Linux Desktop In a Container
Table of Contents
Installing a Linux desktop in a Docker container and accessing it from a browser seems like something that is impossible. However it works. The tool that enables access to desktop from a browser is Guacamole. Not only can you access the desktop, but you can also share it with other people, in watch-only or collaborate mode. This may be very useful for teaching or collaboration.
1 Installation
1.1 Making The Container
- First install
ds: https://gitlab.com/docker-scripts/ds#installation - Then get the scripts:
ds pull desktop - Create a dir for the container:
ds init desktop @desk.example.org - Fix the settings:
cd /var/ds/desk.example.org/; vim settings.sh - Make the container:
ds make - Open https://127.0.0.1:444/guac/ (or
https://desk.example.org:444/guac/, or
https://123.45.67.89:444/guac/) , where 444 is the GUAC_PORT on
settings.sh.
1.2 Installing Additional Packages
You can go inside the docker container and install other packages with
apt, like this:
cd /var/ds/desk.example.org/ ds shell apt install ubuntu-edu-preschool ubuntu-edu-primary firefox exit
However, in case you rebuild the server (for example with ds
remake), you will have to install them again manually. To install
them automatically on each rebuild, create a file like
/var/ds/desk.example.org/packages with a content like this:
RUN DEBIAN_FRONTEND=noninteractive \
apt install --yes \
ubuntu-edu-preschool \
ubuntu-edu-primary \
firefox
See also packages.sample.
1.3 Accessing It From a Wi-Fi LAN
If the container is in a laptop and there is no wi-fi access point around to enable the connection/communication with other laptops, we can start a hotspot like this:
cd desktop/misc/ ./hotspot.sh start test-hotspot pass1234
Or like this:
cd /var/ds/desk.example.org/ ds hotspot start test-hotspot pass1234
Afterwards the server can be accessed on https://10.42.0.1:444/guac/
Note: If you have a firewall, make sure that the port 444 is
allowed. For example like this: ufw allow 444.
Note: Depending on the type on the wireless card or the driver that it has, the hotspot may not always work. In this case the most easy way to create a hotspot is with an Android or iPhone.
1.4 Getting a Letsencrypt SSL Certificate
For this to work, you need to have the container installed on a
machine with a public IP (for example on a VPS on the cloud), and to
have a domain name for this IP. You also have to set the proper
DOMAIN variable on settings.sh (before building the container) and
also a proper GMAIL_ADDRESS (or a SMTP_DOMAIN).
The letsencrypt SSL certificate will be managed by the container
wsproxy, so this one should be installed as well:
https://gitlab.com/docker-scripts/wsproxy#installation
If the desktop container is built after installation of wsproxy,
it will try automatically to get a SSL cert as well. Otherwise you can
get one manually like this:
cd /var/ds/desk.example.org/ ds @wsproxy get-ssl-cert user@example.org desk.example.org
Note: It is important that the domain is a real one and it is configured properly, otherwise getting a ssl-cert will fail.
2 Usage
2.1 Managing User Accounts
The file accounts.txt contains a list of accounts in the form
username:password, which are created automatically when the
container is created. But they can also be re-created any time with a
command like this:
ds inject users.sh create accounts.txt # or ds shell /app/scripts/users.sh create accounts.txt
There are other commands and options available from the script
users.sh, which can be used to export, import, backup and
restore user accounts: ds inject users.sh --help
In particular, there are shortcuts for making a backup of user accounts and restoring them:
ds backup ds restore backup/users-20190417.tgz
2.3 Using Guacamole
Guacamole allows desktop access to the server from a web browser. Everything runs on the server and the client does not consume any resources, except for a browser tab. This is very convenient because:
- It does not require installation of any additional tools or applications on the client, except a web browser.
- It is cross-platform and universal, the desktop can be accessed from any system, on any architecture.
2.3.1 Accessing User Account From a Browser
Any user that has an account on the server can access the desktop of the server from a web browser. He can do it like this:
- Open
https://10.42.0.1:444/guac/(replace10.42.0.1with the IP or name of the server). - Click on the button Login without a username and password.
- Click on the RDP connection.
- Give the username and password of the account, for example (user1,pass1).
2.3.2 Teacher Sharing His Screen With The Students
This is useful when the teacher wants to demonstrate to the students how to do something, for example how to write a program.
To be able to share the screen of his account, the teacher should
enter in Guacamole with the username student or admin (and the
corresponding password).
Then he should go to his account by clicking on the RDP connection and giving the username and password of his account. Afterwards he should follow these steps:
- Press Ctrl+Alt+Shift to open the Guacamole panel on the left side.
- Click on the Share menu of the top and then on Watch.
- Right-click on the link that is displayed and copy it.
- Open
https://10.42.0.1:444/chat/in another tab and share the link with the students. - Once the students open in browser the link of the shared Guacamole session, they will be able to see the desktop of the teacher and what he is doing.
2.3.3 Students Collaborating With The Teacher And With Each-Other
The students can share their desktop too with the teacher and with other students. This is useful when a student is stuck and needs some help (for example he cannot find a bug in the program) or when the students are working in pairs or in groups.
To be able to share his desktop a student should login in Guacamole
with the username student. Then he should follow the same steps as
above, except that he should select Collaborate from the menu of
Share, instead of Watch. The difference is that with Collaborate
both parties (or all of them) can use the keyboard and mouse to work
together, instead of just watching what the other person does.
Then they can use https://10.42.0.1:444/chat/ to share the link of
the guacamole session with the others (or maybe use email or other
communication means).
3 Alternative Installations
The preferred way is to install it in a Docker container (as described above). However it is possible to install it on a VirtualBox machine and on a real machine as well.
3.1 Install In a VirtualBox Machine (With Vagrant)
- Install virtualbox and vagrant: https://www.vagrantup.com/. In
bionic (ubuntu-18.04 and its derivatives), they can be installed
like this:
apt install virtualbox virtualbox-qt vagrant - Get the code:
git clone https://gitlab.com/docker-scripts/desktop - Customize:
cd desktop/ vim settings.sh cd vagrant/ vim settings.sh vim pre-config.sh vim post-config.sh
- Start installation and configuration with:
vagrant up. This will also runinstall.shinside the virtual machine. - When installation is finished open: https://127.0.0.1:444/guac/
- To stop and start the virtual machine use
vagrant haltandvagrant up. Other vagrant commands that can be used are:vagrant ssh,vagrant destroy,vagrant --help, etc.
3.2 Install In a Real Machine
- Get the code:
git clone https://gitlab.com/docker-scripts/desktop - Change GUAC_PASS:
cd desktop ; vim settings.sh - Check also
vagrant/pre-config.shandvagrant/post-config.sh - Start installation:
misc/install.sh - After installation is done open in browser: https://127.0.0.1/guac/
These scripts should be used on a machine that has a fresh installation of Ubuntu-18.04 or a derivative of it (preferably LinuxMint-19).
This machine is supposed to be a dedicated desktop server, not your laptop or a machine that is used for something else as well. It can also be a virtual machine that you manage manually (not with vagrant commands, as explained above).