Re: Companies Using Guacamole

2024-07-22 Thread Lee Doughty
It might be helpful to know what you're seeking to learn from your inquiry.


There are many many organizations using guacamole... AWS is using guacamole
with a custom auth (& likely other components) under the hood to provide
access for whatever they call their web connection serial console option.

I see people reporting with stats on sizing, is that actually what you want
to know? Are you targeting a specific cloud, or going on prem?


Much of what has been said is applicable. Sean is showcasing a likely worst
case scenario, but it really depends on your workload and design. It
certainly also helps if you can implement auto off/on... Or just in time
provisioning... Watch your costs closely at first and you should be okay.
It's tricky to estimate costs without knowing workloads...

If you're trying to replicate workspaces, the cost I would watch out for
would be disk storage. The storage cost can sneak up on you if you are just
planning to give each user their own independent workspace. Most solutions
resolve this by mounting a user folder/volume at (just in time)
provisioning/login it seems. If this doesn't sound like something you're
planning to do, the storage will probably end up costing far far more than
guacamole.

-Lee


On Fri, Jul 19, 2024, 11:59 AM Justin Kocian 
wrote:

> Hello,
>
> I'm working on a writeup for our move to Apache Guacamole from AWS
> Workspaces, and am trying to locate a list of companies using Guacamole.
> Does anyone know of such a thing, or can anyone provide examples? We're a
> relatively small company, with less than 100 users, so the comparison
> doesn't *need* to be large companies (though that helps my case).
>
> Thanks!!
>


Re: Guacamole HA

2023-10-08 Thread Lee Doughty
Whenever I've seen the topic of HA come up, it's always been similar to
what Nick just said. There really doesn't seem to be a good way to get true
high availability.

It seems the best you can do is "shard" your guacamole+guacd stacks so that
a failure in one of them only takes out a small portion of your end users.

Since the loss of a tomcat server means all guacd sessions passing through
it are toast.. to get the best "sharding", the logic to me seems to
encourage lots of small guacamole+guacd paired servers... If you scale
horizontally like this (which obviously allows for weaker/cheaper
individual servers).. then losing 1 of 10 servers impacts only 10% of users.

On Sat, Oct 7, 2023, 7:18 PM Nick Couchman  wrote:

>
>
> On Sat, Oct 7, 2023 at 4:23 PM Maciej Konigsman
>  wrote:
>
>> Hi,
>>
>> I would like to run Guacamole in HA.
>> I identified four services to achieve HA:
>> 1. Load balancer
>> 2. Web UI (Tomcat)
>> 3. Guacd
>> 4. DB (MySQL)
>>
>> I know how to configure HA for 1, 2 and 4
>> I'm having an issue with understanding/finding documentation or examples
>> for guacd. My main concern is how to keep a session (including recording)
>> if a container with guacd fails or gets restarted.
>>
>
> The first thing to note would be that there's no way to
> synchronize session information between instances of guacd. So, if a system
> running guacd crashes, or guacd itself crashes completely, you won't be
> able to maintain those sessions - the users will get disconnected and will
> have to re-establish connections with working guacd instances. This is also
> true of the Web UI (Tomcat) portion of Guacamole - users logged in and
> sessions established on one of the Web front-ends will not be visible to or
> synchronized with sessions and users on the other web front-end. This will
> also impact your ability to use connection sharing effectively, as users on
> one web front-end and/or guacd instance will not be able to share their
> connections with users who happen to log in to a different web front end,
> or who connect through a different guacd.
>
> As far as how to load-balance guacd, you can use a network load balancer
> (like HAProxy) and then use session "stickiness" to make sure that your web
> front-end systems get consistently connected to the same guacd instance.
>
> -Nick
>
>>


Re: New to Guacamole and looking for guidance

2023-07-17 Thread Lee Doughty
> I have already spent a few working days diving into Guacamole's docs
(installation, configuration, usage...) and into the repository above
(checking configuration files, contents of docker containers, logs...) to
no avail.

It's a fairly common misconception -- Guacamole can't work around OS
limitations on concurrent sessions. Really it's the OS that decides how to
handle a second session, not Guacamole... Guacamole can do a view only
share (I believe, I don't use the feature) but I think that's it. So if you
want 2 people interactively using the same server at the same time, using
RDP, you need to look into your OS options around that.

I'm not up to date on Windows, but I believe only Terminal Services
supported multiple RDP connections.. though I imagine things have changed
in the last decade.


On Mon, Jul 17, 2023, 9:08 PM Nick Couchman  wrote:

> On Mon, Jul 17, 2023 at 11:31 AM Aaron Contreras 
> wrote:
>
>> Hello there,
>>
>> first of all, I am not sure this is the proper channel to raise this kind
>> of request, so I apologise in advance if it isn't and would appreciate
>> being redirected to the proper channels (if any such channel exists.)
>>
>> I am quite new to Apache Guacamole, I have barely just installed it using
>> a docker-compose setup found on GitHub
>> , which
>> at first glance looked OK for starters.
>>
>> Problem is, after creating some RDP connections, I am not able to have
>> some basic functionality working (such as initial program or concurrent
>> sessions...). I have already spent a few working days diving into
>> Guacamole's docs (installation, configuration, usage...) and into the
>> repository above (checking configuration files, contents of docker
>> containers, logs...) to no avail.
>>
>> I understand this is way too generic for anyone to provide an answer, but
>> I would really appreciate it if someone could point me in the right
>> direction to start debugging my installation or to get a better
>> understanding of what may be happening under the hood.
>>
>
> This mailing list is a great place to start - hopefully the community,
> here, can help get you going in the right direction. In addition to that,
> the Guacamole Manual (Guacamole User Guide, or GUG), is a good place to
> start reading:
>
> https://guacamole.apache.org/doc/gug/
>
> Beyond that, yeah, we're going to need some additional detail from you,
> probably log entries, or, at the very least, some very specific
> descriptions of the behavior you're seeing.
>
> -Nick
>
>>


Re: Problem with Guacamole and SSH connections

2023-05-01 Thread Lee Doughty
As a note, this is a user mailing list, not a support help desk. Most
people receiving your request for help are users like yourself.


Our team upgraded from 1.3 to 1.5 over the last month and had no issues
like you describe reported from our user base. We run on AWS EC2/ECS using
the docker image as a base, with slight modifications only for our custom
user authorization on the front end side.



Your error log points to a SSH key problem. There was a similar issue
reported in
https://issues.apache.org/jira/plugins/servlet/mobile#issue/GUACAMOLE-1540

While this mentions docker, since it's talking about installed packages, it
is still applicable to non-containerized installs.

I'm otherwise not very familiar with this particular issue so I can't
provide much more, this is just what I can see from Google searching. Your
update has two major variables: a guacamole update and an OS update. I
would wager that this issue relates to the OS change and the packages
installed -- you might actually benefit from looking at what packages the
docker version installs as guidance on packages you need.

-Lee


On Sun, Apr 30, 2023, 9:45 PM Rhodes, Fego  wrote:

> Hi Support
>
>
>
> We are using Guacamole in AWS EC2, we upgraded from 1.4033 r09 on Debian
> 10 to 1.5.0-r06 on Debian 11.
>
>
>
> We are having an issue with connecting to all ssh endpoints, the error we get
> is shown below from syslog.
>
>
>
> May 1 00:30:24 ip-10-0-20-10 guacd[1447]: Creating new client for protocol
> "ssh"
>
> May 1 00:30:24 ip-10-0-20-10 guacd[1447]: Connection ID is
> "$4e0597ef-abd3-4af8-8a50-473f4cbf74ec"
>
> May 1 00:30:24 ip-10-0-20-10 guacd[183380]: User
> "@5f13f0a8-867f-4620-8acb-2c676351b7dd" joined connection
> "$4e0597ef-abd3-4af8-8a50-473f4cbf74ec" (1 users now present)
>
> May 1 00:30:24 ip-10-0-20-10 guacd[183380]: Auth key successfully imported.
>
> May 1 00:30:24 ip-10-0-20-10 guacd[183380]: No known host keys provided;
> host identity will not be verified.
>
> May 1 00:30:24 ip-10-0-20-10 guacd[183380]: Public key authentication
> failed: Unable to extract public key from private key.
>
> May 1 00:30:24 ip-10-0-20-10 guacd[183380]: User
> "@5f13f0a8-867f-4620-8acb-2c676351b7dd" disconnected (0 users remain)
>
> May 1 00:30:24 ip-10-0-20-10 guacd[183380]: Last user of connection
> "$4e0597ef-abd3-4af8-8a50-473f4cbf74ec" disconnected
>
> May 1 00:30:24 ip-10-0-20-10 guacd[1447]: Connection
> "$4e0597ef-abd3-4af8-8a50-473f4cbf74ec" removed.
>
>
>
> I have tried many things to resolve it such as adding the lines below to
> the sshd_config on your guacamole server.
>
>
>
> echo "PubkeyAcceptedAlgorithms=+ssh-rsa" >> /etc/ssh/sshd_config
>
>
>
> echo "HostKeyAlgorithms +ssh-rsa" >> /etc/ssh/sshd_config
>
>
>
> Nothing has worked and it is a lot frustrating, has anyone experienced
> this before and any ideas on how to resolve this please?
>
>
>
> Thank you.
>
>
>
> Fego Rhodes
>
>
>
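
Added example (not part of the original thread, and not Guacamole project code): a small Python triage of the guacd syslog lines quoted above. It groups messages by connection and flags the two security-relevant events, the skipped SSH host verification and the public key authentication failure. The rule names and the triage() function are made up for this illustration; the log lines are the ones from the message, with the e-mail line wraps rejoined.

```python
import re

# guacd syslog lines quoted in the message above, e-mail line wraps rejoined.
SAMPLE_LOG = '''\
May 1 00:30:24 ip-10-0-20-10 guacd[1447]: Creating new client for protocol "ssh"
May 1 00:30:24 ip-10-0-20-10 guacd[1447]: Connection ID is "$4e0597ef-abd3-4af8-8a50-473f4cbf74ec"
May 1 00:30:24 ip-10-0-20-10 guacd[183380]: User "@5f13f0a8-867f-4620-8acb-2c676351b7dd" joined connection "$4e0597ef-abd3-4af8-8a50-473f4cbf74ec" (1 users now present)
May 1 00:30:24 ip-10-0-20-10 guacd[183380]: Auth key successfully imported.
May 1 00:30:24 ip-10-0-20-10 guacd[183380]: No known host keys provided; host identity will not be verified.
May 1 00:30:24 ip-10-0-20-10 guacd[183380]: Public key authentication failed: Unable to extract public key from private key.
May 1 00:30:24 ip-10-0-20-10 guacd[183380]: User "@5f13f0a8-867f-4620-8acb-2c676351b7dd" disconnected (0 users remain)
May 1 00:30:24 ip-10-0-20-10 guacd[183380]: Last user of connection "$4e0597ef-abd3-4af8-8a50-473f4cbf74ec" disconnected
May 1 00:30:24 ip-10-0-20-10 guacd[1447]: Connection "$4e0597ef-abd3-4af8-8a50-473f4cbf74ec" removed.
'''

# "<month> <day> <time> <host> guacd[<pid>]: <message>"
LINE_RE = re.compile(
    r'^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+guacd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$')
# Connection IDs are "$" followed by a UUID (user IDs start with "@").
CONN_ID_RE = re.compile(r'"(\$[0-9a-f-]{36})"')
PROTOCOL_RE = re.compile(r'Creating new client for protocol "([^"]+)"')

# Hypothetical rule names; the patterns are the messages seen in the log above.
RULES = (
    ("host-key-not-verified", re.compile(r'^No known host keys provided')),
    ("pubkey-auth-failed",
     re.compile(r'^Public key authentication failed: (?P<detail>.+)$')),
)


def triage(log_text):
    """Return {connection_id: {"protocol": str, "findings": [(rule, detail)]}}."""
    connections = {}
    pid_to_conn = {}        # child guacd PID -> connection it serves
    pending_protocol = {}   # parent PID -> protocol announced just before the ID

    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # not a guacd syslog line
        pid, msg = match.group("pid"), match.group("msg")

        proto = PROTOCOL_RE.search(msg)
        if proto:
            pending_protocol[pid] = proto.group(1)
            continue

        conn = CONN_ID_RE.search(msg)
        if conn:
            conn_id = conn.group(1)
            entry = connections.setdefault(
                conn_id, {"protocol": None, "findings": []})
            if msg.startswith("Connection ID is"):
                entry["protocol"] = pending_protocol.pop(pid, None)
            elif "joined connection" in msg:
                # From here on, ID-less messages from this PID belong to conn_id.
                pid_to_conn[pid] = conn_id
            continue

        conn_id = pid_to_conn.get(pid)
        if conn_id is None:
            continue
        for name, pattern in RULES:
            hit = pattern.search(msg)
            if hit:
                detail = hit.groupdict().get("detail", "")
                connections[conn_id]["findings"].append((name, detail))
    return connections


if __name__ == "__main__":
    for conn_id, info in triage(SAMPLE_LOG).items():
        print(conn_id, info["protocol"])
        for name, detail in info["findings"]:
            print("  ", name, detail)
```

The first finding is worth fixing independently of the login failure: until known host keys are supplied for the connection, guacd accepts whatever host answers on the target address.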


Re: Apache Guacamole 1.5.0 docker image

2023-02-19 Thread Lee Doughty
Michael clearly stated "latest 8.5.x"

Tomcat 8.5.85 was released January 11th.

Just because it's not "9" does not mean it's not production ready and
well maintained.




On Sun, Feb 19, 2023, 9:13 PM Sean Hulbert
 wrote:

> Thought Tomcat at 9.3.72
>
>
>
> Sent by Android Ai hijacked INS communications 6G
>
>
>  Original message 
> From: Michael Jumper 
> Date: 2/19/23 3:53 PM (GMT-08:00)
> To: user@guacamole.apache.org
> Subject: Re: Apache Guacamole 1.5.0 docker image
>
> On Sun, Feb 19, 2023, 2:48 PM Luis Cascales 
> wrote:
>
>> Hi,
>>
>
>> With this latest release of Guacamole, the docker image will be running
>> with Tomcat 8 still?
>>
>
> The images use the latest version of Tomcat 8.5.x and are rebuilt nightly.
>
>
>> Also, to test the LDAP and AD functionality, do I need to compile the
>> extensions with "mvn package", or the provided guacamole war file already
>> includes all the extensions?
>>
>
> The .war file never includes any extensions.
>
> If deploying manually, you would download and install them in
> /etc/guacamole/extensions. You don't need to build them - they are linked
> in the release notes / download page.
>
> If using the Docker image, they are bundled and automatically installed.
>
> - Mike
>
>


Re: File transfer over vnc

2022-10-09 Thread Lee Doughty
The key words of that document are "or SFTP"

VNC does not support file transfer natively, so you'd need to set up the
target system to support SFTP, and go that route... I have not done that
for Windows, so I cannot help there.. however if you used RDP file transfer
should work.

-Lee

On Sun, Oct 9, 2022, 12:53 PM Giuseppe Giardina 
wrote:

> Hi everyone,
>
> I'm new in apache guacamole. I installed a server and webclient on
> oracle linux 8 and I successfully connect to a windows machine with vnc
> server. I don't understand how can I upload file.
>
> On documentation
> (
> https://guacamole.apache.org/doc/gug/using-guacamole.html#transferring-files)
>
> it's written it is possible to use native transfer but how?
>
> --
> Protect me from knowing what I don't need to know. Protect me also from
> knowing that I ought to know what I don't know. Protect me from knowing
> what I have decided not to know. The things I have decided not to know...
> Lord,
> protect me from the consequences of the above prayer. [Douglas Adams]
>
>
> -
> To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
> For additional commands, e-mail: user-h...@guacamole.apache.org
>
>


Re: High memory usage on idle server

2022-09-13 Thread Lee Doughty
Sean,

To restate what Philip said:
"Linux uses available Memory as file cache"

You are misunderstanding the buff/cache item and assuming there's a problem
-- this is a very common (but also incorrect) assumption

Please read more on the topic here: https://www.linuxatemyram.com/

Linux is doing smart things to make the server operate faster, this does
not have a negative impact on your system, in fact, it is speeding up
access times for files since they can be read from memory instead of
pulling data from disk/NFS.

-Lee


On Tue, Sep 13, 2022, 1:21 PM Sean Hulbert
 wrote:

>
>
> Thanks for a quick reply Philipp
>
>
>
> Looks like there is 8.8G free, however 7.7G in idle seems a bit excessive,
> unless I am reading this wrong.
>
>
>
>
>
> *From:* Philipp Zeitschel [mailto:phil...@zeitschel.net.INVALID]
> *Sent:* Tuesday, September 13, 2022 10:11 AM
> *To:* user@guacamole.apache.org
> *Subject:* Re: High memory usage on idle server
>
>
>
> Hi,
>
>
>
> Linux uses available Memory as file cache
>
> Look at „available“
>
> There you can see that you‘ve got more than 9GB free Memory
>
>
>
> Regards
>
>
>
> Philipp
>
>
>
> On 13.09.2022 at 19:07, Sean Hulbert <
> shulb...@securitycentric.net.invalid> wrote:
>
> 
>
>
>
> Hello
>
>
>
> I am running Guacamole 1.4.0 (Ubuntu 20.04 TLS) with MySQL and MFA, we
> have 12G memory allocated to the server and it's peaking 11G in usage when
> there are no connections.
>
> What is interesting, our other servers we have allocated 64G ram and on
> idle they consume 10G-12G; any thoughts on why these processes are such
> pigs?
>
>
>
> Here is a TOP Image
>
> [image: image001.png]
>
>
>
>


Re: Web analytics

2022-09-07 Thread Lee Doughty
I don't think the head section is modifiable in that way.. you could
probably use "body" selector and get it to load early in the page.

On Wed, Sep 7, 2022, 2:16 AM Kiel Hurley 
wrote:

> We have multiple Guacamole servers and I’d like to do web analytics to see
> how much they’re being used, and when.
>
>
>
> umami (and it would be similar for Google Analytics) requires adding a
> script into the  section (https://umami.is/docs/collect-data). I
> created an extension with the following html file, and was hoping it would
> work:
>
> 
>
> https://analytics.example.com/umami.js";>
>
>
>
> The Tomcat log says the extension loaded but it didn’t appear to work, as
> meta is trying to insert the line before the children of a CSS tag called
> “head” (
> https://guacamole.apache.org/doc/gug/guacamole-ext.html#updating-existing-html),
> which doesn’t exist.
>
>
>
> I considered using the js extension resource instead of html, to copy the
> JavaScript file, but I need to include the GUID for the website so I’m not
> sure this would work.
>
>
>
> Is there a way to insert the script line into the head using an extension?
> Or could there another way to achieve something similar?
>
>
>
> Thanks
>


Re: Permissions

2022-08-25 Thread Lee Doughty
Sean, I think there is a mixup on the words, or your intention is unclear.

You would like to scan the file from the target server before the user has
selected the file to upload?

The order of operations in this case *must* be:
1) User selects the file by drag & drop to the VM
2) Upload occurs
3) Target server receives file and is able to scan it

Any other order, scanning from the target side, is simply impossible -- the
server can't scan a file it does not have, and Guacamole cannot upload an
undefined file.

If you're talking about trying to intercept the file *after* upload, before
the user can execute/see it, that's on the OS/target side, outside of
Guacamole's reach... Guacamole is simply uploading the file over the
defined protocol, and I'm not aware of a protocol that allows an uploader
to force the recipient to begin an AV scan after upload.

-Lee


On Wed, Aug 24, 2022 at 8:59 PM Sean Hulbert
 wrote:

> Ok figured it out, permissions ok, however if you have ClamAV running and
> scanning Ondemand enabled it will automatically fail the upload.
>
>
>
> So now my question is this; is there a way to scan uploaded files after
> they completed uploading to the GUAC_USERNAME directory before users drag
> them in to the environment?
>
>
>
>
>
>
>
> *Thank You*
>
> *Sean Hulbert*
>
>
>
>
>
> *From:* Sean Hulbert [mailto:shulb...@securitycentric.net.INVALID]
> *Sent:* Wednesday, August 24, 2022 5:42 PM
> *To:* user@guacamole.apache.org
> *Subject:* Permissions
>
>
>
> Hello
>
>
>
> Is there any reason why the GUAC_USERNAME for the file uploads permission
> can't be set to write only when dragging and dropping files in to the
> environment?
>
>
>
>
>
>
>
> *Thank You*
>
> *Sean Hulbert*
>
>
>
>
>


Re: A question about performance.

2022-08-12 Thread Lee Doughty
It sounds like you're saying the target system has this CPU issue, but the
target system is not the system running any guacamole or guacd software?

If that's the case, then this isn't a guacamole issue, and for "methods to
resolve" this, you might have better luck NOT including guacamole in any
debug searching you do... And instead searching for "RDP", "Linux", and
"performance"

The only part of guacamole that really would be in question is which
extensions to RDP are supported (such as MS-RDPEVOR for video).. but if
guacamole doesn't support it, it's likely also an issue with the target OS
too, since there's a good chance they both use roughly the same RDP library
under the hood if I'm understanding how it works correctly.

In terms of RDP performance issues, the most likely issue is the lack of a
video card, forcing it to do CPU-based emulation instead of offloading that
to a GPU optimized for that work... I would also check that the connection
between all systems in the chain have sufficient bandwidth -- which is also
dependent on the size of your viewport for the RDP session. If you're using a
4k monitor and a full screen browser tab, then the RDP connection will be
nearly 4k resolution itself. This would increase the burden on the target
system's CPU.

-Lee



On Fri, Aug 12, 2022, 4:11 AM tong13005572...@gmail.com <
tong13005572...@gmail.com> wrote:

> Hi~
>
> My os environment:
> OS: Rocky Linux release 8.5 (Green Obsidian)
> CPU:   Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
> Memory: 8GB
>
> After the client establishes an RDP connection (only one connection), I
> observe the CPU utilization rate through the top command in the Linux
> system.
> When the content of the client window changes a lot, such as playing video
> and dragging the window quickly, I can see that the single core CPU
> utilization rate reaches 100%, and the memory utilization rate is not high.
> I want to know what methods can be used to solve this situation and
> replace it with a better CPU or GPU?
>
> --
> tong13005572...@gmail.com
>


Re: guacd performance

2022-07-13 Thread Lee Doughty
Could you please provide a detailed statement about your use case &
concerns?

What protocols do you expect to be used? Are there specific features that
you need to use (such as session recording or file transfer)? Are your users
going to be located close to the machines that they are interacting with?
Do you already have equipment such as servers and/or load balancers? Is
there a particular aspect that you're concerned about? What's your
experience level with system administration and load balancing? Do you have
constraints, such as using a cloud provider, or LDAP authentication? Have
you ever worked with guacamole, and is this just a request for fine tuning?

The people in the mailing list are generally very helpful, but more
specific questions would likely get you better answers and a faster
response to those questions.

-Lee


On Wed, Jul 13, 2022, 7:17 AM Ravichandran S
 wrote:

> Hi Team,
>
> I need to support 500 session launches at a time. please help me to
> configure guacd and how I can monitor the performance.
>
> Thank you.
>
> Thanks,
> Ravichandran
>


Re: reverse proxy and SAML SSO

2022-06-30 Thread Lee Doughty
It contains "guacamole" in the path because that's what Tomcat does... it
infers paths by the name of the file, as you see.

If it's easier, you can also achieve this by setting WEBAPP_CONTEXT in the
environment:

https://github.com/apache/guacamole-client/blob/1.4.0/guacamole-docker/bin/start.sh#L728

On Thu, Jun 30, 2022 at 7:20 AM Vieri  wrote:

> The problem seems to be with the onelogin library:
>
> java-saml/core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java
>
> contains:
>
> protected void validateDestination(final Element element) throws ValidationError {
>     if (element.hasAttribute("Destination")) {
>         final String destinationUrl = element.getAttribute("Destination");
>         if (destinationUrl != null) {
>             if (destinationUrl.isEmpty()) {
>                 throw new ValidationError("The response has an empty Destination value", ValidationError.EMPTY_DESTINATION);
>             } else if (!destinationUrl.equals(currentUrl)) {
>                 throw new ValidationError("The response was received at " + currentUrl + " instead of " + destinationUrl, ValidationError.WRONG_DESTINATION);
>             }
>         }
>     }
> }
>
> Now, considering my Apache reverse proxy config and the "Destination"
> field in the SAML response here below:
>
>   Destination="https://guac.mydomain.org/api/ext/saml/callback"
>  ID="_f53e5bfaf4fae92d0cc4c602f59b8a98"
>
> InResponseTo="ONELOGIN_515df37e-aaa0-4024-bd29-8c869fb7ea95"
>  IssueInstant="2022-06-30T06:44:57.465Z"
>  Version="2.0"
>  >
>
> I guess that's why it's "failing" because currentUrl != destinationUrl.
>
> Now, how come currentUrl is
> https://guac.mydomain.org/guacamole/api/ext/saml/callback ?
> Who is requesting that URL and why does it contain "guacamole" in the path?
> Neither the IdP nor the guacamole SP ever mention that the callback should
> be https://guac.mydomain.org/guacamole/api/ext/saml/callback.
>
>
>
>
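
Added example (not from the thread, and not java-saml or Guacamole code): a Python model of the exact-match Destination check quoted above. It shows why a proxy that maps / to Tomcat's /guacamole/ context fails the check and why serving the webapp from the root context passes. It assumes the proxy preserves scheme and host, as the currentUrl reported in the message suggests; all function names are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

# Callback URL from the thread (the saml-callback-url based Destination value).
DESTINATION = "https://guac.mydomain.org/api/ext/saml/callback"


class ValidationError(Exception):
    """Carries the same two error codes as the quoted java-saml method."""

    def __init__(self, message, code):
        super().__init__(message)
        self.code = code


def url_seen_by_tomcat(public_url, public_prefix, backend_context):
    """URL the servlet reconstructs for a request that arrived at public_url.

    Assumption: the reverse proxy keeps scheme and Host unchanged and only
    rewrites the path, mapping public_prefix to backend_context.
    """
    parts = urlsplit(public_url)
    if not parts.path.startswith(public_prefix):
        raise ValueError("public URL is not under the proxied prefix")
    rest = parts.path[len(public_prefix):].lstrip("/")
    backend_path = backend_context.rstrip("/") + "/" + rest
    return urlunsplit((parts.scheme, parts.netloc, backend_path, parts.query, ""))


def validate_destination(destination, current_url):
    """Same decisions as the quoted Java: absent, empty, or exact string match."""
    if destination is None:
        return  # attribute absent: the quoted method performs no check
    if destination == "":
        raise ValidationError(
            "The response has an empty Destination value", "EMPTY_DESTINATION")
    if destination != current_url:
        raise ValidationError(
            "The response was received at " + current_url
            + " instead of " + destination, "WRONG_DESTINATION")


def explain_mismatch(destination, current_url):
    """Name the URL components that differ, to see what the proxy changed."""
    dest, cur = urlsplit(destination), urlsplit(current_url)
    return [name for name in ("scheme", "netloc", "path", "query")
            if getattr(dest, name) != getattr(cur, name)]


def check_callback(destination, public_prefix, backend_context):
    """Return (result_code, differing_components) for one proxy mapping."""
    current = url_seen_by_tomcat(destination, public_prefix, backend_context)
    try:
        validate_destination(destination, current)
    except ValidationError as err:
        return err.code, explain_mismatch(destination, current)
    return "OK", []


if __name__ == "__main__":
    # Proxy maps "/" to the "/guacamole/" context, as in the thread.
    print(check_callback(DESTINATION, "/", "/guacamole/"))
    # Webapp served from the root context, so public and backend paths agree.
    print(check_callback(DESTINATION, "/", "/"))
```

Because the comparison is an exact string match, the check binds a SAML response to the endpoint it was issued for; the fix is to make the public path and the Tomcat context path agree (the WEBAPP_CONTEXT setting mentioned in the reply), not to loosen the check.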


Re: reverse proxy and SAML SSO

2022-06-29 Thread Lee Doughty
You mentioned
https://guacamole.apache.org/doc/0.9.7/gug/proxying-guacamole.html -- which
is for 0.9.7

If you were on 0.9.7 I would not expect you to be able to do SAML, so I
pointed it out.

The updated docs might or might not provide more guidance for you since you
are on 1.4.. or maybe someone else will chime in with more help.

On Wed, Jun 29, 2022, 7:22 AM Vieri  wrote:

>
> On Wednesday, June 29, 2022 at 12:57:44 PM GMT+2, Lee Doughty <
> l...@virginiacyberrange.org> wrote:
>
> > I don't believe guacamole 0.9x has support for SAML...
> > Can you upgrade to 1.4 and look at the latest guacamole manual?
>
> Hi,
>
> Why did you assume I was using 0.9x. I am using 1.4, and everything is
> working fine without the reverse proxy. The SAML callback URL seems to be
> the culprit, but I don't know why.
>
> Thanks,
>
> Vieri
>
>
>


Re: reverse proxy and SAML SSO

2022-06-29 Thread Lee Doughty
I don't believe guacamole 0.9x has support for SAML...

Can you upgrade to 1.4 and look at the latest guacamole manual?

https://guacamole.apache.org/doc/gug/

I believe SAML support was not added until 1.1 or 1.2

-Lee

On Wed, Jun 29, 2022, 6:40 AM Vieri  wrote:

> Hi,
>
> When using the "new-path" example config in
> https://guacamole.apache.org/doc/0.9.7/gug/proxying-guacamole.html, how
> would one define the saml* options in guacamole.properties, ie.
> saml-callback-url?
>
> This is what I set:
>
> saml-entity-id: whatever (same as defined in IdP)
> saml-callback-url: https://guac.mydomain.org/
>
>
> I'm asking because my SAML requests contains:
>
> AssertionConsumerServiceURL="https://guac.mydomain.org/api/ext/saml/callback"
>
> but I am unable to log-in because I get an HTTP error 405 when calling
> https://guac.mydomain.org/api/ext/saml/callback.
>
> My apache config contains:
>
> ProxyRequests Off
> ProxyPreserveHost On
>
> 
> Require all granted
> ProxyPass https://localhost:8543/guacamole/ flushpackets=on
> ProxyPassReverse https://localhost:8543/guacamole/
> ProxyPassReverseCookiePath /guacamole/ /
> 
>
> 
> Require all granted
> ProxyPass wss://localhost:8543/guacamole/websocket-tunnel
> ProxyPassReverse
> wss://localhost:8543/guacamole/websocket-tunnel
> 
>
>
> Any thoughts?
>
> Regards,
>
> Vieri
>
>
>
>


Re: Guacamole Docker Install Error

2022-06-24 Thread Lee Doughty
This is really a docker question, this fails before guacamole even has a
chance to start. I only mention this because the expertise here on this
guacamole mailing list might only by chance include docker skills, so you
might not get the *most correct* answers

In short, that error message clearly indicates there's a naming conflict.
You can get this conflict in docker if you rename containers (I've seen
this exact error message when renaming a docker-compose container without
destroying the old one).

I can't tell you WHY it thinks great_solomon is some-guacd, I'd expect the
container IDs to match, that's where I point to my previous statement: "we
are not a docker mailing list". If you want that answer, you'd need to go
to them.

If you just want a solution, I expect this would work:

`docker system prune` (to go nuclear)

or

`docker container prune` (which should work if no containers are running)

In the future, I recommend you ALWAYS use the "--rm" (remove) flag with
`docker run`, this will remove the container when done.

If you want to keep the container between sessions, then you need to use
`docker start|stop` after the run command, and you'll need to `docker rm`
containers manually when you want to `docker run` a new one.

Hope this helps.

-Lee



On Thu, Jun 23, 2022 at 7:08 PM Ivanmarcus 
wrote:

> Darren,
>
> I'm far from a Docker expert but that command string looks corrupted
> from where I'm sitting?
>
> As I see it the system believes there's a container running with the
> same name you're trying to run, and it's giving the container ID.
>
> You can use 'docker images' to check that out (ie. that you have such a
> container), and from there I'd use 'docker ps' followed by 'docker
> inspect [container ID]' in order to look into things further.
>
> If it were me I'd close any containers you have running presently, then
> just start the one you want first and check that's ok before carrying on
> with any others. Given the question mark (to me) from your output I think
> that's warranted...
>
> Aside from the specific issue you have I found that Docker took a while
> to get my head around it, and as with many things computer some of the
> commands were a bit cryptic, or didn't do exactly what I expected. I'm
> still not that au fait with it, but some reading of multiple information
> sources usually helps me through :-)
>
> On 24/06/22 06:42, Woods, Darren L wrote:
> > sudo docker container list -all
> >
> > CONTAINER ID   IMAGE COMMAND  CREATED
> > STATUS PORTS  NAMES
> >
> > 51b04782c0f9   guacamole/guacd   "/bin/sh -c '/usr/lo…"   2 hours
> > ago   Up 2 hours (healthy)   4822/tcp   great_solomon
> >
> > I don’t see that container named some-guacd.
> >
> > Darren
> >
> > *From:* Nick Couchman 
> > *Sent:* Thursday, June 23, 2022 12:41 PM
> > *To:* user@guacamole.apache.org
> > *Subject:* Re: Guacamole Docker Install Error
> >
> > On Thu, Jun 23, 2022 at 1:23 PM Woods, Darren L wrote:
> >
> > I’m getting this error message when I run the command:
> >
> > sudo docker run --name some-guacd -d -p 4822:4822 guacamole/guacd
> >
> > docker: Error response from daemon: Conflict. The container name
> > "/some-guacd" is already in use by container
> > "8062906e4e1eaee1e1433043042ce349201da78eef0f6e5d893d6c9956ca1f8e".
> > You have to remove (or rename) that container to be able to reuse
> > that name.
> >
> > See 'docker run --help'.
> >
> > Try "docker container list --all" and see if you see the container
> > already called "some-guacd".
> >
> > -Nick
> >
>
>
>


Re: Weird behaviour - RDP timeout

2022-06-23 Thread Lee Doughty
I agree with Nick here...

My coworker had a task to evaluate performance from Australia to our
guacamole in Northern Virginia. Despite using a VPN to jump to Australia
before circling back (VA-> Australia->VA), the latency he observed was in
the ~1-2 second range. Even if satellites are involved, I can't see a round
trip time over 4 seconds being possible without an underlying problem.

In my experience, guacamole has rarely been the failure point if anyone
else can access the same connection. It almost always is a problem on the
user's side... Either network, plug-in/extension, security software, or ISP
problem.

-Lee


On Wed, Jun 22, 2022, 12:21 PM Nick Couchman  wrote:

> On Tue, Jun 14, 2022 at 3:17 PM Stefan Bogdan Cimpeanu <
> bog...@cimpeanu.org> wrote:
>
>> Hi Antony,
>> I agree it could be that, however, it does not explain (in my mind) why
>> would the Guacamole server behave differently when the user is from Europe
>> or from Australia if the target is still in Australia.
>> Is there any special connection happening from the end user all the way
>> to the target somehow?
>>
>> Additionally, can that 15 seconds timeout be increased somehow?
>>
>>
> At this point I do not believe the 15 second time limit can be increased,
> but I'd also be surprised if it's actually taking 15 seconds to connect to
> the server, even if it's going Australia -> Europe -> Australia. I run a
> Guacamole instance in Ashburn, Virginia, and access servers in Singapore
> and Australia from that instance, and I don't see intermittent or
> consistent issues with that.
>
> When you hit the failure, check the guacd logs, and possibly start guacd
> in debug mode, and see what the error is. Is it really timing out, or is it
> throwing some other error? Is there an Azure firewall, ACL, or network
> route in place that could be stopping or disrupting traffic from the
> Guacamole server to the target server?
>
> -Nick
>


Re: Guacamole/Json - trouble

2022-06-13 Thread Lee Doughty
You could use docker-compose to "volume" mount the user-mapping.xml file to
/etc/guacamole, and that should work for what you're trying to accomplish.
If you don't provide it postgres or any hints that you're trying to do
another auth system, it should fall back to the XML file. (See
https://guacamole.apache.org/doc/gug/configuring-guacamole.html )


You shouldn't need any of the postgres and environment rewrites or your
extension...I don't think the JSON approach is a great idea based on your
requirements, it's probably overall more complicated than using postgres,
as it has a different use case



On Mon, Jun 13, 2022, 3:35 AM Rick .  wrote:

> Hi
> What I'm trying to do is to run guacamole in docker and then feed it with
> a list of connections on startup in a simple way.
>
> A couple of questions:
>
> 1. I found a github repository (
> https://github.com/boschkundendienst/guacamole-docker-compose) that sets
> things up pretty nicely. It has a docker-compose that uses guacd, postgres,
> guacamole and nginx containers. Would it be possible to replace the use of
> postgres with json in this scenario (for authentication and feeding the
> container with connections)?
>
> 2. Assuming that should work. What is the best way to enable
> json-authentification when running things in docker?
>
> When I try to understand the documentation it seems I would need to
> override GUACAMOLE_HOME in some way. So I tried creating a .guacamole
> folder in the home directory where I put a guacamole-properties file only
> containing the following line: json-secret-key: < value key>>. I also created an extensions folder where I put the
> guacamole-auth-json-1.4.0.jar file. And in the docker-compose file I
> replace the POSTGRES-variables with "GUACAMOLE: ~/.guacamole" to the
> environment part for the guacamole container. But then the guacamole
> container won't start and when checking by clicking on the container in
> docker desktop it gives the following error:
>
> "FATAL: No authentication configured
> The Guacamole Docker container needs at least one authentication mechanism
> in order to function, such as a MySQL database,
> PostgreSQL database, LDAP directory or RADIUS server. Please specify at
> least the MYSQL_DATABASE or POSTGRES_DATABASE environment
> variables, or check Guacamole's Docker documentation regarding configuring
> LDAP and/or custom extensions."
>
> So it seems that my attempt at overriding doesn't quite take effect...
>
> I have also attempted to run the compose as is (but with the "GUACAMOLE:
> ~/.guacamole" part added) and then running
> "curl --data-urlencode "<>"
> http://localhost:8443/guacamole/api/tokens; in an attempt to feed it with
> connections but then there is an authentication issue for that... Which I
> assume is also because my attempt at an override isn't working.
>
> TL;DR
> 1. Is it possible to run a combo of guacd, guacamole, nginx in docker and
> using json for authentication and feeding the guacamole container with
> users/connections?
> 2. If possible: how do I enable json-authentification when running
> guacamole in a docker container?
>
> Oh, and please explain to me like I'm 10. New to docker and very new to
> guacamole...
>
> /Rick
>


Re: Request users to confirm/extend sessions

2022-06-10 Thread Lee Doughty
Good points Nick, appreciate the response.

I think your solution is probably good for *MOST* of our users, but I
liked guacamole as an option for a few reasons, which I'm making more
generic to show value for a wider audience:

1) root/admin users on targets could change their ssh/RDP logout timer --
but they can't change the guacamole connection settings.

2) Guacamole admins might not be admins on target machines, and incapable
of setting this maximum session duration, but still want/need to enforce a
kick-out/re-auth.

3) Can configure it per-target, without actually having admin access to the
target -- for instance, production systems can have a 1 hour idle timeout,
and development servers have none

4) Guacamole is a convenient one-place way to set and enforce this...
(basically a rehash of above):
- no need to ensure every target is built to the policy requirements...
which helps in semi-silo'ed organizations where there might be several
groups sharing a managed Guacamole
- no need to work with various departments on building machines and making
an enforcement mechanism... similar to the above item.

5) Many users here seem to use guacamole with on-demand resources, and
having an easy idle timer set by the DB/Connections area is probably a lot
easier for system admins to work with than re-writing UI code like the
"hack" put in place for GUAC-1126 in an attempt to stop idle sessions.

Just a few reasons why having this as a guacamole feature would be helpful!


On Wed, Jun 8, 2022, 4:27 PM Nick Couchman  wrote:

> On Wed, Jun 8, 2022 at 11:16 AM Lee Doughty 
> wrote:
>
>> Lots of activity on the mailing list the last 2-3 weeks. Recent
>> discussions got me thinking (again) about a more specific/pointed feature
>> request that helps alleviate some issues that I think many of us Guacamole
>> administrators would like:
>>
>> I think it would be a nice feature to:
>> 1) Monitor for some kind of real-user-to-vm activity, and having the
>> connection disconnect if it sits idle for a configured period of time
>> 2) and/or: a feature to require the user to take an action to extend
>> their session after a configured amount of time
>>
>> This seems to also address some of the pushback and use cases mentioned
>> on https://issues.apache.org/jira/browse/GUACAMOLE-1126 -- where many of
>> us are trying to balance resources & costs, and user activity / action is
>> what determines if we have a user's VM loaded/online/existing.
>>
>> * Mark Nolan noted he spins up VMs on connection, and presumably then,
>> turns them off after some period when the user is not connected. This is
>> very similar to my use case.
>>
>> * Alexander Fischer noted that inactive users trigger reconnection, which
>> might be a cause of an issue for him... but would also likely be mitigated
>> if reconnection factored in the last time the user seems to have used
>> guacamole when deciding to try and reconnect.
>>
>> * Edgardo Rodriguez noted in his initial description of G-1126 that users
>> walk/tab away from Guacamole (also a pain point I feel regularly)... This
>> kind of feature would likely reduce the need for limiting retry attempts
>> (though I think _a_ limit on retry attempts is a nice feature on its own)
>>
>> Basically, identify when a user is not actually using the machine
>> anymore, and allow the guacamole server to go through the connection
>> close-out process. This saves on guacamole server resources, and can allow
>> those of us with hooks on connection states to perform our desired actions
>> (like freeing the target for a new user, shutting down the VM, etc.).
>>
>> This is obviously also a help for budgeting & resource management -- do I
>> really have 500 active guacamole sessions, or 300 active guacamole sessions
>> and 200 connections that are idle for 6+ hours, or days? Without snooping
>> on the sessions, or the target VMs, I'm not aware of an ability to extract
>> this information right now. If I could say I want sessions that are idle
>> for 3 hours to be closed out, I can at least be sure the connections have
>> seen activity in that time window.
>>
>> This doesn't exactly address what "activity" is, but I think it would be
>> safe to assume that automated re-connection is not user activity... we'd
>> probably want to see the mouse move in the guacamole tab, or a keypress.
>>
>> Would love to hear others' thoughts on this kind of feature
>>
>>
> My biggest question, here, is why we would re-invent this wheel? For RDP,
> at least, and possibly for other protocols, the destination/remote system
> itself is able to detect when a user is active, and set either sessi

Re: Guacamole re-connection attempts never stop... they should?

2022-06-08 Thread Lee Doughty
Sean, thanks for the clarification.

From that reply, you've made it clear you do understand the issue, and that
you've modified the guacamole-client in a way that is similar to this
feature request -- making guacamole-client stop requesting your
guacamole-hosts poll your back end targets once they appear to be dead (by
some configurable parameter). You achieved this by writing an extension
that handles this more intelligently and for your specific use case,
whereas G-1126 and this email chain are saying that some portion of that
logic should be inside guacamole by default as a matter of good practice so
the go-to answer to resolve it isn't to write an extension, or write your
own UI.

I believe you're trying to highlight the issue of performance issues
because of the mention of resource constraints/load -- I think those of us
facing this issue are not having an *active* issue with the Guacamole
server load constraints, just seeing inefficiency that can be improved. The
real constraint (to my team) is that we have to deal with log noise, and
graphing and alarms based on log events/frequency are less useful since a
single user stuck in an infinite loop generates a lot of noise...

This issue is also closely related to how some of us are trying to manage
the *target* *resource* constraints... and forcing idle users out can
contribute to this issue appearing more frequently. The real fix here is
better activity monitoring, which is why I started a separate discussion on
that.

-Lee

On Wed, Jun 8, 2022 at 11:24 AM Sean Hulbert
 wrote:

> Understood, and we don’t see this. However we have modified the
> responders, by making guacamole aware if a VM is up and running.
>
> We wrote an executable that runs on the guest VM system that notifies our
> platform (StormCloud) it is up and running and awaiting a connection, once
> the connection is established the program then sets a flag in the database
> as in use.  Once a user is done our system will do 1 of 2 things based on
> initial parameters being set during the template build, hold session VM
> state (persistent state), or reset state of VM to zero (Ondemand).  We also
> place a timer on failed attempts to 3 minutes, if an attempt moves in to
> failed connection state we are notified, then our system will auto
> remediate, by resetting connection tunnels, then reboot the VM, generally
> this corrects the issue.
>
>
>
> Now if you’re in a high VM saturated environment (or Starved resources)
> you will have connections issues due to lack of resources and/or CPU
> scheduling.
>
>
>
> This works for all the connection methods.
>
>
>
> One main difference is we do not use Docker, we use a full VDI on Ubuntu
> 20/22.04LTS for greater security.
>
>
>
> Specs we use on Guacamole,
>
> vCPU 4x8 (32 cores)
>
> RAM 64G
>
> NIC 10G
>
> Drive 25GB
>
>
>
> This will handle about 1000 connections at once, we run anywhere from 5 to
> 8 guacamole servers which our platform load balances the connection to the
> Guacamole systems.
>
>
>
> This should help clear up on why we don’t see this issue.
>
>
>
> *Thank You*
>
> *Sean Hulbert*
>
>
>
>
>
> *www.securitycentric.net <http://www.securitycentric.net/>*
>
> *A Cybersecurity Enablement Company*
>
> *We don't just run you through the motions, Our labs teach you how to
> think!*
>
>
>
>  [image: logo-acad400]
>
>
>
> System Award Management
>
> *CAGE:** 8AUV4*
>
>
>
> *AFCEA San Francisco Chapter V.P.*
>
>
>
> If you have heard of a hacker by name, he/she has failed, fear the hacker
> you haven’t heard of!
>
>
>
> *CONFIDENTIALITY NOTICE:* This communication with its contents may
> contain confidential and/or legally privileged information. It is solely
> for the use of the intended recipient(s). Unauthorized interception,
> review, use or disclosure is prohibited and may violate applicable laws
> including the Electronic Communications Privacy Act. If you are not the
> intended recipient, please contact the sender and destroy all copies of the
> communication. Content within this email communication is not legally
> binding as a contract and no promises are guaranteed unless in a formal
> contract outside this email communication.
>
>
>
> igitur qui desiderat pacem, praeparet bellum!!!
>
> Epitoma Rei Militaris
>
>
>
> *From:* Lee Doughty [mailto:l...@virginiacyberrange.org]
> *Sent:* Wednesday, June 8, 2022 7:43 AM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Guacamole re-connection attempts never stop... they should?
>
>
>
> Sean, I don't think you're seeing the problem area correctly on this
> issue..
>
>
>
>
>
> The issue is that guacamole-client -

Request users to confirm/extend sessions

2022-06-08 Thread Lee Doughty
Lots of activity on the mailing list the last 2-3 weeks. Recent discussions
got me thinking (again) about a more specific/pointed feature request that
helps alleviate some issues that I think many of us Guacamole
administrators would like:

I think it would be a nice feature to:
1) Monitor for some kind of real-user-to-vm activity, and having the
connection disconnect if it sits idle for a configured period of time
2) and/or: a feature to require the user to take an action to extend their
session after a configured amount of time

This seems to also address some of the pushback and use cases mentioned on
https://issues.apache.org/jira/browse/GUACAMOLE-1126 -- where many of us
are trying to balance resources & costs, and user activity / action is what
determines if we have a user's VM loaded/online/existing.

* Mark Nolan noted he spins up VMs on connection, and presumably then,
turns them off after some period when the user is not connected. This is
very similar to my use case.

* Alexander Fischer noted that inactive users trigger reconnection, which
might be a cause of an issue for him... but would also likely be mitigated
if reconnection factored in the last time the user seems to have used
guacamole when deciding to try and reconnect.

* Edgardo Rodriguez noted in his initial description of G-1126 that users
walk/tab away from Guacamole (also a pain point I feel regularly)... This
kind of feature would likely reduce the need for limiting retry attempts
(though I think _a_ limit on retry attempts is a nice feature on its own)

Basically, identify when a user is not actually using the machine anymore,
and allow the guacamole server to go through the connection close-out
process. This saves on guacamole server resources, and can allow those of
us with hooks on connection states to perform our desired actions (like
freeing the target for a new user, shutting down the VM, etc.).

This is obviously also a help for budgeting & resource management -- do I
really have 500 active guacamole sessions, or 300 active guacamole sessions
and 200 connections that are idle for 6+ hours, or days? Without snooping
on the sessions, or the target VMs, I'm not aware of an ability to extract
this information right now. If I could say I want sessions that are idle
for 3 hours to be closed out, I can at least be sure the connections have
seen activity in that time window.

This doesn't exactly address what "activity" is, but I think it would be
safe to assume that automated re-connection is not user activity... we'd
probably want to see the mouse move in the guacamole tab, or a keypress.

Would love to hear others' thoughts on this kind of feature

-Lee


Re: Guacamole re-connection attempts never stop... they should?

2022-06-08 Thread Lee Doughty
Sean, I don't think you're seeing the problem area correctly on this issue..


The issue is that guacamole-client -- the javascript for the front-end that
the server gives to users -- has an infinite loop on retrying connections.
You can modify guacamole yourself to get away from this problem (that's
what GUACAMOLE-1126 shows), but if you are using stock guacamole-client,
you have the *possibility* for this infinite loop

In order to trigger this, the target machine must disconnect the user
forcefully... Such as the target experiencing a hardware failure, or the
target machine otherwise no longer working over the designated protocol
(firewall rule, or disabling the protocol's service), or the machine
"bouncing" due to a power failure (and possibly now being on a different IP
address) -- These are actions/events/issues on the target VM, which might
be performed by the user utilizing the connection, or by some other
out-of-band process/error.

Once the machine is effectively offline/unreachable by guacamole, the
user's browser will continue to poll the guacamole server every 15 seconds
with an attempt to restart the session to the target. The connection
attempt usually takes some time to fail, which adds some delay on the loop
(typically ~60 seconds, I think).

The server getting hassled by this process is simply the result of being
the middle-man between an open browser tab on the user side trying to
connect to a VM behind guacamole that was, but is no longer, available.

My use case heavily involves education of students around firewalls, server
security, etc., so we see dozens of different ways the target machine can
fail. USUALLY the students realize the connection is not recoverable and
stop the loop themselves after a few minutes (and recovery of the target VM
is outside the scope of guacamole), but sometimes they walk (or tab) away,
and guacamole retries indefinitely (which some people view as undesirable
behaviour).

The default for guacamole works very well if you connect users to always-on
machines who are utilizing unprivileged user accounts or are otherwise
skilled administrators... but starts to have the above issue for
ephemeral/on-demand targets, or when users can cause their
machines/connections to become unstable -- which admittedly are not
guacamole problems -- but I believe the fact guacamole assumes machines
will always be available or recoverable and never stops trying IS a
guacamole issue.

-Lee

On Tue, Jun 7, 2022 at 7:18 PM Sean Hulbert
 wrote:

> This has to be a Docker image issue,
>
>
>
> We run a few guacamole servers and never experienced this issue, however
> we did build them from scratch and modified the kernels.
>
>
>
>
>
> *Thank You*
>
> *Sean Hulbert*
>
>
>
> *Founder / CEO*
>
> *Work Ph: 925.292.4309*
>
>
>
> *www.securitycentric.net <http://www.securitycentric.net/>*
>
>
> *From:* Lee Doughty [mailto:l...@virginiacyberrange.org]
> *Sent:* Tuesday, June 7, 2022 2:46 PM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Guacamole re-connection attempts never stop... they should?
>
>
>
> Nick,
>
>
>
> I agree https://issues.apache.org/jira/browse/GUACAMOLE-1126 looks in the
> ballpark.
>
>
>
> I have no personal investment in the implementation, I would simply like
> the endless server pings to stop so we can more easily monitor application
> logs, have less "errors" in our logs, and reduce the baseline load on the
> servers.
>
>
>
> We do somewhat inflict this problem on ourselves (I think), because we
> shut down the VMs people are using, but we do so because we reasonably
> believe the user is idle and w

Re: Guacamole re-connection attempts never stop... they should?

2022-06-07 Thread Lee Doughty
Nick,

I agree https://issues.apache.org/jira/browse/GUACAMOLE-1126 looks in the
ballpark.

I have no personal investment in the implementation, I would simply like
the endless server pings to stop so we can more easily monitor application
logs, have less "errors" in our logs, and reduce the baseline load on the
servers.

We do somewhat inflict this problem on ourselves (I think), because we shut
down the VMs people are using, but we do so because we reasonably believe
the user is idle and wasting resources...

I suppose if there was a "guacamole session time limit" that could be set
when the user initially authenticates, and they get kicked out and forced
to re-authenticate at that point (or at least click a button to extend
their session) that would resolve my issue too... as I understand the
auth process now, once they have a guacamole-guacd session successfully
established, that seems to be almost entirely independent of their user
account or the connection's properties... I have not tried it, but I
suspect you could delete either of them, and guacamole would still let the
user continue their current session.

-Lee

On Wed, Jun 1, 2022 at 5:18 AM Jürgen Kuri  wrote:

> Suggestion:
>
> 1) keep endless reconnect as default
>
> 2) have two connection specific and / or global parameter:
> a. number of retries
> b. retry interval
>
> 3) if we have these parameters as global and on connection level, global
> is overwritten for specific connection if defined
>
> On 31.05.22 at 22:44, Lee Doughty wrote:
> > Hello Guacamole Community,
> >
> > I tried asking this a few weeks ago, but it looks like there was not a
> lot of traction on this idea.. but I wanted to try one more time before I
> gave up on it.
> >
> > I think it would be a great feature to stop auto-reconnect attempts that
> are simply not connecting after several dozen attempts. I've seen in our
> logs that some users hit the "Reconnect" button or otherwise get into a
> reconnect loop, then leave the tab open for hours *or days*. This results
> in our guacamole server getting a ping every minute or so from a user
> trying to connect to a VM that is not available, and they just leave it
> retrying over and over again.
> >
> > It would be nice to at least require user interaction to resume the
> connection attempts... So users have to return to the tab every N attempts
> to restart the countdown, instead of the current never-ending loop... I'm
> not suggesting any value for N... because any reasonable value would be
> nice over infinite. My record was somewhere in the ballpark of 7,000
> attempts (5 days) before the user was kind enough to close the tab and stop
> poking our Guacamole server.
> >
> > Is this something that can make it into an upcoming Guacamole release?
> >
> > -Lee
> >
> --
> Jürgen
>
>


Re: Combine recordings

2022-06-06 Thread Lee Doughty
I don't believe there's a good way to automatically merge recordings... If
guacamole is in a distributed system, the reconnection might build a new
connection through a different guacamole/guacd that are not aware an
existing session is partially recorded and held open. There would also be a
race condition between the finishing of the previous write, and the reopen
of the file to continue it even if the previous problem was resolved.

Without knowing the ultimate goal, it's hard to suggest an overarching
solution.. But ffmpeg should be able to merge the files.. and can probably
devise a cron for a low-effort solution that could more easily allow
offloading the recording rewrite work to another server (assuming you're
writing to a network drive)... A fancier solution would likely be a
guacamole extension... Which opens up a lot of options but requires more
work.

On Mon, Jun 6, 2022, 2:57 AM Abramson, Eli
 wrote:

> When I restart a connection, the recording is being saved into a new file
> (i.e. myrec, myrec.1, myrec.2, myrec.3…). Is it possible to force the
> recording to continue with the same file? If not, is there a way to
> concatenate these recordings into a single file?
>
> Thanks!
>


Re: How to restrict User from accessing connections

2022-06-04 Thread Lee Doughty
This would be where the custom authentication extensions would come into
play. You'd need to write your own UI and connect it to Guacamole.

There are some vendors that do this, but I've only seen it packaged with
some larger scope project that is more than just authentication.. such as
buying a fully managed seats-on-VMs product, or paired with training, or
similar options.

-Lee

On Sat, Jun 4, 2022, 3:22 PM Arkaprabha Chakraborty <
chakrabortyarkaprabha...@gmail.com> wrote:

> Also if I want to create an authenticated workflow. Like say a user wants
> to access an RDP so it makes a request to the admin. The admin checks it
> and accepts it and the user has the access to the RDP. Is it possible to
> setup using guacamole or are there any related apps built on guacamole that
> can do this?
>
> On Sat, Jun 4, 2022, 11:41 PM Michael Jumper  wrote:
>
>> On Sat, Jun 4, 2022, 03:04 Arkaprabha Chakraborty <
>> chakrabortyarkaprabha...@gmail.com> wrote:
>>
>>> I have a user group with sub-user groups in guacamole. I want to
>>> restrict some of the connections to this sub-user group. How to do so?
>>>
>>
>> You would need to remove that group from its parent group. The members of
>> a user group will always inherit the permissions of that group, whether the
>> members are users or other groups.
>>
>> - Mike
>>
>>


Guacamole re-connection attempts never stop... they should?

2022-05-31 Thread Lee Doughty
Hello Guacamole Community,

I tried asking this a few weeks ago, but it looks like there was not a lot
of traction on this idea.. but I wanted to try one more time before I gave
up on it.

I think it would be a great feature to stop auto-reconnect attempts that
are simply not connecting after several dozen attempts. I've seen in our
logs that some users hit the "Reconnect" button or otherwise get into a
reconnect loop, then leave the tab open for hours *or days*. This results
in our guacamole server getting a ping every minute or so from a user
trying to connect to a VM that is not available, and they just leave it
retrying over and over again.

It would be nice to at least require user interaction to resume the
connection attempts... So users have to return to the tab every N attempts
to restart the countdown, instead of the current never-ending loop... I'm
not suggesting any value for N... because any reasonable value would be
nice over infinite. My record was somewhere in the ballpark of 7,000
attempts (5 days) before the user was kind enough to close the tab and stop
poking our Guacamole server.

Is this something that can make it into an upcoming Guacamole release?

-Lee


Feature idea for guacamole

2022-05-19 Thread Lee Doughty
I was told this might be a good place to protist a feature idea to gauge
interest before making a ticket.

Would it be difficult to add a feature/option to fall back to user input on
connections.. or to disable features that are unavailable if they are not
available?

When our users log in, we set up auto login RDP with file transfer support
to try and make the users experience more friendly... However, this is
fragile to users changing their password or, in the case of file transfer,
modifying their authorized keys.

It would be nice if we could allow the connection to continue if the user
breaks these features

-Lee


Stopping connection retry eventually

2022-05-04 Thread Lee Doughty
Hello,

What does the community think about adding at least an option to stop
retrying connections if they fail for too long?

I know a lot of us have automation to shut down machines, which is not
always connected to guacamole intelligently.

When they hit retry, it never stops. I've had log messages last for 5 days
with a user trying every 15 seconds... Made me think this feature might be
useful.

I would suggest the retry cutoff be a # of attempts, that is
configurable... Maybe add a connection property? Or maybe a server config

-Lee


Stop attempting reconnection after a while

2022-03-31 Thread Lee Doughty
Hello!

I was wondering if there was some way to prevent the auto-reconnect
dialogue from continuing the poll after it has failed for some duration or
count?

There are some cases where, upon issue, it immediately goes into a 15-second
countdown to try and reconnect. This will retry forever if you let it. We
see this a lot with our users since we force their machines offline after
8+ hours (since, for our use case, that typically means they left the tab
open and walked away)

This generates noise... sometimes for days... While this is really just an
annoyance, we do use messages from connection events to estimate usage, and
it's hard to distinguish these failed connections from real connections in
isolation.

-Lee
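
The problem described in the message above, that endless reconnect attempts bury real connection events and skew usage estimates, can be handled after the fact by collapsing each retry loop into a single incident. This is an added example, not code from the original posts or from the Guacamole project; the log line format, field names and both thresholds are assumptions constructed for illustration, so adapt `PATTERN` to what your deployment actually logs.

```python
"""Collapse reconnect loops in connection-event logs (added example).

The line format is constructed for this example and is NOT Guacamole's real
log format: "<ISO timestamp> user=<name> conn=<id> result=<ok|fail>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PATTERN = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) conn=(?P<conn>\S+) result=(?P<result>ok|fail)$"
)

# Assumed thresholds: the thread reports retries roughly 15 to 60 seconds apart.
MIN_LOOP_ATTEMPTS = 5              # consecutive failures before a run counts as a loop
MAX_GAP = timedelta(seconds=120)   # larger gaps split a run into separate incidents


def parse(lines):
    """Yield (timestamp, user, conn, ok) tuples; lines that do not match are skipped."""
    for line in lines:
        m = PATTERN.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["user"], m["conn"],
                   m["result"] == "ok")


def find_loops(events):
    """Return runs of closely spaced failures for the same user and connection."""
    by_key = defaultdict(list)
    for ts, user, conn, ok in sorted(events):
        by_key[(user, conn)].append((ts, ok))

    loops = []
    for (user, conn), seq in by_key.items():
        run = []
        # The (None, True) sentinel flushes a run that is still open at end of log.
        for ts, ok in seq + [(None, True)]:
            if not ok and (not run or ts - run[-1] <= MAX_GAP):
                run.append(ts)
                continue
            if len(run) >= MIN_LOOP_ATTEMPTS:
                loops.append({
                    "user": user,
                    "conn": conn,
                    "attempts": len(run),
                    "first": run[0],
                    "last": run[-1],
                    "duration_s": int((run[-1] - run[0]).total_seconds()),
                })
            # A success clears the run; a late failure starts a new one.
            run = [] if ok else [ts]
    return loops


def summarize(lines):
    """Separate real connections from loop noise so usage counts stay meaningful."""
    events = list(parse(lines))
    loops = find_loops(events)
    looped = sum(loop["attempts"] for loop in loops)
    failures = sum(1 for e in events if not e[3])
    return {
        "raw_events": len(events),
        "successful_connections": sum(1 for e in events if e[3]),
        "loop_attempts": looped,          # noise: report as len(loops) incidents
        "other_failures": failures - looped,
        "loops": loops,
    }


def sample_lines():
    """Constructed sample: one idle tab retrying after its VM was shut down."""
    shutdown = datetime(2022, 3, 30, 16, 0, 0)
    lines = [
        "2022-03-30T08:00:00 user=alice conn=vm-12 result=ok",
        "2022-03-30T09:00:00 user=bob conn=vm-07 result=ok",
        "2022-03-30T09:30:00 user=bob conn=vm-07 result=fail",
        "2022-03-30T09:31:00 user=bob conn=vm-07 result=ok",
        "unrelated line that the parser ignores",
    ]
    lines += [
        f"{(shutdown + timedelta(seconds=75 * i)).isoformat()} "
        "user=alice conn=vm-12 result=fail"
        for i in range(8)
    ]
    return lines


if __name__ == "__main__":
    report = summarize(sample_lines())
    for key, value in report.items():
        print(key, value)
```

Alerting on `len(loops)` and `other_failures` rather than on raw failure counts keeps one abandoned tab from dominating graphs and alarms.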