Posted to user@guacamole.apache.org by Ciro Iriarte <cy...@gmail.com> on 2021/08/22 16:21:04 UTC

Pseudo VDI: VNC pool

Hello!,

I'm working on a lab environment for coworkers & given the requirements are
GUI Jumphosts & no licenses for OS, we settled on Linux+VNC & Loadbalancing
pools with Guacamole.

All the OS users will be named, authenticated to FreeIPA and potentially a
NFS based $HOME. Guacamole also authenticating with LDAP+OTP and
JDBC-stored connections.

I've struggled setting up VNC with openSUSE 15.3 and their KDE desktop
(SDDM). Have a slightly better outcome with XDM (uglier but works somehow).
The desktops/jumphosts are running as PVE VMs, so also tested with KVM/QEMU
VNC support. The experience with that case is way better, rock solid VNC
session, even manual screen resize works, there's one annoying bit
(keyboard mapping for es-latam) and a major roadblock: it's the VM console,
user2 could land on the already logged in session for user1.

I imagine I could create the loadbalancing group with 1 connection per user
with session "stickiness" & then set up OS level timeouts to lock the GUI
session after no activity. That & fixing the keyboard mapping with
guacamole-> QEMU VNC console would make it, but feels like having a lot of
moving parts.

Any smarter approach to this? Could anybody share their recipe for similar
scenarios?

Regards,
CI.-

Re: Pseudo VDI: VNC pool

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Aug 25, 2021 at 1:58 AM Stefan M. Radman <sm...@kmi.com.invalid>
wrote:

> Hi Nick
>
> xrdp supports dynamic resizing since 0.9.16
>
> https://github.com/neutrinolabs/xrdp/releases
> Release notes for xrdp v0.9.16 (2021/04/30)
> New features
> • On-the-fly resolution change now supported for Xvnc and Xorg
> (#448, #1820) - thanks to @Nexarian for this significant first
> contribution. See the following YouTube video for a demo.
> • [Windows] https://youtu.be/cZ0ebieZHeA
> • [Mac] https://youtu.be/6kfAkyLUgFY
>
>
Thanks, Stefan, great to know!

-Nick

>

Re: Pseudo VDI: VNC pool

Posted by "Stefan M. Radman" <sm...@kmi.com.INVALID>.
Hi Nick

xrdp supports dynamic resizing since 0.9.16

https://github.com/neutrinolabs/xrdp/releases
Release notes for xrdp v0.9.16 (2021/04/30)
New features
• On-the-fly resolution change now supported for Xvnc and Xorg (#448, #1820) - thanks to @Nexarian for this significant first contribution. See the following YouTube video for a demo.
• [Windows] https://youtu.be/cZ0ebieZHeA
• [Mac] https://youtu.be/6kfAkyLUgFY

Stefan

On Aug 25, 2021, at 02:49, Nick Couchman <vn...@apache.org> wrote:

To be fair, xrdp does not support dynamic resizing, either, so there's that - however, it will at least dynamically size the browser window initially.





Re: Pseudo VDI: VNC pool

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Aug 24, 2021 at 8:31 PM Ciro Iriarte <cy...@gmail.com> wrote:

> Thanks Nick,
>
> I'm giving it a try. Any tips you could share regarding:
> - Screen resize with browser.
>

Almost completely unsupported in VNC - there are a few servers that support
it, but it isn't part of the standard, and Guacamole does not support it as
a client.

To be fair, xrdp does not support dynamic resizing, either, so there's that
- however, it will at least dynamically size the browser window initially.


> - Audio
>

Can be supported with VNC and PulseAudio, but it's a bit tricky to get it
to work.

Should work natively with any RDP server, including xrdp, though audio is
not central to the way I use xrdp, so I don't know that I've actually tried
that.


> - Keyboard layout
>

Honestly I don't stray far from US-10X QWERTY layouts, so I can't help
much, here. I would imagine that you'll need to configure it within the
window manager in your Linux sessions, and that it may not work passing
through RDP, but I'm not certain on that.


> - Firewall rules (weirdly enough, I can't make it work enabling
> 3389/tcp, only completely disabling the firewall makes it work. Still
> investigating..)
>

I just do:
firewall-cmd --add-port=3389/tcp
firewall-cmd --add-port=3389/tcp --permanent

And that does the trick. You might check on special zones or something like
that on your install - it'll depend on the Linux distribution and version
you're using, if firewalld is being used to manage it, etc.

-Nick
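An added example, not part of the original e-mail, of the zone check suggested above: `firewall-cmd --add-port` without `--zone` changes the default zone, so the port stays closed when the interface sits in a different zone. The function names, the `FWCMD` variable and the stubbed `firewall-cmd` output are constructed for illustration; only the `firewall-cmd` options shown are real.

```shell
#!/bin/sh
# Added example, not from the thread. Reports whether a port is open in the
# firewalld zone that actually holds a given interface. It checks
# --list-ports only; ports opened through a firewalld service are not covered.

# Reads `firewall-cmd --get-active-zones` output on stdin and prints the zone
# whose "interfaces:" line names $1 (prints nothing if none does).
zone_for_iface() {
    awk -v want="$1" '
        /^[^ \t]/ { zone = $1; next }
        $1 == "interfaces:" {
            for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit }
        }'
}

# Reads `--list-ports` output on stdin; succeeds if $1 (e.g. 3389/tcp) is
# listed directly or falls inside a listed range such as 5900-5910/tcp.
port_listed() {
    awk -v want="$1" '
        BEGIN { split(want, w, "/"); rc = 1 }
        {
            for (i = 1; i <= NF; i++) {
                split($i, p, "/")
                if (p[2] != w[2]) continue
                n = split(p[1], r, "-")
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (w[1] + 0 >= lo && w[1] + 0 <= hi) rc = 0
            }
        }
        END { exit rc }'
}

# check_port IFACE PORT/PROTO
# Prints open:ZONE, closed:ZONE default=DEFAULT, or no-zone default=DEFAULT.
check_port() {
    fw=${FWCMD:-firewall-cmd}          # FWCMD lets the stub below stand in
    zone=$($fw --get-active-zones | zone_for_iface "$1")
    default=$($fw --get-default-zone)
    if [ -z "$zone" ]; then
        echo "no-zone default=$default"
    elif $fw --zone="$zone" --list-ports | port_listed "$2"; then
        echo "open:$zone"
    else
        echo "closed:$zone default=$default"
    fi
}

# Constructed stand-in for firewall-cmd so the example runs offline:
# eth0 is in "internal", but 3389/tcp was only added to the default zone.
fake_fwcmd() {
    case "$*" in
        "--get-active-zones")
            printf 'public\n  interfaces: eth1\ninternal\n  interfaces: eth0\n' ;;
        "--get-default-zone") echo public ;;
        "--zone=public --list-ports") echo "3389/tcp" ;;
        "--zone=internal --list-ports") echo "5900-5910/tcp" ;;
    esac
}

FWCMD=fake_fwcmd check_port eth0 3389/tcp
```

On a real host, leave `FWCMD` unset so the functions call `firewall-cmd`; a `closed:` result for the xrdp interface means the port has to be added with `--zone=` set to the zone printed.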

Re: Pseudo VDI: VNC pool

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Aug 24, 2021 at 11:03 PM Ciro Iriarte <cy...@gmail.com> wrote:

> Hello!,
>
> Well, with VNC I was planning to use a 1:1 mapping between users and VMs
> (around 20), but with XRDP it seems I can reduce the VM count and have 4
> machines with 5 users. That would reduce the OS maintenance overhead like
> patching, or Firefox bookmarks maintenance (Puppet in the ToDo list, but
> won't be ready soon).
>
>
Yep, this is one of the advantages of using xrdp over VNC, at least in my
use-cases. There may be situations where it's actually better to do a
1-to-1 mapping, but for many cases having multiple users per system is
fine, and xrdp definitely enables this in a way that's a bit easier from a
session management perspective.


> I disabled the default entries which include VNC, and just kept the xorg
> one. No audio out of the box.
>

Hmmm....I'll have to play around with it and see if I can get audio
working. Never really tried this - not been on my use-case list.


>
> Regarding performance, native RDP had nice upgrades in the latest versions
> like UDP support and some kind of out of the box acceleration. I don't
> expect multimedia to be center of the use case, but a quick YouTube test
> makes it clear XRDP is not there yet (very choppy experience).
>
>
Yeah, this isn't terribly surprising. Again, not how I've used xrdp, so I'm
not sure I can offer a lot of help. Maybe the xrdp mailing list or issue
tracker would have some help on this front.

-Nick

>

Re: Pseudo VDI: VNC pool

Posted by Ciro Iriarte <cy...@gmail.com>.
Hello!,

Well, with VNC I was planning to use a 1:1 mapping between users and VMs
(around 20), but with XRDP it seems I can reduce the VM count and have 4
machines with 5 users. That would reduce the OS maintenance overhead like
patching, or Firefox bookmarks maintenance (Puppet in the ToDo list, but
won't be ready soon).

I disabled the default entries which include VNC, and just kept the xorg
one. No audio out of the box.

Regarding performance, native RDP had nice upgrades in the latest versions
like UDP support and some kind of out of the box acceleration. I don't
expect multimedia to be center of the use case, but a quick YouTube test
makes it clear XRDP is not there yet (very choppy experience).

Regards,
CI.-

On Tue, Aug 24, 2021, 21:28 Nick Couchman <vn...@apache.org> wrote:

> On Tue, Aug 24, 2021 at 8:50 PM Ciro Iriarte <cy...@gmail.com> wrote:
>
>> Quick update:
>>
>> Works:
>> - Keyboard layout --> set in Guacamole profile
>>
>
> Great!
>
>
>> - Resize --> changed to reconnect (there's a patch for "display
>> update" at https://github.com/neutrinolabs/xrdp/pull/1820, but not
>> present in 0.9.13.1 that ships with openSUSE 15.3)
>>
>
> Nice! Hopefully this will get added to future releases.
>
>
>>
>> Could you share any tips regarding:
>> - Audio
>>
>
> Not much other than previous e-mail.
>
>
>> - Multiuser logins on the same machine (ala terminal server)
>>
>
> This works pretty much out-of-the-box for me - I don't generally have to
> do anything additional. Note that I am using the xorgxrdp package/driver,
> and have modified xrdp.ini to use that rather than VNC (which is the
> default, at least in the EPEL packages I use with CentOS/RHEL), so that may
> have something to do with it. Are you running into any particular issue
> with multiple users?
>
>
>> - Any performance tuning known/suggested (connection works, although
>> not as smooth as Win10 RDP)
>>
>
> I'm not generally tuning for performance, so I can't really offer much,
> here. Guacamole + xrdp performs perfectly adequately for me, though I'm
> generally just doing admin stuff and nothing that requires any multimedia
> support or performance.
>
> -Nick
>

Re: Pseudo VDI: VNC pool

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Aug 24, 2021 at 8:50 PM Ciro Iriarte <cy...@gmail.com> wrote:

> Quick update:
>
> Works:
> - Keyboard layout --> set in Guacamole profile
>

Great!


> - Resize --> changed to reconnect (there's a patch for "display
> update" at https://github.com/neutrinolabs/xrdp/pull/1820, but not
> present in 0.9.13.1 that ships with openSUSE 15.3)
>

Nice! Hopefully this will get added to future releases.


>
> Could you share any tips regarding:
> - Audio
>

Not much other than previous e-mail.


> - Multiuser logins on the same machine (ala terminal server)
>

This works pretty much out-of-the-box for me - I don't generally have to do
anything additional. Note that I am using the xorgxrdp package/driver, and
have modified xrdp.ini to use that rather than VNC (which is the default,
at least in the EPEL packages I use with CentOS/RHEL), so that may have
something to do with it. Are you running into any particular issue with
multiple users?


> - Any performance tuning known/suggested (connection works, although
> not as smooth as Win10 RDP)
>

I'm not generally tuning for performance, so I can't really offer much,
here. Guacamole + xrdp performs perfectly adequately for me, though I'm
generally just doing admin stuff and nothing that requires any multimedia
support or performance.

-Nick

Re: Pseudo VDI: VNC pool

Posted by Ciro Iriarte <cy...@gmail.com>.
Quick update:

Works:
- Keyboard layout --> set in Guacamole profile
- Resize --> changed to reconnect (there's a patch for "display
update" at https://github.com/neutrinolabs/xrdp/pull/1820, but not
present in 0.9.13.1 that ships with openSUSE 15.3)

Could you share any tips regarding:
- Audio
- Multiuser logins on the same machine (ala terminal server)
- Any performance tuning known/suggested (connection works, although
not as smooth as Win10 RDP)

Regards,
CI.-

On Tue, Aug 24, 2021 at 20:30, Ciro Iriarte (<cy...@gmail.com>) wrote:
>
> Thanks Nick,
>
> I'm giving it a try. Any tips you could share regarding:
> - Screen resize with browser.
> - Audio
> - Keyboard layout
> - Firewall rules (weirdly enough, I can't make it work enabling
> 3389/tcp, only completely disabling the firewall makes it work. Still
> investigating..)
>
> Regards,
> CI.-
>
> On Sun, Aug 22, 2021 at 15:08, Nick Couchman (<vn...@apache.org>) wrote:
> >
> > On Sun, Aug 22, 2021 at 12:21 PM Ciro Iriarte <cy...@gmail.com> wrote:
> >>
> >> Hello!,
> >>
> >> I'm working on a lab environment for coworkers & given the requirements are GUI Jumphosts & no licenses for OS  we settled on Linux+VNC & Loadbalancing pools with Guacamole.
> >>
> >> All the OS users will be named, authenticated to FreeIPA and potentially a NFS based $HOME. Guacamole also authenticating with LDAP+OTP and JDBC-stored connections.
> >>
> >> I've struggled setting up VNC with openSUSE 15.3 and their KDE desktop (SDDM). Have a slightly better outcome with XDM (uglier but works somehow). The desktops/jumphosts are running as PVE VMs, so also tested with KVM/QEMU VNC support. The experience with that case is way better, rock solid VNC session, even manual screen resize works, there's one annoying bit (keyboard mapping for es-latam) and a major roadblock: it's the VM console, user2 could land on the already logged in session for user1.
> >>
> >
> > Yes, here you have run up against one of the chief drawbacks of VNC - lack of session management.
> >
> >>
> >> I imagine I could create the loadbalancing group with 1 connection per user with session "stickiness" & then setup OS level timeouts to lock the GUI session after no activity. That & fixing the keyboard mapping with guacamole-> QEMU VNC console would make it, but feels like having a lot of moving parts.
> >>
> >
> > Yeah, if you're going to go this route, you're essentially going to have to rely upon Guacamole to manage the sessions, which means not load balancing groups and session stickiness, but also logouts. I would say that you need to log out as soon as Guacamole disconnects, not just lock, because you could still run into the same scenario.
> >
> >>
> >> Any smarter approach to this?. Could anybody share their recipe for similar scenarios?.
> >>
> >
> > In personal experience, where I need access to Linux systems remotely, I tend toward xrdp instead of VNC. While xrdp is certainly far from a perfect RDP server implementation, it does feature TLS encryption, some basic session management (disconnect/reconnect and multi-user access to a single system), and there's even a native Xorg xrdp driver that I generally use that avoids having to go through the pain of setting up VNC to back xrdp (which was the way it was originally deployed).
> >
> > You'll still have to rely upon some of Guacamole's features to manage sessions - particularly if you want to load balance and split to multiple hosts, Guacamole's load balancing and session stickiness will still be required to help handle those things. And, if you go that route, you'll still have some challenges with users getting disconnected from one host and then logged on to a different host, where their session will essentially be "lost" (even if it's still running). xrdp does not have any inter-server communications mechanisms (that I know of, anyway) that would help with this, so it really would rely on Guacamole to handle that part of session management.
> >
> > Hope this helps - I'm not saying this is the "right" way to do it, just how I've settled on remote, graphical access to Linux systems over the past couple of years, and it works well for me.
> >
> > -Nick
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: Pseudo VDI: VNC pool

Posted by Ciro Iriarte <cy...@gmail.com>.
Thanks Nick,

I'm giving it a try. Any tips you could share regarding:
- Screen resize with browser.
- Audio
- Keyboard layout
- Firewall rules (weirdly enough, I can't make it work enabling
3389/tcp, only completely disabling the firewall makes it work. Still
investigating..)

Regards,
CI.-

On Sun, Aug 22, 2021 at 15:08, Nick Couchman (<vn...@apache.org>) wrote:
>
> On Sun, Aug 22, 2021 at 12:21 PM Ciro Iriarte <cy...@gmail.com> wrote:
>>
>> Hello!,
>>
>> I'm working on a lab environment for coworkers & given the requirements are GUI Jumphosts & no licenses for OS  we settled on Linux+VNC & Loadbalancing pools with Guacamole.
>>
>> All the OS users will be named, authenticated to FreeIPA and potentially a NFS based $HOME. Guacamole also authenticating with LDAP+OTP and JDBC-stored connections.
>>
>> I've struggled setting up VNC with openSUSE 15.3 and their KDE desktop (SDDM). Have a slightly better outcome with XDM (uglier but works somehow). The desktops/jumphosts are running as PVE VMs, so also tested with KVM/QEMU VNC support. The experience with that case is way better, rock solid VNC session, even manual screen resize works, there's one annoying bit (keyboard mapping for es-latam) and a major roadblock: it's the VM console, user2 could land on the already logged in session for user1.
>>
>
> Yes, here you have run up against one of the chief drawbacks of VNC - lack of session management.
>
>>
>> I imagine I could create the loadbalancing group with 1 connection per user with session "stickiness" & then setup OS level timeouts to lock the GUI session after no activity. That & fixing the keyboard mapping with guacamole-> QEMU VNC console would make it, but feels like having a lot of moving parts.
>>
>
> Yeah, if you're going to go this route, you're essentially going to have to rely upon Guacamole to manage the sessions, which means not load balancing groups and session stickiness, but also logouts. I would say that you need to log out as soon as Guacamole disconnects, not just lock, because you could still run into the same scenario.
>
>>
>> Any smarter approach to this?. Could anybody share their recipe for similar scenarios?.
>>
>
> In personal experience, where I need access to Linux systems remotely, I tend toward xrdp instead of VNC. While xrdp is certainly far from a perfect RDP server implementation, it does feature TLS encryption, some basic session management (disconnect/reconnect and multi-user access to a single system), and there's even a native Xorg xrdp driver that I generally use that avoids having to go through the pain of setting up VNC to back xrdp (which was the way it was originally deployed).
>
> You'll still have to rely upon some of Guacamole's features to manage sessions - particularly if you want to load balance and split to multiple hosts, Guacamole's load balancing and session stickiness will still be required to help handle those things. And, if you go that route, you'll still have some challenges with users getting disconnected from one host and then logged on to a different host, where their session will essentially be "lost" (even if it's still running). xrdp does not have any inter-server communications mechanisms (that I know of, anyway) that would help with this, so it really would rely on Guacamole to handle that part of session management.
>
> Hope this helps - I'm not saying this is the "right" way to do it, just how I've settled on remote, graphical access to Linux systems over the past couple of years, and it works well for me.
>
> -Nick



-- 
Ciro Iriarte
http://iriarte.it
--



Re: Pseudo VDI: VNC pool

Posted by Nick Couchman <vn...@apache.org>.
On Sun, Aug 22, 2021 at 12:21 PM Ciro Iriarte <cy...@gmail.com> wrote:

> Hello!,
>
> I'm working on a lab environment for coworkers & given the requirements
> are GUI Jumphosts & no licenses for OS  we settled on Linux+VNC &
> Loadbalancing pools with Guacamole.
>
> All the OS users will be named, authenticated to FreeIPA and potentially a
> NFS based $HOME. Guacamole also authenticating with LDAP+OTP and
> JDBC-stored connections.
>
> I've struggled setting up VNC with openSUSE 15.3 and their KDE desktop
> (SDDM). Have a slightly better outcome with XDM (uglier but works somehow).
> The desktops/jumphosts are running as PVE VMs, so also tested with KVM/QEMU
> VNC support. The experience with that case is way better, rock solid VNC
> session, even manual screen resize works, there's one annoying bit
> (keyboard mapping for es-latam) and a major roadblock: it's the VM console,
> user2 could land on the already logged in session for user1.
>
>
Yes, here you have run up against one of the chief drawbacks of VNC - lack
of session management.


> I imagine I could create the loadbalancing group with 1 connection per
> user with session "stickiness" & then setup OS level timeouts to lock the
> GUI session after no activity. That & fixing the keyboard mapping with
> guacamole-> QEMU VNC console would make it, but feels like having a lot of
> moving parts.
>
>
Yeah, if you're going to go this route, you're essentially going to have to
rely upon Guacamole to manage the sessions, which means not load balancing
groups and session stickiness, but also logouts. I would say that you need
to log out as soon as Guacamole disconnects, not just lock, because you
could still run into the same scenario.


> Any smarter approach to this?. Could anybody share their recipe for
> similar scenarios?.
>
>
In personal experience, where I need access to Linux systems remotely, I
tend toward xrdp instead of VNC. While xrdp is certainly far from a perfect
RDP server implementation, it does feature TLS encryption, some basic
session management (disconnect/reconnect and multi-user access to a single
system), and there's even a native Xorg xrdp driver that I generally use
that avoids having to go through the pain of setting up VNC to back xrdp
(which was the way it was originally deployed).

You'll still have to rely upon some of Guacamole's features to manage
sessions - particularly if you want to load balance and split to multiple
hosts, Guacamole's load balancing and session stickiness will still be
required to help handle those things. And, if you go that route, you'll
still have some challenges with users getting disconnected from one host
and then logged on to a different host, where their session will
essentially be "lost" (even if it's still running). xrdp does not have any
inter-server communications mechanisms (that I know of, anyway) that would
help with this, so it really would rely on Guacamole to handle that part of
session management.

Hope this helps - I'm not saying this is the "right" way to do it, just how
I've settled on remote, graphical access to Linux systems over the past
couple of years, and it works well for me.

-Nick

>