So I thought it would work fine without root privileges as well so I tried to deploy both guacamole and guacd as it is on my Openshift namespaces and the results were that the guacd pod worked perfectly fine on rootless mode whereas the guacamole pod issued the following error:

"mkdir: cannot create directory ‘//.guacamole’: Permission denied"

Tried to understand why it's happening but honestly I'm not sure :(

Just to have some context, I have a namespace in an internal Openshift cluster in which I do not have root privileges.

On Tue, 17 Jun 2025 at 16:49, Mailing Lists <[email protected]> wrote:

> I can confirm guacamole runs rootless (tested on podman rootless)
>
> via Smartphone
>
> On 17.06.2025 at 15:46, T Y <[email protected]> wrote:
>
>
> On 17.06.25 15:26, Nick Couchman wrote:
>
> On Tue, Jun 17, 2025 at 8:38 AM ענבל סטולרסקי <[email protected]> wrote:
>
>> Hi :)
>> I'm new to the guacamole world and I'm trying to deploy it on openshift
>> using the docker images of guacamole and guacd. My problem is that the
>> guacamole image requires root privileges that I cannot provide on my
>> cluster and I'm blocked. I was wondering if there's something I can do
>> about that and if there's an alternate image for guacamole that does not
>> require root privileges?
>> I tried to edit the image myself and work around the root permissions but
>> no success.
>> Thanks!
>>
>
> When you say that it requires root privileges, what behavior are you
> seeing that requires this? I admittedly have not tried running it in a
> "rootless" mode, but I also don't think there's anything within the
> Guacamole code or functionality that actually would require root access -
> it should work fine as a non-root user/container.
>
> -Nick
>
>
> I'll happily confirm it works perfectly fine in a rootless docker setup
> without any modifications to the base images on both 1.5.5 and 1.6.0-RC#.
>
> Running the container additionally read-only will require a few exceptions
> for temp volumes and such, but otherwise this also works fine.
>
> If you want source IP propagation for meaningful connection logging,
> you'll have to use something like pasta as network driver and make sure you
> set the appropriate headers on your reverse proxy.
>
> Of course, you won't be able to use privileged ports if you don't have the
> permissions to grant that capability. So you'll have to map an appropriate
> external port.
>
