DockerVM (Guacamole?) causing 'problems' for you? SMB timeouts / breaking etc. "Overcommit memory"?

gt2416

Patron
Joined
Feb 4, 2018
Messages
262
Thanks, when I make a proper guide I'll include everything to make it secure. I just want to make it work at this point lol. I'm not an expert either. I'll definitely look into 2FA for my guide. Thanks for the feedback, I'll use all of it 'cause the DIY I posted in this thread, you need some technical knowledge unlike @dureal99d's Nextcloud guide which I could follow before I even knew what shell was lol. That's quality content.
Quick shout out to that guy 'cause he's the only reason I decided to stick with FreeNAS and join the forum.
 
Last edited:

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,377
Thanks, when I make a proper guide I'll include everything to make it secure. I just want to make it work at this point lol. I'm not an expert either. I'll definitely look into 2FA for my guide. Thanks for the feedback, I'll use all of it 'cause the DIY I posted in this thread, you need some technical knowledge unlike @dureal99d's Nextcloud guide which I could follow before I even knew what shell was lol. That's quality content.
Quick shout out to that guy 'cause he's the only reason I decided to stick with FreeNAS and join the forum.


I've now switched to it, instead of the dockerVM with 3 guac containers. Regardless of the lack of duo (fingers crossed for a few days)

I suspect that scripting the plugin would be difficult for end users, mostly due to specifying unique passwords?
Perhaps a plugin could simply perform most of the actions and then instructions on how to login and change passwords would be best.

I've made 1 plugin, it's not THAT hard actually. I'd actually love to do it for guac, but I am so so tight for time right now.

I recommend you look up the original guacamole thread I was posting in (I think you did too?) that thread has instructions on how to do the duo 2fa.
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,377
Guacamole 1.0 is now released, this version supports Google Authenticator.

Anyone tried it yet? I'm going to maybe in a couple of weeks when I get some free time.
Would it be wise to update existing jail or a new one? (I suspect I'd clone my jail just in case)
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,377

gt2416

Patron
Joined
Feb 4, 2018
Messages
262
Wait I just realised.


Does this need to be updated first ?

https://www.freshports.org/www/guacamole-client/

Yes we do, I tried to update but it says I have the latest version, even tho FreshPorts has 1.0 for server and client. I changed my repo to latest instead of quarterly, so I'm not sure why I can't install the new version.
Also the new version requires a new SQL connector and we have to run a script to update our database to the new schema.
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,377
I asked Jailer, there's some kind of FreeBSD reason, I have no idea what that reason is, it's complicated programmer packaging linux FreeBSD stuff. I try reading articles on it but it all seems .... well it's not dumbed down. I wish someone would explain it in Windows or even DOS terms.

(I don't understand how someone can publish files, on a web / ftp server and I can tell my OS "yeah I'm ok with the latest files" and it won't pull them down)

He's explained it here:
https://forums.freenas.org/index.ph...troller-with-lets-encrypt-iocage.60375/page-3


I was going to re-run your entire tutorial, inside a new jail initially, rather than break my initial one.
 

gt2416

Patron
Joined
Feb 4, 2018
Messages
262
No need to recreate it!
I cloned my guac jail for this. ZFS snapshots are amazing :)
Stop your current jail with iocage stop jailname
Then clone it with iocage clone jailname --name CloneName
Then you can use the jail CloneName to test.
 

gt2416

Patron
Joined
Feb 4, 2018
Messages
262
(I don't understand how someone can publish files, on a web / ftp server and I can tell my OS "yeah I'm ok with the latest files" and it won't pull them down)

He's explained it here:
https://forums.freenas.org/index.ph...troller-with-lets-encrypt-iocage.60375/page-3


I was going to re-run your entire tutorial, inside a new jail initially, rather than break my initial one.

Ok, just read that post. The port is available now but we are not using ports in my tutorial. pkg does not build from ports.
Pkg is a ready made installer of sorts for ports, so the pkg is not ready yet.
If you really want you could build it from ports but guac takes like 2 hours to build on my machine and then you need to config everything. I think it's better to wait a few days for pkg to have the latest version. I'll def post an update when that happens, I'll check every day.
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,377
No need to recreate it!
I cloned my guac jail for this. ZFS snapshots are amazing :)
Stop your current jail with iocage stop jailname
Then clone it with iocage clone jailname --name CloneName
Then you can use the jail CloneName to test.
Sure but I still can't pull down 1.0 yet.
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,377
Ok, just read that post. The port is available now but we are not using ports in my tutorial. pkg does not build from ports.
Pkg is a ready made installer of sorts for ports, so the pkg is not ready yet.
If you really want you could build it from ports but guac takes like 2 hours to build on my machine and then you need to config everything. I think it's better to wait a few days for pkg to have the latest version. I'll def post an update when that happens, I'll check every day.


Wait I think I get it.
That URL is for ports (hence, Freshports)
So is it implied, that all ports at Freshports, will end up as a PKG?
What URL / FTP server do I check for a listing of all PKGs instead of Ports?
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,377
Ok, just read that post. The port is available now but we are not using ports in my tutorial. pkg does not build from ports.
Pkg is a ready made installer of sorts for ports, so the pkg is not ready yet.
If you really want you could build it from ports but guac takes like 2 hours to build on my machine and then you need to config everything. I think it's better to wait a few days for pkg to have the latest version. I'll def post an update when that happens, I'll check every day.
According to this page:
https://www.freshports.org/www/guacamole-client/
I just need to type this:

"To install the port: cd /usr/ports/www/guacamole-client/ && make install clean "

Understandably, I guess I'm pulling down the source and compiling it then? It would be, very very slow, right?
I mean would there be ANY other difference though? if I did that, between that and the PKG?
 

gt2416

Patron
Joined
Feb 4, 2018
Messages
262
It would be the same as pkg, but it will be really slow and guacamole builds a ton of other dependencies, all of which take a good amount of time to compile.
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,377
Yeah but I got a nice CPU and time to burn.

That being said, I'd rather wait for your guide anyhow - so I'll wait :)
 

gt2416

Patron
Joined
Feb 4, 2018
Messages
262
pkg has been updated! If you want to recreate the jail just follow the previous tutorial, I updated it to match version 1.0.0.
To upgrade from 0.9.14 do this:

Get new version:

pkg update && pkg upgrade

Copy new driver and delete old one:

Code:
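# Unpack into /root, which is where the schema upgrade step expects the files
tar -xvf /usr/local/share/guacamole-client/guacamole-auth-jdbc.tar.gz -C /root
# Install the 1.0.0 MySQL driver, then remove the 0.9.14 one
cp /root/guacamole-auth-jdbc-1.0.0/mysql/guacamole-auth-jdbc-mysql-1.0.0.jar /usr/local/etc/guacamole-client/extensions/
rm /usr/local/etc/guacamole-client/extensions/guacamole-auth-jdbc-mysql-0.9.14.jar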


Upgrade SQL schema:

Code:
# Apply the pre-1.0.0 schema upgrade script to the guacamole_db database
cd /root/guacamole-auth-jdbc-1.0.0/mysql/schema/upgrade && mysql -u root -p guacamole_db < upgrade-pre-1.0.0.sql

(root password is BLANK unless you changed it)

Restart the jail and you should be up and running 1.0
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,377
What about the Google authenticator stuff?
 

gt2416

Patron
Joined
Feb 4, 2018
Messages
262
Oh for that just download and paste the jar file in the jail location below, the file to download is guacamole-auth-totp-1.0.0.tar.gz
/usr/local/etc/guacamole-client/extensions/

I used PuTTY for that, just drag and drop that file to the right location or use the CLI to download it and paste it there, same for any other extensions, just have to put the jar files in that location.
Also that's just a 2 factor auth plugin. Has nothing to do with using Google to login. Google just has a 2FA app but honestly use any 2FA app from the app store that does not track you the way Google does. Makes no diff what 2FA app you use. Google's would be my last option.
 
Last edited:
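
An added example, not part of the post above or of the Guacamole project's own tooling: a POSIX sh function that checks an extension tarball's SHA-256 before copying its jar into the extensions directory named in the post. The expected hash is a placeholder you fill in from wherever you downloaded the file, and the one-jar-per-tarball layout is an assumption of this example.

```shell
#!/bin/sh
# Added example. EXT_DIR defaults to the extensions path quoted in the thread.
EXT_DIR="${EXT_DIR:-/usr/local/etc/guacamole-client/extensions}"

# Print a file's SHA-256: sha256sum on Linux, sha256 -q on FreeBSD.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# install_extension TARBALL EXPECTED_SHA256
# Returns 0 on success, 1 on checksum mismatch, 2 on an unexpected archive.
# Assumption of this example: the tarball contains exactly one .jar.
install_extension() {
    tarball=$1
    expected=$2
    actual=$(file_sha256 "$tarball") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball, not installing" >&2
        return 1
    fi
    work=$(mktemp -d "${TMPDIR:-/tmp}/guacext.XXXXXX") || return 2
    # Unpack into a scratch directory, never straight into EXT_DIR.
    if ! tar -xzf "$tarball" -C "$work"; then
        rm -rf "$work"
        return 2
    fi
    count=$(find "$work" -type f -name '*.jar' | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one jar, found $count" >&2
        rm -rf "$work"
        return 2
    fi
    jar=$(find "$work" -type f -name '*.jar')
    # Copy only the jar, world-readable but writable by the owner alone.
    rc=0
    install -m 0644 "$jar" "$EXT_DIR/" || rc=2
    rm -rf "$work"
    return "$rc"
}

# Usage (hash is a placeholder; take it from where you downloaded the file):
#   install_extension guacamole-auth-totp-1.0.0.tar.gz <published-sha256>
```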

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,377
I'll do a clone and try the upgrade method, give me an hour!

Thx!
 

gt2416

Patron
Joined
Feb 4, 2018
Messages
262
I'll do a clone and try the upgrade method, give me an hour!

Thx!
Wait, don't clone the jail, just make a new one or try the upgrade on your original one. Don't clone tho.
I'm encountering a problem where I can't promote the new jail as the main one. Which means if I delete my original guac 0.9.14 jail, I have to delete the new one as well. NOT IDEAL!! I'll start a new thread on this.
 
Last edited:

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,377
Well, all your tips here work excellently, thank you.

I use Authy, which supports the Google Authenticator method? I dunno - it's a really really good package.
Don't know how Google tracks me, prefer they don't - but I really want 2FA to be honest.

Very happy with your guides, so very helpful - you should consider writing plugins, if I can do it, maybe you can!?

Thanks again - I hope the new version works as well or better than the last one (which I eventually got working really well, you literally couldn't tell my second monitor, at work, wasn't my work PC - set the resolution identical to the monitor, open a new tab next to it, run full screen then switch left - bingo)
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,377
Wait, don't clone the jail, just make a new one or try the upgrade on your original one. Don't clone tho.
I'm encountering a problem where I can't promote the new jail as the main one. Which means if I delete my original guac 0.9.14 jail, I have to delete the new one as well. NOT IDEAL!! I'll start a new thread on this.

So the cloned jail, depends on the first jail?

Define promote? I was just going to change the FWD on my router from port 80 -> 192.168.0.OLDGUACIP to port 80 -> 192.168.0.NEWGUAC-CLONE
 