I'm trying to set up Guacamole using containers on a home Ubuntu 20.04 desktop. I can get an SSH connection to work but I'm having a hard time with the VNC setup. Below is a summary of the errors, my setup and some troubleshooting steps I did.
SUMMARY OF ERROR MESSAGES
The management app Guacamole is served at http://localhost:8080/guacamole/. I try to access the VNC connection (its setup is in the next section) and get these errors:
- guacamole web app error message: "The Guacamole server is denying access to this connection because you have exhausted the limit for simultaneous connection use by an individual user. Please close one or more connections and try again."
- In the Chrome or Firefox developer console, network/XHR, I'm pasting a few request/response headers:
Request URL: http://localhost:8080/guacamole/tunnel?connect
Response Status Code: 429
Response Headers:
Guacamole-Error_message: Cannot connect. Connection already in use by this user.
Guacamole-Status-Code: 797
- In the guacd docker container:
guacd[7]: DEBUG: Guacamole connection closed during handshake
guacd[7]: DEBUG: Error reading "select": End of stream reached while reading instruction
- In the guacamole docker container:
18:13:26.091 [http-nio-8080-exec-9] ERROR o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Creation of WebSocket tunnel to guacd failed: Cannot connect. Connection already in use by this user.
18:13:26.116 [http-nio-8080-exec-6] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: Cannot connect. Connection already in use by this user.
MY INSTALLATION AND TROUBLESHOOTING DONE SO FAR
- Environment
- Ubuntu 20.04 desktop
- working TigerVNC server setup at display number 1, which I have been using for SSH-tunneled VNC connections for 2 years
$ sudo systemctl status [email protected]
● [email protected] - Start TightVNC server at startup
Loaded: loaded (/etc/systemd/system/[email protected]; enabled; vendor preset: enabled)
Active: active (running) since Wed 2022-04-13 22:45:53 EDT; 8min ago
Main PID: 2035 (Xtigervnc)
- Docker containers
- I followed the official doc to set up three containers.
- The guacamole links to the guacd and mysql.
$ sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b0c49ab0fb8f guacamole/guacamole:1.4.0 "/opt/guacamole/bin/…" 20 hours ago Up 42 minutes 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp some-guacamole
969afbd569c2 guacamole/guacd "/bin/sh -c '/usr/lo…" 21 hours ago Up 43 minutes (healthy) 4822/tcp some-guacd
3e490e948aa6 mysql/mysql-server:latest "/entrypoint.sh mysq…" 38 hours ago Up 42 minutes (healthy) 3306/tcp, 33060-33061/tcp mysql-docker
- The guacamole container, guacd container and the vnc server have connectivity with each other
- The web app came up fine and I can login to configure settings.
- I easily got an SSH connection to work on guacamole
- For VNC connections, I tried both guacamole at the latest and at tag 1.4.0 but that made no difference
- On my Ubuntu host, I have proper firewall settings:
- ports ssh 22, apache 80/443 are wide open
- my VNC server is sitting on 0.0.0.0:5901 and is therefore open to 172.17.0.0/24
- My docker0 is recognized by the host as 172.17.0.1
$ netstat -an | grep 5901
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN
$ ifconfig docker0
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
- From within the guacd container, I can telnet to my docker host's SSH server (172.17.0.1:22), Apache server(172.17.0.1:80/443), and VNC server (172.17.0.1:5901)
$ sudo docker exec -u0 -it some-guacd bash
root@969afbd569c2:/# telnet 172.17.0.1 5901
Trying 172.17.0.1...
Connected to 172.17.0.1.
Escape character is '^]'.
RFB 003.008
^]
telnet> quit
Connection closed.
- In addition to the SSH connection working out of the box with guacamole install, from within the guacamole container, I could telnet to the guacd at port 4822 and paste the following vnc handshake (6.select,3.vnc;) and got a proper response.
$ sudo docker inspect some-guacd|grep IPAddress
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.2",
"IPAddress": "172.17.0.2",
$ sudo docker exec -u0 -it some-guacamole bash
root@b0c49ab0fb8f:/opt/guacamole# telnet 172.17.0.2 4822
Trying 172.17.0.2...
Connected to 172.17.0.2.
Escape character is '^]'.
6.select,3.vnc;
4.args,13.VERSION_1_3_0,8.hostname,4.port,9.read-only,9.encodings,8.username,8.password,13.swap-red-blue,11.color-depth,6.cursor,9.autoretry,18.clipboard-encoding,9.dest-host,9.dest-port,12.enable-audio,16.audio-servername,15.reverse-connect,14.listen-timeout,11.enable-sftp,13.sftp-hostname,13.sftp-host-key,9.sftp-port,13.sftp-username,13.sftp-password,16.sftp-private-key,15.sftp-passphrase,14.sftp-directory,19.sftp-root-directory,26.sftp-server-alive-interval,21.sftp-disable-download,19.sftp-disable-upload,14.recording-path,14.recording-name,24.recording-exclude-output,23.recording-exclude-mouse,22.recording-include-keys,21.create-recording-path,12.disable-copy,13.disable-paste,15.wol-send-packet,12.wol-mac-addr,18.wol-broadcast-addr,12.wol-udp-port,13.wol-wait-time,14.force-lossless;
- On guacamole VNC connection configuration, I have
Parameters
Network
Hostname: 172.17.0.1
Port: 5901
I believe the apparent error message "Cannot connect. Connection already in use by this user" is a red herring. It's more likely that the guacamole app has a problem connecting to the guacd server at the protocol or the application level. I'm really baffled. I posted to the Apache mailing list for Guacamole a few days ago but haven't gotten a reply yet. So I'm trying my luck on SO.
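
The `6.select,3.vnc;` line and the `args` reply pasted above use Guacamole's length-prefixed instruction framing. The following is an added example, not part of the original post: a small Python encoder/decoder for that framing plus a helper that turns an `args` reply into a positional `connect`. The function names, the shortened sample reply and echoing the `VERSION_*` element back unchanged are assumptions; the other instructions a full handshake exchanges are not covered.

```python
# Added example: encoder/decoder for Guacamole protocol instructions.
# Each element is LENGTH.VALUE (length counted in characters), elements are
# comma-separated, and the instruction ends with a semicolon.

def encode(*elements):
    return ",".join(f"{len(str(e))}.{e}" for e in elements) + ";"

def decode(wire):
    """Parse one instruction; return (elements, remaining unparsed text)."""
    elements, pos = [], 0
    while True:
        dot = wire.find(".", pos)
        if dot == -1:
            raise ValueError("missing length prefix (stream ended early?)")
        length = int(wire[pos:dot])          # non-numeric prefix -> ValueError
        end = dot + 1 + length
        if length < 0 or end >= len(wire):
            raise ValueError("truncated or malformed element")
        elements.append(wire[dot + 1:end])
        terminator = wire[end]
        if terminator == ";":
            return elements, wire[end + 1:]
        if terminator != ",":
            raise ValueError(f"bad terminator {terminator!r} at offset {end}")
        pos = end + 1

def build_connect(args_reply, settings):
    """Answer an 'args' reply with a positional 'connect' instruction."""
    elements, _ = decode(args_reply)
    if elements[0] != "args":
        raise ValueError(f"expected args, got {elements[0]}")
    values = []
    for name in elements[1:]:
        # Assumption: the VERSION_* element is echoed back in its own slot;
        # every parameter not present in `settings` is sent as an empty value.
        values.append(name if name.startswith("VERSION_") else settings.get(name, ""))
    return encode("connect", *values)

# Constructed sample: a shortened form of the args reply shown in the post.
SAMPLE_ARGS = "4.args,13.VERSION_1_3_0,8.hostname,4.port,9.read-only,8.password;"

if __name__ == "__main__":
    print(encode("select", "vnc"))
    print(build_connect(SAMPLE_ARGS, {"hostname": "172.17.0.1", "port": "5901"}))
```

A stream that ends before the terminating semicolon makes `decode` raise, which is the same condition guacd reports as "End of stream reached while reading instruction".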