On Sun, Aug 22, 2021 at 12:21 PM Ciro Iriarte <[email protected]> wrote:
> Hello!
>
> I'm working on a lab environment for coworkers & given the requirements are GUI Jumphosts & no licenses for OS we settled on Linux+VNC & Loadbalancing pools with Guacamole.
>
> All the OS users will be named, authenticated to FreeIPA and potentially an NFS-based $HOME. Guacamole also authenticating with LDAP+OTP and JDBC-stored connections.
>
> I've struggled setting up VNC with openSUSE 15.3 and their KDE desktop (SDDM). Have a slightly better outcome with XDM (uglier but works somehow). The desktops/jumphosts are running as PVE VMs, so also tested with KVM/QEMU VNC support. The experience with that case is way better, rock solid VNC session, even manual screen resize works, there's one annoying bit (keyboard mapping for es-latam) and a major roadblock: it's the VM console, user2 could land on the already logged in session for user1.

Yes, here you have run up against one of the chief drawbacks of VNC - lack of session management.

> I imagine I could create the loadbalancing group with 1 connection per user with session "stickiness" & then set up OS level timeouts to lock the GUI session after no activity. That & fixing the keyboard mapping with guacamole -> QEMU VNC console would make it, but feels like having a lot of moving parts.

Yeah, if you're going to go this route, you're essentially going to have to rely upon Guacamole to manage the sessions, which means not just load balancing groups and session stickiness, but also logouts. I would say that you need to log out as soon as Guacamole disconnects, not just lock, because you could still run into the same scenario.

> Any smarter approach to this? Could anybody share their recipe for similar scenarios?

In personal experience, where I need access to Linux systems remotely, I tend toward xrdp instead of VNC. While xrdp is certainly far from a perfect RDP server implementation, it does feature TLS encryption, some basic session management (disconnect/reconnect and multi-user access to a single system), and there's even a native Xorg xrdp driver that I generally use that avoids having to go through the pain of setting up VNC to back xrdp (which was the way it was originally deployed).

You'll still have to rely upon some of Guacamole's features to manage sessions - particularly if you want to load balance and split to multiple hosts, Guacamole's load balancing and session stickiness will still be required to help handle those things. And, if you go that route, you'll still have some challenges with users getting disconnected from one host and then logged on to a different host, where their session will essentially be "lost" (even if it's still running). xrdp does not have any inter-server communications mechanisms (that I know of, anyway) that would help with this, so it really would rely on Guacamole to handle that part of session management.

Hope this helps - I'm not saying this is the "right" way to do it, just how I've settled on remote, graphical access to Linux systems over the past couple of years, and it works well for me.

-Nick
