RE: Server Out Of Memory

2017-08-03 Thread James Fraser
Hi Nick

Thanks for your response.

After sending off this message I did some digging.

I am using JDBC and LDAP auth together.

I was digging around the Server Heap error and think that you are on the right 
track with Xmx value.
It was out of the box (from apt-get) set to -Xmx128m, I have adjusted this to 
1024m for now and will monitor.

We concurrently have around 7 users, each user may be accessing 4-5 VMs at 
once.

Thanks again for the quick response Nick

James Fraser • Microsoft Systems Engineer


From: Nick Couchman [mailto:nick.couch...@yahoo.com]
Sent: Friday, 4 August 2017 10:52 AM
To: user@guacamole.incubator.apache.org
Subject: Re: Server Out Of Memory

Okay, let me try to take these one at a time...


On Thursday, August 3, 2017, 8:16:09 PM EDT, James Fraser 
<james.fra...@veritec.com.au> wrote:


> I recently upgraded to 0.9.13 and am experiencing an issue with my Production 
> server.

> This is potentially a Tomcat issue or JDBC driver issue.

What extensions do you have loaded?  Looks like MySQL JDBC - anything else?

> WARNING: The web application [guacamole] appears to have started a thread 
> named [Abandoned connection cleanup thread] but has failed to stop it. This 
> is very likely to create a memory leak. Stack trace of thread:
> java.lang.Object.wait(Native Method)
> java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:143)
> com.mysql.jdbc.AbandonedConnectionCleanupThread.run(AbandonedConnectionCleanupThread.java:43)
> ...

I use PostgreSQL and see these messages periodically, too, but they've never 
led to any adverse behavior.

> Which leads to

> Aug 03, 2017 10:04:16 PM org.apache.tomcat.util.net.NioEndpoint$Poller run
> SEVERE:
> java.lang.OutOfMemoryError: Java heap space

Yeah, that's not good, but it doesn't mean your server is running out of 
memory, it means the JavaVM is running out of heap space.  Those are different 
things.  What parameters do you have set for memory in Java in your Tomcat 
startup?  Look for the -Xmx flag either in the ps output for the PID of Java 
associated with Tomcat or in the Tomcat startup.sh file.  If you don't see it, 
then the default is 1/4 of your total RAM, so 1GB.  You can add the -Xmx flag 
to the java runtime parameters for Tomcat and bump it up to 2GB or something 
like that and see if that helps.  If you run out of RAM after bumping it up to 2 or 
3GB, then you may have run into a memory leak, but I'd give that a shot, first.  
When you set it, you can use abbreviations for various byte multiples - for 
example, -Xmx1024m is 1024MB or 1GB.  So, you might want to start with 
-Xmx2048m to bump up to 2GB and see if that helps.


> The server has 4GB of ram

I ran Guacamole 0.9.12 and the development versions of 0.9.13 on a system with 
4GB of RAM for quite some time and never had any issues.  How many connections 
do you have?  How many users connecting concurrently?


> root@MGMT-GUAC-01:/var/log/tomcat8# free -h
>               total        used        free      shared  buff/cache   available
> Mem:           3.4G        939M        128M         22M        2.3G        2.1G
> Swap:            0B          0B          0B


> A restart of tomcat resolves the issue for a period of time, I have just 
> written a cron job that restarts tomcat on appearance of this issue.

I've done Linux system admin/engineering for many years, and, from my point of 
view, those numbers from the output of free look just fine.  While it's easy to 
look at the "free" column and see 128M and think your system is short on RAM, 
the "available" column is what really counts.  Linux uses available RAM to 
cache and buffer things like disk and network I/O, and your system is consuming 
2-ish GB for that.  Memory allocated for buffer/cache can be easily freed when 
applications need it, so that's why the available column shows 2.1GB.  So, 
whenever you ran the "free" command on your system, the system itself is fine 
on RAM (for the moment) - it's most likely a Java heap size issue (-Xmx flag 
needs to be set).

-Nick
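
Added example (not part of the thread, and not code from the Guacamole project): a small POSIX shell check for the diagnosis described in the message above, reading the -Xmx value off the Java command line and comparing it with MemAvailable rather than the "free" column. The sample command line and meminfo text are constructed, and the function names and the comparison rule are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs below are constructed.

# Print the JVM's -Xmx value in bytes, given a java command line as $1.
# Exits non-zero when no usable -Xmx flag is present.
xmx_bytes() (
    set -f                      # no globbing while splitting the command line
    value=
    for arg in $1; do
        case $arg in
            -Xmx*) value=${arg#-Xmx} ;;   # keep the last one seen
        esac
    done
    [ -n "$value" ] || exit 1
    num=${value%[kKmMgG]}       # strip one trailing unit letter, if any
    unit=${value#"$num"}
    case $num in ''|*[!0-9]*) exit 1 ;; esac
    case $unit in
        k|K) echo $((num * 1024)) ;;
        m|M) echo $((num * 1024 * 1024)) ;;
        g|G) echo $((num * 1024 * 1024 * 1024)) ;;
        *)   echo "$num" ;;     # no suffix: value is already in bytes
    esac
)

# Print MemAvailable (in kB) from /proc/meminfo-format text on stdin.
mem_available_kb() {
    awk '$1 == "MemAvailable:" { print $2; found = 1 } END { exit !found }'
}

# Classify a "java.lang.OutOfMemoryError: Java heap space" situation.
#   $1 = java command line (on a live host: ps -o args= -p <tomcat pid>)
#   $2 = meminfo text      (on a live host: cat /proc/meminfo)
# Heuristic (an assumption of this example): if the host could still hand out
# at least one more heap of the current size, the -Xmx cap is the limit,
# not the machine's RAM.
classify_heap_oom() (
    avail_kb=$(printf '%s\n' "$2" | mem_available_kb) || {
        echo "unknown: no MemAvailable line"; exit 0
    }
    xmx=$(xmx_bytes "$1") || {
        echo "no -Xmx flag: JVM default heap limit applies"; exit 0
    }
    xmx_mb=$((xmx / 1024 / 1024))
    avail_mb=$((avail_kb / 1024))
    if [ "$avail_mb" -ge "$xmx_mb" ]; then
        echo "jvm-heap-cap xmx=${xmx_mb}M available=${avail_mb}M"
    else
        echo "host-memory-pressure xmx=${xmx_mb}M available=${avail_mb}M"
    fi
)

# Constructed sample: a Tomcat-style command line with the 128m heap cap
# mentioned in the thread, and meminfo text with roughly 2.1G available.
SAMPLE_CMDLINE='/usr/bin/java -Djava.awt.headless=true -Xmx128m -classpath /usr/share/tomcat8/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start'
SAMPLE_MEMINFO='MemTotal:        3565158 kB
MemFree:          131072 kB
MemAvailable:    2202009 kB
Buffers:          102400 kB
Cached:          2309427 kB'

classify_heap_oom "$SAMPLE_CMDLINE" "$SAMPLE_MEMINFO"
```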


Server Out Of Memory

2017-08-03 Thread James Fraser
Hi All

I recently upgraded to 0.9.13 and am experiencing an issue with my Production 
server.
This is potentially a Tomcat issue or JDBC driver issue.

If anyone can comment that would be great.

Looking at the Catalina.out file I found

WARNING: The web application [guacamole] appears to have started a thread named 
[Abandoned connection cleanup thread] but has failed to stop it. This is very 
likely to create a memory leak. Stack trace of thread:
java.lang.Object.wait(Native Method)
java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:143)
com.mysql.jdbc.AbandonedConnectionCleanupThread.run(AbandonedConnectionCleanupThread.java:43)


SEVERE: The web application [guacamole] created a ThreadLocal with key of type 
[com.google.inject.internal.InjectorImpl$1] (value 
[com.google.inject.internal.InjectorImpl$1@2c0acdd7]) and a value of type 
[java.lang.Object[]] (value [[Ljava.lang.Object;@2ee3d179]) but failed to 
remove it when the web application was stopped. Threads are going to be renewed 
over time to try and avoid a probable memory leak.
Aug 02, 2017 8:25:43 PM org.apache.catalina.loader.WebappClassLoaderBase 
checkThreadLocalMapForLeaks
SEVERE: The web application [guacamole] created a ThreadLocal with key of type 
[com.google.inject.internal.InjectorImpl$1] (value 
[com.google.inject.internal.InjectorImpl$1@1b5b9da0]) and a value of type 
[java.lang.Object[]] (value [[Ljava.lang.Object;@b5aea9c]) but failed to remove 
it when the web application was stopped. Threads are going to be renewed over 
time to try and avoid a probable memory leak.

Which leads to

Aug 03, 2017 10:04:16 PM org.apache.tomcat.util.net.NioEndpoint$Poller run
SEVERE:
java.lang.OutOfMemoryError: Java heap space


I am just running the standard apt-get configuration of Tomcat 8 on Ubuntu 
server 16.4
The server has 4GB of ram

Here is the output of Free

root@MGMT-GUAC-01:/var/log/tomcat8# free -h
              total        used        free      shared  buff/cache   available
Mem:           3.4G        939M        128M         22M        2.3G        2.1G
Swap:            0B          0B          0B

A restart of tomcat resolves the issue for a period of time, I have just 
written a cron job that restarts tomcat on appearance of this issue.


Any advice greatly appreciated.


RE: Identify if a machine is online

2017-08-15 Thread James Fraser
The machines are powered off automatically on a nightly basis, lots of these 
servers are just available for building applications or testing SQL or Websites 
etc.
The automation script used to power them off has the ability to power them on, 
the reason this is not done is because if a server is not going to be used then 
it should remain off to stop charges being incurred

These servers can be powered on by a developer (who doesn’t have admin access 
in guac, no shell access etc) via webhooks.

In most scenarios a server or group of servers (eg. DC, SQL, WEB) are all 
isolated to their own network with only HTTPS access available to the web 
server, the developers are accessing these servers via guacamole.

If we had machines running that were not utilised we would incur thousands of 
dollars in idle compute.

I was just curious if it was possible to make this visible, this is a pretty 
niche scenario and probably not something that has even been requested in the 
past?

I have had some thoughts but have been too busy to play around with anything.

My potential thoughts were:

In the interface where it states – Number of connections a server has in use 
could potentially display OFFLINE if a ping request from the guacamole server 
was unable to talk to the endpoint, this then changes the SQL DB to display 
that message via a cron job.


Anyways thanks for the replies.


James Fraser • Microsoft Systems Engineer


From: Tomas Maggio [mailto:tomasmag...@gmail.com]
Sent: Tuesday, 15 August 2017 6:51 PM
To: user@guacamole.incubator.apache.org
Subject: Re: Identify if a machine is online

Hi James,

Who/what powers off these servers?

I think you could script it to ping them and with that enable/disable them on 
the guacamole db? Is this what you are trying to achieve?

Cheers

On 15 Aug 2017 5:47 p.m., "James Fraser" 
<james.fra...@veritec.com.au> wrote:
Hi All

Just wondering if there was a possible way for Guacamole to display if a 
machine is online/reachable from the Guacamole server.

E.g. a lot of our servers are test servers and reside within Azure 
subscriptions, due to the nature of Azure billing it is cost effective to power 
off these machines.

Some of the Devs have requested the ability to view if the machine is online 
or offline without visiting the Azure Portal

Is this something that is on the horizon or has anyone attempted engineering 
this feature?

Cheers

James Fraser • Microsoft Systems Engineer



Identify if a machine is online

2017-08-14 Thread James Fraser
Hi All

Just wondering if there was a possible way for Guacamole to display if a 
machine is online/reachable from the Guacamole server.

E.g. a lot of our servers are test servers and reside within Azure 
subscriptions, due to the nature of Azure billing it is cost effective to power 
off these machines.

Some of the Devs have requested the ability to view if the machine is online 
or offline without visiting the Azure Portal

Is this something that is on the horizon or has anyone attempted engineering 
this feature?

Cheers

James Fraser * Microsoft Systems Engineer




RE: LDAP_USER_BASE_DN pointing to an AD Security Group

2017-08-13 Thread James Fraser
Hi

I resolved this issue from another ticket comment from Nick

On Wed, Aug 9, 2017 at 2:31 PM, Nick Couchman 
<nick.couch...@yahoo.com> wrote:
Are you getting any errors in your Tomcat log files?

Can you try pointing at port 3268 on your AD server, instead of the default 
389?  There's an issue with querying the global catalog that is in the process 
of being fixed (PR is open for it), and I think querying the non-GC-port 
sometimes works.

-Nick


Changing to 3268 seems to have resolved my issue.
Cheers

James Fraser • Microsoft Systems Engineer


From: James Fraser [mailto:james.fra...@veritec.com.au]
Sent: Monday, 14 August 2017 11:31 AM
To: user@guacamole.incubator.apache.org
Subject: RE: LDAP_USER_BASE_DN pointing to an AD Security Group

Hi All

I am currently experiencing the same issue here, if targeting a specific OU in 
Active Directory it works as required however I am now implementing Guac for 
another client and require targeting multiple OUs and using the BASE OU and a 
few groups was the idea but if I don’t specify the OU that the users live in 
then I can not seem to get it to work and get the same

ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: 
Error while query user DNs.


James Fraser • Microsoft Systems Engineer

From: Mariano Di Girolamo [mailto:m.digirol...@tecnodata-srl.it]
Sent: Thursday, 3 August 2017 12:46 AM
To: user <user@guacamole.incubator.apache.org>
Subject: Re: LDAP_USER_BASE_DN pointing to an AD Security Group

The user used in bind is member of administrator.
I installed the new version of guacamole (0.9.13) but I have the same problem.
If I configure the base-dn like "DC=test,DC=local" I have this error on 
catalina.out

ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: 
Error while query user DNs.




Di Girolamo Mariano


From: "Nick Couchman" <nick.couch...@yahoo.com>
To: "user" <user@guacamole.incubator.apache.org>
Sent: Monday, 31 July 2017 15:24:06
Subject: Re: LDAP_USER_BASE_DN pointing to an AD Security Group

Hmmm...that's not very useful.  Does the user account you're using to bind for 
the search have access to the other OUs?  Generally they do, unless you've 
specifically locked down that user's permissions.

Any error messages in the log file for your application server (Tomcat, JBoss - 
whatever you're using)?

-Nick

== He has shown you, O man, what is good; And what does the LORD require of you 
But to do justly, To love mercy, And to walk humbly with your God? --Micah 
6:8-- ==


On Monday, July 31, 2017, 3:29:36 AM EDT, Mariano Di Girolamo 
<m.digirol...@tecnodata-srl.it> wrote:

Hi Nick,
thanks for your reply.
I changed the ldap-user-base-dn like your suggestion (DC=test,DC=local), but 
now nobody can access guacamole.
I don't use LDAP but samba4 domain controller.



Di Girolamo Mariano


RE: LDAP_USER_BASE_DN pointing to an AD Security Group

2017-08-13 Thread James Fraser
Hi All

I am currently experiencing the same issue here, if targeting a specific OU in 
Active Directory it works as required however I am now implementing Guac for 
another client and require targeting multiple OUs and using the BASE OU and a 
few groups was the idea but if I don’t specify the OU that the users live in 
then I can not seem to get it to work and get the same

ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: 
Error while query user DNs.


James Fraser • Microsoft Systems Engineer


From: Mariano Di Girolamo [mailto:m.digirol...@tecnodata-srl.it]
Sent: Thursday, 3 August 2017 12:46 AM
To: user <user@guacamole.incubator.apache.org>
Subject: Re: LDAP_USER_BASE_DN pointing to an AD Security Group

The user used in bind is member of administrator.
I installed the new version of guacamole (0.9.13) but I have the same problem.
If I configure the base-dn like "DC=test,DC=local" I have this error on 
catalina.out

ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: 
Error while query user DNs.




Di Girolamo Mariano


From: "Nick Couchman" <nick.couch...@yahoo.com>
To: "user" <user@guacamole.incubator.apache.org>
Sent: Monday, 31 July 2017 15:24:06
Subject: Re: LDAP_USER_BASE_DN pointing to an AD Security Group

Hmmm...that's not very useful.  Does the user account you're using to bind for 
the search have access to the other OUs?  Generally they do, unless you've 
specifically locked down that user's permissions.

Any error messages in the log file for your application server (Tomcat, JBoss - 
whatever you're using)?

-Nick

== He has shown you, O man, what is good; And what does the LORD require of you 
But to do justly, To love mercy, And to walk humbly with your God? --Micah 
6:8-- ==


On Monday, July 31, 2017, 3:29:36 AM EDT, Mariano Di Girolamo 
<m.digirol...@tecnodata-srl.it> wrote:

Hi Nick,
thanks for your reply.
I changed the ldap-user-base-dn like your suggestion (DC=test,DC=local), but 
now nobody can access guacamole.
I don't use LDAP but samba4 domain controller.



Di Girolamo Mariano


From: "Nick Couchman" <nick.couch...@yahoo.com>
To: "user" <user@guacamole.incubator.apache.org>
Sent: Friday, 28 July 2017 23:11:39
Subject: Re: LDAP_USER_BASE_DN pointing to an AD Security Group

In order to accomplish what you're trying to do, you need to change your base 
DN to a higher-level.  So, the following line:

ldap-user-base-dn: OU=guacamoleou,DC=test,DC=local


would need to be changed to:


ldap-user-base-dn: DC=test,DC=local



Another option is to leave the base DN as you have it, enable Alias 
Dereferencing (see the manual) and then link any additional users into the 
guacamoleou OU object.


Finally, there is a JIRA issue out there for changing LDAP behavior such that 
you can put multiple OUs in, but

RE: Implement HA on Guacamole Server

2017-07-23 Thread James Fraser
Hi Thiago

I have a "HA" setup currently running within Azure
We found too many timeout issues with using a PAAS solution for MYSQL so instead 
are running a simpler solution at the moment.

We have two servers, one is the Master and one is the slave.

We have a load balancer (traffic manager for setting priority)
Which selects server number 1 (master)
We are locking down the environment using oauth2 followed by LDAP and MYSQL.

Server 1 (Master) has a RW database and syncs data to Server 2 (Slave)

Guacamole on server 2 only has Read Only access to its database.
If server 1 goes off line, server 2 can and will continue to allow connectivity 
however it will not allow creation of new users or connections, nor will it log 
who is logged on etc


It is not perfect but it does allow server 1 to be patched and/or go offline.





From: Thiago dos Santos Nunes [mailto:thi...@digitalinformatica.com.br]
Sent: Friday, 21 July 2017 1:21 AM
To: user@guacamole.incubator.apache.org
Subject: Implement HA on Guacamole Server

Hi everyone,

Pax!
I need a lot of help.
We have a guacamole setting with approximately 100-200 simultaneous 
connections. And we're investigating the option of creating client high 
availability using Hazelcast or memcached (Nick's tip). Has anyone tried this? 
Could you share how it was? Because I've never worked with it.
Another essential thing is the server side. We need to implement some High 
Availability schema for the server. And it would have to be something without 
downtime if possible.
I had already created a ticket for the HA issue on the guacamole server, in 
case there is a need to change the code. This would be an exceptional feature 
for medium to large environments.
https://issues.apache.org/jira/browse/GUACAMOLE-283
Please help me in this, because the environment has fallen sometimes and the 
users get very frustrated. And customers wanting to paralyze services for 
this.
Stay with GOD!
Aude et Effice!
Thiago.



RE: Implement HA on Guacamole Server

2017-07-24 Thread James Fraser
Hi Thiago

In answer to your questions we do not have load balancing for spreading load we 
have a load balancer for active/passive failover.
If we were able to have a PAAS solution for MySQL that was stable OR we stored 
all objects in active directory then we would essentially round robin the LB 
between servers.

I do not believe there would be any way to keep alive a connection in the event 
of a server crash as it's a persistent connection to that server, the best 
outcome that I could see is the user refreshes  the browser and reconnects to 
the next host.

Sorry if this was not what you wanted to hear.

From: Thiago dos Santos Nunes [mailto:thi...@digitalinformatica.com.br]
Sent: Monday, 24 July 2017 10:48 PM
To: user@guacamole.incubator.apache.org
Subject: RES: Implement HA on Guacamole Server

Thanks for sharing James (We have the same name but in different languages...).

My problem is not the Database server, but with Guacamole Server and the client.

How do you address these questions:

- How to create persistent sessions in many guacamole clients if one server goes 
down?
- How to not disconnect my users if one guacamole server goes down?
- How to load balance the connections with many guacamole servers and many 
guacamole clients equally?




Stay with GOD!
Aude et Effice!

From: James Fraser [mailto:james.fra...@veritec.com.au]
Sent: Sunday, 23 July 2017 20:00
To: user@guacamole.incubator.apache.org
Subject: RE: Implement HA on Guacamole Server

Hi Thiago

I have a "HA" setup currently running within Azure
We found too many timeout issues with using a PAAS solution for MYSQL so instead 
are running a simpler solution at the moment.

We have two servers, one is the Master and one is the slave.

We have a load balancer (traffic manager for setting priority)
Which selects server number 1 (master)
We are locking down the environment using oauth2 followed by LDAP and MYSQL.

Server 1 (Master) has a RW database and syncs data to Server 2 (Slave)

Guacamole on server 2 only has Read Only access to its database.
If server 1 goes off line, server 2 can and will continue to allow connectivity 
however it will not allow creation of new users or connections, nor will it log 
who is logged on etc


It is not perfect but it does allow server 1 to be patched and/or go offline.





From: Thiago dos Santos Nunes [mailto:thi...@digitalinformatica.com.br]
Sent: Friday, 21 July 2017 1:21 AM
To: user@guacamole.incubator.apache.org
Subject: Implement HA on Guacamole Server

Hi everyone,

Pax!
I need a lot of help.
We have a guacamole setting with approximately 100-200 simultaneous 
connections. And we're investigating the option of creating client high 
availability using Hazelcast or memcached (Nick's tip). Has anyone tried this? 
Could you share how it was? Because I've never worked with it.
Another essential thing is the server side. We need to implement some High 
Availability schema for the server. And it would have to be something without 
downtime if possible.
I had already created a ticket for the HA issue on the guacamole server, in 
case there is a need to change the code. This would be an exceptional feature 
for medium to large environments.
https://issues.apache.org/jira/browse/GUACAMOLE-283
Please help me in this, because the environment has fallen sometimes and the 
users get very frustrated. And customers wanting to paralyze services for 
this.
Stay with GOD!
Aude et Effice!
Thiago.



RE: Official release of 0.9.13

2017-07-05 Thread James Fraser
Thanks for the response Mike.

-----Original Message-----
From: Mike Jumper [mailto:mike.jum...@guac-dev.org] 
Sent: Thursday, 6 July 2017 4:59 AM
To: user@guacamole.incubator.apache.org
Subject: Re: Official release of 0.9.13

Hi James,

There is no release schedule, however once that staging/VERSION branch exists, 
the release process is underway, and timing is a matter of who has time to do 
what. At the current stage of the process, an RC has been tagged, and the 
release notes are being drafted. Once the notes are in place, a vote will be 
called.

If curious, the overall release process is documented step-by-step on the 
website:

http://guacamole.incubator.apache.org/release-procedures-part1/
(finalization of scope)
http://guacamole.incubator.apache.org/release-procedures-part2/
(release candidate / candidates)
http://guacamole.incubator.apache.org/release-procedures-part3/
(promoting the final release candidate to release) 
http://guacamole.incubator.apache.org/release-procedures-part4/
(announcing the release)

We are currently at:

http://guacamole.incubator.apache.org/release-procedures-part2/#upload-docs

- Mike


On Tue, Jul 4, 2017 at 5:20 PM, James Fraser <james.fra...@veritec.com.au> 
wrote:
> Hi All
>
>
> Whilst I understand (and have in my sandbox) I can build 0.9.13 from 
> Git I am just wondering if there is an official release date for 0.9.13?
>
>
>
> Cheers
>
>


Official release of 0.9.13

2017-07-04 Thread James Fraser
Hi All

Whilst I understand (and have in my sandbox) I can build 0.9.13 from Git I am 
just wondering if there is an official release date for 0.9.13?

Cheers



RE: Guac 0.9.13

2017-07-30 Thread James Fraser
Hi Nick

Thanks for your response, I have just built 0.9.13 and setting up a couple of 
AD domains, just chasing a bit of guidance of how to target the two different 
directories if it's possible.

Cheers

James Fraser • Microsoft Systems Engineer


From: Nick Couchman [mailto:nick.couch...@yahoo.com]
Sent: Monday, 31 July 2017 9:59 AM
To: user@guacamole.incubator.apache.org
Subject: Re: Guac 0.9.13

James,
The LDAP filtering is possible as of the as-yet-unreleased 0.9.13-incubating 
version of Guacamole.  Hopefully that'll be released, soon, maybe even sometime 
this week.  Don't quote me on that, but I know the process to get the release 
approved is moving along right now, so it shouldn't be too long.

The multiple directory lookup has *not,* yet, been incorporated.  I can't 
remember if there's a separate JIRA issue for that one - I feel like there is - 
if not, you should definitely open one so we can track status on that.

Regards,
Nick


On Sunday, July 30, 2017, 7:04:03 PM EDT, James Fraser 
<james.fra...@veritec.com.au> wrote:



I have been reviewing 0.9.13



In particular

https://issues.apache.org/jira/browse/GUACAMOLE-101



I am curious if this is now possible? Is it potentially possible to lookup 
between multiple directories?



James Fraser • Microsoft Systems Engineer




RE: RE: Guac 0.9.13

2017-07-30 Thread James Fraser
Hi Nick

Thanks for your reply
Unfortunately we do not have any trusts setup between domains, our Guacamole 
instance is in an Azure Subscription and we have peers to other subscriptions 
and domains that are not part of our company but we give access to the servers 
over Guacamole, this prevents the servers requiring public IP addresses to 
connect to them.

I will have a look at OpenLDAP with Meta and see how I go, I will report back.

Cheers

James Fraser • Microsoft Systems Engineer


From: Nick Couchman [mailto:nick.couch...@yahoo.com]
Sent: Monday, 31 July 2017 11:14 AM
To: user@guacamole.incubator.apache.org
Subject: Re: RE: Guac 0.9.13

Under the current version you, unfortunately, do not have any options inside 
Guacamole itself to accomplish this.  The way I can think of at this point 
would be to use OpenLDAP with the Meta or Proxy back-end, and have OpenLDAP 
present both directory trees under a single server/tree to Guacamole.  That's 
not the ideal solution and we certainly want to get Guacamole to the point 
where it can handle multiple trees in the same config, but it will work.

I've used the Meta backend before, and it allows you to take two directory 
trees - say dc=ad1,dc=com and dc=ad2,dc=com - and combine them in such a way 
that ad1 appears at dc=ad1,dc=ldap,dc=com and ad2 at dc=ad2,dc=ldap,dc=com.  
You can then query the OpenLDAP instance at the dc=ldap,dc=com level and it 
will traverse both trees.  IIRC, it's also smart enough to handle passing 
through bind requests - so, once a user is found in dc=ad2,dc=ldap,dc=com, for 
example, when the bind request is sent it will translate that to the correct 
user on the dc=ad2,dc=com side and proxy the request.  It takes a little work 
to get set up, but it isn't too bad.

If you have both your AD trees set up in a single forest you can probably 
accomplish the same thing - if one is at the root and the other is a tree 
somewhere in the forest, I'm fairly certain you can have a LDAP server that has 
access to both trees.  I'm not an expert on Active Directory, so I've never 
gone that route before and cannot speak to how it's accomplished or even for 
sure that it's possible, but I believe that was one of the key features behind 
AD was the ability to further sub-divide the domains while still maintaining 
some sort of top-level authority and view of the entire system.

Anyway, those are a couple of ideas - like I said, unfortunately, nothing 
native to Guacamole at this point that will help you out.

Regards,
Nick


On Sunday, July 30, 2017, 8:37:37 PM EDT, James Fraser 
<james.fra...@veritec.com.au> wrote:



Hi Nick



Thanks for your response, I have just built 0.9.13 and setting up a couple of 
AD domains, just chasing a bit of guidance of how to target the two different 
directories if it's possible.

Cheers



James Fraser • Microsoft Systems Engineer



From: Nick Couchman [mailto:nick.couch...@yahoo.com]
Sent: Monday, 31 July 2017 9:59 AM
To: user@guacamole.incubator.apache.org
Subject: Re: Guac 0.9.13



James,

The LDAP filtering is possible as of the as-yet-unreleased 0.9.13-incubating 
version of Guacamole.  Hopefully that'll be released, soon, maybe even sometime 
this week.  Don't quote me on that, but I know the process to get the release 
approved is moving along right now, so it shouldn't be too long.



The multiple directory lookup has *not,* yet, been incorporated.  I can't 
remember if there's a separate JIRA issue for that one - I feel like there is - 
if not, you should definitely open one so we can track status on that.



Regards,

Nick





On Sunday, July 30, 2017, 7:04:03 PM EDT, James Fraser 
<james.fra...@veritec.com.au> wrote:





I have been reviewing 0.9.13



In particular

https://issues.apache.org/jira/browse/GUACAMOLE-101



I am curious if this is now possible? Is it potentially possible to lookup 
between multiple directories?



James Fraser • Microsoft Systems Engineer




RE: Server Out Of Memory

2017-08-07 Thread James Fraser
)
at com.sun.jersey.spi.container.servlet.WebComponent$Writer.flush(WebComponent.java:315)
at com.sun.jersey.spi.container.ContainerResponse$CommittingOutputStream.flush(ContainerResponse.java:145)
at org.codehaus.jackson.impl.Utf8Generator.flush(Utf8Generator.java:1085)
at org.codehaus.jackson.map.ObjectMapper.writeValue(ObjectMapper.java:1606)

Followed by

SEVERE:Memory usage is low, parachute is non existent, your system may start failing.
java.lang.OutOfMemoryError: Java heap space
SEVERE:Memory usage is low, parachute is non existent, your system may start failing.
java.lang.OutOfMemoryError: Java heap space
SEVERE:Memory usage is low, parachute is non existent, your system may start failing.
java.lang.OutOfMemoryError: Java heap space
SEVERE:Memory usage is low, parachute is non existent, your system may start failing.
java.lang.OutOfMemoryError: Java heap space
SEVERE:Memory usage is low, parachute is non existent, your system may start failing.
java.lang.OutOfMemoryError: Java heap space
SEVERE:Memory usage is low, parachute is non existent, your system may start failing.
java.lang.OutOfMemoryError: Java heap space
SEVERE:Memory usage is low, parachute is non existent, your system may start failing.
java.lang.OutOfMemoryError: Java heap space
SEVERE:Memory usage is low, parachute is non existent, your system may start failing.
java.lang.OutOfMemoryError: Java heap space
SEVERE:Memory usage is low, parachute is non existent, your system may start failing.
java.lang.OutOfMemoryError: Java heap space
SEVERE:Memory usage is low, parachute is non existent, your system may start failing.
java.lang.OutOfMemoryError: Java heap space
SEVERE:Memory usage is low, parachute is non existent, your system may start failing.

I will adjust the dump for next time.

As noted the machine has 4GB of ram and around 7 users with 3-4 concurrent 
connections.
In 4 months on 0.9.12 I experienced an issue once which required blipping 
tomcat but did not delve into it so cannot confirm if the issue was related.

Looking at the glaring error it appears to be JDBC/MYSQL related.

To give some knowledge I did upgrade the database schema and also downloaded 
the 5.1.43 JDBC driver.


Anyway it is late here in Australia and I need to get some sleep.
Will update tomorrow with MYSQL version etc if requested.

Cheers




JAMES FRASER • MICROSOFT SYSTEMS ENGINEER

-Original Message-
From: Mike Jumper [mailto:mike.jum...@guac-dev.org] 
Sent: Friday, 4 August 2017 12:05 PM
To: user@guacamole.incubator.apache.org
Subject: Re: Server Out Of Memory

On Thu, Aug 3, 2017 at 6:54 PM, Mike Jumper <mike.jum...@guac-dev.org> wrote:
> On Thu, Aug 3, 2017 at 6:50 PM, James Fraser 
> <james.fra...@veritec.com.au> wrote:
>> Hi Nick
>>
>> Thanks for your response.
>>
>> After sending off this message I did some digging.
>>
>> I am using JDBC and LDAP auth together.
>>
>> I was digging around the Server Heap error and think that you are on 
>> the right track with Xmx value.
>>
>> It was out of the box (from apt-get) set to -Xmx128m, I have adjusted 
>> this to 1024m for now and will monitor
>>
>> We concurrently have around 7 users, each user may be accessing 4-5 
>> VM’s at once.
>>
>
> Would you be able to take a heap dump to see what is using up so much space?
>
> 7 users is relatively light, and having to manually increase the heap 
> shouldn't be necessary in practice. In past versions of Java, they can 
> cause more problems than they solve (lengthy GCs), and recent versions 
> of Java will ignore these options.
>

Correction: it's permgen that vanished in recent versions of Java, not heap 
limits.

My other points still stand though. ;)


RE: groups for user .

2017-06-20 Thread James Fraser
Hi Goncalo

You might find you can accomplish what you want with posh ssh module for ssh in 
powershell

https://github.com/darkoperator/Posh-SSH



-Original Message-
From: Goncalo Rosa [mailto:goncalo.r...@v2s.us] 
Sent: Tuesday, 20 June 2017 5:15 PM
To: user@guacamole.incubator.apache.org
Subject: RE: groups for user .

Hi,

I am using Guacamole in a lab environment, where the Guacamole servers sit 
in a DMZ.

So I don't want to integrate with our lab domain, since I don't want to expose it 
to the DMZ. Instead I decided to implement a local MariaDB database for each 
Guacamole server.

On the other hand, I have around 200 users being assigned weekly to lab 
environments dynamically, and I have a centralized Windows 2008 R2 server that 
provides management for all lab environment components. So I constantly need to 
add and remove connections for users on the Guacamole servers from this 
Windows 2008 R2 server.

The way I did it, which works great, was using PowerShell scripts that use ssh 
to remotely run bash scripts on each Guacamole server, which in turn 
execute SQL statements against the MariaDB database.

And it actually just works great, with no errors, and is quite clean.

I also tried to run PowerShell commands straight against MariaDB with the MySQL 
connector; however, that didn't work, since most of the SQL statements require 
multiple instructions per connection and I couldn't find a way to make that 
happen through mysql-connector invoked from PowerShell.

So I would suggest you think about a solution like this, which would allow you to 
manage your connections easily and smoothly.

Cheers

Gonçalo Rosa


W: www.v2s.us   Skype: goncalo_rosa

-Original Message-
From: s1324 [mailto:steve_al...@csx.com] 
Sent: Tuesday, June 20, 2017 01:25
To: user@guacamole.incubator.apache.org
Subject: RE: groups for user .

Did you get this issue resolved?

I am having the same challenge.



--
View this message in context: 
http://apache-guacamole-incubating-users.2363388.n4.nabble.com/groups-for-user-tp407p1177.html
Sent from the Apache Guacamole (incubating) - Users mailing list archive at 
Nabble.com.
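
The pattern Gonçalo describes above (a script on the Guacamole host, called over ssh, that runs several SQL statements in one MariaDB session) could look like the sketch below. It is an added example, not his script or the project's code; the table and column names assume the 0.9.x JDBC schema, and the database name and option-file path are hypothetical.

```shell
#!/bin/sh
# Added example. Runs on the Guacamole host; the management server calls it over ssh.
# Assumed 0.9.x JDBC schema: guacamole_user(user_id, username),
# guacamole_connection(connection_id, connection_name),
# guacamole_connection_permission(user_id, connection_id, permission).

# Allowlist check. The names arrive as ssh arguments and end up inside SQL
# string literals, so quotes, semicolons, spaces and empty values are refused.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Print one transaction that grants or revokes READ on a connection.
# Usage: build_sql grant|revoke <username> <connection_name>
# Note: matches every connection with that name, whatever its group.
build_sql() {
    valid_name "$2" || { echo "rejected username" >&2; return 2; }
    valid_name "$3" || { echo "rejected connection name" >&2; return 2; }
    case "$1" in
        grant)
            cat <<SQL
START TRANSACTION;
INSERT IGNORE INTO guacamole_connection_permission (user_id, connection_id, permission)
SELECT u.user_id, c.connection_id, 'READ'
  FROM guacamole_user u, guacamole_connection c
 WHERE u.username = '$2' AND c.connection_name = '$3';
COMMIT;
SQL
            ;;
        revoke)
            cat <<SQL
START TRANSACTION;
DELETE p FROM guacamole_connection_permission p
  JOIN guacamole_user u ON u.user_id = p.user_id
  JOIN guacamole_connection c ON c.connection_id = p.connection_id
 WHERE u.username = '$2' AND c.connection_name = '$3';
COMMIT;
SQL
            ;;
        *)
            echo "unknown action: use grant or revoke" >&2
            return 2
            ;;
    esac
}

# Send the batch to MariaDB in a single client session, so all statements share
# one connection. Credentials come from a root-only option file, never argv.
# The option-file path and database name are hypothetical.
apply_sql() {
    sql=$(build_sql "$@") || return 2
    printf '%s\n' "$sql" |
        mysql --defaults-extra-file=/etc/guacamole/lab-admin.cnf guacamole_db
}
```

Because the names are validated before they reach the SQL text, a value containing a quote or semicolon is rejected on the Guacamole host even if the calling script on the management server passes it through unchecked.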


RE: Disable Auto Reconnect

2017-06-22 Thread James Fraser
Hi Mike

Thanks for this I will try out latest 0.9.13 build in my sandbox

☺

From: Mike Jumper [mailto:mike.jum...@guac-dev.org]
Sent: Thursday, 22 June 2017 2:41 AM
To: user@guacamole.incubator.apache.org
Subject: Re: Disable Auto Reconnect

The relevant changes are:

https://issues.apache.org/jira/browse/GUACAMOLE-208


On Wed, Jun 21, 2017 at 9:40 AM, Mike Jumper 
<mike.jum...@guac-dev.org> wrote:
Mind retrying with a build from git master or staging/0.9.13-incubating?

There have been recent changes expanding handling of RDP disconnections which 
take into account the disconnect reason code returned by the RDP server. I 
believe the automatic reconnect behavior is now specifically excluded for cases 
where the disconnect is forced by the server, such as the idle timeout.

- Mike


On Thu, Jun 15, 2017 at 9:46 PM, James Fraser 
<james.fra...@veritec.com.au> wrote:
Hi Guac users

Is there a way to disable the 15 second auto reconnect?
We are trying to setup a 30 minute idle disconnect/1 hour idle log off rule in 
group policy

However guacamole is just reconnecting after the 30 minute disconnect.

Cheers




Re: Issues with Guacamole Disconnecting RDP sessions for remote user

2017-06-14 Thread James Fraser
Thanks for the Suggestion

This is a home user but that does not conclude it's not the router. I have 
requested this user to test using 4G internet and report back to me, as it is 
very stable for me from my house and I am on only 2mbit down 1/4mbit upload and 
I sustain connections fine.



From: Christian Kraus <christian.kr...@ckc-it.at>
Sent: Wednesday, June 14, 2017 7:15:45 PM
To: user@guacamole.incubator.apache.org
Subject: AW: Issues with Guacamole Disconnecting RDP sessions for remote user



Is it possible that for these remote users there is HTTPS spoofing configured 
on their firewall?

I had the same behaviour on one client with https checking


rg

Christian



-Original Message-
From: James Fraser <james.fra...@veritec.com.au>
Sent: Wednesday 14 June 2017 06:51
To: user@guacamole.incubator.apache.org
Subject: RE: Issues with Guacamole Disconnecting RDP sessions for remote user

It might also be worth noting that we are using Ubuntu 16.04 and Guacamole 
0.9.12



From: James Fraser [mailto:james.fra...@veritec.com.au]
Sent: Wednesday, 14 June 2017 2:30 PM
To: user@guacamole.incubator.apache.org
Subject: Issues with Guacamole Disconnecting RDP sessions for remote user

Hi All

Long time user of Guacamole here.

I have recently developed and deployed a Proof Of Concept

The design is running out of Microsoft Azure and the following is happening

NGINX is being used to run SSL and Auth
Auth to NGINX is done via the oauth2 proxy which is authing against our Azure 
AD (As a “webapp” in Azure AD)

Once passing NGINX Auth you are handed over to Guacamole which is using LDAP 
authentication via Azure Active Directory Domain Services.

Our main office has really good internet 500/500 mbit and connection to servers 
via Guacamole from this location is silky smooth and nice and fast.

We have peers connected to the Guacamole Zone allowing us to access servers 
that are not internet facing and the proof of concept is working awesomely.

Except we have a few remote users who do not have the best internet connection 
but still capable of 10 mbits and ping latency of around 35ms (to the guac 
servers)

These users are experiencing RDP Disconnects, the type that does not auto 
prompt 15 seconds to reconnect but the grey window that just offers 
reconnect/home/logout

If they reconnect it reconnects fine for a short period but is happening every 
1-2 minutes

I have so far tried the following unsuccessfully:

  *   Firefox/Chrome/Internet Exploder
  *   Bypassing NGINX and having this user connect to Tomcat on 8080 over HTTP

The tomcat log shows the following:
Exception in thread "Thread-208" java.lang.IllegalStateException: Message will not be sent because the WebSocket session has been closed
at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.writeMessagePart(WsRemoteEndpointImplBase.java:384)
at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.startMessage(WsRemoteEndpointImplBase.java:340)
at org.apache.tomcat.websocket.WsRemoteEndpointImplBase$TextMessageSendHandler.write(WsRemoteEndpointImplBase.java:755)
at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendPartialString(WsRemoteEndpointImplBase.java:252)
at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendString(WsRemoteEndpointImplBase.java:195)
at org.apache.tomcat.websocket.WsRemoteEndpointBasic.sendText(WsRemoteEndpointBasic.java:37)
at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint$2.run(GuacamoleWebSocketTunnelEndpoint.java:169)

Guacd does not seem to be logging anything worth mentioning to the syslog

I will note the RDP connections are to Server 2016 servers utilising NLA (With 
certificate ignored)

If anyone could shed some light on troubleshooting this would be excellent.

James Fraser • Microsoft Systems Engineer
P +61 2 6175 9200 • M 0402 260 606
E james.fra...@veritec.com.au • W veritec.com.au


--
This email was Malware checked by UTM 9. http://www.sophos.com




Issues with Guacamole Disconnecting RDP sessions for remote user

2017-06-13 Thread James Fraser
Hi All

Long time user of Guacamole here.

I have recently developed and deployed a Proof Of Concept

The design is running out of Microsoft Azure and the following is happening

NGINX is being used to run SSL and Auth
Auth to NGINX is done via the oauth2 proxy which is authing against our Azure 
AD (As a "webapp" in Azure AD)

Once passing NGINX Auth you are handed over to Guacamole which is using LDAP 
authentication via Azure Active Directory Domain Services.

Our main office has really good internet 500/500 mbit and connection to servers 
via Guacamole from this location is silky smooth and nice and fast.

We have peers connected to the Guacamole Zone allowing us to access servers 
that are not internet facing and the proof of concept is working awesomely.

Except we have a few remote users who do not have the best internet connection 
but still capable of 10 mbits and ping latency of around 35ms (to the guac 
servers)

These users are experiencing RDP Disconnects, the type that does not auto 
prompt 15 seconds to reconnect but the grey window that just offers 
reconnect/home/logout

If they reconnect it reconnects fine for a short period but is happening every 
1-2 minutes

I have so far tried the following unsuccessfully:

  *   Firefox/Chrome/Internet Exploder
  *   Bypassing NGINX and having this user connect to Tomcat on 8080 over HTTP

The tomcat log shows the following:
Exception in thread "Thread-208" java.lang.IllegalStateException: Message will not be sent because the WebSocket session has been closed
at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.writeMessagePart(WsRemoteEndpointImplBase.java:384)
at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.startMessage(WsRemoteEndpointImplBase.java:340)
at org.apache.tomcat.websocket.WsRemoteEndpointImplBase$TextMessageSendHandler.write(WsRemoteEndpointImplBase.java:755)
at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendPartialString(WsRemoteEndpointImplBase.java:252)
at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendString(WsRemoteEndpointImplBase.java:195)
at org.apache.tomcat.websocket.WsRemoteEndpointBasic.sendText(WsRemoteEndpointBasic.java:37)
at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint$2.run(GuacamoleWebSocketTunnelEndpoint.java:169)

Guacd does not seem to be logging anything worth mentioning to the syslog

I will note the RDP connections are to Server 2016 servers utilising NLA (With 
certificate ignored)

If anyone could shed some light on troubleshooting this would be excellent.

James Fraser * Microsoft Systems Engineer
P +61 2 6175 9200 * M 0402 260 606
E james.fra...@veritec.com.au * W veritec.com.au



RE: Issues with Guacamole Disconnecting RDP sessions for remote user

2017-06-13 Thread James Fraser
It might also be worth noting that we are using Ubuntu 16.04 and Guacamole 
0.9.12


