Posted to user@guacamole.apache.org by Kelvin Middleton <ke...@gmail.com> on 2020/01/12 19:19:11 UTC

Help with enabling guacd SSL

Hi, I've a working install using Docker on Windows and am wanting to enable
encryption between the guacamole tomcat instance and guacd.

Reading the manual this seems pretty straightforward if using guacd.conf
but from what I can tell the guacd docker image simply launches the guacd
binary at start and the only item I can change by passing environment
variables is the log level.

$docker ps -a --no-trunc
"/bin/sh -c '/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL
-f'"

Would appreciate any pointers as to the correct way to modify the startup
of a guacd docker container?

Thanks,

Kelvin

Re: Help with enabling guacd SSL

Posted by Kelvin Middleton <ke...@gmail.com>.
Thank you for clarifying, SSL now working between web client and guacd
proxy :-)

On Mon, 13 Jan 2020 at 11:05, Mike Jumper <mj...@apache.org> wrote:

> On Mon, Jan 13, 2020, 02:27 Kelvin Middleton <ke...@gmail.com>
> wrote:
>
>> Thanks for taking the time Mike.
>>
>> So I figured I'd need to mount in certs and I've successfully done this
>> for the guacamole tomcat server and my web proxy so no issues with this.
>> I'd just assumed that the guacd image allowed for more run-time container
>> flexibility like the guacamole image does but from looking at the image
>> config...
>>
>> docker inspect --format='{{.Config.Cmd}}' guacamole/guacd
>> '[/bin/sh -c /usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L
>> $GUACD_LOG_LEVEL -f]'
>>
>> ...I'd need to customise the image to commit a change to the above
>> default CMD behaviour for it to recognise and use a /etc/guacamole/guacd.conf
>> file as I understand the guacd binary will preference the use of command
>> line parameters over the contents of a guacd.conf file?
>>
>
> It will use both. Only the command line parameters that are actually given
> will override their equivalent settings in guacd.conf. Any settings in
> guacd.conf that aren't specifically overridden on the command line will
> remain in effect.
>
> - Mike
>
>

Re: Help with enabling guacd SSL

Posted by Mike Jumper <mj...@apache.org>.
On Mon, Jan 13, 2020, 02:27 Kelvin Middleton <ke...@gmail.com>
wrote:

> Thanks for taking the time Mike.
>
> So I figured I'd need to mount in certs and I've successfully done this
> for the guacamole tomcat server and my web proxy so no issues with this.
> I'd just assumed that the guacd image allowed for more run-time container
> flexibility like the guacamole image does but from looking at the image
> config...
>
> docker inspect --format='{{.Config.Cmd}}' guacamole/guacd
> '[/bin/sh -c /usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L
> $GUACD_LOG_LEVEL -f]'
>
> ...I'd need to customise the image to commit a change to the above default
> CMD behaviour for it to recognise and use a /etc/guacamole/guacd.conf file as
> I understand the guacd binary will preference the use of command line
> parameters over the contents of a guacd.conf file?
>

It will use both. Only the command line parameters that are actually given
will override their equivalent settings in guacd.conf. Any settings in
guacd.conf that aren't specifically overridden on the command line will
remain in effect.

- Mike

Re: Help with enabling guacd SSL

Posted by Kelvin Middleton <ke...@gmail.com>.
Thanks for taking the time Mike.

So I figured I'd need to mount in certs and I've successfully done this for
the guacamole tomcat server and my web proxy so no issues with this.  I'd
just assumed that the guacd image allowed for more run-time container
flexibility like the guacamole image does but from looking at the image
config...

docker inspect --format='{{.Config.Cmd}}' guacamole/guacd
'[/bin/sh -c /usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL
-f]'

...I'd need to customise the image to commit a change to the above default
CMD behaviour for it to recognise and use a /etc/guacamole/guacd.conf file as
I understand the guacd binary will preference the use of command line
parameters over the contents of a guacd.conf file?

Apols if the above is obvious & dumb, I'm new to guacamole and docker so
just making sure I'm going down the right path.

Regards,

Kelvin

On Sun, 12 Jan 2020 at 21:13, Mike Jumper <mj...@apache.org> wrote:

> On Sun, Jan 12, 2020 at 11:19 AM Kelvin Middleton <
> kelvin.middleton@gmail.com> wrote:
>
>> Hi, I've a working install using Docker on Windows and am wanting to
>> enable encryption between the guacamole tomcat instance and guacd.
>>
>> Reading the manual this seems pretty straightforward if using guacd.conf
>> but from what I can tell the guacd docker image simply launches the guacd
>> binary at start and the only item I can change by passing environment
>> variables is the log level.
>>
>> $docker ps -a --no-trunc
>> "/bin/sh -c '/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L
>> $GUACD_LOG_LEVEL -f'"
>>
>> Would appreciate any pointers as to the correct way to modify the startup
>> of a guacd docker container?
>>
>
> Enabling SSL for guacd within the container would require bringing the
> relevant SSL certificate and key into the container, either as part of an
> image that is built on top of the guacamole/guacd image or via volume
> mounts. Whichever of those mechanisms you intend to use to bring your key
> and certificate into the container, I would recommend you use the same
> mechanism to add an /etc/guacamole/guacd.conf which points to that key and
> certificate.
>
> - Mike
>
>

Re: Help with enabling guacd SSL

Posted by Mike Jumper <mj...@apache.org>.
On Sun, Jan 12, 2020 at 11:19 AM Kelvin Middleton <
kelvin.middleton@gmail.com> wrote:

> Hi, I've a working install using Docker on Windows and am wanting to
> enable encryption between the guacamole tomcat instance and guacd.
>
> Reading the manual this seems pretty straightforward if using guacd.conf
> but from what I can tell the guacd docker image simply launches the guacd
> binary at start and the only item I can change by passing environment
> variables is the log level.
>
> $docker ps -a --no-trunc
> "/bin/sh -c '/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L
> $GUACD_LOG_LEVEL -f'"
>
> Would appreciate any pointers as to the correct way to modify the startup
> of a guacd docker container?
>

Enabling SSL for guacd within the container would require bringing the
relevant SSL certificate and key into the container, either as part of an
image that is built on top of the guacamole/guacd image or via volume
mounts. Whichever of those mechanisms you intend to use to bring your key
and certificate into the container, I would recommend you use the same
mechanism to add an /etc/guacamole/guacd.conf which points to that key and
certificate.

- Mike
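
The volume-mount approach described in this thread, as an added example that is not part of the original messages: it writes a guacd.conf with an [ssl] section, checks that the certificate and key it names will exist under the mount, and prints a docker run line that leaves the image's default CMD untouched, so the [ssl] settings stay in effect as described in the reply about command-line overrides. The host directory layout, the ssl/guacd.crt and ssl/guacd.key file names, the container name and a POSIX host shell are assumptions.

```shell
#!/bin/sh
# Assumed layout (not from the thread): one host directory holding guacd.conf,
# ssl/guacd.crt and ssl/guacd.key, mounted read-only at /etc/guacamole.
MOUNT_POINT=/etc/guacamole

# write_guacd_conf DIR: create DIR/guacd.conf pointing at the container-side paths.
write_guacd_conf() {
    cat > "$1/guacd.conf" <<EOF
[ssl]
server_certificate = $MOUNT_POINT/ssl/guacd.crt
server_key = $MOUNT_POINT/ssl/guacd.key
EOF
}

# ssl_setting CONF NAME: print the value of NAME from the [ssl] section of CONF.
ssl_setting() {
    awk -v want="$2" '
        /^[ \t]*\[/ { in_ssl = ($0 ~ /^[ \t]*\[ssl\][ \t]*$/); next }
        in_ssl && /^[ \t]*[^#=]+=/ {
            name = $0; sub(/=.*/, "", name); gsub(/[ \t]/, "", name)
            value = $0; sub(/^[^=]*=[ \t]*/, "", value); sub(/[ \t]+$/, "", value)
            if (name == want) { print value; exit }
        }' "$1"
}

# preflight DIR: succeed only if guacd.conf in DIR names a certificate and key
# that will exist under the mount point and the key is not world-readable.
preflight() {
    dir=$1
    [ -f "$dir/guacd.conf" ] || { echo "missing guacd.conf" >&2; return 1; }
    for name in server_certificate server_key; do
        path=$(ssl_setting "$dir/guacd.conf" "$name")
        case $path in
            "$MOUNT_POINT"/*) host_file=$dir/${path#"$MOUNT_POINT"/} ;;
            *) echo "$name is unset or outside $MOUNT_POINT" >&2; return 1 ;;
        esac
        [ -f "$host_file" ] || { echo "$name: $host_file not found" >&2; return 1; }
    done
    # host_file is now the key; character 8 of the ls mode string is "other read".
    case $(ls -ld "$host_file") in
        ???????r*) echo "private key is world-readable" >&2; return 1 ;;
    esac
}

# run_command DIR: print the docker invocation; no CMD override is needed.
run_command() {
    printf 'docker run -d --name guacd -v "%s:%s:ro" guacamole/guacd\n' "$1" "$MOUNT_POINT"
}
```

The key must still be readable by the user guacd runs as inside the container, and the web application side needs `guacd-ssl: true` in guacamole.properties before it will speak SSL to guacd.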