DokuWiki » Infrastructure » Operating System » CentOS 7

h1. VNCServer

h2. preliminary note

this information is taken from [[https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-remote-access-for-the-gnome-desktop-on-centos-7]]

<pre><code class="bash">

yum groupinstall "GNOME Desktop"

reboot

</code></pre>

<pre><code class="bash">

yum install tigervnc-server

</code></pre>

h2. ad hoc VNC Service

you most likely used to access a server occasionally.

First we need to set the VNC password. These are not the users' Linux passwords, but the users' password to log in to the VNC sessions.

Execute the following command:

<pre><code class="bash">

vncpasswd

</code></pre>

to start and stop the VNC-Server you can do:

<pre><code class="bash">

vncserver :1 -geometry 1400x1000 -depth 24

</code></pre>

<pre><code class="bash">

vncserver -kill :1

</code></pre>

If you run the VNC-Service only as long as necessary noone can tamper around with it.

In this case you maybe don't want to open your firewall as well, you can use a SSH-tunnel to access the VNC-Server

<pre><code class="bash">

ssh -L 6000:localhost:5901 user@example.com -N

</code></pre>

h2. VNC Service for multiple Clients

h3. create multiple test user

First, we will create two user accounts. These accounts will remotely connect to our CentOS 7 server from VNC clients.

* joevnc

* janevnc

Run the following command to add a user account for joevnc:

<pre><code class="bash">

useradd -c "User Joe Configured for VNC Access" joevnc

</code></pre>

Then run the passwd command to change joevnc's password:

<pre><code class="bash">

passwd joevnc

</code></pre>

The output will ask us for new password. Once supplied, the account will be ready for login: 

<pre><code class="bash">

Changing password for user joevnc.

New password:

Retype new password:

passwd: all authentication tokens updated successfully.

</code></pre>

Next, create an account for janevnc:

<pre><code class="bash">

useradd -c "User Jane Configured for VNC Access" janevnc

passwd janevnc

</code></pre>

h3. Setting VNC Passwords

In this step, the users will need to set their VNC passwords. These are not the users' Linux passwords, but the passwords to log in to the VNC sessions.

Open another terminal connection to the CentOS 7 server, and this time log in as joevnc. 

<pre><code class="bash">

ssh joevnc@your_server_ip

</code></pre>

Execute the following command:

<pre><code class="bash">

vncpasswd

</code></pre>

h3. Set-up VNC Service

VNC server doesn't start automatically when it's first installed. To check this, run the following command:

<pre><code class="bash">

systemctl status vncserver@:.service

</code></pre>

The output will be like this:

<pre><code class="bash">

vncserver@:.service - Remote desktop service (VNC)

   Loaded: loaded (/usr/lib/systemd/system/vncserver@.service; disabled)

   Active: inactive (dead)

</code></pre>

You can also run this command:

<pre><code class="bash">

systemctl is-enabled vncserver@.service

</code></pre>

This should show output like this:

<pre><code class="bash">

disabled

</code></pre>

So why is it disabled? That's because each user will start a separate instance of the VNC service daemon. In other words, VNC doesn't run as one single process that serves every user request. Each user connecting via VNC will have to start a new instance of the daemon (or the system administrator can automate this).

CentOS 7 uses the systemd daemon to initiate other services. Each service that natively runs under systemd has a service unit file that's placed under the @/lib/systemd/system@ directory by the yum installer. Processes that get started automatically at boot time have a link to this service unit file placed in the @/etc/systemd/system/@ directory.

In our case, a generic service unit file was created in the @/lib/systemd/system/@ directory, but no link was made under @/etc/systemd/system/@. To test this, run the following commands:

<pre><code class="bash">

ls -l /lib/systemd/system/vnc*

</code></pre>

You should see:

<pre><code class="bash">

-rw-r--r--. 1 root root 1744 Jun 10 16:15 /lib/systemd/system/vncserver@.service

</code></pre>

Then check under @/etc/systemd/system/@:

<pre><code class="bash">

ls -l /etc/systemd/system/*.wants/vnc*

</code></pre>

Thos one doesn't exist:

<pre><code class="bash">

ls: cannot access /etc/systemd/system/*.wants/vnc*: No such file or directory

</code></pre>

So, the first step is to start two new instances of VNC server for our two users. To do this, we will need to make two copies of the generic VNC service unit file under @/etc/system/system@. In the code snippet below, you're making two copies with two different names:

<pre><code class="bash">

cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:4.service

cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:5.service

</code></pre>

So why did we add two numbers (along with the colon) in the copied file names?

Again, that comes back to the concept of individual VNC services. VNC by itself runs on port 5900. Since each user will run their own VNC server, each user will have to connect via a separate port. The addition of a number in the file name tells VNC to run that service as a sub-port of 5900. So in our case, joevnc's VNC service will run on port 5904 (5900 + 4) and janevnc's will run on 5905 (5900 + 5).

Next edit the service unit file for each client. Open the @/etc/systemd/system/vncserver@:4.service@ file with the vim editor:

<pre><code class="bash">

vim /etc/systemd/system/vncserver@:4.service

</code></pre>

A look at the "Quick HowTo" section tells us we have already completed the first step. Now we need to go through the remaining steps. The comments also tell us that VNC is a non-trusted connection. We will talk about this later.

For now, edit the @[Service]@ section of the file, replacing instances of @<USER>@ with @joevnc@. Also, add the @-geometry 1280x1024@ clause at the end of the @ExecStart@ parameter. This just tells VNC the screen size it should start in. You will modify two lines in total. Here's what the edited file should look like (note that the entire file is not shown):

<pre>

# The vncserver service unit file

#

# Quick HowTo:

# 1. Copy this file to /etc/systemd/system/vncserver@:<display>.service

# 2. Edit <USER> and vncserver parameters appropriately

#   ("runuser -l <USER> -c /usr/bin/vncserver %i -arg1 -arg2")

# 3. Run `systemctl daemon-reload`

# 4. Run `systemctl enable vncserver@:<display>.service`

#

. . .

[Unit]

Description=Remote desktop service (VNC)

After=syslog.target network.target

[Service]

Type=forking

# Clean any existing files in /tmp/.X11-unix environment

ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

ExecStart=/sbin/runuser -l joevnc -c "/usr/bin/vncserver %i -geometry 1280x1024" 

PIDFile=/home/joevnc/.vnc/%H%i.pid

ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]

WantedBy=multi-user.target

</pre>

Save the file and exit vi.

Similarly, open the @/etc/systemd/system/vncserver@:5.service@ file in vim and make the changes for user janevnc:

<pre><code class="bash">

vim /etc/systemd/system/vncserver@:5.service

</code></pre>

Here's just the [Service] section with the changes marked:

<pre>

...

[Service]

Type=forking

# Clean any existing files in /tmp/.X11-unix environment

ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

ExecStart=/sbin/runuser -l janevnc -c "/usr/bin/vncserver %i -geometry 1280x1024"

PIDFile=/home/janevnc/.vnc/%H%i.pid

ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

...

</pre>

Next, run the following commands to reload the systemd daemon and also to make sure VNC starts up for two users at boot time.

<pre><code class="bash">

systemctl daemon-reload

</code></pre>

Enable the first server instance:

<pre><code class="bash">

systemctl enable vncserver@:4.service

</code></pre>

Output:

<pre><code class="bash">

ln -s '/etc/systemd/system/vncserver@:4.service' '/etc/systemd/system/multi-user.target.wants/vncserver@:4.service'

</code></pre>

Enable the second server instance:

<pre><code class="bash">

systemctl enable vncserver@:5.service

</code></pre>

h2. Configuring your Firewall

*If you need to access the VNC-Service and don't want to use a SSH-tunnel, then you might consider reconfiguring your Firewall*

Next, we will need to configure the firewall to allow VNC traffic through ports 5904 and 5905 only. CentOS 7 uses Dynamic Firewall through the firewalld daemon; the service doesn't need to restart for changes to take effect.

The firewalld service should start automatically at system boot time, but it's always good to check:

<pre><code class="bash">

firewall-cmd --state

</code></pre>

This should show:

<pre><code class="bash">

running

</code></pre>

If the state is "not running" for any reason, execute the following command to make sure it's running:

<pre><code class="bash">

systemctl start firewalld

</code></pre>

Now add the rules for ports 5904 and 5905:

<pre><code class="bash">

firewall-cmd --permanent --zone=public --add-port=5904-5905/tcp

firewall-cmd --reload

</code></pre>