Accessing a Host in Oracle Public Cloud Through a Graphical Interface (VNC)

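This lab used a virtual machine on Oracle Public Cloud, configured as VM.Standard2.2.
VNC Viewer is installed on the client. The server-side configuration steps follow.
Log in to the cloud host over SSH.
Install libEGL and libGL: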

sudo yum -y install mesa-libEGL
sudo yum -y install mesa-libGL

Install the graphical desktop; this step took 4m43.991s:

sudo yum -y groupinstall "Server with GUI"

Install TigerVNC:

sudo yum -y install tigervnc-server

Set a VNC password for the opc user; opc is the default OS login account on Oracle Public Cloud:

$ su - opc
$ vncpasswd
Password:
Verify:
Would you like to enter a view-only password (y/n)?
A view-only password is not used

Copy the service unit from the template, which is provided by TigerVNC:

sudo cp /lib/systemd/system/vncserver@.service /lib/systemd/system/vncserver@:1.service

The original content of this file is:

$ cat /lib/systemd/system/vncserver@:1.service
...
[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking

# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/usr/sbin/runuser -l <USER> -c "/usr/bin/vncserver %i"
PIDFile=/home/<USER>/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target

Edit the file and replace every <USER> with opc. The ExecStart= line has a bug and also needs to be changed. The final content is:

[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking
User=opc
Group=opc
WorkingDirectory=/home/opc

# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/usr/bin/vncserver %i
PIDFile=/home/opc/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target

Start the graphical interface and the VNC server:

sudo systemctl start graphical.target
sudo systemctl start vncserver@:1

To start the services automatically at boot:

sudo systemctl enable graphical.target
sudo systemctl enable vncserver@:1

The status on success looks like this:

$ sudo systemctl status graphical.target
● graphical.target - Graphical Interface
   Loaded: loaded (/usr/lib/systemd/system/graphical.target; static; vendor preset: disabled)
   Active: active since Tue 2019-11-12 02:12:05 GMT; 7s ago
     Docs: man:systemd.special(7)

Nov 12 02:12:05 instance-20191112-0956 systemd[1]: Reached target Graphical Interface.

$ sudo systemctl status vncserver@:1
● vncserver@:1.service - Remote desktop service (VNC)
   Loaded: loaded (/usr/lib/systemd/system/vncserver@:1.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-11-12 02:12:23 GMT; 8s ago
  Process: 15304 ExecStart=/usr/bin/vncserver %i (code=exited, status=0/SUCCESS)
  Process: 15297 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill %i > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)
 Main PID: 15313 (Xvnc)
   CGroup: /system.slice/system-vncserver.slice/vncserver@:1.service
           ├─15313 /usr/bin/Xvnc :1 -auth /home/opc/.Xauthority -desktop instance-20191112-0956:1 (opc) -fp catalogue:/etc/X11/fontp...
           ├─15322 /bin/sh /home/opc/.vnc/xstartup
           ├─15323 /usr/libexec/gnome-session-binary --session=gnome-classic
           ├─15334 dbus-launch --sh-syntax --exit-with-session
           ├─15335 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
           ├─15368 /usr/libexec/imsettings-daemon
           ├─15372 /usr/libexec/gvfsd
           ├─15427 /usr/bin/ssh-agent /etc/X11/xinit/Xclients
           ├─15442 /usr/libexec/at-spi-bus-launcher
           ├─15447 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
           ├─15450 /usr/libexec/at-spi2-registryd --use-gnome-session
           ├─15476 /usr/bin/gnome-keyring-daemon --start --components=pkcs11
           ├─15490 /usr/bin/gnome-shell
           ├─15504 /usr/bin/pulseaudio --start --log-target=syslog
           ├─15541 ibus-daemon --xim --panel disable
           ├─15545 /usr/libexec/ibus-dconf
           ├─15547 /usr/libexec/ibus-x11 --kill-daemon
           ├─15551 /usr/libexec/ibus-portal
           ├─15561 /usr/libexec/xdg-permission-store
           ├─15566 /usr/libexec/gnome-shell-calendar-server
           ├─15571 /usr/libexec/evolution-source-registry
           ├─15576 /usr/libexec/dconf-service
           ├─15581 /usr/libexec/goa-daemon
           ├─15590 /usr/libexec/goa-identity-service
           ├─15613 /usr/libexec/mission-control-5
           ├─15619 /usr/libexec/gvfs-udisks2-volume-monitor
           ├─15624 /usr/libexec/gvfs-afc-volume-monitor
           ├─15632 /usr/libexec/gvfs-gphoto2-volume-monitor
           ├─15638 /usr/libexec/gvfs-mtp-volume-monitor
           ├─15645 /usr/libexec/gvfs-goa-volume-monitor
           ├─15653 /usr/libexec/gsd-power
           ├─15656 /usr/libexec/gsd-print-notifications
           ├─15658 /usr/libexec/gsd-rfkill
           ├─15659 /usr/libexec/gsd-screensaver-proxy
           ├─15664 /usr/libexec/gsd-sharing
           ├─15668 /usr/libexec/gsd-sound
           ├─15672 /usr/libexec/gsd-xsettings
           ├─15678 /usr/libexec/gsd-wacom
           ├─15681 /usr/libexec/gsd-smartcard
           ├─15682 /usr/libexec/gsd-account
           ├─15693 /usr/libexec/gsd-a11y-settings
           ├─15695 /usr/libexec/gsd-clipboard
           ├─15698 /usr/libexec/gsd-color
           ├─15702 /usr/libexec/gsd-datetime
           ├─15704 /usr/libexec/gsd-housekeeping
           ├─15705 /usr/libexec/gsd-keyboard
           ├─15707 /usr/libexec/gsd-media-keys
           ├─15714 /usr/libexec/gsd-mouse
           ├─15730 /usr/libexec/gsd-printer
           ├─15758 nautilus-desktop --force
           ├─15765 /usr/libexec/gvfsd-trash --spawner :1.4 /org/gtk/gvfs/exec_spaw/0
           ├─15781 /usr/bin/seapplet
           ├─15783 /usr/libexec/tracker-miner-apps
           ├─15784 /usr/libexec/tracker-miner-fs
           ├─15785 /usr/libexec/gnome-initial-setup --existing-user
           ├─15786 /usr/libexec/tracker-miner-user-guides
           ├─15796 /usr/libexec/gsd-disk-utility-notify
           ├─15798 /usr/libexec/tracker-store
           ├─15800 /usr/bin/gnome-software --gapplication-service
           ├─15817 abrt-applet
           ├─15820 /usr/libexec/tracker-extract
           ├─15843 /usr/bin/nautilus --gapplication-service
           ├─15852 /usr/libexec/evolution-calendar-factory
           ├─15885 /usr/libexec/evolution-calendar-factory-subprocess --factory all --bus-name org.gnome.evolution.dataserver.Subpro...
           ├─15924 /usr/libexec/evolution-addressbook-factory
           ├─15947 /usr/libexec/evolution-addressbook-factory-subprocess --factory all --bus-name org.gnome.evolution.dataserver.Sub...
           ├─15988 /usr/libexec/ibus-engine-simple
           ├─15991 /usr/libexec/gvfsd-metadata
           └─15998 /usr/libexec/gvfsd-burn --spawner :1.4 /org/gtk/gvfs/exec_spaw/1

Nov 12 02:12:28 instance-20191112-0956 gnome-shell-cal[15566]: e_cal_client_set_default_timezone: assertion 'zone != NULL' failed
Nov 12 02:12:28 instance-20191112-0956 gnome-shell[15490]: STACK_OP_ADD: window 0x2200001 already in stack
Nov 12 02:12:28 instance-20191112-0956 gnome-shell[15490]: STACK_OP_ADD: window 0x2200001 already in stack
Nov 12 02:12:28 instance-20191112-0956 gnome-software[15800]: enabled plugins: desktop-categories, fwupd, os-release, packageki...black
Nov 12 02:12:28 instance-20191112-0956 gnome-software[15800]: disabled plugins: dpkg, dummy, fedora-pkgdb-collections, epiphany
Nov 12 02:12:28 instance-20191112-0956 gnome-shell[15490]: GNOME Shell started at Tue Nov 12 2019 02:12:25 GMT+0000 (GMT)
Nov 12 02:12:30 instance-20191112-0956 org.gnome.Shell.desktop[15490]: Window manager warning: Buggy client sent a _NET_ACTIVE_W...nit)
Nov 12 02:12:30 instance-20191112-0956 gnome-shell[15490]: JS WARNING: [resource:///org/gnome/shell/ui/keyboard.js 553]: refere...rect"
Nov 12 02:12:30 instance-20191112-0956 gnome-shell[15490]: JS ERROR: Exception in callback for signal: position-changed: TypeEr...fined
                                                           getCurrentRect@resource:///org/gnome/shell/ui/keyboard.js:553:22
                                                           wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22...
Nov 12 02:12:30 instance-20191112-0956 telepathy-haze[15593]: Exiting
Hint: Some lines were ellipsized, use -l to show in full.

The VNC process and its listening port are visible:

$ ps aux|grep vnc
opc      15313  0.2  0.1 238672 60544 ?        Sl   02:12   0:00 /usr/bin/Xvnc :1 -auth /home/opc/.Xauthority -desktop instance-20191112-0956:1 (opc) -fp catalogue:/etc/X11/fontpath.d -geometry 1024x768 -pn -rfbauth /home/opc/.vnc/passwd -rfbport 5901 -rfbwait 30000
opc      15322  0.0  0.0 113196  2684 ?        S    02:12   0:00 /bin/sh /home/opc/.vnc/xstartup

$ netstat -an|grep 5901
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN
tcp6       0      0 :::5901                 :::*                    LISTEN
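
A check of which addresses the VNC ports are bound to, as an added example that is not part of the original post. The function names vnc_listeners and sample_netstat are hypothetical, and the sample input is constructed from the netstat lines above plus three extra lines for contrast.

```shell
#!/bin/sh
# Added example (not from the original post): classify VNC listeners.
# Reads `netstat -an` or `ss -ltn` output on stdin and prints, for every
# listening TCP port in the VNC display range 5900-5999:
#   EXPOSED <addr> <port>   bound to a wildcard or routable address
#   LOCAL   <addr> <port>   bound to loopback only
vnc_listeners() {
    awk '
    /LISTEN/ {
        la = ""
        # The local address is the first <addr>:<port> field in both tools.
        for (i = 1; i <= NF; i++)
            if ($i ~ /:[0-9]+$/) { la = $i; break }
        if (la == "") next

        port = la
        sub(/.*:/, "", port)                 # keep text after the last colon
        addr = substr(la, 1, length(la) - length(port) - 1)
        if (port + 0 < 5900 || port + 0 > 5999) next

        tag = "EXPOSED"
        if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") tag = "LOCAL"
        print tag, addr, port
    }'
}

# Constructed sample: the two listener lines shown above, plus a loopback
# listener, an SSH listener and an established session for contrast.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN
tcp6       0      0 :::5901                 :::*                    LISTEN
tcp        0      0 127.0.0.1:5902          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:5901           198.51.100.7:51514      ESTABLISHED
EOF
}

sample_netstat | vnc_listeners
# On the host itself: netstat -an | vnc_listeners
```

Both listeners from this post are reported as EXPOSED, so any source permitted by the OCI security rule and the host firewall reaches a desktop protected only by the vncpasswd password.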

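The next step is to configure the firewall.
First, configure the security rules in OCI.
Then check whether the VM has a firewall enabled; if it does, it can be disabled: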

$ systemctl status firewalld
$ sudo systemctl stop firewalld

If you do not want to disable the firewall, you can add an inbound rule, but it is lost after a reboot:

sudo iptables -I INPUT -m state --state NEW -p tcp --destination-port 5901 -j ACCEPT 

To store the rule permanently (--permanent), use the command available in Linux 7:

$ sudo firewall-cmd --zone=public --permanent --add-port=5901/tcp
success
$ sudo firewall-cmd --reload
success

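The VNC client is VNC Viewer.
Log in with VNC Viewer (public_IP:5901):
[Image 1]
The Password above is the one set earlier with vncpasswd.
Unexpectedly, I got stuck at the screen saver; this is a common problem with cloud hosts.
There are two solutions: disable the screen saver, or set a password for the user. The following covers the former.
Following How To Customize The Screensaver Options In Gnome on Oracle Linux 7 (Doc ID 2264955.1), I disabled the screen saver, and after a reboot I could log in.
I followed the section Global Mandatory settings (for the idle and lock delay; my settings are as follows: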

# cat /etc/dconf/db/local.d/00-screensaver
[org/gnome/desktop/session]
idle-delay=uint32 0

[org/gnome/desktop/screensaver]
lock-enabled=false

# cat /etc/dconf/db/local.d/locks/screensaver
/org/gnome/desktop/session/idle-delay
/org/gnome/desktop/screensaver/lock-enabled
/org/gnome/desktop/screensaver/lock-delay

Seeing the following screen, I was both exhausted and happy:
[Image 2]

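Additional notes

  1. SELinux can be left at its default configuration, that is, enabled rather than permissive or disabled.
  2. VNC is faster than X11 Forwarding, possibly because of VNC's lower resolution; perhaps X11 Forwarding can be configured as well, which I will try another time.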
