSH tunnel replacing user and with the Linode’s user and public IP.

    ssh -L 5901:localhost:5901 -N -f -l user
  2. In the Guacamole dashboard, click the top right drop down menu and select Settings. Under Connections, press the New Connection button.

    Guacamole Settings

  3. Under Edit Connection, choose a name. Under Parameters, the hostname is the public IP of the Linode. The port is 5900 plus the display number - in this case, port 5901. Enter the 8 character password.

    Guacamole VNC Configuration

    The official documentation has detailed descriptions of all parameter names.

    If you have multiple displays running on the same Linode, increment the port number for each display: 5902, 5903, etc. If your remote displays are hosted on different Linodes, each display should still use port 5901.
  4. From the top right drop down menu, click Home. The new connection is now available.

    CTRL + ALT + SHIFT - Opens menu for clipboard, keyboard/mouse settings, and the navigation menu.

    Guacamole Drop Down

  5. Press back on the browser to return to the Home menu.

  6. Additional connections can be made, and simultaneous connections can be made in new browser tabs.

    Guacamole Recent Connections

This guide aimed to streamline the installation process through Docker and demonstrate remote desktop with Apache Guacamole as quickly as possible. There are many features such as screen recording, two factor authentication with Duo, file transfer via SFTP, and much more. As an Apache Incubator project, expect to see further developments in the near future.

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

See Also

comments powered by Disqus

This guide is published under a CC BY-ND 4.0 license.