Guacamole Network Bridge Problem - Bypass Solution

chackl · April 18, 2019, 8:59pm

Hello!

We installed Guacamole today and saw, that something was not working correct.
I found out that the network bridge og guacamole is not able to forward over the gateway of the docker bridge.

So both docker container are seeing each other + USC is able to comunicate with them -> But the container that is responsible to comunicate with the RDP server can not see the RDP-Server because the gateway has no forwarding.

With some research i found a little solution by just adding the normal docker bridge to te container “guacamole_guacd_1” (The other container does not need it if you use the revere-proxy of univention)

docker network connect bridge guacamole_guacd_1

I found the command here:

Maybe this could be solved / updated in the appcenter.

Thank you, Chackl

damrose · April 23, 2019, 7:13am

There is no general bug known with the installation, but there are some other reports that the network connection is not working after the app installation. It would be very helpful to understand how to reproduce the issue. You probably just installed the app and the bridge connection was simply not there?

Can you describe the network setup on your UCS? Just one interface connected to the network, or is there another bridge (e.g. when using KVM, or manually configured), bonding, or something else? Is the UCR variable docker/daemon/default/opts/bip set to its default value of 172.17.42.1/16, or was it modified?

Is there any warning or information regarding the network setup in the docker daemon logs or /var/log/univention/appcenter.log from the app installation time?

chackl · April 23, 2019, 12:32pm

Hello!

Well i fear i am not that fixed but i’ll try to get the information you asked for.

I installed the app on an running system that exists for about 2 years. After installing the app everything looked and i tried to set up the RDP connections. I am excluding all the troubles i had during setting up the parametes, because those are not the problem.

Within the installation it seems that there is a made a network Bridge in docker named “guacamole_default”. Both Container “guacamole_guacd_1” and “guacamole_guacamole_1” are connected to this network “guacamole_default”. Both containers need to interact over it.

After checking this is found out that guacamole was able to connect to LDAP on the Host and “synced” the users to guacamole. Login in was also no problem. I just did not get any connection to any RDP Host in the Network of the UCS-Host.
So i did a ping check - and found out that the host was able to ping the RDP-Host i wanted to connect to. But the “guacamole_guacd_1” was not able to ping my RDP-Host.
It seems that the network of “guacamole_default” seem not to be allowed to forward over the gateway to any other host within the network behind.
The default brridge of docker is able to forward to the network.
So a verry cheap solution was to connect the “guacamole_guacd_1” also to the default bridge so that the “guacamole_guacd_1” actually is able to reach a RDP-Host within the network that belongs to the USC-System. (Simply said ping the RDP-Host after connecting the “guacamole_guacd_1” to the bridge was possible)

Network (Modified for Public - pls conact me in private to get the real ips):
LAN Range of all PCs: 10.XXX.0.254/24 (Done with LEDE/WRT Router)
UCS Domain Master: 10.XXX.0.30
RDP Host i wanted to connect to: 10.XXX.0.20
Docker Bridge on UCS - no re-configuration done
There is no KVM Bridge in use / No KVM used.
Just one Interface connected to the LAN no bonding. (UCS is running on Hyper-V)

Going into the Container “guacamole_guacd_1” i was not able to ping 10.XXX.0.20 with the default installation. After joining “guacamole_guacd_1” to the bridge it was able to ping and able to connect.

The UCR variable on “docker/daemon/default/opts/bip” is still 172.17.42.1/16 and is / was not modified.

I did not see any warnings in the Appcenter-Log file.
I saw warnings in the Docker-Logs of “guacamole_guacd_1” that told me that something was not reachable… leading me to proof this by the ping-test.

The “simple” problem may just be a network named “guacamole_default” that is not able to forward into the next zone (in my case 10.XXX.0.254/24)

I did not do a clean install and tried again.

Thank you.