Guacamole doesn’t want to connect to RHEL 9

Jakub Jóźwicki
Sep 29, 2022

At the time of writing, the Guacamole 1.4.0 image available from Docker Hub is built on an old Debian release with the old libssh2 1.8.0, which does not support EC cryptography. To be able to use modern SSH, we must bake our own guacd container image.

I decided to do it once, manually, so the Dockerfile is simplified. I download the code by hand and patch https://github.com/apache/guacamole-server/blob/master/src/common-ssh/ssh.c#L57 so that the define reads:

#define FIPS_COMPLIANT_KEX_ALGORITHMS "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c"

Then: autoreconf -fi, manual fixes to ./configure (related to brackets), ./configure --prefix=dist && make && make install.

FROM ubuntu:22.04
ARG PREFIX_DIR=/opt/guacamole
# Runtime environment
ENV LC_ALL=C.UTF-8
ENV LD_LIBRARY_PATH=${PREFIX_DIR}/lib
ENV GUACD_LOG_LEVEL=info
# DEBIAN_FRONTEND has to prefix apt-get install, the command that may prompt
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install libssh2-1-dev libcairo2-dev libjpeg-turbo8-dev libpng-dev libtool-bin uuid-dev libavcodec-dev libavformat-dev libavutil-dev freerdp2-dev libpango1.0-dev libvncserver-dev libwebsockets-dev libssl-dev libvorbis-dev libwebp-dev netcat -y
#
# ./configure --prefix=dist; make; make install
# Copy build artifacts into this stage
COPY dist ${PREFIX_DIR}
# Checks the operating status every 5 minutes with a timeout of 5 seconds
HEALTHCHECK --interval=5m --timeout=5s CMD nc -z 127.0.0.1 4822 || exit 1
# Create a new user guacd
ARG UID=1000
ARG GID=1000
RUN groupadd --gid $GID guacd
RUN useradd --system --create-home --shell /sbin/nologin --uid $UID --gid $GID guacd
RUN chown -R guacd:guacd ${PREFIX_DIR}; echo "${PREFIX_DIR}/lib" > /etc/ld.so.conf.d/guacd.conf; ldconfig
# Run with user guacd
USER guacd
# Expose the default listener port
EXPOSE 4822
# Start guacd, listening on port 0.0.0.0:4822
#
# Note the path here MUST correspond to the value specified in the
# PREFIX_DIR build argument.
#
CMD /opt/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f
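
To check that the patched key-exchange list shares a method with the target server, the following added example (not part of the original post or of guacamole-server) applies the RFC 4253 selection rule to the list from the define and to `sshd -T` output. The sample server output is constructed, and the function names `server_kex` and `negotiate_kex` are hypothetical.

```shell
#!/bin/sh
# Added example: which key-exchange method would the patched guacd and a given
# sshd agree on? Simplified RFC 4253 section 7.1 rule: the first name in the
# client's list that the server also lists. Host-key compatibility is ignored,
# so this covers key exchange only.

# Client list copied from the patched FIPS_COMPLIANT_KEX_ALGORITHMS define.
GUACD_KEX="diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c"

# Constructed sample of `sshd -T` output (not captured from a real host).
SAMPLE_SSHD_T='port 22
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
hostkeyalgorithms ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-512'

# server_kex: read `sshd -T` output on stdin, print the kexalgorithms value.
server_kex() {
    awk '$1 == "kexalgorithms" { print $2; exit }'
}

# negotiate_kex CLIENT_LIST SERVER_LIST
# Prints the agreed method and returns 0, or returns 1 if there is no overlap.
negotiate_kex() {
    rest="$1,"
    while [ -n "$rest" ]; do
        alg=${rest%%,*}   # first name left in the client list
        rest=${rest#*,}   # drop that name and its comma
        case $alg in
            # Empty fields and signalling markers are not key-exchange methods.
            ''|ext-info-c|ext-info-s|kex-strict-*) continue ;;
        esac
        case ",$2," in
            *",$alg,"*) printf '%s\n' "$alg"; return 0 ;;
        esac
    done
    return 1
}

srv=$(printf '%s\n' "$SAMPLE_SSHD_T" | server_kex)
negotiate_kex "$GUACD_KEX" "$srv" || echo "no common key-exchange method"
```

On a real target, feed the function from `sshd -T | server_kex` run as root on the SSH server instead of the constructed sample.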
