diff --git a/1-setup.sh b/1-setup.sh
index 72ec4a9..0bf768c 100644
--- a/1-setup.sh
+++ b/1-setup.sh
@@ -628,6 +628,7 @@ echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup."
 echo -e " ${LGREEN}Powered by Guacamole"
 echo
 echo
+
 echo -e "${LGREEN}Beginning Guacamole setup...${GREY}"
 echo
 echo -e "${GREY}Checking Linux distro specific dependencies..."
diff --git a/2-install-guacamole.sh b/2-install-guacamole.sh
index a8b6b75..af34174 100644
--- a/2-install-guacamole.sh
+++ b/2-install-guacamole.sh
@@ -95,7 +95,18 @@ if [ $? -ne 0 ]; then
 echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-${GUAC_VERSION}.war${GREY}"
 exit 1
 fi
-echo -e "${LGREEN}Downloaded guacamole-${GUAC_VERSION}.war${GREY}"
+echo -e "${LGREEN}Downloaded guacamole-${GUAC_VERSION}.war (Guacamole client web application)${GREY}"
+
+# Download MySQL connector/j
+wget -q --show-progress -O mysql-connector-j-${MYSQLJCON}.tar.gz https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-${MYSQLJCON}.tar.gz
+if [ $? -ne 0 ]; then
+ echo -e "${LRED}Failed to download mysql-connector-j-${MYSQLJCON}.tar.gz" 1>&2
+ echo -e "https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-${MYSQLJCON}}.tar.gz${GREY}"
+ exit 1
+else
+ tar -xzf mysql-connector-j-${MYSQLJCON}.tar.gz
+fi
+echo -e "${LGREEN}Downloaded mysql-connector-j-${MYSQLJCON}.tar.gz${GREY}"
 # Download Guacamole authentication extensions
 wget -q --show-progress -O guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz
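Review bot: The Connector/J tarball added in the 2-install-guacamole.sh hunk is fetched and unpacked with no integrity check, and its jar is later moved to /etc/guacamole/lib/mysql-connector-java.jar, so a corrupted or substituted download would be installed as the JDBC driver; the same download block is added to upgrade-guac.sh. Pin the expected digest next to `MYSQLJCON` and verify it before `tar`, for example `echo "${MYSQLJCON_SHA256}  mysql-connector-j-${MYSQLJCON}.tar.gz" | sha256sum -c - || exit 1`, where `MYSQLJCON_SHA256` is a placeholder for a value confirmed against the vendor's published checksum or signature. The failure message prints `${MYSQLJCON}}.tar.gz` with a stray `}`, so the URL shown to the operator is wrong. The exit status of `tar -xzf` is not checked either, so "Downloaded" is echoed even when extraction fails.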
@@ -172,17 +183,6 @@ if [ "${INSTALL_HISTREC}" = true ]; then
 fi
 echo -e "${LGREEN}Downloaded guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz${GREY}"
 fi
-
-# Download MySQL connector/j
-wget -q --show-progress -O mysql-connector-j-${MYSQLJCON}.tar.gz https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-${MYSQLJCON}.tar.gz
-if [ $? -ne 0 ]; then
- echo -e "${LRED}Failed to download mysql-connector-j-${MYSQLJCON}.tar.gz" 1>&2
- echo -e "https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-${MYSQLJCON}}.tar.gz${GREY}"
- exit 1
-else
- tar -xzf mysql-connector-j-${MYSQLJCON}.tar.gz
-fi
-echo -e "${LGREEN}Downloaded mysql-connector-j-${MYSQLJCON}.tar.gz${GREY}"
 echo -e "Source download complete.${GREY}"
 # Option to pause script here as we might want to make final tweaks to source code just before compiling
@@ -262,6 +262,7 @@ chmod 664 /etc/guacamole/extensions/guacamole-auth-jdbc-mysql-${GUAC_VERSION}.ja
 # Create a symbolic link for Tomcat
 ln -sf /etc/guacamole/guacamole.war /var/lib/${TOMCAT_VERSION}/webapps/
+
 # Move MySQL connector/j files
 echo -e "${GREY}Moving mysql-connector-j-${MYSQLJCON}.jar (/etc/guacamole/lib/mysql-connector-java.jar)..."
 mv -f mysql-connector-j-${MYSQLJCON}/mysql-connector-j-${MYSQLJCON}.jar /etc/guacamole/lib/mysql-connector-java.jar
diff --git a/README.md b/README.md
index 66a1036..ab6ea29 100644
--- a/README.md
+++ b/README.md
@@ -85,6 +85,9 @@ See theme and branding instructions [here](https://github.com/itiligent/Guacamol
 - **Quick connect** allows for add-hoc unauthenticated connections. Whilst users must still authenticate directly with the endpoint, all other controls such as file sharing restrictions can be bypassed as add-hoc connections allow the user full access to all connection parameters. Also, add-hoc connections are not recorded or logged.
 - **History Recorded Storage** creates a locked down location for recorded session storage, however potentially sensitive recorded session data may require additional considerations beyond just Guacamole console & local filesystem access controls. Risk mitigations across the full storage and data lifecylce may also be a requirement.
+## **Upgrading Guacamole**
+To upgrade Guacamole, edit `upgrade-guac.sh` to reflect the desired `NEW_GUAC_VERSION` and `NEW_MYSQLJCON` values prior to running. The upgrade script will automatically update any pre-existing extensions already present (duo, ldap, totp, quick-connect or history-recored-storage) to the new Guacamole version.
+
 ## **Download manifest**
 The autorun link above downloads the following items into the `$DOWNLOAD_DIR/guac-setup` directory:
@@ -103,5 +106,5 @@ The autorun link above downloads the following items into the `$DOWNLOAD_DIR/gua
 - `add-tls-guac-daemon.sh`: A hardening script to add a TLS wrapper between the guacd server daemon and Guacamole application traffic (optional, consider extra performance impact mitigations)
 - `add-fail2ban.sh`: A hardening script to add a fail2ban policy (with local subnet override) to secure Guacamole against external brute force attacks
 - `backup-guacamole.sh`: A simple MySQL Guacamole backup script
-- `upgrade-guac.sh` upgrades the currently installed version of Guacamole to a new version (new version must specified in the script.)
+- `upgrade-guac.sh` Upgrades the currently installed versions of Guacamole and MySQL connector.
 - `branding.jar`: An example template for a custom (dark mode) Guacamole theme. Delete this file to keep the default Guacamole UI. This extension's source is also included for easier study and customisation.
diff --git a/upgrade-guac.sh b/upgrade-guac.sh
index 7d8f8a8..55d24aa 100644
--- a/upgrade-guac.sh
+++ b/upgrade-guac.sh
@@ -28,13 +28,6 @@ if ! [ $(id -u) = 0 ]; then
 exit 1
 fi
-#Setup download and temp directory paths
-USER_HOME_DIR=$(eval echo ~${SUDO_USER})
-DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup/upgrade
-
-# Setup directory locations
-mkdir -p $DOWNLOAD_DIR
-
 # Check to see if any previous version of build/install files exist, if so stop and check to be safe.
 if [ "$(find . -maxdepth 2 \( -name 'guacamole-*' -o -name 'mysql-connector-j-*' \))" != "" ]; then
 echo
@@ -49,13 +42,23 @@ fi
 # Script branding header
 echo
-echo -e "${GREYB}Itiligent Virtual Desktop Appliance UPGRADE"
+echo -e "${GREYB}Itiligent VDI & Jump Server Appliance UPGRADE."
 echo -e " ${LGREEN}Powered by Guacamole"
 echo
-# Version of Guacamole to upgrade to
+#Setup download and temp directory paths
+USER_HOME_DIR=$(eval echo ~${SUDO_USER})
+DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup/upgrade
+
+# Setup directory locations
+mkdir -p $DOWNLOAD_DIR
+
+# Version of Guacamole to upgrade to. See https://guacamole.apache.org/releases/ for latest version info.
 NEW_GUAC_VERSION="1.5.3"
+# MySQL Connector/J version. See https://dev.mysql.com/downloads/connector/j/ for latest version number.
+NEW_MYSQLJCON="8.1.0"
+
 # Get the currently installed Tomcat version.
 TOMCAT_VERSION=$(ls /etc/ | grep tomcat)
@@ -69,7 +72,7 @@ GUAC_SOURCE_LINK="http://apache.org/dyn/closer.cgi?action=download&filename=guac
 # Install log Location
 LOG_LOCATION="${DOWNLOAD_DIR}/guacamole_${NEW_GUAC_VERSION}_upgrade.log"
-# Auto updated values from main installer
+# Auto updated values from main installer (manually update if blank)
 MYSQL_HOST=
 MYSQL_PORT=
 GUAC_USER=
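Review bot: `USER_HOME_DIR=$(eval echo ~${SUDO_USER})` passes an environment variable through `eval` in a script that has already required root, so shell metacharacters in `SUDO_USER` would be executed rather than expanded. Look the home directory up without `eval`, for example `USER_HOME_DIR=$(getent passwd "${SUDO_USER:-root}" | cut -d: -f6)`, and quote the derived path where it is used: `mkdir -p -- "$DOWNLOAD_DIR"`. These lines are moved from earlier in the file rather than newly written, but the move is a convenient point to fix them.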
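Review bot: The reworded comment tells the operator to fill in blank values by hand, but nothing visible checks that they were filled in, and the next hunk removes both the interactive prompts and the defaults for host, port, database and user. A guard placed after the variable block would make an empty value fail early instead of reaching the database commands, for example `: "${MYSQL_HOST:?set MYSQL_HOST in upgrade-guac.sh}"` repeated for each required variable. Since `GUAC_PWD` and `MYSQL_ROOT_PWD` are now expected to be stored in the file rather than read with `read -s`, the comment should also say to keep the script readable by root only. The variable block continues past the end of this hunk.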
@@ -77,71 +80,6 @@ GUAC_PWD=
 GUAC_DB=
 MYSQL_ROOT_PWD=
-#######################################################################################################################
-# Prompt inputs if used as a standalone script (without auto updated variables) #######################################
-#######################################################################################################################
-
-echo
-# Get MySQL Hostname or IP
-if [ -z "${MYSQL_HOST}" ]; then
- read -p "Enter MySQL server hostname or IP [localhost]: " MYSQL_HOST
- echo
-fi
-
-# Get MySQL Port
-if [ -z "${MYSQL_PORT}" ]; then
- read -p "Enter MySQL server port [3306]: " MYSQL_PORT
- echo
-fi
-
-# Get MySQL database name
-if [ -z "${GUAC_DB}" ]; then
- read -p "Enter Guacamole database name [guacamole_db]: " GUAC_DB
- echo
-fi
-
-# Get MySQL user name
-if [ -z "${GUAC_USER}" ]; then
- read -p "Enter Guacamole user name [guacamole_user]: " GUAC_USER
- echo
-fi
-
-# Get Guacamole User password, confirm correct password entry and prevent blank passwords
-if [ -z "${GUAC_PWD}" ]; then
- read -s -p "Enter MySQL guacamole_user password: " GUAC_PWD
- echo
-fi
-
-# Get MySQL root password
-if [ -z "${MYSQL_ROOT_PWD}" ]; then
- echo
- read -s -p "Enter MySQL root password: " MYSQL_ROOT_PWD
- echo
-fi
-
-# Set prompt input defaults if values not given
-
-# Checking if a mysql host given, if not set a default
-if [ -z "${MYSQL_HOST}" ]; then
- MYSQL_HOST="localhost"
-fi
-
-# Checking if a mysql port given, if not set a default
-if [ -z "${MYSQL_PORT}" ]; then
- MYSQL_PORT="3306"
-fi
-
-# Checking if a database name given, if not set a default
-if [ -z "${GUAC_DB}" ]; then
- GUAC_DB="guacamole_db"
-fi
-
-# Checking if a mysql user given, if not set a default
-if [ -z "${GUAC_USER}" ]; then
- GUAC_USER="guacamole_user"
-fi
-
-
 #######################################################################################################################
 # Start upgrade actions
##############################################################################################
 #######################################################################################################################
@@ -155,7 +93,7 @@ systemctl stop guacd
 cd $DOWNLOAD_DIR
 echo
-echo -e "${GREY}Beginning Guacamole ${OLD_GUAC_VERSION} to ${NEW_GUAC_VERSION} upgrade..."
+echo -e "${GREY}Downloading updated Guacamole source files and beginning Guacamole ${OLD_GUAC_VERSION} to ${NEW_GUAC_VERSION} upgrade..."
 wget -q --show-progress -O guacamole-${NEW_GUAC_VERSION}.war ${GUAC_SOURCE_LINK}/binary/guacamole-${NEW_GUAC_VERSION}.war
 if [ $? -ne 0 ]; then
 echo -e "${LRED}Failed to download guacamole-${NEW_GUAC_VERSION}.war" 1>&2
@@ -182,6 +120,19 @@ else
 fi
 echo -e "${LGREEN}Upgraded Guacamole SQL jdbc to version ${NEW_GUAC_VERSION}${GREY}"
+# Download MySQL connector/j
+wget -q --show-progress -O mysql-connector-j-${NEW_MYSQLJCON}.tar.gz https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-${NEW_MYSQLJCON}.tar.gz
+if [ $? -ne 0 ]; then
+ echo -e "${LRED}Failed to download mysql-connector-j-${NEW_MYSQLJCON}.tar.gz" 1>&2
+ echo -e "https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-${NEW_MYSQLJCON}}.tar.gz${GREY}"
+ exit 1
+else
+ tar -xzf mysql-connector-j-${NEW_MYSQLJCON}.tar.gz
+ rm /etc/guacamole/lib/mysql-connector-java.jar
+ mv -f mysql-connector-j-${NEW_MYSQLJCON}/mysql-connector-j-${NEW_MYSQLJCON}.jar /etc/guacamole/lib/mysql-connector-java.jar
+fi
+echo -e "${LGREEN}Upgraded MySQL connector/j to ${NEW_MYSQLJCON}${GREY}"
+
 # Download Guacamole Server
 wget -q --show-progress -O guacamole-server-${NEW_GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/source/guacamole-server-${NEW_GUAC_VERSION}.tar.gz
 if [ $? -ne 0 ]; then
@@ -382,6 +333,7 @@ fi
 # Cleanup
 echo -e "${GREY}Clean up install files...${GREY}"
 rm -rf guacamole-*
+rm -rf mysql-connector-j-*
 unset MYSQL_PWD
 if [ $? -ne 0 ]; then
 echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
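Review bot: In the connector hunk, `rm /etc/guacamole/lib/mysql-connector-java.jar` runs before the replacement jar is known to exist, and the exit status of `tar -xzf` is not checked. A failed or partial extraction therefore leaves Guacamole with no JDBC driver while the script still prints "Upgraded MySQL connector/j". `mv -f` already replaces the destination, so the `rm` line can be dropped and the move gated on extraction with `tar -xzf mysql-connector-j-${NEW_MYSQLJCON}.tar.gz || exit 1`. The missing integrity check and the stray `}` in the failure URL are the same as in the 2-install-guacamole.sh hunk.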
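Review bot: In the cleanup hunk, the `if [ $? -ne 0 ]` after the added line tests the status of `unset MYSQL_PWD`, not of either `rm -rf`, so the "Failed" branch cannot report a cleanup error. If the check is meant for the cleanup, test the removal directly, for example `if ! rm -rf -- guacamole-* mysql-connector-j-*; then`, and do the `unset` afterwards. Both globs are relative to the current directory, so they depend on the earlier `cd $DOWNLOAD_DIR` having succeeded. The `if` block continues past the end of this hunk.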