
[HOW TO] FN11.1 Docker VM, Rancher, Plex, Tautulli, Ombi, Deluge w/OpenVPN & PIA, Sickrage, & More

I've spent the past couple of weekends teaching myself Rancher and Docker with the intention of migrating my Jails to Docker containers. I run a Homelab and a dedicated VMHost (website and internal web apps), and I also want to migrate many of those apps to take advantage of the features of Rancher and Docker. In this guide we will install and configure a RancherOS or Ubuntu VM with Docker/Rancher. Additionally, I will walk you through backing up and migrating your current Plex data from a Plugin or Jail install.

Previously I was only working with RancherOS on a single host. I've since migrated to Ubuntu Server 16.04 OS w/ Docker/Rancher on two hosts managed from a single WebUI. I moved away from RancherOS as it was easier in my environment to centrally manage. This is all a work in progress and taken from my Homelab. I will try to assist in troubleshooting when time is available.

While I have things separated in stacks, you could have them all in the same one. You can pick and choose how you configure your Docker environment.

Installing the VM + Docker/Rancher
Choose the VM OS you prefer
Log into your FreeNAS and go to VMs
001_VM.PNG


Select Add VM
002_AddVM.PNG


VM Type: Change to Docker VM
Name: Give it a name
Description: {Optional}
Virtual CPUs: Min of 1
Memory Size (MiB): Min of 2048
Autostart: Enable

OK to save. You can then select the VM and then Devices at the bottom
003_Devices.PNG


Select the RAW device and then Edit at the bottom
004_RAWEdit.PNG


Raw File: Provide a path to a .IMG file. You must enter the full filename after the path but the install will create it.
Disk boot: Enable
Password: Provide a password. When we access RancherOS via shell, this is the password we will use.
Disk size: Enter the size of the disk

Start the VM! It will download and install the image. You will now want to access your FreeNAS's shell through your preferred method. Then access the VM's shell by running:
cu -l /dev/nmdm#B (Replace # with number listed in /dev/)

You may have to hit enter to get the RancherOS login
005_RacherOS.PNG


Log in with the username 'rancher' and the password you configured earlier for the RAW device. Next you will want to configure a static IP. First run 'ifconfig' to get your interface name (eth0 by default). Then run the following after modifying what you need to depending on your network configuration:

sudo ros config set rancher.network.interfaces.eth0.address 10.1.10.15/24
sudo ros config set rancher.network.interfaces.eth0.gateway 10.1.10.1
sudo ros config set rancher.network.interfaces.eth0.mtu 1500
sudo ros config set rancher.network.interfaces.eth0.dhcp false


Reboot the VM by running 'sudo reboot'. You should be able to SSH into the VM now instead of going through the FreeNAS shell.

Run the following to install the Rancher container so we can access the WebUI:
sudo docker run -d --restart=unless-stopped -p 8080:8080 rancher/server
Note: After it completes the pull and extract processes, it may take a few minutes before the WebUI is accessible!

Once that completes, go to http://{Your_Static_IP}:8080 and go to Add Host. Verify and save the Host Registration URL. Enter the IP for the new host, copy the command and run it in the RancherOS shell
007_AddHost.PNG


Go to Admin > Access Control and select Local Authentication
008_LocAuth.PNG


Enter in your information and Enable Local Auth. RancherOS VM is now installed!

If you chose Ubuntu Server instead, we need to create storage for our VM. Log into your FreeNAS and go to Storage. Select a Dataset where you want to store the VM's disk and then select 'Create zvol'.
001_zvol.PNG


zvol name: {Name}
Comments: {Optional}
Size for this zvol: ## GiB Must end in GiB
The rest are defaults

Select Add zvol to create. Now go to VMs and select Add VM
002_AddVM.PNG


VM Type: Virtual Machine
Name: {Name}
Description: {Optional}
Virtual CPUs: Minimum of 1
Memory Size (MiB): Minimum of 2048
Boot Method: UEFI
Autostart: {Enabled}

Select OK and then select your new VM. At the bottom, select Devices. You should now see the two default devices, NIC & VNC. Select the NIC and then select Edit at the bottom. We need to configure a MAC Address so we do not get a random one every time it reboots.
003_NIC.PNG


MAC Address: {Random MAC} HINT: Select 00:00:00:00 Format and Upper Case!

NOTE: If you are able, I recommend that you go ahead and create a DHCP reservation with the MAC address.

Select OK to save and then select Add device button near the top.
004_DISK.PNG


VM: {Name}
Type: Disk
ZVol: {The zvol we made earlier}
Mode: AHCI

Select OK to save and then select Add device button near the top.
005_ISO.PNG


VM: {Name}
Type: CD-ROM
CD-ROM (ISO): {Path to ISO File on dataset} I'm using ubuntu-16.04.4-server-amd64.iso.

Select OK to save and then click the X next to the VM's name near the top:
006_X.PNG

You will need to get a VNC Viewer to view and control the VM. We will also use it to correct a booting issue that will arise after performing a shutdown.

On the VM page we can see our VM and VNC Port
007_VNCPort.PNG


We will need to point our VNC Viewer at our FreeNAS IP and that port. Once you configure your viewer, start the VM and connect.
008_VNC_Install.PNG


Press Enter on Install Server and allow the installer to boot.
  1. Select your Language
    009_VNC_Install_Lang.PNG
  2. Select your Country
    010_VNC_Install_Loc.PNG
  3. Select <No> to Detect keyboard layout
    011_VNC_Install_Key1.PNG
  4. Select Country of origin for the keyboard
    012_VNC_Install_Key2.PNG
  5. Select Keyboard layout
    013_VNC_Install_Key3.PNG
  6. Enter a hostname
    014_VNC_Install_Hostname.PNG
  7. Enter a name
    015_VNC_Install_Name1.PNG
  8. Enter a username
    016_VNC_Install_Name2.PNG
  9. Enter a password & confirm
  10. Select <No> to Encrypt your home directory
  11. Confirm the detected Time Zone
    017_VNC_Install_TZ.PNG
  12. Select Guided - use entire disk and set up LVM
    018_VNC_Install_LVM1.PNG
  13. Select disk to partition
    019_VNC_Install_LVM2.PNG
  14. Select <Yes> to Write the changes to disk and configure LVM
    020_VNC_Install_LVM3.PNG
  15. Confirm the detected Amount of volume group to use for guided partitioning
    021_VNC_Install_LVM4.PNG
  16. Select <Yes> to Force UEFI installation
    022_VNC_Install_LVM5.PNG
  17. Select <Yes> to Write the change to disks
    023_VNC_Install_LVM6.PNG
  18. Enter Proxy info if any
    024_VNC_Install_Proxy.PNG
  19. Configure Automatic Updates
    025_VNC_Install_Updates.PNG
  20. At the Choose software to install screen, select OpenSSH server
    026_VNC_Install_Software.PNG
  21. Finish the installation prompt now appears
    027_VNC_Install_Complete.PNG
  22. Remove the CD-ROM Device: Go to the FreeNAS WebUI > VMs > Select new VM > Devices > Select CD-ROM device > Delete
  23. Back to VNC Viewer, Select <Continue> to Reboot
The VNC Viewer will disconnect upon reboot but you can reconnect and log back in after the system boots.
028_VNC_login.PNG


There is an issue with UEFI boot when trying to boot up after a shutdown that we should go ahead and resolve.
030_UEFI_Error.PNG

Once you are able to type, enter exit

Scroll down to Boot Maintenance Manager
031_Boot1.PNG


Scroll down to Boot From File
032_Boot2.PNG


Navigate down until you can select the grubx64.efi and select it to start Ubuntu
033_Boot3.PNG

We need to create a new boot directory and copy the working grubx64.efi into it
sudo -i
mkdir /boot/efi/EFI/BOOT
cp /boot/efi/EFI/ubuntu/grubx64.efi /boot/efi/EFI/BOOT/bootx64.efi
poweroff


Start the VM back up and verify with VNC that it boots to the login screen without issue. From here on I would SSH into the VM instead of using VNC. We first need to update and upgrade the VM.
sudo apt-get update && sudo apt-get upgrade -y

Configure apt to use a repository over HTTPS
sudo apt-get install -y apt-transport-https ca-certificates curl software-properties-common

Add Docker's official GPG key
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

Add a stable repo for Docker
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"

Let's update the package lists again
sudo apt-get update

If you are like me and may have multiple Docker hosts, you want them all to run the same version. Check the available versions of Docker
sudo apt-cache madison docker-ce
docker-ce | 17.12.1~ce-0~ubuntu | https://download.docker.com/linux/ubuntu xenial/stable amd64 Packages
docker-ce | 17.12.0~ce-0~ubuntu | https://download.docker.com/linux/ubuntu xenial/stable amd64 Packages
docker-ce | 17.09.1~ce-0~ubuntu | https://download.docker.com/linux/ubuntu xenial/stable amd64 Packages
docker-ce | 17.09.0~ce-0~ubuntu | https://download.docker.com/linux/ubuntu xenial/stable amd64 Packages
docker-ce | 17.06.2~ce-0~ubuntu | https://download.docker.com/linux/ubuntu xenial/stable amd64 Packages
docker-ce | 17.06.1~ce-0~ubuntu | https://download.docker.com/linux/ubuntu xenial/stable amd64 Packages
docker-ce | 17.06.0~ce-0~ubuntu | https://download.docker.com/linux/ubuntu xenial/stable amd64 Packages
docker-ce | 17.03.2~ce-0~ubuntu-xenial | https://download.docker.com/linux/ubuntu xenial/stable amd64 Packages
docker-ce | 17.03.1~ce-0~ubuntu-xenial | https://download.docker.com/linux/ubuntu xenial/stable amd64 Packages
docker-ce | 17.03.0~ce-0~ubuntu-xenial | https://download.docker.com/linux/ubuntu xenial/stable amd64 Packages

Let's install the latest stable version (or the version matching your other hosts)
sudo apt-get install docker-ce=17.12.0~ce-0~ubuntu

Finally, we can install Rancher
sudo docker run -d --restart=unless-stopped -p 8080:8080 rancher/server:stable
Note: After it completes the pull and extract processes, it may take a few minutes before the WebUI is accessible!

Once that completes, go to http://{Your_Static_IP}:8080 and go to Add Host. Verify and save the Host Registration URL. Enter the IP for the new host, copy the command and run it in the RancherOS shell
007_AddHost.PNG


Go to Admin > Access Control and select Local Authentication
008_LocAuth.PNG


Enter in your information and Enable Local Auth. Ubuntu Server VM w/Docker/Rancher is now installed!

Mounting External CIFS
When it's time to restore Plex, I recommend keeping your paths the same. In my configuration, Plex's Storage for the Jail had been configured to /media.

I verified this by going to my FreeNAS WebUI, navigating to Jails > Storage and checking the jail's Destination path(s).
First we need to create a .YAML file to merge into the RancherOS Config. We will accomplish this with vi in the terminal.

vi mount.yaml

Press i to enter insert mode.

mounts:
- - //{FreeNAS}/Backup
  - /media/Backup
  - cifs
  - username={Username},password={Password},iocharset=utf8,_netdev
- - //{FreeNAS}/Media
  - /media/Media
  - cifs
  - username={Username},password={Password},iocharset=utf8,_netdev
- - //{FreeNAS}/Downloads
  - /media/Downloads
  - cifs
  - username={Username},password={Password},iocharset=utf8,_netdev
- - //{FreeNAS}/NextCloud
  - /media/NextCloud
  - cifs
  - username={Username},password={Password},iocharset=utf8,_netdev


Once you've configured the file to your needs, press ESC and then :x to save and close the file.

Run the following to merge the file into the config
sudo ros config merge -i mount.yaml

Reboot the VM by running 'sudo reboot'. You can then run 'sudo df -h' to verify everything mounted correctly.
Filesystem Size Used Avail Use% Mounted on
...
//{FreeNAS}/Backup 100T 3.6T 96.3T 3% /media/Backup
//{FreeNAS}/Media 100T 3.6T 96.3T 3% /media/Media
//{FreeNAS}/Downloads 100T 3.6T 96.3T 3% /media/Downloads
//{FreeNAS}/NextCloud 100T 3.6T 96.3T 3% /media/NextCloud

...
On Ubuntu, first we need to install cifs-utils
sudo apt-get install -y cifs-utils

We need to edit the system's fstab file.
sudo nano /etc/fstab

At the end of the file, we need to mount our shares by adding the following
//{FreeNAS}/Backup /media/Backup cifs username={Username},password={Password},iocharset=utf8,sec=ntlm 0 0
//{FreeNAS}/Downloads /media/Downloads cifs username={Username},password={Password},iocharset=utf8,sec=ntlm 0 0
//{FreeNAS}/Media /media/Media cifs username={Username},password={Password},iocharset=utf8,sec=ntlm 0 0
//{FreeNAS}/Nextcloud /media/nextcloud cifs username={Username},password={Password},iocharset=utf8,sec=ntlm 0 0


When you are done editing the file, press CTRL + X, press Y to confirm, and press Enter to save.

Next, we need to mount the added shares
sudo mount -a
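
The fstab lines above carry the share password in the options field, and /etc/fstab is readable by every local user by default. mount.cifs also accepts a credentials=<file> option, so the sketch below (an added example, not part of the original guide) rewrites fstab-format lines to use per-share credentials files created with mode 0600. The function names, the sample host freenas.example and the sample account are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Moves inline CIFS username=/password= options out of fstab-format lines
# into per-share credentials files that only their owner (root) can read.

# Constructed sample input: the guide's share layout with made-up values.
sample_fstab() {
    cat <<'EOF'
# /etc/fstab (constructed sample)
UUID=0000-constructed / ext4 errors=remount-ro 0 1
//freenas.example/Backup /media/Backup cifs username=svc_docker,password=S3cret-constructed,iocharset=utf8,sec=ntlm 0 0
//freenas.example/Media /media/Media cifs username=svc_docker,password=S3cret-constructed,iocharset=utf8,sec=ntlm 0 0
EOF
}

# rewrite_cifs_fstab CRED_DIR   (fstab on stdin, rewritten fstab on stdout)
rewrite_cifs_fstab() {
    cred_dir=$1
    mkdir -p "$cred_dir" && chmod 700 "$cred_dir" || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) printf '%s\n' "$line"; continue ;;   # blank or comment
        esac
        # Split the six fstab fields (spaces in paths are written as \040).
        set -f; set -- $line; set +f
        dev=$1 mnt=$2 fstype=$3 opts=$4 dump=${5:-0} pass=${6:-0}
        if [ "$fstype" != cifs ]; then
            printf '%s\n' "$line"; continue
        fi
        # Walk the comma-separated options, pulling out the credentials.
        user='' password='' kept=''
        old_ifs=$IFS; IFS=,; set -f
        for o in $opts; do
            case $o in
                username=*|user=*) user=${o#*=} ;;
                password=*|pass=*) password=${o#*=} ;;
                *) kept=${kept:+$kept,}$o ;;
            esac
        done
        set +f; IFS=$old_ifs
        if [ -z "$password" ]; then
            printf '%s\n' "$line"; continue               # nothing inline
        fi
        # One file per mount point, e.g. /media/Backup -> media_Backup.
        cred_file=$cred_dir/$(printf '%s' "${mnt#/}" | tr '/' '_')
        rm -f "$cred_file"
        ( umask 077
          printf 'username=%s\npassword=%s\n' "$user" "$password" > "$cred_file" )
        printf '%s %s %s %s %s %s\n' "$dev" "$mnt" "$fstype" \
            "credentials=$cred_file${kept:+,$kept}" "$dump" "$pass"
    done
}

# Demo on the constructed sample, using a throwaway directory.
demo=$(mktemp -d)
sample_fstab | rewrite_cifs_fstab "$demo/creds"
rm -rf "$demo"
```

On a real host, run it as root with a permanent directory (for example /etc/cifs-credentials, an assumed path), review the output before replacing /etc/fstab, then run 'sudo mount -a' again.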

Plex Media Stack
Go to STACKS > Users > Add Stack
001_pms_addstack.PNG


Name: pms
Description: {Optional}

Select Add Service
002_pms_addserv.PNG


Name: pms
Description: {Optional}
Select Image*: plexinc/pms-docker
+ Port Map: 32400:32400

Add three Environment Variables
003_pms_envvar.PNG


Auto Restart= Always
HOSTNAME= pms
TZ= Timezone
PLEX_CLAIM= claim-{Token} Your claim token from https://www.plex.tv/claim/

Configure Volumes
004_pms_addvol.PNG


/media/pms/config:/config
/media/Media:/media
/media/pms/transcode:/transcode


Configure Networking
005_pms_net.PNG


Network: Managed
Hostname: Use the container name | Set a specific hostname
Resolving Servers: {Your DNS Servers}

You should now be able to Create the service. It will download and configure the container for the service and you should now be able to access it at http://{Docker_IP}:32400

First we need to disable some Plex features for the server migration. In your Plex Jail, go to Settings > Server > Library and disable "Empty trash automatically after every scan". Thanks to the Plex support article "Where is the Plex Media Server data directory located?" we also know the following:

Manual Jail Install:
${JAIL_ROOT}/usr/local/plexdata/Plex Media Server

Plugin Jail Install:
${JAIL_ROOT}/var/db/plexdata/Plex Media Server/

If you do not have a share, you will want to create one to copy your Plex data to.
I migrated my Plex Media Server folder to an existing Backup share via shell like this:
# In a shell, navigate to your plexdata folder and run the following to compress folder
tar -zcvf pms.tar.gz "Plex Media Server/"
# Copy pms.tar.gz file to share.
cp -R /mnt/Jails/plex/usr/local/plexdata/pms.tar.gz /mnt/Volume01/Backup/plexdata/pms.tar.gz


After you've verified you can access the first page of the Plex Wizard, go ahead and stop the service. Back in the VM shell, navigate to /media/pms/config/Library/Application Support.
Delete the current Plex Media Server folder by running
sudo rm -R "Plex Media Server"

Now, let's copy the Jail's Plex Media Server to /media/pms/config/Library/Application Support
sudo cp /media/Backup/plexdata/pms.tar.gz "/media/pms/config/Library/Application Support/"
# This took some time!
# If running RancherOS (two commands are needed as z is missing from tar in RancherOS. If someone knows a better way...):
sudo gunzip pms.tar.gz && sudo tar -xvf pms.tar
sudo rm pms.tar
# If running Ubuntu:
sudo tar -zxvf pms.tar.gz
sudo rm pms.tar.gz

Run the following IF you need to adjust permissions
sudo chown -R user:group "/media/pms/config/Library/Application Support/"

After everything was done, I was able to start the pms service and access the WebUI just as if it were in my jail! Remember to enable Empty trash automatically after every scan in Settings > Server > Library. Be sure and allow your PMS to re-process all your media.

Under the pms stack, select Add Service
006_taut_addserv.PNG


Name: tautulli
Description: {Optional}
Select Image*: shiggins8/tautulli
+ Port Map: 8181:8181

Add Environment Variables
007_taut_envvar.PNG


TZ= Timezone

Configure Volumes
008_taut_addvol.PNG


Variables we will need to address:
  • <path to plexlogs>:/logs:ro Map to the Plex Media Server's log directory; preferably mapped with ro (ReadOnly) access.
We know from the Plex setup it is located on the VM at /media/pms/config/Library/Application Support/Plex Media Server/Logs

/media/tautulli:/config
/media/pms/config/Library/Application Support/Plex Media Server/Logs:/logs:ro


Configure Networking
009_taut_net.PNG


Network: Managed
Hostname: Use the container name | Set a specific hostname
Resolving Servers: {Your DNS Servers}

Create the Tautulli service. It will take some time to initialize but you should be able to access the Setup page http://{Docker_IP}:8181 to get started.
016_tautulli_Wiz.PNG

Under the pms stack, select Add Service
010_ombi_addserv.PNG


Name: ombi
Description: {Optional}
Select Image*: linuxserver/ombi
+ Port Map: 3579:3579

Add Environment Variables
011_ombi_envvar.PNG


TZ= Timezone

Configure Volumes
012_ombi_vol.PNG


/media/ombi:/config

Configure Networking
013_ombi_net.PNG


Network: Managed
Hostname: Use the container name | Set a specific hostname
Resolving Servers: {Your DNS Servers}

Create the Ombi service. It will take some time to initialize but you should be able to access the Setup page http://{Docker_IP}:3579 to get started.
docker-compose.yml
version: '2'
services:
  ombi:
    image: linuxserver/ombi
    environment:
      TZ: America/Chicago
    stdin_open: true
    volumes:
    - /media/ombi:/config
    dns:
    - 10.1.10.3
    - 10.1.10.2
    tty: true
    ports:
    - 3579:3579/tcp
    labels:
      io.rancher.container.pull_image: always
      io.rancher.container.hostname_override: container_name
  tautulli:
    image: shiggins8/tautulli
    hostname: tautulli
    environment:
      TZ: America/Chicago
    stdin_open: true
    volumes:
    - /media/pms/config/Library/Application Support/Plex Media Server/Logs:/logs:ro
    dns:
    - 10.1.10.3
    - 10.1.10.2
    tty: true
    ports:
    - 8181:8181/tcp
    labels:
      io.rancher.container.pull_image: always
  pms:
    image: plexinc/pms-docker
    environment:
      TZ: America/Chicago
      PLEX_CLAIM: claim-
    stdin_open: true
    volumes:
    - /media/pms/config:/config
    - /media/Media:/media
    - /media/pms/transcode:/transcode
    dns:
    - 10.1.10.3
    - 10.1.10.2
    tty: true
    ports:
    - 32400:32400/tcp
    labels:
      io.rancher.container.pull_image: always
      io.rancher.container.hostname_override: container_name

rancher-compose.yml
version: '2'
services:
  ombi:
    scale: 1
    start_on_create: true
  tautulli:
    scale: 1
    start_on_create: true
  pms:
    scale: 1
    start_on_create: true

Downloader Stack
I'm utilizing Deluge with an OpenVPN client connected to Private Internet Access. Since it uses a standard OpenVPN client, this should work with other VPN providers. This will require the OpenVPN configuration files and certs for your VPN provider.

PIA - The configuration files and certs for OpenVPN.

Go to STACKS > Users > Add Stack
001_addstack.PNG


Name: downloaders
Description: {Optional}

Select Add Service
002_deluge_addserv.PNG


Name: delugevpn
Description: {Optional}
Select Image*: binhex/arch-delugevpn
+ Port Map: 8112:8112
+ Port Map: 8118:8118
+ Port Map: 58846:58846
+ Port Map: 58946:58946

Add three Environment Variables
003_deluge_envvar.PNG


VPN_ENABLED= yes
VPN_USER= {Username} Your VPN Username
VPN_PASS= {Password} Your VPN Password
VPN_PROV= pia Your VPN Provider
STRICT_PORT_FORWARD= yes
ENABLE_PRIVOXY= yes
LAN_NETWORK= 10.1.10.0/24 Your networks subnet
NAME_SERVERS= 209.222.18.222,37.235.1.174,8.8.8.8,209.222.18.218,37.235.1.177,8.8.4.4 An external DNS
DEBUG= false
UMASK= 000
PUID= 1001 User permissions for the Download share
PGID= 1001 Group permissions for the Download share

Configure Volumes
004_deluge_vol.PNG


/media/deluge/data:/data
/media/deluge/config:/config
/media/Downloads:/downloads

You will want to create /media/deluge/config/openvpn on the host for OpenVPN configuration files and certs.
sudo mkdir /media/deluge/config/openvpn

You need to copy the ca.rsa.2048.crt crl.rsa.2048.pem & {Location}.ovpn files to the new folder. I placed my files in my existing Downloads CIFS share to copy.
sudo cp /media/Downloads/openvpn/ca.rsa.2048.crt /media/deluge/config/openvpn/ca.rsa.2048.crt
sudo cp /media/Downloads/openvpn/crl.rsa.2048.pem /media/deluge/config/openvpn/crl.rsa.2048.pem
sudo cp /media/Downloads/openvpn/{Location}.ovpn /media/deluge/config/openvpn/{Location}.ovpn


Next, let's adjust permissions to match the PUID:PGID that we configured in our Environment Variables
sudo chown -R 1001:1001 /media/deluge/config/openvpn

Configure Networking
005_deluge_net.PNG


Network: Managed
Hostname: Use the container name | Set a specific hostname

Configure Security
006_deluge_cap.PNG


Add: NET_ADMIN

Create the delugevpn service. It will take some time to initialize but you should be able to access the Setup page http://{Docker_IP}:8112 to get started. The default password is 'deluge'.

To change the default Downloads folder go to Preferences > Downloads and set the 'Download to:' field to '/downloads'.
To change your password go to Preferences > Interface, fill out the fields, and press the 'Change' button.

If you are like me and want to be able to connect from your PC and/or phone, we will need to add an authenticated user. From the VM host's shell we need to modify an auth file
sudo nano /media/deluge/config/auth

On the next line, add a username and password
username:password:10

When you are done editing the file, press CTRL + X, press Y to confirm, and press Enter to save.

You should now be able to connect with your external clients and the WebUI!
007_deluge_log.PNG

Under the downloaders stack, select Add Service
008_sickrage_addserv.PNG


Name: sickrage
Description: {Optional}
Select Image*: linuxserver/sickrage
+ Port Map: 8081:8081

Add Environment Variables
009_sickrage_envvar.PNG


PUID= 1001
PGID= 1001
TZ= Timezone

Configure Volumes
010_sickrage_vol.PNG


/media/sickrage:/config
/media/Downloads:/downloads
/media/Media:/media

Configure Networking
011_sickrage_net.PNG


Network: Managed
Hostname: Use the container name | Set a specific hostname
Resolving Servers: {Your DNS Servers}

Create the Sickrage service. It will take some time (took almost 3 minutes for me) to initialize but you should be able to access the Setup page http://{Docker_IP}:8081 to get started.
012_sickrage_set.PNG

Under the downloaders stack, select Add Service
013_copo_addserv.PNG


Name: couchpotato
Description: {Optional}
Select Image*: linuxserver/couchpotato
+ Port Map: 5050:5050

Add Environment Variables
014_copo_envvar.PNG


PUID= 1001
PGID= 1001
TZ= Timezone

Configure Volumes
015_copo_vol.PNG


/media/couchpotato:/config
/media/Downloads:/downloads
/media/Media:/media

Configure Networking
016_copo_net.PNG


Network: Managed
Hostname: Use the container name | Set a specific hostname
Resolving Servers: {Your DNS Servers}

Create the CouchPotato service. It will take some time to initialize but you should be able to access the Setup page http://{Docker_IP}:5050 to get started.
docker-compose.yml
version: '2'
services:
  sickrage:
    image: linuxserver/sickrage
    environment:
      PUID: '1001'
      PGID: '1001'
      TZ: America/Chicago
    stdin_open: true
    volumes:
    - /media/sickrage:/config
    - /media/Downloads:/downloads
    - /media/Media:/media
    dns:
    - 10.1.10.3
    - 10.1.10.2
    tty: true
    ports:
    - 8081:8081/tcp
    labels:
      io.rancher.container.pull_image: always
      io.rancher.container.hostname_override: container_name
  couchpotato:
    image: linuxserver/couchpotato
    environment:
      PUID: '1001'
      PGID: '1001'
      TZ: America/Chicago
    stdin_open: true
    volumes:
    - /media/couchpotato:/config
    - /media/Downloads:/downloads
    - /media/Media:/media
    dns:
    - 10.1.10.3
    - 10.1.10.2
    tty: true
    ports:
    - 5050:5050/tcp
    labels:
      io.rancher.container.pull_image: always
      io.rancher.container.hostname_override: container_name
  delugevpn:
    cap_add:
    - NET_ADMIN
    image: binhex/arch-delugevpn
    environment:
      VPN_ENABLED: 'yes'
      VPN_USER: {Username}
      VPN_PASS: {Password}
      VPN_PROV: pia
      STRICT_PORT_FORWARD: 'yes'
      ENABLE_PRIVOXY: 'yes'
      LAN_NETWORK: 10.1.10.0/24
      NAME_SERVERS: 8.8.8.8,8.8.4.4
      DEBUG: 'false'
      UMASK: '000'
      PUID: '1001'
      PGID: '1001'
    stdin_open: true
    volumes:
    - /media/deluge/data:/data
    - /media/deluge/config:/config
    - /media/Downloads:/downloads
    tty: true
    ports:
    - 8112:8112/tcp
    - 8118:8118/tcp
    - 58846:58846/tcp
    - 58946:58946/tcp
    labels:
      io.rancher.container.pull_image: always
      io.rancher.container.hostname_override: container_name

rancher-compose.yml
version: '2'
services:
  sickrage:
    scale: 1
    start_on_create: true
  couchpotato:
    scale: 1
    start_on_create: true
  delugevpn:
    scale: 1
    start_on_create: true

Guacamole Stack
I leverage Apache Guacamole to remotely access my home network. I will also walk you through hardening the connection by adding Duo 2FA.

Go to STACKS > Users > Add Stack
001_guacamole_addstack.PNG


Name: guacamole
Description: {Optional}

Select Add Service
002_guacamole_guac_addserv.PNG


Name: guac
Description: {Optional}
Select Image*: guacamole/guacamole
+ Port Map: 8090:8080 Since 8080 is already used by Rancher, you will need to change the Public Port to an unused one.

Add Environment Variables
003_guacamole_guac_envvar.PNG


GUACD_HOSTNAME= guacd
GUACD_PORT= 4822
MYSQL_HOSTNAME= guacdb
MYSQL_DATABASE= guacamole_db
MYSQL_USER= guacamole_user
MYSQL_PASSWORD= {Password}
GUACAMOLE_HOME= /etc/guacamole

Configure Volumes
004_guacamole_guac_vol.PNG


/media/guacamole:/etc/guacamole

Configure Networking
005_guacamole_guac_net.PNG


Network: Managed
Hostname: Use the container name | Set a specific hostname
Resolving Servers: {Your DNS Servers}

We're not done yet as now we need to add guacd as a sidekick container.
006_guacamole_guacd_sidekick.PNG
007_guacamole_guacd_addserv.PNG


Name: guacd
Description: {Optional}
Select Image*: guacamole/guacd

Configure Networking
008_guacamole_guacd_net.PNG


Network: Managed
Hostname: Use the container name | Set a specific hostname

We're not done yet as now we need to add guacdb as a sidekick container.
009_guacamole_guacdb_sidekick.PNG
010_guacamole_guacdb_addserv.PNG


Name: guacdb
Description: {Optional}
Select Image*: mariadb

Add Environment Variables
011_guacamole_guacdb_envvar.PNG


MYSQL_ROOT_PASSWORD= {Password}

Configure Volumes
012_guacamole_guacdb_vol.PNG


/media/Backup:/backup You will need a way to pass along files to the MariaDB container so that we can initialize the database.

Configure Networking
013_guacamole_guacdb_net.PNG


Network: Managed
Hostname: Use the container name | Set a specific hostname

Create the guacamole service but it will not work as there are still a few more steps left before the WebUI is available.
In order to create our database and DB user, apply permissions, and import the database schema, we will need to access the guacdb container's shell.

From guacdb's host shell we need to identify the container ID
sudo docker container ls

Output Example:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
210259f0fec0 mariadb "/.r/r docker-entryp…" About a minute ago Up About a minute r-guacamole-guac-guacdb-1-3e9a8e52


To enter the container's shell
sudo docker exec -it {CONTAINER ID} bash

The hostname in the prompt will change once you are connected
root@guacamole-guac-guacdb-1:/#

Log into the database as root
mysql -u root -p

The following queries create our database and user, and configure permissions
CREATE DATABASE guacamole_db;
CREATE USER 'guacamole_user'@'%' IDENTIFIED BY '{Password}';
GRANT ALL PRIVILEGES ON guacamole_db.* TO 'guacamole_user'@'%';
FLUSH PRIVILEGES;
quit


Once the database and user are created, the database schema must be applied. In the volume we mounted for guacdb, you will want to place the mysql folder found in guacamole-auth-jdbc-0.9.14.tar.gz connector. I was able to cd /backup/mysql to perform the following
cat schema/*.sql | mysql -u root -p guacamole_db

You should be able to access the Login page http://{Docker_IP}:8090/guacamole to get started.
014_guacamole_login.PNG


Default username & password: guacadmin | guacadmin
I recommend creating a new Admin account and removing the default before proceeding with Duo 2FA.
Apache Guacamole supports Duo two-factor authentication. I'm using the Duo Free subscription in my environment with a mix of some Google 2FA.

From your Duo Dashboard, go to Applications and click Protect an Application.
Scroll down to Web SDK and click Protect this Application.

Details will provide:
duo-api-hostname:
duo-integration-key:
duo-secret-key:


Scroll down and fill in the remainder of the information and save it. Be sure to note down the values we need for the configuration.

We also need to generate a long random string for the duo-application-key: value.
dd if=/dev/random count=1 | sha256sum
0+1 records in
0+1 records out
113 bytes copied, 0.000108476 s, 1.0 MB/s
d82dc0f05943de342de2630046c5e38dc083cf5f75c77ca7e81bf0548ec3c8e2 -


Now we need to add the values to the guacamole.properties file. From our container host's shell, we need to
cd /media/guacamole
sudo nano guacamole.properties


duo-api-hostname:
duo-integration-key:
duo-secret-key:
duo-application-key:


When you are done editing the file, press CTRL + X, press Y to confirm, and press Enter to save.

Next, we need to create the extensions folder for the guacamole-auth-duo-0.9.14.jar extension found in guacamole-auth-duo-0.9.14.tar.gz.
sudo mkdir /media/guacamole/extensions

Copy the guacamole-auth-duo-0.9.14.jar into the extensions folder.

Restart the guac service, navigate to the login page http://{Docker_IP}:8090/guacamole, login and configure your Duo 2FA.
docker-compose.yml
version: '2'
services:
  guac:
    image: guacamole/guacamole
    environment:
      GUACD_HOSTNAME: guacd
      GUACD_PORT: '4822'
      MYSQL_HOSTNAME: guacdb
      MYSQL_DATABASE: guacamole_db
      MYSQL_USER: guacamole_user
      MYSQL_PASSWORD: {Password}
      GUACAMOLE_HOME: /etc/guacamole
    stdin_open: true
    volumes:
    - /media/guacamole:/etc/guacamole
    dns:
    - 10.1.10.3
    - 10.1.10.2
    tty: true
    ports:
    - 8090:8080/tcp
    labels:
      io.rancher.container.pull_image: always
      io.rancher.sidekicks: guacd,guacdb
      io.rancher.container.hostname_override: container_name
  guacd:
    image: guacamole/guacd
    stdin_open: true
    tty: true
    labels:
      io.rancher.container.pull_image: always
      io.rancher.container.hostname_override: container_name
  guacdb:
    image: mariadb
    environment:
      MYSQL_ROOT_PASSWORD: {Password}
    stdin_open: true
    volumes:
    - /media/Backup:/backup
    tty: true
    labels:
      io.rancher.container.pull_image: always
      io.rancher.container.hostname_override: container_name

rancher-compose.yml
version: '2'
services:
  guac:
    scale: 1
    start_on_create: true
  guacd:
    scale: 1
    start_on_create: true
  guacdb:
    scale: 1
    start_on_create: true

NextCloud Stack
I'm dealing with a permissions issue. I will update this guide once I've found a solution.

Author: dublea

Latest reviews

Thanks for the detailed steps. I was able to migrate my Plex server from Jail to Docker. Only issue I had is I couldn't see my server in Plex because the Claim code I used was older than 4 minutes before launch of the container. But it was obviously totally my fault ;). Just mentioning it here because it may happen to others!
Excellent thx
Great work!
Very useful
Very useful step through. Particularly helpful in showing how Rancher can shorten the Docker gap left by the demise of Corral.
great guide!! thanks for this.
Awesome guide!
Excellent guide, thanks a lot for taking the time to write it up!