Differences

docpublic:systemes:remotelabsguacamole [2020/06/17 13:09]
procacci@tem-tsp.eu [webapp tomcat]
docpublic:systemes:remotelabsguacamole [2020/06/18 15:25] (current)
procacci@tem-tsp.eu [packages repositories]
Line 6: Line 6:
   * https://www.byteprotips.com/?p=2391   * https://www.byteprotips.com/?p=2391
  
 +
 +==== environement ====
 +
 +installation faite en centos 8 et tomcat 9 (tar.gz dans /opt/tomcat) 
 ==== packages repositories ==== ==== packages repositories ====
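Review bot: the new heading in this hunk is misspelled; it should read `==== environnement ====`. The line under it also states that Tomcat 9 is installed from a tar.gz in /opt/tomcat rather than from a distro package, so dnf will not patch it; the section should say how that Tomcat install is kept up to date.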
  
Line 18: Line 22:
 <code> <code>
 [root@rlab ~]# dnf install --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-8.noarch.rpm https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-8.noarch.rpm [root@rlab ~]# dnf install --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-8.noarch.rpm https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-8.noarch.rpm
-[root@rlabw ~]# yum install dnf-plugins-core +[root@rlab ~]# yum install dnf-plugins-core 
-[root@rlabw ~]# dnf config-manager --enable PowerTools+[root@rlab ~]# dnf config-manager --enable PowerTools
 </code> </code>
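Review bot: the unchanged first line of this hunk installs the RPM Fusion release packages with `--nogpgcheck`, which skips signature verification of packages fetched over the network; the `-`/`+` lines only fix the hostname in the prompt, so the documented command still bypasses the check. Import the RPM Fusion signing key (for example with `rpm --import`) and drop `--nogpgcheck`, or at least explain why it is bypassed here.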
  
Line 1022: Line 1026:
 </Location> </Location>
 </code> </code>
 +
 +=== apache log ===
 +
 +il est inutile de loger toutes les requetes http de courte durée du aux steams dans le http-tunnel (si pas de websockets) 
 +
 +<code>
 +[root@rlab conf.d]# vim /etc/httpd/conf.d/ssl.conf
 +
 +<VirtualHost _default_:443>
 +
 +
 +SetEnvIf Request_URI "^/guacamole/tunnel" dontlog
 +CustomLog  /var/log/httpd/guac.log common env=!dontlog
 +</code>
 +
 +
 +==== database ====
 +
 +afin de permettre a plusieurs utilisateurs de se conencter et enregistrer des preferences il convient de definir une database
 +
 +=== arborescence extension ===
 +
 +la database ou autre modules d'authentification (ldap, cas ) sont fournit sous forme de module quil faut deployer dans une arborescence specifique que nous créons dans /usr/share/tomcat/.guacamole
 +
 +<code>
 +[root@rlab etc]# mkdir -p /usr/share/tomcat/.guacamole/{extensions,lib}
 +</code>
 +
 +=== modules ===
 +
 +recuperation et deploiement des modules pour la database 
 +
 +<code>
 +[root@rlab ~]# wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-8.0.20-1.el8.noarch.rpm
 +[root@rlab ~]# yum install mysql-connector-java-8.0.20-1.el8.noarch.rpm
 +[root@rlab ~]# cp /usr/share/java/mysql-connector-java.jar /usr/share/tomcat/.guacamole/lib/
 +</code>
 +
 +<code>
 +[root@rlab ~]# wget https://downloads.apache.org/guacamole/1.1.0/binary/guacamole-auth-jdbc-1.1.0.tar.gz
 +[root@rlab ~]# tar xvfz guacamole-auth-jdbc-1.1.0.tar.gz ^C
 +[root@rlab ~]# cp guacamole-auth-jdbc-1.1.0/mysql/guacamole-auth-jdbc-mysql-1.1.0.jar /usr/share/tomcat/.guacamole/extensions/
 +</code>
 +
 +==== mariaDB ====
 +
 +apres installation de mariadb-server , on va le securiser 
 +
 +<code>
 +[root@rlab ~]# systemctl start mariadb.service 
 +[root@rlab ~]# mysql_secure_installation 
 +Set root password? [Y/n] Y
 +New password: 
 +Re-enter new password: Secret Pa U g... S.. ip5 d Da
 +Password updated successfully!
 +Reloading privilege tables..
 + ... Success!
 +Remove anonymous users? [Y/n] y
 + ... Success!
 +Normally, root should only be allowed to connect from 'localhost' This
 +ensures that someone cannot guess at the root password from the network.
 +Disallow root login remotely? [Y/n] y
 + ... Success!
 +Remove test database and access to it? [Y/n] y
 + - Dropping test database...
 + ... Success!
 + - Removing privileges on test database...
 + ... Success!
 +Reload privilege tables now? [Y/n] y
 +Thanks for using MariaDB!
 +</code>
 +
 +<code>
 +[root@rlab ~]# mysql -u root -p
 +
 +MariaDB [(none)]> CREATE DATABASE IF NOT EXISTS guacdb DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
 +Query OK, 1 row affected (0.000 sec)
 +MariaDB [(none)]> GRANT SELECT,INSERT,UPDATE,DELETE ON guacdb.* TO 'guacuser'@'localhost' IDENTIFIED BY 'secretUg...G...d' WITH GRANT OPTION;
 +Query OK, 0 rows affected (0.000 sec)
 +MariaDB [(none)]> flush privileges;
 +Query OK, 0 rows affected (0.000 sec)
 +MariaDB [(none)]> quit
 +</code>
 +
 +creation des table et user : 
 +
 +<code>
 +[root@rlab ~]# cat /root/guacamole-auth-jdbc-1.1.0/mysql/schema/001-create-schema.sql | mysql -u root -p guacdb
 +[root@rlab ~]# cat /root/guacamole-auth-jdbc-1.1.0/mysql/schema/002-create-admin-user.sql | mysql -u root -p guacdb
 +</code>
 +
 +=== configuration / properties ===
 +
 +<code>
 +[root@rlab ~]# mkdir -p /etc/guacamole/ && vi /etc/guacamole/guacamole.properties
 +[root@rlab ~]# cat /etc/guacamole/guacamole.properties
 +# MySQL properties
 +mysql-hostname: localhost
 +mysql-port: 3306
 +mysql-database: guacdb
 +mysql-username: guacuser
 +mysql-password: secret
 +#Additional settings
 +mysql-default-max-connections-per-user: 0
 +mysql-default-max-group-connections-per-user: 0
 +</code>
 +
 +=== permissions ===
 +
 +<code>
 +[root@rlab ~]# chmod 0400 /etc/guacamole/guacamole.properties
 +[root@rlab ~]# chown tomcat:tomcat /etc/guacamole/guacamole.properties
 +[root@rlab ~]# ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat/.guacamole/
 +
 +[root@rlab ~]# chown tomcat:tomcat /opt/tomcat/webapps/guacamole-1.1.0.war 
 +</code>
 +
 +==== GUACAMOLE_HOME ====
 +
 +Tres imprtant pour la configurations des plugins/modules , il faut s'assurer que tomcat charge bien les paremtrages definit dans guacamole.properties. ceci se fait grace à la variable  GUACAMOLE_HOME qui est fixé par defaut a /etc/guacamole/ 
 +
 +comme ci-dessus nus avons definit les propriété dans /usr/share/tomcat/.guacamole/ avec un jeux de liens, et que le homedir du user tomcat dans mon installation est ici dans /opt/tomcat, il convient egalement de créé un lien depuis /opt/tomcat/.guacamole vers  /usr/share/tomcat/.guacamole
 +
 +cf https://guacamole.apache.org/doc/gug/configuring-guacamole.html Overriding GUACAMOLE_HOME => Creating a directory named .guacamole, within the home directory of the user running the servlet container. This directory will automatically be used for GUACAMOLE_HOME if it exists.
 +
 +
 +<code>
 +[root@rlab /opt/tomcat]# ln -s /usr/share/tomcat/.guacamole .guacamole
 +</code>
 +
 +Apres redemarrage de tomcat , on peut enfin se connecter avec la compte guacadmin (cf fichier d'import sql : 002-create-admin-user.sql) et ainsi changer le password de cet administrateur
 +
 +https://rlab.domain.top/guacamole/#/settings/preferences
 +
 +
 +
 +
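Review bot: the mariaDB transcript in this hunk echoes part of the new root password (`Re-enter new password: Secret Pa U g... S.. ip5 d Da`) and the GRANT statement shows the guacuser password (`IDENTIFIED BY 'secretUg...G...d'`); even partially elided, both should be replaced with an obvious placeholder before this page is published, and the GRANT should not include `WITH GRANT OPTION`, which the application account has no use for. Two smaller points: the `tar xvfz guacamole-auth-jdbc-1.1.0.tar.gz ^C` line records an interrupted command and should be cleaned up, and the `SetEnvIf Request_URI "^/guacamole/tunnel" dontlog` rule drops every tunnel request from guac.log, failed ones included, so the text should note that the audit trail for the tunnel is lost, or narrow the exclusion to successful requests.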
docpublic/systemes/remotelabsguacamole.1592399344.txt.gz · Last modified: 2020/06/17 13:09 by procacci@tem-tsp.eu
CC Attribution-Noncommercial-Share Alike 4.0 International