Hi Rajesh, Creating this thread here on the user mailing list as told by you regarding the cloudstack VDI support. My current setup is as follows
management server 172.31.101.202 host1 172.31.101.202 host 2 172.31.132.132 host3 172.31.132.133 Currently I have a basic networking zone with two pods. Host 1 is in Pod 1 and host 2 and 3 are in Pod 2 I installed openldap on 172.31.101.202 machine and created some sample users on this machine and added them to LDAP.I created a VM which uses ldap authentication to mount the user directories and provide as compute node for the VDI. For that I created VNC display on the VM for these ldap authenticated users. Next using guacamole and its ldap authentication I included the vnc connections to these VM. The guacamole service runs on the same machine as the cloud server. The end user logs into guacamole webservice and is shown the connection to the VM which is included in the LDAP. I further plan to create a template to this VM and spawn multiple VMs from it. So the home directory of the user remains on a central server and we just provide the Desktops using VM to the users. This is the current architecture I am having. The problem with this architecture is that manually the vnc screens have to be created for the user and then the entry has to be inserted into ldap. This causes 2 main problems:- 1) There are many vnc screens running on the VM for user even when he is not logged in, so its mere wastage of resource. 2) Manually doing the task of creating a vnc screen everytime a new user account has to be created and replicating it on all the VMs 3) Insecure as any user can run ldapsearch command on the VM and look at all the connections and vncpasswords for all the users defined in directory So a solution to this problem I thought might be feasible creating vnc screens on the fly for the end users i.e dynamically and not statically for the end users. The only entry in ldap would be username and home directory location and password as normally is there. There should not be any need to install the guacamole ldap schema into ldap. The vncpassword for the user will be same as his account password or it can be anything that the system admin wants it to be for all users. The basic idea is to create a script which does this vnc screen creation on the fly and provide the the entry in an XML file for the connection which the guacamole service will use to provide the desktop to the end user. The service would run on the server where the guacamole web app resides. This service will have root access to the VM. So after the user logs in the service runs *su <username> and vncserver *command on the VM as the user and then returns the port number or screen number to the server machine. The entry is made into the XML file along with the user credentials which the guacamole service will then use. This is the current architecture I was thinking to have a Virtual Desktop interface for users using guacamole, vnc and ldap on cloudstack. To implement it I was having the idea that we wrap the guacamole webserver inside another webservice. The user logs into this webservice, the authentication is done using LDAP. Then the script I defined above is run on the VM which has the least number on Xvnc services running. The script returns to us the vncscreen number for the vnc screen instantiated on the VM. The screen number along with the the user credentials are written in a config file and then the credentials are passed onto the guacamole web application to display the remote desktop on the browser. Now when the user has completed his work we can provide him an option to either keep his session for later use or destroy it. If he chooses to destroy it we can run *vncscreen -kill :<screennnumber>* on the VM thus destroying the Xvnc session. Also we will remove there connection entry from the XML file. For the purpose we will have to maintain some information. We would have to maintain the IPs of all the VM which we will use for VDI support and the number of Xvnc screens currently present on each VM. We will also have to maintain a user table for the users who have not destroyed their screen even after logging out from the system. For such users we wont have to run the vncscreen creation script again and the previous information in the xml is used to display the same desktop screen session as earlier used by the user. Let me know what you think about it. Any suggestions to improve upon this idea are highly appreciable. If you want I can show you the current setup through team viewer. Regards
