This guide replaces any previous guacamole docker deployment guides on cb-net and will be kept up-to-date as new releases emerge.
Updated: 22/01/18 : New Guacamole release 0.9.14
Use this guide to deploy a fresh install of Guacamole on Ubuntu using Docker containers. The instructions cover Docker CE installation, Duo MFA configuration (optional, can be skipped) and deployment of Guacamole and its prerequisite containers to get you up and running. Scenarios:
- No Docker, and want to use Duo MFA: follow sections one, two and three
- No Docker, but don’t want to use Duo MFA: follow sections one and three only
- Already have Docker and want to use MFA: follow sections two and three only
- Already have Docker and don’t want to use MFA: follow section three only
1. Docker Installation
Follow the instructions here to get Docker CE installed and running on your Ubuntu host: https://www.cb-net.co.uk/devops/installing-docker-ce-ubuntu-16-04-3-lts-17-10/
2. Duo Registration
First, you’ll need to register for a free Duo account at https://duo.com/
Create a new “Auth API” application: Dashboard > Applications > Protect an Application > Web SDK
- Scroll down and, under Settings, change the name to “Guacamole,” or something of your choice.
- Copy out the following information (you’ll need this for the guacamole.properties file):
  - Integration Key
  - Secret Key
  - API hostname
Next, generate a Duo “application key” on your Docker host. Note that you do not have to enter this anywhere in your Duo configuration; it goes into guacamole.properties alongside your duo.com Auth API values and identifies the source application (or container in this case) for MFA requests. Only the 64-character hash in the output is the key; leave out the trailing “-” that sha256sum prints.

```shell
dd if=/dev/random count=1 | sha256sum
```
Finally, install the Duo MFA application on your smartphone.
3. Guacamole Deployment
The commands below should only be used if you have registered for a Duo.com account and have the required configuration parameters as per section two of this guide. If you are not using Duo MFA, skip this part:
```shell
####################
# Duo MFA Specific Configuration
####################

# Create volumes
sudo docker volume create guac-config

# Create guacamole.properties
sudo vi /var/lib/docker/volumes/guac-config/_data/guacamole.properties
```

Add the following lines to the file, then save and close it:

```
### Duo MFA Config
duo-api-hostname: <as per duo config>
duo-integration-key: <as per duo config>
duo-secret-key: <as per duo config>
duo-application-key: <generate using command above, in section two>
```

```shell
# Download the Duo MFA extension and place it within the Docker volume
sudo mkdir /var/lib/docker/volumes/guac-config/_data/extensions
URL="http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/0.9.14/binary/guacamole-auth-duo-0.9.14.tar.gz"
wget -O guacamole-auth-duo-0.9.14.tar.gz "$URL"
tar zxvf guacamole-auth-duo-0.9.14.tar.gz
sudo mv guacamole-auth-duo-0.9.14/guacamole-auth-duo-0.9.14.jar /var/lib/docker/volumes/guac-config/_data/extensions

####################
# END Duo MFA Specific Configuration
####################
```
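A pre-flight check for the Duo settings in guacamole.properties, as an added example that is not part of the original guide: it catches placeholder values left in the file, a pasted sha256sum result that still carries its trailing “-”, and an application key shorter than the 40 characters the Duo extension requires. The function names are hypothetical, and the key generator reads /dev/urandom rather than using the guide's dd command.

```shell
#!/bin/sh
# Added example (not from the original guide): lint the Duo settings in a
# guacamole.properties file before starting the guacamole container.

# Hypothetical helper: 64 hex characters from the kernel CSPRNG, with the
# trailing "  -" that sha256sum prints already removed.
gen_duo_application_key() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Print the value of property $2 in file $1 (last definition wins).
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[:=][[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 only if all four Duo properties are usable, 1 on a bad value,
# 2 if the file cannot be read.
check_duo_properties() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "FAIL cannot read $file" >&2; return 2; }
    for key in duo-api-hostname duo-integration-key duo-secret-key \
               duo-application-key; do
        val=$(prop_value "$file" "$key")
        case $val in
            '')            echo "FAIL $key: missing or empty" >&2; rc=1 ;;
            *'<'*|*'>'*)   echo "FAIL $key: placeholder left in value" >&2; rc=1 ;;
            *[[:space:]]*) echo "FAIL $key: whitespace in value" >&2; rc=1 ;;
        esac
    done
    # The Duo extension requires an application key of at least 40 characters.
    akey=$(prop_value "$file" duo-application-key)
    if [ "${#akey}" -lt 40 ]; then
        echo "FAIL duo-application-key: shorter than 40 characters" >&2
        rc=1
    fi
    # The file holds the Duo secret key; warn (non-fatal) if "other" can read it.
    if [ "$(ls -ld "$file" | cut -c8)" = r ]; then
        echo "WARN $file is world-readable" >&2
    fi
    return $rc
}

# Usage: sudo sh check-duo.sh /var/lib/docker/volumes/guac-config/_data/guacamole.properties
if [ "$#" -gt 0 ]; then
    check_duo_properties "$1"
fi
```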
Use the commands below to deploy the required MySQL, GUACD and Guacamole containers – remember to change the <mysql_root_password> and <mysql_guacamole_password> values:
```shell
####################
# Guacamole Configuration/ Deployment
####################

# Create volumes
sudo docker volume create guac-mysql

# Uncomment this line if you skipped section two
# sudo docker volume create guac-config

# Generate the MySQL initialisation script in the directory that is
# bind-mounted into the MySQL container below
mkdir /tmp/scripts
sudo docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --mysql > /tmp/scripts/initdb.sql

# Create persistent MySQL container
sudo docker run --name guac-mysql \
  --mount source=guac-mysql,target=/var/lib/mysql \
  -v /tmp/scripts:/tmp/scripts \
  -e MYSQL_ROOT_PASSWORD='<mysql_root_password>' \
  --restart=always \
  -d mysql:latest

# Create Guacamole Database
sudo docker exec -it guac-mysql /bin/bash
# (inside the container) open the MySQL client
mysql -u root -p'<mysql_root_password>'
# (at the mysql> prompt)
CREATE DATABASE guacamole;
CREATE USER 'guacamole' IDENTIFIED BY '<mysql_guacamole_password>';
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole.* TO 'guacamole';
FLUSH PRIVILEGES;
quit
# (back in the container shell) load the schema, clear the shell history, leave
cat /tmp/scripts/initdb.sql | mysql -u root -p'<mysql_root_password>' guacamole
history -c
exit

# Create/ start the guacd container
sudo docker run --name guacd \
  --restart=always \
  -d guacamole/guacd

# Create/ start the guacamole container
sudo docker run --name guacamole \
  --link guacd:guacd \
  --link guac-mysql:mysql \
  -e MYSQL_DATABASE='guacamole' \
  -e MYSQL_USER='guacamole' \
  -e MYSQL_PASSWORD='<mysql_guacamole_password>' \
  --mount source=guac-config,target=/config \
  -e GUACAMOLE_HOME=/config \
  --restart=always \
  -d -p 8080:8080 guacamole/guacamole

####################
# END Guacamole Configuration/ Deployment
####################
```
You’re now good to go. Access Guacamole at http://<docker host name/ IP>:8080/guacamole/ and remember to configure your host firewall, if required, to enable access.