Can't get Guacamole working

sgvfr · February 23, 2019, 8:37pm

Guacamole is not working on a fresh install UCS 4.3

I have tried to access directly by IP address,and port the ports… no luck.

# Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request  *[GET /guacamole/](http://10.10.50.2/guacamole/)* .

Reason:  **Error reading from remote server**

Apache/2.4.25 (Univention) Server at 10.10.50.2 Port 80

root@ucs2:/etc/apache2/sites-available# cat 000-default.conf
# comments removed to clean it up...
<VirtualHost *:80>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        ProxyPass /guacamole/ http://127.0.0.1:40001/guacamole/ retry=0
        ProxyPassReverse /guacamole/ http://127.0.0.1:40001/guacamole/
</VirtualHost>
root@ucs2:/etc/apache2/sites-available#

root@ucs2:/etc/apache2/sites-available# ls
000-default.conf  000-default.conf.debian  default-ssl.conf  default-ssl.conf.debian  univention.conf  univention-portal.conf  univention-proxy.conf  univention-saml.conf  univention-server-overview.conf
root@ucs2:/etc/apache2/sites-available# cat default-ssl.conf
# Comments all removed to clean it up.
<IfModule mod_ssl.c>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        SSLCertificateFile /etc/univention/ssl/ucs2.sgvfr.lan/cert.pem
        SSLCertificateKeyFile /etc/univention/ssl/ucs2.sgvfr.lan/private.key
        SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem

        ProxyPass /guacamole/ http://127.0.0.1:40001/guacamole/ retry=0
        ProxyPassReverse /guacamole/ http://127.0.0.1:40001/guacamole/
</VirtualHost>
</IfModule>

root@ucs2:/etc/apache2/sites-available# ls -al ../sites-enabled/
total 8
drwxr-xr-x  2 root root 4096 Jan 22 10:03 .
drwxr-xr-x 10 root root 4096 Jan 20 22:08 ..
lrwxrwxrwx  1 root root   35 Apr  4  2017 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx  1 root root   35 Mar 27  2018 default-ssl.conf -> ../sites-available/default-ssl.conf
lrwxrwxrwx  1 root root   34 Apr  4  2017 univention.conf -> ../sites-available/univention.conf
lrwxrwxrwx  1 root root   41 Nov 25 14:58 univention-portal.conf -> ../sites-available/univention-portal.conf
lrwxrwxrwx  1 root root   39 Sep 20  2017 univention-saml.conf -> ../sites-available/univention-saml.conf
lrwxrwxrwx  1 root root   50 Jul 13  2018 univention-server-overview.conf -> ../sites-available/univention-server-overview.conf
root@ucs2:/etc/apache2/sites-available#

root@ucs2:~# docker ps
CONTAINER ID        IMAGE                                                                   COMMAND                  CREATED             STATUS              PORTS                     NAMES
49408d41f649        docker.software-univention.de/guacamole-guacamole:0.9.13-univention13   "/opt/guacamole/bi..."   About an hour ago   Up About an hour    0.0.0.0:40001->8080/tcp   guacamole_guacamole_1
e3b12922d903        docker.software-univention.de/guacamole-guacd:0.9.13-univention13       "/usr/local/sbin/g..."   About an hour ago   Up About an hour    4822/tcp                  guacamole_guacd_1

root@ucs2:/etc/apache2/sites-available# ucr search guac
appcenter/apps/guacamole/container: 49408d41f649db4b263037f300761c47a63d6f5592f00a37a4bfd5d2c5096f51

appcenter/apps/guacamole/hostdn: cn=guaca-51894346,cn=memberserver,cn=computers,dc=sgvfr,dc=lan

appcenter/apps/guacamole/image: docker.software-univention.de/guacamole-guacamole:0.9.13-univention13

appcenter/apps/guacamole/ports/8080: 40001

appcenter/apps/guacamole/status: installed

appcenter/apps/guacamole/ucs: 4.3

appcenter/apps/guacamole/version: 0.9.13-univention14

ucs/web/overview/entries/service/guacamole/description/de: Guacamole ist ein clientloses fern Desktop-Gateway
 Defines the description of the corresponding entry of the UCS start site (optionally localized). Full format: ucs/web/overview/entries/{admin,service}/<entryID>/description[/<locale>].

ucs/web/overview/entries/service/guacamole/description: Guacamole is a clientless remote desktop gateway
 Defines the description of the corresponding entry of the UCS start site (optionally localized). Full format: ucs/web/overview/entries/{admin,service}/<entryID>/description[/<locale>].

ucs/web/overview/entries/service/guacamole/icon: /univention/js/dijit/themes/umc/icons/scalable/apps-guacamole_20180525181438.svg
 Defines the URL for the icon of the corresponding entry of the UCS start site (can also be a data URL). Full format: ucs/web/overview/entries/{admin,service}/<entryID>/icon.

ucs/web/overview/entries/service/guacamole/label/de: Guacamole
 Defines the label of the corresponding entry of the UCS start site (optionally localized). Full format: ucs/web/overview/entries/{admin,service}/<entryID>/label[/<locale>].

ucs/web/overview/entries/service/guacamole/label: Guacamole
 Defines the label of the corresponding entry of the UCS start site (optionally localized). Full format: ucs/web/overview/entries/{admin,service}/<entryID>/label[/<locale>].

ucs/web/overview/entries/service/guacamole/link: /guacamole/
 Defines the link URL of the corresponding entry of the UCS start site. Full format: ucs/web/overview/entries/{admin,service}/<entryID>/link.

ucs/web/overview/entries/service/guacamole/port_http: 80
 Forces the port for URL of the corresponding entry of the UCS start site. Used when the start site is opened with HTTP or when no port_https variable is set. Full format: ucs/web/overview/entries/{admin,service}/<entryID>/port_http.

ucs/web/overview/entries/service/guacamole/port_https: 443
 Same as ucs/web/overview/entries/.*/port_http, but used when opening the start site with HTTPS or when no port_http variable is set. Full format: ucs/web/overview/entries/{admin,service}/<entryID>/port_https.

root@ucs2:/etc/apache2/sites-available#

root@ucs2:/etc/apache2/sites-available# docker logs 49408d41f649
root@ucs2:/etc/apache2/sites-available# docker logs e3b12922d903
guacd[1]: INFO: Guacamole proxy daemon (guacd) version 0.9.13-incubating started
guacd[1]: INFO: Listening on host 0.0.0.0, port 4822
root@ucs2:/etc/apache2/sites-available#

I’m going to assume the containers are mounted? I don’t know much about how containers work.

root@ucs2:/etc/apache2/sites-available# df -h
Filesystem                                                    Size  Used Avail Use% Mounted on
udev                                                           10M     0   10M   0% /dev
tmpfs                                                         300M   19M  282M   7% /run
/dev/mapper/vg_ucs-root                                        46G   26G   19G  59% /
tmpfs                                                         750M  4.0K  750M   1% /dev/shm
tmpfs                                                         5.0M     0  5.0M   0% /run/lock
tmpfs                                                         750M     0  750M   0% /sys/fs/cgroup
/dev/sda1                                                     472M  108M  340M  25% /boot
10.10.100.10:/srv/data/export/NFS/ucs2/var/univention-backup  1.8T  702G  1.1T  41% /var/univention-backup
overlay                                                        46G   26G   19G  59% /var/lib/docker/overlay/bf434cd0d94f28bbd122f74ebbd14dc4aaaa3e1056322944bffb3dfbfd985675/merged
shm                                                            64M     0   64M   0% /var/lib/docker/containers/e3b12922d903df6943c4b5a88abea56a7b17172a087621092dac7d0a21baed61/shm
overlay                                                        46G   26G   19G  59% /var/lib/docker/overlay/d419c7f29cea9c4a1030578e93a0858f04df7f28f29966275266805e32876d05/merged
shm                                                            64M     0   64M   0% /var/lib/docker/containers/49408d41f649db4b263037f300761c47a63d6f5592f00a37a4bfd5d2c5096f51/shm
root@ucs2:/etc/apache2/sites-available#

I"m not sure what else I can look at for this… I would really love to get rid of the dedicated VPN and port forwarding for RDP if Guacamole passes all my testing.

sgvfr · February 25, 2019, 1:12am

Well… I uninstalled guacamole but it seems the containers are not touched or removed.

Is this normal??

root@ucs2:/var/log/univention# univention-app remove guacamole
Going to remove Guacamole (0.9.13-univention14)
Password for Administrator:
Configuring guacamole=0.9.13-univention14
Executing interface configure for guacamole
No interface defined
Starting guacd ...
Starting guacamole ...
 tarting guacamole ... done
Stopping guacamole_guacamole_1 ...
Stopping guacamole_guacd_1 ...
 topping guacamole_guacd_1 ... donedone
Stopping guacamole_guacamole_1 ...
Stopping guacamole_guacd_1 ...
 topping guacamole_guacd_1 ... donedone
Stopping guacamole_guacamole_1 ...
Stopping guacamole_guacd_1 ...
 topping guacamole_guacd_1 ... donedone
Stopping guacamole_guacamole_1 ...
Stopping guacamole_guacd_1 ...
 topping guacamole_guacd_1 ... donedone
No stopped containers
Removing localhost from LDAP object
File: /etc/univention/service.info/services/univention-appcenter.cfg
Module: create_portal_entries
Multifile: /etc/postgresql/9.4/main/pg_hba.conf
Multifile: /etc/apache2/sites-available/000-default.conf
Multifile: /etc/apache2/sites-available/default-ssl.conf
File: /usr/share/univention-portal/apps.json
Reloading apache2 configuration (via systemctl): apache2.service.
Uninstalling /usr/lib/univention-install/50guacamole.inst
Search LDAP binddn  done
Running 01univention-ldap-server-init.inst skipped (already executed)
Running 02univention-directory-notifier.inst skipped (already executed)
Running 03univention-directory-listener.inst skipped (already executed)
Running 04univention-ldap-client.inst skipped (already executed)
Running 05univention-bind.inst skipped (already executed)
Running 08univention-apache.inst skipped (already executed)
Running 10univention-ldap-server.inst skipped (already executed)
Running 11univention-heimdal-init.inst skipped (already executed)
Running 11univention-pam.inst skipped (already executed)
Running 15univention-directory-notifier-post.inst skipped (already executed)
Running 15univention-heimdal-kdc.inst skipped (already executed)
Running 18python-univention-directory-manager.inst skipped (already executed)
Running 20univention-directory-policy.inst skipped (already executed)
Running 20univention-join.inst skipped (already executed)
Running 26univention-nagios-common.inst skipped (already executed)
Running 30univention-appcenter.inst skipped (already executed)
Running 30univention-nagios-client.inst skipped (already executed)
Running 31univention-nagios-s4-connector.inst skipped (already executed)
Running 31univention-nagios-samba.inst skipped (already executed)
Running 33univention-portal.inst skipped (already executed)
Running 34univention-management-console-server.inst skipped (already executed)
Running 35univention-appcenter-docker.inst skipped (already executed)
Running 35univention-management-console-module-appcenter.inst skipped (already executed)
Running 35univention-management-console-module-diagnostic.inst skipped (already executed)
Running 35univention-management-console-module-ipchange.inst skipped (already executed)
Running 35univention-management-console-module-join.inst skipped (already executed)
Running 35univention-management-console-module-lib.inst skipped (already executed)
Running 35univention-management-console-module-mrtg.inst skipped (already executed)
Running 35univention-management-console-module-quota.inst skipped (already executed)
Running 35univention-management-console-module-reboot.inst skipped (already executed)
Running 35univention-management-console-module-services.inst skipped (already executed)
Running 35univention-management-console-module-setup.inst skipped (already executed)
Running 35univention-management-console-module-sysinfo.inst skipped (already executed)
Running 35univention-management-console-module-top.inst skipped (already executed)
Running 35univention-management-console-module-ucr.inst skipped (already executed)
Running 35univention-management-console-module-udm.inst skipped (already executed)
Running 35univention-management-console-module-updater.inst skipped (already executed)
Running 35univention-server-overview.inst skipped (already executed)
Running 36univention-management-console-module-apps.inst skipped (already executed)
Running 40univention-postgresql.inst skipped (already executed)
Running 40univention-virtual-machine-manager-schema.inst skipped (already executed)
Running 67univention-mail-server.inst skipped (already executed)
Running 81univention-nfs-server.inst skipped (already executed)
Running 82univention-mail-dovecot.inst skipped (already executed)
Running 90univention-bind-post.inst skipped (already executed)
Running 91univention-saml.inst skipped (already executed)
Running 92univention-management-console-web-server.inst skipped (already executed)
Running 96univention-samba4.inst skipped (already executed)
Running 97univention-s4-connector.inst skipped (already executed)
Running 98univention-pkgdb-tools.inst skipped (already executed)
Running 98univention-samba4-dns.inst skipped (already executed)
Running 98univention-samba4-saml-kerberos.inst skipped (already executed)
File: /usr/share/univention-management-console/modules/apps.xml

File: /usr/share/univention-management-console/i18n/de/apps.mo

File: /etc/apt/apt.conf.d/55user_agent
root@ucs2:/var/log/univention#

root@ucs2:/var/log/univention# docker ps
CONTAINER ID        IMAGE                                                                   COMMAND                  CREATED             STATUS              PORTS                     NAMES
49408d41f649        docker.software-univention.de/guacamole-guacamole:0.9.13-univention13   "/opt/guacamole/bi..."   30 hours ago        Up 30 hours         0.0.0.0:40001->8080/tcp   guacamole_guacamole_1
e3b12922d903        docker.software-univention.de/guacamole-guacd:0.9.13-univention13       "/usr/local/sbin/g..."   30 hours ago        Up 30 hours         4822/tcp                  guacamole_guacd_1
root@ucs2:/var/log/univention#

sgvfr · February 28, 2019, 11:22pm

bump ?? Is there anything else that I could try or help troubleshoot?

sgvfr · March 2, 2019, 8:37pm

Is there nobody that can help?? I see a few posts with Guacamole not working. It doesn’t appear to be an isolated issue…

some more troubleshooting

root@ucs2:~# wget http://localhost:8080/guacamole
--2019-03-02 12:39:39--  http://localhost:8080/guacamole
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:8080... failed: Connection refused.
Connecting to localhost (localhost)|127.0.0.1|:8080... failed: Connection refused.

but 40001 seems to work

root@ucs2:~# wget http://localhost:40001/guacamole
--2019-03-02 12:38:56--  http://localhost:40001/guacamole
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:40001... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://localhost:40001/guacamole/ [following]
--2019-03-02 12:38:56--  http://localhost:40001/guacamole/
Reusing existing connection to [localhost]:40001.
HTTP request sent, awaiting response... 200 OK
Length: 4464 (4.4K) [text/html]
Saving to: ‘guacamole’

guacamole                                                100%[============================================================================================================================

2019-03-02 12:38:57 (8.58 MB/s) - ‘guacamole’ saved [4464/4464]

root@ucs2:~# cat guacamole
<!DOCTYPE html>
<!--
    Licensed to the Apache Software Foundation (ASF) under one
    or more contributor license agreements.  See the NOTICE file
    distributed with this work for additional information
    regarding copyright ownership.  The ASF licenses this file
    to you under the Apache License, Version 2.0 (the
    "License"); you may not use this file except in compliance
    with the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing,
    software distributed under the License is distributed on an
    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    KIND, either express or implied.  See the License for the
    specific language governing permissions and limitations
    under the License.
-->
<html ng-app="index" ng-controller="indexController">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no, target-densitydpi=medium-dpi"/>
        <meta name="mobile-web-app-capable" content="yes"/>
        <meta name="apple-mobile-web-app-capable" content="yes"/>
        <link rel="icon" type="image/png" href="images/logo-64.png"/>
        <link rel="icon" type="image/png" sizes="144x144" href="images/logo-144.png"/>
        <link rel="apple-touch-icon" type="image/png" href="images/logo-144.png"/>
        <link rel="stylesheet" type="text/css" href="app.css?v=0.9.13-incubating">
        <title ng-bind="page.title | translate"></title>
    </head>
    <body ng-class="page.bodyClassName">

        <!-- Content for logged-in users -->
        <div ng-if="!expectedCredentials">

            <!-- Global status/error dialog -->
            <div ng-class="{shown: guacNotification.getStatus()}" class="status-outer">
                <div class="status-middle">
                    <guac-notification notification="guacNotification.getStatus()"></guac-notification>
                </div>
            </div>

            <div id="content" ng-view>
            </div>

        </div>

i cut most of the output, but the code does show it’s at least hitting the tomcat page…

I’ve tried adding the firewall entires in UCR

 ucr set security/packetfilter/tcp/40001/all=ACCEPT
 ucr set security/packetfilter/tcp/8080/all=ACCEPT
systemctl restart univention-firewall.service

no change there either…

Additionaly, since removing and re-installing the error has changed

# Service Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

Apache/2.4.25 (Univention) Server at ucs2.sgvfr.lan Port 443