VNCServer
Preliminary note
This information is taken from https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-remote-access-for-the-gnome-desktop-on-centos-7
yum groupinstall "GNOME Desktop"
reboot
yum install tigervnc-server
Ad hoc VNC Service
This is most likely what you will use if you only access a server occasionally.
First we need to set the VNC password. These are not the users' Linux passwords, but the users' password to log in to the VNC sessions.
Execute the following command:
vncpasswd
To start and stop the VNC server, run:
vncserver :1 -geometry 1400x1000 -depth 24
vncserver -kill :1
If you run the VNC service only as long as necessary, no one can tamper with it.
In this case you probably don't want to open your firewall either; you can use an SSH tunnel to access the VNC server:
ssh -L 6000:localhost:5901 user@example.com -N
VNC Service for multiple Clients
Create multiple test users
First, we will create two user accounts. These accounts will remotely connect to our CentOS 7 server from VNC clients.
- joevnc
- janevnc
Run the following command to add a user account for joevnc:
useradd -c "User Joe Configured for VNC Access" joevnc
Then run the passwd command to change joevnc's password:
passwd joevnc
The output will ask us for a new password. Once supplied, the account will be ready for login:
Changing password for user joevnc.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Next, create an account for janevnc:
useradd -c "User Jane Configured for VNC Access" janevnc
passwd janevnc
Setting VNC Passwords
In this step, the users will need to set their VNC passwords. These are not the users' Linux passwords, but the passwords to log in to the VNC sessions.
Open another terminal connection to the CentOS 7 server, and this time log in as joevnc.
ssh joevnc@your_server_ip
Execute the following command:
vncpasswd
Set-up VNC Service
VNC server doesn't start automatically when it's first installed. To check this, run the following command:
systemctl status vncserver@:.service
The output will be like this:
vncserver@:.service - Remote desktop service (VNC)
Loaded: loaded (/usr/lib/systemd/system/vncserver@.service; disabled)
Active: inactive (dead)
You can also run this command:
systemctl is-enabled vncserver@.service
This should show output like this:
disabled
So why is it disabled? That's because each user will start a separate instance of the VNC service daemon. In other words, VNC doesn't run as one single process that serves every user request. Each user connecting via VNC will have to start a new instance of the daemon (or the system administrator can automate this).
CentOS 7 uses the systemd daemon to initiate other services. Each service that natively runs under systemd has a service unit file that's placed under the /lib/systemd/system directory by the yum installer. Processes that get started automatically at boot time have a link to this service unit file placed in the /etc/systemd/system/ directory.
In our case, a generic service unit file was created in the /lib/systemd/system/ directory, but no link was made under /etc/systemd/system/. To test this, run the following commands:
ls -l /lib/systemd/system/vnc*
You should see:
-rw-r--r--. 1 root root 1744 Jun 10 16:15 /lib/systemd/system/vncserver@.service
Then check under /etc/systemd/system/:
ls -l /etc/systemd/system/*.wants/vnc*
This one doesn't exist:
ls: cannot access /etc/systemd/system/*.wants/vnc*: No such file or directory
So, the first step is to start two new instances of VNC server for our two users. To do this, we will need to make two copies of the generic VNC service unit file under /etc/systemd/system. In the code snippet below, you're making two copies with two different names:
cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:4.service
cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:5.service
So why did we add two numbers (along with the colon) in the copied file names?
Again, that comes back to the concept of individual VNC services. VNC by itself runs on port 5900. Since each user will run their own VNC server, each user will have to connect via a separate port. The addition of a number in the file name tells VNC to run that service as a sub-port of 5900. So in our case, joevnc's VNC service will run on port 5904 (5900 + 4) and janevnc's will run on 5905 (5900 + 5).
Next, edit the service unit file for each client. Open the /etc/systemd/system/vncserver@:4.service file with the vim editor:
vim /etc/systemd/system/vncserver@:4.service
A look at the "Quick HowTo" section tells us we have already completed the first step. Now we need to go through the remaining steps. The comments also tell us that VNC is a non-trusted connection. We will talk about this later.
For now, edit the [Service] section of the file, replacing instances of <USER> with joevnc. Also, add the -geometry 1280x1024 clause at the end of the ExecStart parameter. This just tells VNC the screen size it should start in. You will modify two lines in total. Here's what the edited file should look like (note that the entire file is not shown):
# The vncserver service unit file
#
# Quick HowTo:
# 1. Copy this file to /etc/systemd/system/vncserver@:<display>.service
# 2. Edit <USER> and vncserver parameters appropriately
#   ("runuser -l <USER> -c /usr/bin/vncserver %i -arg1 -arg2")
# 3. Run `systemctl daemon-reload`
# 4. Run `systemctl enable vncserver@:<display>.service`
#
. . .
[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/sbin/runuser -l joevnc -c "/usr/bin/vncserver %i -geometry 1280x1024"
PIDFile=/home/joevnc/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target
Save the file and exit vi.
Similarly, open the /etc/systemd/system/vncserver@:5.service file in vim and make the changes for user janevnc:
vim /etc/systemd/system/vncserver@:5.service
Here's just the [Service] section with the changes marked:
...
[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/sbin/runuser -l janevnc -c "/usr/bin/vncserver %i -geometry 1280x1024"
PIDFile=/home/janevnc/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
...
Next, run the following commands to reload the systemd daemon and also to make sure VNC starts up for two users at boot time.
systemctl daemon-reload
Enable the first server instance:
systemctl enable vncserver@:4.service
Output:
ln -s '/etc/systemd/system/vncserver@:4.service' '/etc/systemd/system/multi-user.target.wants/vncserver@:4.service'
Enable the second server instance:
systemctl enable vncserver@:5.service
Configuring your Firewall
If you need to access the VNC service and don't want to use an SSH tunnel, then you might consider reconfiguring your firewall.
Next, we will need to configure the firewall to allow VNC traffic through ports 5904 and 5905 only. CentOS 7 uses Dynamic Firewall through the firewalld daemon; the service doesn't need to restart for changes to take effect.
The firewalld service should start automatically at system boot time, but it's always good to check:
firewall-cmd --state
This should show:
running
If the state is "not running" for any reason, execute the following command to make sure it's running:
systemctl start firewalld
Now add the rules for ports 5904 and 5905:
firewall-cmd --permanent --zone=public --add-port=5904-5905/tcp
firewall-cmd --reload
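To check that only the intended displays are reachable, the following added example (not part of the original tutorial) maps listening sockets back to VNC display numbers using the 5900 + display rule and flags listeners whose port was not opened on purpose. The function names, the 5900-5999 range (displays :0 to :99) and the sample `ss -ltn` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which VNC displays listen beyond loopback.
# Assumption: displays :0-:99 map to TCP 5900-5999 (5900 + display).

# Constructed sample of `ss -ltn` output (CentOS 7 style addresses).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:22               *:*
LISTEN 0      5      127.0.0.1:5901     *:*
LISTEN 0      5      *:5904             *:*
LISTEN 0      5      :::5905            :::*'

# Reads `ss -ltn` output on stdin; prints one line per VNC listener:
#   :<display> <port> <bind address> <loopback|non-loopback>
vnc_listeners() {
    awk '
    $1 == "LISTEN" {
        n = split($4, parts, ":")
        port = parts[n] + 0
        if (parts[n] !~ /^[0-9]+$/ || port < 5900 || port > 5999) next
        # Everything before the last colon is the bind address.
        addr = substr($4, 1, length($4) - length(parts[n]) - 1)
        scope = "non-loopback"
        if (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]") scope = "loopback"
        printf ":%d %d %s %s\n", port - 5900, port, addr, scope
    }'
}

# Prints the ports of non-loopback VNC listeners that were not opened on purpose.
# $1: space-separated list of ports deliberately opened in firewalld.
unexpected_vnc_ports() {
    allowed=" $1 "
    vnc_listeners | while read -r display port addr scope; do
        [ "$scope" = "loopback" ] && continue
        case "$allowed" in
            *" $port "*) ;;            # opened on purpose, e.g. 5904 5905
            *) echo "$port" ;;
        esac
    done
}

# On a live host: ss -ltn | vnc_listeners
printf '%s\n' "$SAMPLE_SS" | vnc_listeners
```

A non-loopback listener is reachable wherever firewalld allows its port. For the ad hoc SSH-tunnel setup, Xvnc's -localhost option (which vncserver passes through) keeps the display on loopback so that only the tunnel can reach it.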
Updated by Jeremias Keihsler almost 8 years ago · 1 revision