Deploying Guacamole (and Duo MFA) via Docker Containers on Ubuntu

This guide replaces any previous guacamole docker deployment guides on cb-net and will be kept up-to-date as new releases emerge.

Updated: 22/01/18 : New Guacamole release 0.9.14

Use this guide to deploy a fresh install of Guacamole on Ubuntu using Docker containers. The instructions cover Docker CE installation, Duo MFA configuration (optional; it can be skipped) and deployment of Guacamole and its prerequisite containers to get you up and running. Scenarios:

  • No Docker, and want to use Duo MFA: follow sections one, two and three
  • No Docker, but don’t want to use Duo MFA: follow sections one and three only
  • Already have Docker and want to use MFA: follow sections two and three only
  • Already have Docker and don’t want to use MFA: follow section three only

1. Docker Installation

Follow the instructions here to get Docker CE installed and running on your Ubuntu host: https://www.cb-net.co.uk/devops/installing-docker-ce-ubuntu-16-04-3-lts-17-10/

2. Duo Registration

First, you’ll need to register for a free Duo account at: https://duo.com/

Create a new “Auth API” application: Dashboard > Applications > Protect an Application > Web SDK

  • Scroll down and, under Settings, change the name to “Guacamole,” or something of your choice.
  • Copy out the following information (you’ll need this for the guacamole.properties file):
    • Integration Key
    • Secret Key
    • API hostname

Next, generate a Duo “application key” on your Docker host. Note that you do not have to enter this anywhere in your Duo configuration; it is set as duo-application-key in guacamole.properties (section three) and identifies the source application (or container in this case) for MFA requests.

dd if=/dev/random count=1 | sha256sum

Finally, install the Duo MFA application on your smartphone.

3. Guacamole Deployment

The commands below should only be used if you have registered for a Duo.com account and have the required configuration parameters as per section two of this guide. If you are not using Duo MFA, skip this part:

####################
# Duo MFA Specific Configuration
####################

# Create volumes
sudo docker volume create guac-config

# Create guacamole.properties
sudo vi /var/lib/docker/volumes/guac-config/_data/guacamole.properties

### Duo MFA Config
duo-api-hostname: <as per duo config>
duo-integration-key: <as per duo config>
duo-secret-key: <as per duo config>
duo-application-key: <generate using command above, in section two>

# Now save/ close this file

# Download the Duo MFA extension and place it within the Docker volume
sudo mkdir /var/lib/docker/volumes/guac-config/_data/extensions
URL="http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/0.9.14/binary/guacamole-auth-duo-0.9.14.tar.gz"
wget -O guacamole-auth-duo-0.9.14.tar.gz "$URL"
tar zxvf guacamole-auth-duo-0.9.14.tar.gz
sudo mv guacamole-auth-duo-0.9.14/guacamole-auth-duo-0.9.14.jar /var/lib/docker/volumes/guac-config/_data/extensions
####################
# END Duo MFA Specific Configuration
####################
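
The Duo extension above is fetched over plain HTTP and guacamole.properties holds hand-pasted secrets, so both are worth checking before the containers are started. The following is an added example, not part of the original guide or of the Guacamole project: the function names are hypothetical, the expected digest must be taken from the checksum the Apache Guacamole project publishes for the release (not reproduced here), and the 40-character minimum is the one documented for Guacamole's Duo extension.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the Duo section of this guide.
# Function names are hypothetical; nothing here ships with Guacamole.

# Print the value of property $2 from properties file $1 (last match wins).
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*[:=][[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 only if all four Duo properties are set, no "<...>" placeholder
# from the guide remains, and the application key is at least 40 characters
# (the minimum documented for Guacamole's Duo extension).
check_duo_props() {
  local file="$1" key val rc=0
  for key in duo-api-hostname duo-integration-key duo-secret-key duo-application-key; do
    val=$(prop "$file" "$key")
    case "$val" in
      '')   echo "missing: $key" >&2; rc=1 ;;
      '<'*) echo "placeholder left in: $key" >&2; rc=1 ;;
    esac
  done
  val=$(prop "$file" duo-application-key)
  if [ -n "$val" ] && [ "${#val}" -lt 40 ]; then
    echo "duo-application-key is shorter than 40 characters" >&2; rc=1
  fi
  return "$rc"
}

# Return 0 only if the SHA-256 of file $1 equals the expected hex digest $2
# (case-insensitive). Run this on the tarball before extracting the .jar.
verify_sha256() {
  local expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Usage (EXPECTED_SHA256 is a placeholder for the published digest):
#   verify_sha256 guacamole-auth-duo-0.9.14.tar.gz "$EXPECTED_SHA256" \
#     || echo "digest mismatch: do not install this archive" >&2
#   check_duo_props /var/lib/docker/volumes/guac-config/_data/guacamole.properties
```

The properties file lives under /var/lib/docker, so check_duo_props needs to run from a root shell on the Docker host.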

Use the commands below to deploy the required MySQL, GUACD and Guacamole containers – remember to change the <mysql_root_password> and <mysql_guacamole_password> values:

#################### 
# Guacamole Configuration/ Deployment
####################

# Create volumes
sudo docker volume create guac-mysql
# Uncomment this line if you skipped section two
# sudo docker volume create guac-config
# Generate mysql initialisation script
# (written to /tmp/scripts so the MySQL container can read it through the bind mount below)
mkdir /tmp/scripts
sudo docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --mysql > /tmp/scripts/initdb.sql

# Create persistent MySQL container
sudo docker run --name guac-mysql \
--mount source=guac-mysql,target=/var/lib/mysql \
-v /tmp/scripts:/tmp/scripts \
-e MYSQL_ROOT_PASSWORD='<mysql_root_password>' \
--restart=always \
-d mysql:latest

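# Create Guacamole Database
# Open a shell inside the MySQL container
sudo docker exec -it guac-mysql /bin/bash
# Inside the container: connect to MySQL as root
mysql -u root -p'<mysql_root_password>'
# At the mysql> prompt: create the database and a user limited to the guacamole schema
CREATE DATABASE guacamole;
CREATE USER 'guacamole' IDENTIFIED BY '<mysql_guacamole_password>';
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole.* TO 'guacamole';
FLUSH PRIVILEGES;
quit
# Back in the container shell: load the schema generated earlier
cat /tmp/scripts/initdb.sql | mysql -u root -p'<mysql_root_password>' guacamole
# Clear the container shell history, as the root password was typed on the command line
history -c
exit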

# Create/ start the guacd container
sudo docker run --name guacd \
--restart=always \
-d guacamole/guacd

# Create/ start the guacamole container
sudo docker run --name guacamole \
--link guacd:guacd \
--link guac-mysql:mysql \
-e MYSQL_DATABASE='guacamole' \
-e MYSQL_USER='guacamole' \
-e MYSQL_PASSWORD='<mysql_guacamole_password>' \
--mount source=guac-config,target=/config \
-e GUACAMOLE_HOME=/config \
--restart=always \
-d -p 8080:8080 guacamole/guacamole

#################### 
# END Guacamole Configuration/ Deployment
####################

You’re now good to go: access Guacamole using http://<docker host name/ IP>:8080/guacamole/ – remember to configure your host firewall, if required, to enable access.