Guacamole with Jetty and MySQL auth in a Jail

dublea

FreeNAS Aware
Joined
May 27, 2015
Messages
32
Thanks
14
#21
Is there a more modern guide of this for 11.1 U6 or 11.2 Beta / RC?

We have docker (kinda) available to us now, as well as iocage jails and full VMs
I have a Guac stack running with Docker. Here is my resource guide I wrote. I plan on updating it in a couple months as there are some major changes I did with mounting the shares, Plex updatability, Nextcloud, and more. But the Guac stack has not changed. It is all currently working with 11.1-U6.
 

diskdiddler

FreeNAS Guru
Joined
Jul 9, 2014
Messages
2,111
Thanks
123
#22
I have a Guac stack running with Docker. Here is my resource guide I wrote. I plan on updating it in a couple months as there are some major changes I did with mounting the shares, Plex updatability, Nextcloud, and more. But the Guac stack has not changed. It is all currently working with 11.1-U6.

Can I confirm you did this on FreeNAS 11.2x RancherOS Docker, to boot?
 

diskdiddler

#24
As stated, 11.1-U6. 11.2 is still not released and is currently RC1. I'll probably update the guide with the new UI in mind when I upgrade.
Thanks for your help.

I've followed the guide and have several suggestions (surprisingly, very little to do with 11.2) - I also am confused - can I use google auth, or duo only?
Are you ok with me giving some suggestions, I have several of them, as this took me quite a while to do.
 

dublea

#25
Thanks for your help.

I've followed the guide and have several suggestions (surprisingly, very little to do with 11.2) - I also am confused - can I use google auth, or duo only?
Are you ok with me giving some suggestions, I have several of them, as this took me quite a while to do.
I mean, I won't say no, lmao! You can post it here, through the discussion for the Resource, or PM me.
 

diskdiddler

#26
I mean, I won't say no, lmao! You can post it here, through the discussion for the Resource, or PM me.
Sorry, I've been meaning to but I've been so busy.

One question before I do a quick write up, you mention google authenticator, but I didn't see that part? Can we use google auth (Authy) rather than the Duo app?
 

dublea

#27
... you mention google authenticator, but I didn't see that part? Can we use google auth (Authy) rather than the Duo app?
Apache Guacamole supports Duo two-factor authentication. I'm using the Duo Free subscription in my environment with a mix of some Google 2FA.
Sorry for the confusion but my intention in the statement was that I am primarily using Duo 2FA with some other hosted items using Google 2FA. Unfortunately, Nextcloud & Cisco Meraki do not support Duo 2FA or I would use it as I prefer the push option.

Per the Apache Guacamole Manual:
Guacamole supports Duo as a second authentication factor, layered on top of any other authentication extension, including those available from the main project website.
While someone could build a Google 2FA, Guacamole currently only supports Duo.
 

diskdiddler

#28
Sorry for the confusion but my intention in the statement was that I am primarily using Duo 2FA with some other hosted items using Google 2FA. Unfortunately, Nextcloud & Cisco Meraki do not support Duo 2FA or I would use it as I prefer the push option.

Per the Apache Guacamole Manual:


While someone could build a Google 2FA, Guacamole currently only supports Duo.
That's fine, I appreciate it, at least I know.
I'll send some notes next week. I'm so busy lately, thanks though.
 

diskdiddler

#29
Sorry for the confusion but my intention in the statement was that I am primarily using Duo 2FA with some other hosted items using Google 2FA. Unfortunately, Nextcloud & Cisco Meraki do not support Duo 2FA or I would use it as I prefer the push option.

Per the Apache Guacamole Manual:


While someone could build a Google 2FA, Guacamole currently only supports Duo.

Aaand here I am again, still without the guide changes suggestions.
However :(
My guac server is 'dead' - I've rebooted both the rancher VM and the entire FreeNAS machine.
I know it's guacamole, since _ALL_ my connections don't work, both SSH to my FreeNAS machine and RDP to 2 different workstations.

I can get into the guacamole UI without an issue, the 2 factor for duo is working fine.
I can add / edit connections.
I've even SSH / dockerered into the bash shell for the main guacamole docker to confirm it can ping the machine I'd like to access.
I would (ASSUME) the sqlDB is working, if the UI is coming up and my connections are 'editable'
I haven't added a firewall and I know SSH / RDP to my destination boxes is fine, via 'normal' methods


Any ideas what this might be? Seems odd it would just die, I thought dockers were kinda reliable as heck due to their design?
(Also, it was working, I have connection history for 2 of them)


Where do I start diagnosing this, without just outright following the entire guide again? Love to know why it happened so I can prevent in future. :)

Code:
"An internal error has occurred within the Guacamole server, and the connection has been terminated. If the problem persists, please notify your system administrator, or check your system logs."
 

diskdiddler

#30

dublea

#31

diskdiddler

#32
I still haven't provided you with the information I wanted either, so sorry.

I got it working on my new system.

Let me just say, the biggest stumping point for me, initially, was the fact that adding a SIDEKICK container, means NOT clicking create, but scrolling back to the top and clicking the plus to attach it to the container you're working on.

Secondly, there's another point where the doco says "fire up sudo nano" and nano isn't installed, so stick consistent with VI in the docs maybe?
 

diskdiddler

#33
I was looking around for the installation how to for Guac on FreeNAS jail but was unable to find one so I decided to write down the steps I took during the installation and post it here.

from http://guac-dev.org/:



Create new jail with default settings
Login to the jail Shell by clicking on shell icon in Jail section in FreeNAS gui or by doing jexec # csh from FreeNAS shell where # is the jail id that you can check by doing jls

(for all the ports below when asked leave default settings)
Code:
portsnap fetch extract
cd /usr/ports/graphics/cairo
make install clean
cd /usr/ports/net/libvncserver
make install clean
cd /usr/ports/misc/ossp-uuid
make install clean
cd /usr/ports/x11-toolkits/pango
make install clean
cd /usr/ports/security/libssh2
make install clean
cd /usr/ports/java/openjdk7
make install clean
cd /usr/ports/www/jetty
make install clean
cd /usr/ports/databases/mysql56-server
make install clean


OR if you don't want to stare at the screen for an hour you can do: (it will still take some time but will not require your interaction until it finishes)
Code:
portsnap fetch extract && cd /usr/ports/graphics/cairo && make -DBATCH install clean && cd /usr/ports/net/libvncserver && make -DBATCH install clean && cd /usr/ports/misc/ossp-uuid && make -DBATCH install clean && cd /usr/ports/x11-toolkits/pango && make -DBATCH install clean && cd /usr/ports/security/libssh2 && make -DBATCH install clean && cd /usr/ports/java/openjdk7 && make -DBATCH install clean && cd /usr/ports/www/jetty && make -DBATCH install clean && cd /usr/ports/databases/mysql56-server && make -DBATCH install clean


Thanks to Deviant0ne for this next part. Go ahead and give him a like or something on the post below.

Install older version of FreeRDP to make RDP work:
Code:
mkdir ~/old_freerdp
svn co -r 387082 svn://svn.freebsd.org/ports/head/net/freerdp ~/old_freerdp
cd ~/old_freerdp && make install clean BATCH=yes


Download Guacamole server source, Guacamole web app, Guacamole jdbc auth modules and MySQL connector for JAVA
Code:
cd ~
fetch http://sourceforge.net/projects/guacamole/files/current/source/guacamole-server-0.9.8.tar.gz
fetch http://sourceforge.net/projects/guacamole/files/current/binary/guacamole-0.9.8.war
fetch http://sourceforge.net/projects/guacamole/files/current/extensions/guacamole-auth-jdbc-0.9.8.tar.gz
fetch http://cdn.mysql.com/Downloads/Connector-J/mysql-connector-java-5.1.36.tar.gz


Extract what needs to be extracted
Code:
tar -zxvf guacamole-server-0.9.8.tar.gz
tar -zxvf guacamole-auth-jdbc-0.9.8.tar.gz
tar -zxvf mysql-connector-java-5.1.36.tar.gz


Configure, compile and install Guacamole Server
Code:
cd ~/guacamole-server-0.9.8
./configure CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" --with-init-dir=/etc/rc.d
make install


Edit ~/.cshrc (I recommend ee) and add this under the other setenv lines and save the file
Code:
setenv GUACAMOLE_HOME /usr/local/jetty/.guacamole


Create some directories and move some files
Code:
mkdir /usr/local/jetty/.guacamole /usr/local/jetty/.guacamole/extensions /usr/local/jetty/.guacamole/lib
mv ~/mysql-connector-java-5.1.36/*.jar /usr/local/jetty/.guacamole/lib/
mv ~/guacamole-auth-jdbc-0.9.8/mysql/*.jar /usr/local/jetty/.guacamole/extensions/
mv ~/guacamole-*.war /usr/local/jetty/webapps/guacamole.war


Start MySQL server
Code:
service mysql-server onestart


Set the database up
Code:
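# Set the MySQL root password (run from the jail shell)
mysqladmin -u root password 'YOUR_NEW_ROOT_PASS_FOR_MYSQL'

# Open the mysql client, then create the database and a user limited to data access
mysql -u root -p
create database GUACAMOLE_DB_NAME;
create user 'GUACAMOLE_USERNAME'@'localhost' identified by 'GUACAMOLE_USER_PASS';
grant select,insert,update,delete on GUACAMOLE_DB_NAME.* to 'GUACAMOLE_USERNAME'@'localhost';
flush privileges;
quit

# Back in the jail shell: load the Guacamole schema into the new database
cd ~/guacamole-auth-jdbc-0.9.8/mysql/schema
cat ./*.sql | mysql -u root -p GUACAMOLE_DB_NAME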


Edit /usr/local/jetty/.guacamole/guacamole.properties (again I recommend ee) the file will be empty (it does not exist yet) type this in and save:
Code:
# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: GUACAMOLE_DB_NAME
mysql-username: GUACAMOLE_USERNAME
mysql-password: GUACAMOLE_USER_PASS


Start Jetty and Guacd
Code:
service jetty onestart
service guacd start


Now you should see Jetty start page on http://your_jail_ip:8080 and Guacamole Login page at: http://your_jail_ip:8080/guacamole/

Default admin login and pass to Guacamole is guacadmin/guacadmin

If everything is working ok you can make Guacamole start automatically with your jail by doing this:

Edit /etc/rc.conf type this in at the end of file and save:
Code:
mysql_enable="YES"
jetty_enable="YES"
guacd_enable="YES"



Edit /etc/rc.d/guacd and after:
Code:
try-restart)
    status && restart
    ;;

add this and save:
Code:
quietstart)
    start
    ;;

Restart your jail and verify that everything is working.
I thought I might try your tutorial and sadly it breaks at this command

"svn co -r 387082 svn://svn.freebsd.org/ports/head/net/freerdp ~/old_freerdp"

I don't have svn installed.
It was worth a shot though :(
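
A check that could be run against the guacamole.properties file created in the guide quoted in post #33, as an added example that is not part of the thread or the guide: it flags a world-readable or world-writable file (the MySQL password is stored there in clear text), a password left as the guide's placeholder, use of the root account instead of the limited user, and a non-local database host. The function name `audit_guac_properties` is hypothetical, the finding rules are this example's own assumptions, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the guide; audit_guac_properties is a hypothetical name.
# Prints one FINDING line per problem; the return status is the number of findings.
audit_guac_properties() {
    file=$1
    findings=0
    [ -f "$file" ] || { echo "FINDING: $file not found"; return 1; }
    # mysql-password is stored here in clear text, so check who can read or change the file.
    if [ -n "$(find "$file" -prune -perm -004 -print)" ]; then
        echo "FINDING: file is world-readable"; findings=$((findings + 1))
    fi
    if [ -n "$(find "$file" -prune -perm -002 -print)" ]; then
        echo "FINDING: file is world-writable"; findings=$((findings + 1))
    fi

    # Parse the "key: value" lines the guide uses; skip comments and blank lines.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        key=$(printf '%s\n' "$line" | sed 's/[[:space:]]*:.*$//')
        value=$(printf '%s\n' "$line" | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//')
        case $key in
            mysql-password)
                if [ -z "$value" ] || [ "$value" = "GUACAMOLE_USER_PASS" ]; then
                    echo "FINDING: mysql-password is empty or still the guide's placeholder"
                    findings=$((findings + 1))
                fi ;;
            mysql-username)
                if [ "$value" = "root" ]; then
                    echo "FINDING: mysql-username is root, not the limited account"
                    findings=$((findings + 1))
                fi ;;
            mysql-hostname)
                case $value in
                    localhost|127.0.0.1|::1) ;;
                    *) echo "FINDING: mysql-hostname is remote ($value)"
                       findings=$((findings + 1)) ;;
                esac ;;
        esac
    done < "$file"
    return "$findings"
}

# Constructed sample: the guide's file saved unchanged with mode 644.
sample=$(mktemp)
printf '%s\n' '# MySQL properties' 'mysql-hostname: localhost' \
    'mysql-username: GUACAMOLE_USERNAME' 'mysql-password: GUACAMOLE_USER_PASS' > "$sample"
chmod 644 "$sample"
audit_guac_properties "$sample" || echo "findings: $?"
rm -f "$sample"
```

In the jail from the guide, the file to pass is /usr/local/jetty/.guacamole/guacamole.properties.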
 

diskdiddler

#34
So version 1.0 is released, I think with Google Authenticator support (!!!)

Anyone got this up and running in a jail?
 