DockerVM (Guacamole?) causing 'problems' for you? SMB timeouts / breaking etc. "Overcommit memory"?

[diskdiddler]

I am attempting to diagnose some very intermittent and frustrating issues on my new system.

I have mirror 480GB SSD pool, 8 cores, 32GB ECC, the memory has been memtested, the system hasn't crashed once.

If I click on a share on this drive, most of the time, it's fine, opens very snappy.
Sometimes when I click it, Windows 10 does the spinning circle. We're talking in excess of 15 seconds, sometimes 30. This is *not* a share with thousands of files(!) It has been responsive earlier in the day.

I have had my system drop to sub 300KB/s writes,......... (6x8TB WD)
As soon as I stopped the DockerVM which is hosting my guacamole install, it fixed things.

Furthermore, when I start my docker VM I'm prompted with this.
"Overcommit memory?"

Code:

Memory overcommitment allows multiple VMs to be launched when there is not enough free memory for configured RAM of all VMs. Use with caution. 

I have 32GB memory, docker VM set to only 3.5GB. I've seen this message so often, I can't recall if it's a normal message when you start a VM or mine is busted somehow.





On top of this, I have a robocopy log, clearly showing my system successfully copying hundreds of GB of data and then suddenly just breaking and SMB being unable to talk to the target (the new server)

Is anyone seeing anything remotely similar?

 

[gt2416]

Why don't you install guacamole in a jail ? It's literally like 5x faster. My ram usage for guacamole is about 2.3gb

 

[diskdiddler]

I'd gladly do it if there's a quality guide in doing it, securely?. However as someone who cares about FreeNAS, I would also love to isolate this damn issue I'm finding, it's not behaviour I'd expect from the kind of hardware I have.

 

[ClassicGOD]

Why don't you install guacamole in a jail ? It's literally like 5x faster. My ram usage for guacamole is about 2.3gb

Is there any newer guide to do this or is my post from 2015 with modifications by Schuby still usable? I was neglecting my FreeNas box (I was on Corral up to just few days ago, but had no issues so I was hesitant to change) and am a bit out of the loop.

[...]

I had similar issues when running Docker on RancherOS + Rancher Server and a Scrub at the same time.
Since then I switched to Docker on RancherOS + Portainer, installed all my containers manually and they boot much faster and run much smoother.
I'm running the VM with 2 cores and 2gb of RAM, guacamole + guac + mariadb consumes about 600mb of that.

[EDIT] - the overcommit memory message is normal and always there.

 

[diskdiddler]

Is there any newer guide to do this or is my post from 2015 with modifications by Schuby still usable? I was neglecting my FreeNas box (I was on Corral up to just few days ago, but had no issues so I was hesitant to change) and am a bit out of the loop.



I had similar issues when running Docker on RancherOS + Rancher Server and a Scrub at the same time.
Since then I switched to Docker on RancherOS + Portainer, installed all my containers manually and they boot much faster and run much smoother.
I'm running the VM with 2 cores and 2gb of RAM, guacamole + guac + mariadb consumes about 600mb of that.

[EDIT] - the overcommit memory message is normal and always there.

If your old guide works, I'll try it. I guess I need a web interface, sql, etc all in the one jail? Once it works, I best back the thing up for failure.

My system isn't scrubbing. 30 minutes ago, guacamole died, could ping the VM fine (??!) couldn't SSH into it...
Load on system only 1

 

[ClassicGOD]

My system isn't scrubbing. 30 minutes ago, guacamole died, could ping the VM fine (??!) couldn't SSH into it...
Load on system only 1

If you want to stick with Docker I recommend new RancherOS(Docker Host) VM with containers installed manually (there are tutorials all over the net for guacamole docker setup - just substitute mysql with mariadb as guacamole official container has issues with newest mysql version due to older driver) and retest.

When I was running Rancher Server I had all kinds of issues. Containers taking extremely long to boot, randomly showing degraded state, and Grafana container was showing permanent error but was running fine.

I'm writing this post from Lubuntu VM with xrdp that I connect to using guacamole running in VM on the same FreeNas instance - no problems. I'm convinced that Rancher Server is the issue.

 

[gt2416]

Heres a quick DIY for guac in a jail, assuming your on 11.2. Change setting based on your prefs.

Create the jail and login:

Code:

iocage create -n guac -r 11.2-RELEASE ip4_addr="vnet0|192.168.1.43/24" defaultrouter="192.168.1.1" vnet="on" allow_raw_sockets="1" boot="on"
iocage console guac

Install packages:

Code:

pkg install -y guacamole-client mariadb103-server wget

Copy some files around:

Code:

tar -xvf /usr/local/share/guacamole-client/guacamole-auth-jdbc.tar.gz
mkdir /usr/local/etc/guacamole-client/extensions
cp guacamole-auth-jdbc-1.0.0/mysql/guacamole-auth-jdbc-mysql-1.0.0.jar /usr/local/etc/guacamole-client/extensions/
wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-5.1.47.tar.gz
tar -xvf mysql-connector-java-5.1.47.tar.gz
mkdir /usr/local/etc/guacamole-client/lib
cp mysql-connector-java-5.1.47/mysql-connector-java-5.1.47.jar /usr/local/etc/guacamole-client/lib

Make guac run as root and autostart :

Code:

sysrc guacd_enable="yes"
sysrc tomcat8_enable="yes"
sysrc mysql_enable="yes"
sysrc guacd_user="root"

Create Database:

Code:

service mysql-server start
mysql -u root -e "CREATE DATABASE guacamole_db;"
mysql -u root  -e "CREATE USER 'guac'@'localhost' IDENTIFIED BY 'guacPass';"
mysql -u root -e "GRANT ALL PRIVILEGES ON guacamole_db.* TO 'guac'@'localhost';"
mysql -u root -e "FLUSH PRIVILEGES;"

Create default guac users:

Code:

cd /root/guacamole-auth-jdbc-1.0.0/mysql/schema &&  cat *.sql |mysql -u root -p guacamole_db

Make guacamole.properties:

Code:

cp /usr/local/etc/guacamole-client/guacamole.properties.sample /usr/local/etc/guacamole-client/guacamole.properties

Copy these lines to end of that file :

Code:

# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guac
mysql-password: guacPass

Start everything:

Code:

service mysql-server start
service guacd start
service tomcat8 start

It should be working on your ip:8080/guacamole
Default login is
guacadmin
guacadmin

Setting up ssl etc is the same steps from any ubuntu guide.

 

[ClassicGOD]

Thanks. It definitely will be useful for anyone not wanting to use Docker!

 

[diskdiddler]

I will have a try at this soon, I started but got tired, sorry.

Can I confirm if it will let me do duo 2fa?

 

[ClassicGOD]

Can I confirm if it will let me do duo 2fa?

I don't se why not. Just follow the official Guacamole installation instructions. It's just an .jar module (just like the mysql driver) so it should work fine.

 

[diskdiddler]

Ok I'll get on to this.
I wonder how hard it would be to make it a plugin.

 

[ClassicGOD]

Ok I'll get on to this.
I wonder how hard it would be to make it a plugin.

Well they promised us user created plugins in the near future (11.3?) so there is hope that once they are available someone will create one :)

 

[diskdiddler]

EDIT: confused my threads, I've partially written nothing. I did (kinda) write my first plugin, but it ain't for guacamole! One day, but time is very limited right now.

I will run through the above commands today though, thanks

 

[gt2416]

Can I confirm if it will let me do duo 2fa?

After you get everything up and running with my guide you will know where the files and paths that the guac installation manual is talking about, and any feature they have can be enabled by following their guide using the paths I listed. It should be the same as any linux/ubuntu guide you can find.
Also PLEASE ask the devs over at https://redmine.ixsystems.com/projects/freenas/roadmap to create a plugin, maybe show them the code you've done already. It would be so much easier to have a plugin especially when installing guac is easy but is easily prone to human error on setup which makes it "hard".
Like seriously all the steps involved are knowing the correct paths and location to put certain files, it should be easy for a script but hard for a human.

 

[diskdiddler]

Create default guac users:

Code:

cd /root/guacamole-auth-jdbc-0.9.14/mysql/schema &&  cat *.sql |mysql -u root -p guacamole_db

That command is where this guide breaks.

I've tried.

cd /root/guacamole-auth-jdbc-0.9.14/mysql/schema && cat *.sql |mysql -u root -p guacamole_db
cd /root/guacamole-auth-jdbc-0.9.14/mysql/schema && cat *.sql |mysql -u root -p <password> guacamole_db
cd /root/guacamole-auth-jdbc-0.9.14/mysql/schema && cat *.sql |mysql -u guac -p <password> guacamole_db

etc

root@guac:~/guacamole-auth-jdbc-0.9.14/mysql/schema # cd /root/guacamole-auth-jdbc-0.9.14/mysql/schema && cat *.sql | mysql -u root -p guacamole_db
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

I'm not sure which user or password I should be using at this point?
I even reset the root password (for the jail) ?
Is it an SQL password or a jail password? I'm thinking SQL and I think it's the one from earlier in the guide which says "guacPass" which I tried 123qwe123qwe - no luck.

 

[diskdiddler]

Here is the full history of commands

Code:

    13  15:14   service mysql-server start
    14  15:14   mysql -u root -e "CREATE DATABASE guacamole_db;"
    15  15:15   mysql -u root -e "CREATE USER 'guac'@'localhost' IDENTIFIED BY '123qwe                                                                                                                         #QWE';"
    **(NOTE: I THINK it didn't like the !@# in the password)**
    16  15:15   mysql -u root -e "CREATE USER 'guac'@'localhost' IDENTIFIED BY '123qwe                                                                                                                         123qwe';"
    17  15:15   mysql -u root -e "GRANT ALL PRIVILEGES ON guacamole_db.* TO 'guac'@'lo                                                                                                                         calhost';"
    18  15:15   mysql -u root -e "FLUSH PRIVILEGES;"
    19  15:16   cd /root/guacamole-auth-jdbc-0.9.14/mysql/schema && cat *.sql | mysql                                                                                                                          -u root -p guacamole_db
    20  15:16   cd /root/guacamole-auth-jdbc-0.9.14/mysql/schema && cat *.sql | mysql                                                                                                                          -u root -p guacamole_db
    21  15:16   sudo cd /root/guacamole-auth-jdbc-0.9.14/mysql/schema && cat *.sql | m                                                                                                                         ysql -u root -p guacamole_db
    22  15:16   passwd
    23  15:16   sudo cd /root/guacamole-auth-jdbc-0.9.14/mysql/schema && cat *.sql | m                                                                                                                         ysql -u root -p guacamole_db
    24  15:16   cd /root/guacamole-auth-jdbc-0.9.14/mysql/schema && cat *.sql | mysql                                                                                                                          -u root -p guacamole_db
    25  15:16   cd /root/guacamole-auth-jdbc-0.9.14/mysql/schema && cat *.sql | mysql                                                                                                                          -u root -p guacamole_db
    26  15:17   cd /root/guacamole-auth-jdbc-0.9.14/mysql/schema && cat *.sql | mysql                                                                                                                          -u root -p 123qwe123qwe guacamole_db
    27  15:17   cd /root/guacamole-auth-jdbc-0.9.14/mysql/schema
    28  15:18   cat *.sql | mysql -u root -p guacamole_db
    29  15:18   cat *.sql | mysql -u guac -p 123qwe123qwe guacamole_db
    30  15:20   cd /root/guacamole-auth-jdbc-0.9.14/mysql/schema && cat *.sql | mysql                                                                                                                          -u root -p guacamole_db
    31  15:20   cd /root/guacamole-auth-jdbc-0.9.14/mysql/schema && cat *.sql | mysql                                                                                                                          -u root -p guacamole_db
    32  15:23   cat *.sql | mysql -u guac -p '123qwe123qwe' guacamole_db
    33  15:23   cat *.sql | mysql -u guac -p "123qwe123qwe" guacamole_db
    34  15:23   cat *.sql | mysql -u root -p "123qwe123qwe" guacamole_db
    35  15:39   history

 

[gt2416]

Ok if you cant run that command try to run the commands separably. Also the password at this point in the guide is BLANK, so when it prompts for a pass, just press enter. If it doesnt work please try to understand what im doing, I want to go to the folder with the pre-defined sql users. In our case its

cd /root/guacamole-auth-jdbc-0.9.14/mysql/schema

Then once your in the folder, the following command says output ALL files with .sql extension into guacamole_db. Using user root the password is blank. You tried with root and guac, If you use root, the password is blank just hit enter. If you use guac the password, if you follow my guide unchanged is guacPass. You dont have to put the password in the command (Not sure if thats correct syntax anyway). It should prompt for a password.

cat *.sql |mysql -u root -p guacamole_db

If your unsure if the command worked you can see it. Login to my sql with

mysql -u root -p

Again just press enter when it asks for a pass. (Unless of course you changed it)

select guacamole_db;

show tables;

and you should see

MariaDB [guacamole_db]> show tables
-> ;
+---------------------------------------+
| Tables_in_guacamole_db |
+---------------------------------------+
| guacamole_connection |
| guacamole_connection_group |
| guacamole_connection_group_permission |
| guacamole_connection_history |
| guacamole_connection_parameter |
| guacamole_connection_permission |
| guacamole_sharing_profile |
| guacamole_sharing_profile_parameter |
| guacamole_sharing_profile_permission |
| guacamole_system_permission |
| guacamole_user |
| guacamole_user_history |
| guacamole_user_password_history |
| guacamole_user_permission |
+---------------------------------------+
14 rows in set (0.000 sec)

 

[diskdiddler]

I think you're correct about it simply being a blank password.

I got way further, (I finished) - so that's good, it didn't work but, to be fair, I had messed around with junk and maybe damaged things.

So I'm doing it again, from scratch

May want to consider updating the guide just to say 'press enter at this point' (!!)
The guide is otherwise, really good, you're very helpful, thank you.

Once I've fully tested it as a dummy user, might be worth putting up on the resources page.
Leave it to someone very smart one day to 'plugin-ify' it.

I'll let you know how I get along in about 30 minutes.

 

[gt2416]

Once I've fully tested it as a dummy user, might be worth putting up on the resources page.
Leave it to someone very smart one day to 'plugin-ify' it.

I'll let you know how I get along in about 30 minutes.

Please do lol. I have been trying to get guac up since July. It was only recently that I tried again and got it to work. If it works for you ill make a proper guide. You have no idea how many guides I followed and nothing seemed to work lol, dont give up.

Ill give you an example, if you create a user say "gt2416" and give it all the permissions to EVERY SINGLE FFFUUUUCCCKKING file that guac makes. IT STILL DOESNT WORK. WT flying F. If you make guac run as root as well as tomcat you have a 50% chance of it working. (I've tried lol, 2 jails works the other 2 are broken). WTF is up with that ? Makes no sense whatso ever. I've made guides for apps that have ZERO freebsd help but yet somehow I just couldnt make guac work. Its a bit finicky on FreeNas to say the least.

 

[diskdiddler]

Please do lol. I have been trying to get guac up since July. It was only recently that I tried again and got it to work. If it works for you ill make a proper guide. You have no idea how many guides I followed and nothing seemed to work lol, don't give up.

You really have been helpful in multiple threads here in the last few months, very appreciated. Wish I knew as much, I've been here 10x longer.


Your guide works, if you want advice on it, obviously stipulate that you need only press enter when you import the schma.

Where I screwed up before? (lol) - when you paste the commands into the guacamole.properties file change it to <YOURGUACPASSWORD> - cause I simply ignored it.

I recommend if you wanna go the whole way, have them install nano as it's a much easier text editor and tell them to change directory for guac.properties.....

It's otherwise fine. I need to figure out how to load duo 2fa into it, but otherwise it's good stuff.
(Made an iocage export backup and I've made a snapshot)

EDIT: One thing which I think is super important, is security, those of us 'stuck' at a workplace where we need this tool, we're making our entire network pretty open on port 80 of all ports (!!!) so locking this down as best as we can seems important to me.
If you know any ways we can improve, besides duo 2fa, let me know.