------ Original Message ------
From: "Nick Couchman" <vn...@apache.org>
To: user@guacamole.apache.org; "Jason Keltz" <j...@eecs.yorku.ca>
Sent: 5/24/2020 1:41:59 PM
Subject: Re: Re[2]: concurrency limits for organizational groups
On Thu, May 21, 2020 at 4:42 PM Jason Keltz <j...@eecs.yorku.ca> wrote:
------ Original Message ------
From: "Nick Couchman" <vn...@apache.org>
To: user@guacamole.apache.org; "Jason Keltz" <j...@eecs.yorku.ca>
Sent: 5/21/2020 4:16:08 PM
Subject: Re: concurrency limits for organizational groups
On Thu, May 21, 2020 at 2:41 PM Jason Keltz <j...@eecs.yorku.ca>
wrote:
Hi.
Because of issues with balancing groups in my implementation, I am
using organizational groups. However, the concurrency limits at the
group level apply to balancing groups only. In the GUI, it actually
says: "CONCURRENCY LIMITS (BALANCING GROUPS)". I'm not sure why?
It makes sense to me to be able to still restrict users to a certain
number of connections within a connection group. I can limit to a
number of connections to an individual machine, but not at the group
level. Isn't the code similar anyway?

This was covered in another recent thread, but the concurrency limits
only apply to connections made directly to a balancing group. So, if
you have a balancing group, and you set the connection limit on that
group to a maximum of 5 connections, and 1 connection per user, but
you give users the ability to see and access the underlying
connections within that balancing group, the limits you set at the
balancing group level *will not apply* to the connections made
directly to the underlying connection.

The limits are not intended to be a hierarchical set of limits that
are inherited down through the connections or summed up at the top -
they apply only to whatever object you are connecting to. Since an
organizational group does not support having connections made
directly to it, setting limits on it doesn't have any effect.

Nick,
I understand this is the intended mode of operation. What I'm
wondering is whether I can add a feature request to extend this
behaviour to the organizational groups or whether I'm wasting my time
because this won't be considered. Imagine the case of a computer lab
with 100 machines. All of these machines are available on Guacamole.
At times, there are problems with some of the machines - problems that
Guacamole doesn't see. If the user disconnects (and session affinity
is enabled), and the user reconnects, they will get the same machine.
With an organizational group, at least if one machine fails, the user
can try another, and another, and another.... It makes sense. It
would just be the icing on the cake to be able to limit the number of
connections they can simultaneously connect to from within the group.
The information on active connections is already there. I can
understand how this could get complicated with multi-hierarchical
groups.

Thanks for the clarification. I guess my initial question would be
this - in the case you mentioned, where you have a lab with 100
machines, is there some reason you wouldn't just have users connect to
the balancing group rather than allow/encourage them to connect to
individual systems? Why not just abstract that away from the users and
have Guacamole manage it? I believe in a recent discussion on this
Mike mentioned that, even with session affinity enabled, if the
original machine the user is trying to connect to is not available
Guacamole will move on to the next in the load balancing algorithm.
So, is there some reason this doesn't work in your scenario?

(As an aside, I'll point out that you could achieve something close to
the functionality you're seeking by using Guacamole + HAProxy, and
enable RDP Cookies within HAProxy. This should give you both session
affinity along with system up/down detection that would push users on
to the next system. I think, anyway - now that I'm typing that I'm
wondering if the RDP Cookie portion would actually function correctly -
that might be something we'd have to look at implementing within
Guacamole, as well...)

That aside, as far as whether we'd consider adding such a feature to
non-load-balancing groups, my concern is that this is a more
fundamental change to the way those groups are handled, as it
introduces more of an inheritance model to those attributes at the
group-level that are then applied downward to connections underneath.
I'm not necessarily opposed - in the past I had advocated for
introducing group-based template/inheritance into Guacamole, but we
decided not to go that route. If we consider doing something like
you're suggesting, here, it seems to me like we'd need to re-address
the overall question of inheritance and take a very close look at how
and when that is implemented, and what other implications might be.
I'm certainly open to the discussion, and I do not have a strong
personal preference one way or the other, just cautioning that I think
it would be a rather fundamental change in how the client behaves.

Hi Nick,
There are a couple of reasons I'm not using balanced groups.
1) I've seen cases whereby a student connects to a system that looks to
be available to Guacamole, but there are underlying issues with that
system so it's not *really* available. For example, on one Windows
system, it would accept a username and password, and hang in the login
process because there was some temporary issue with networking (resolved
after a reboot). There have been other similar problems as well.
Because that system was "available", Guacamole doesn't know it's not
really available. As a result, a student would get that system when
logging in and would potentially be stuck with that system. With an
organizational group, the student could try one system, see it doesn't
work, and then try the next system which likely will be fine. It's not
ideal, but it makes sense to me.

2) This second scenario likely doesn't affect many people. I need to
be able to reserve certain systems for certain classes at certain times.
Even though there are, say, 100 systems in one group, maybe I may need
to reserve 10, 40, or 50 of them at different times. The rest of the
systems are available for everyone. Since the amount of systems to be
reserved differs based on the students in the class, and course
requirements, it's difficult to build a group specifically for the hosts
to be reserved (without playing the game of moving hosts into different
groups for the duration of the reservation - something that I definitely
considered doing, but would rather not do). With a balanced group, if
the user gets a system in the group that they are not allowed to access
at this point in time - a system that is up and available in every other
way - they will be stuck, even though there may be 50 other systems they
can use! I understand that the systems in the balanced group are all
supposed to be available to the user. I can't guarantee that. At least
if I use an organizational group, I can pop up a message that says -
"Sorry - you can't use host 1-50 right now, but host 51-100 are
available for your use." With a balanced group, they would be stuck.

[As a side note, I wish^100 that Guacamole would allow me to have
"notices" on the host screen. It would be so great if I could add them
somewhere - DB or text file or wherever and they appear for all users
logging in. This way, I could dynamically update information for them:
"05/24/2000 10:00 AM - Hosts 1-50 are reserved for class X right now -
but hosts 51-100 are available."
"05/24/2000 10:00 AM - Hosts in the Windows group are presently
unavailable. We are presently investigating the cause." ...]

3) Another unique scenario that affects me is one that I mentioned on
the list before. This is the case where I had users in one of my
initially balanced groups logging into guac with their individual AD
credentials, but then guac would log in to xrdp with one common user.
This environment is set up a certain way, and configuration reset between
logins. Remember I had an issue here whereby, because the login via xrdp
was the same on all systems, if a user was disconnected from one
session, someone else could connect and take over their session. One
way you recommended I could resolve this problem was by terminating
disconnected sessions. Given the nature of the environment (ie. that
the student will lose their work if the environment resets), I didn't
have the heart to log out disconnected sessions. I fixed the identical
user issue by allowing logins from these AD accounts into the system,
but then switching the "common" user during the login session. Now, if
a user was disconnected, another user couldn't come along and get
*their* session, but they *could* come along and get their *host*
(because on another discussion, I understood that Guacamole allows
another user to connect to a host with a disconnected session). I dealt
with this problem by making it so that it only allows the user who
disconnected from the session to reconnect. If a different user
connects to that host, it tells them that the system is presently
unavailable and with a list of other hosts that are available. It gives
10 minutes for the original user to come back before terminating the
session (and keeps their data which I can restore separately if they
come back later). With a balanced group, if a user tries to connect to
a host with a disconnected session, even if other systems were
available, they wouldn't be able to connect to them.

4) With balanced groups, I believe at least the history shows the user
as connecting to the "balanced group" name and not the individual host
within the group. I already have to deal with vague requests like "my
machine is not working properly". It makes it harder for me to debug.
By using the organizational group, the history shows me where the user was
logged in. It saves extra back and forth with the user trying to figure
out which machine they were using - a detail they probably forgot
anyway.

I understand that all of these scenarios are not necessarily the typical
use case. It might be useful to submit the request, so there's a log of
the potential desire for this functionality. Other users who may want
similar functionality now or in the future could determine whether this
is something that would be useful to them as well. Guacamole is so
amazing anyway. I appreciate all the effort put into it. You win some,
and you lose some! :)
Jason.
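
The limit semantics described in this thread, as an added example that is not part of the original messages and is not Guacamole code: a small audit that flags configured concurrency limits which will not be enforced, either because they sit on an organizational group or because users can open a balancing group's child connections directly. The inventory layout, field names and sample data are assumptions constructed for the illustration.

```python
# Added illustration, not Guacamole code. The inventory layout below is an
# assumption made for this example; all sample data is constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Group:
    name: str
    kind: str                              # "BALANCING" or "ORGANIZATIONAL"
    max_connections: Optional[int] = None  # group-wide limit, if set
    max_per_user: Optional[int] = None     # per-user limit, if set
    children: list = field(default_factory=list)  # names of child connections


# Constructed inventory: limits of 5 total / 1 per user, as in the thread.
GROUPS = [
    Group("Lab A", "BALANCING", 5, 1, ["lab-01", "lab-02"]),
    Group("Lab B", "ORGANIZATIONAL", None, 1, ["lab-51"]),
    Group("Lab C", "BALANCING", 5, None, ["lab-90"]),
]
# Users who can see and open each connection directly (constructed).
DIRECT_ACCESS = {"lab-01": {"bob"}, "lab-51": {"alice", "bob"}}


def audit_limits(groups, direct_access):
    """Return (group, issue, connection, users) for limits that are not enforced."""
    findings = []
    for g in groups:
        if g.max_connections is None and g.max_per_user is None:
            continue  # nothing configured, nothing to check
        if g.kind == "ORGANIZATIONAL":
            # Nobody connects to an organizational group itself, so the
            # limit is never evaluated.
            findings.append((g.name, "no-effect", None, ()))
            continue
        for conn in g.children:
            users = tuple(sorted(direct_access.get(conn, ())))
            if users:
                # These users can open the child directly; the balancing
                # group's limits are not consulted on that path.
                findings.append((g.name, "bypass", conn, users))
    return findings


if __name__ == "__main__":
    for finding in audit_limits(GROUPS, DIRECT_ACCESS):
        print(finding)
```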